So in Part 1, we covered solutions for preventing hacking attempts, as they are considered one of the top two reasons for successful security breaches. In this article, we will cover some common sense approaches to preventing and identifying malware breaches.
So one of the questions we pose to our audience in our presentation is, “Is anti-virus software worth the expense?”
The answers usually boil down to a yes/no debate and a discussion on the effectiveness of the technologies used by anti-virus (AV) vendors today.
This is honestly an ongoing discussion with many organizations today, and there are statistics to back up both sides of the argument.
To resolve these threats, we recommend a two-pronged approach.
Approach 1 – Look at the changes in AV technology. A lot of changes are coming from established AV vendors and new entrants alike. These include anomaly detection and application whitelisting technologies, which show some promise, especially for those of us who are such fans of the Least Functionality concept.
Approach 2 – The other approach is to apply some simple common sense techniques to thwart malware from successfully attacking an organization’s environment. To do this, we need to understand the basic three phases of a malware infestation, and adopt solutions for each phase:
- Infection and deployment
- Target acquisition and data harvesting
- Data exfiltration
Step 1 – Preventing Infection and Deployment – Obviously, if malware could not successfully install itself on systems, we would not have this ongoing problem. Yet the root cause of most infections is precisely that it can. How can we break this cycle?
The answer has been around for a long, long time, and it’s really inexpensive – Stop using administrative permissions.
I know this is a radical concept (sarcasm), but it basically means you need to stop giving your users administrative access to their desktops/laptops and minimize the amount of software they can install on their systems.
With Windows 7 (and now 8), as well as the OS X family of desktops/laptops, a user rarely needs administrative permissions to do their job or their day-to-day computer tasks.
The only time administrative access is needed in most cases is to install new software or a new device that requires a driver to be installed.
This one countermeasure prevents malware from installing as much as 80-90% of the time, depending on whose statistics you are reading.
The times when it does not work can usually be traced to a new vulnerability in a third-party application, such as a browser, Java, or a random plug-in like Adobe Flash or Acrobat. In these cases, patch management that keeps these third-party applications up to date minimizes this threat even further.
Step 2 – Identify Data Harvesting. Assuming a piece of malware made it onto your system, how would you identify you have a problem?
We ask this same question of system administrators every time we hear of some rogue person stealing a bunch of data from a company.
The solution is file-access monitoring and log management. Candidly, it is not easy: although simple to implement, it is problematic to maintain.
We all do it. We install a system and turn on some logging. But does anyone actually read the logs?
Guess what? The most effective way to identify malware after it has installed is to catch it accessing the types of files it was designed to harvest. The same question applies to the rogue user scenario: should we have been able to catch a user stealing hundreds of files they had the rights to use?
I’m not all gloom and doom here. There are some excellent solutions out there now to assist you with this task. They are the DLP and SIEM solutions we hear about every day from our security vendors. They have become so popular that there are even free ones (to a point) for those organizations on a budget. The main challenge here is to actually get the data into the DLP or SIEM, and then build your alerting benchmarks and mechanisms into the solution to throw an alarm when you need it.
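Here is one shape that "alerting benchmark" can take, as an added example that is not from the original article: a sliding-window rule over file-access audit records that flags any account reading an unusual number of distinct sensitive files in a short period, the pattern both harvesting malware and the rogue user produce. The log format, share names and thresholds are constructed for illustration.

```python
"""Flag bulk reads of sensitive files from file-access audit logs.

Added example (not from the original article). The log format below is
constructed; a real feed (e.g. Windows object-access audit events forwarded
to your SIEM) needs its own parser, but the same sliding-window rule applies.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <user> <action> <UNC path>".
# bob and alice do normal work; svc_backup sweeps HR, legal and finance
# folders in seconds, as harvesting malware running under that account would.
SAMPLE_LOG = r"""2013-05-01T09:00:01 bob READ \\fs01\finance\budget.xlsx
2013-05-01T09:00:05 bob READ \\fs01\finance\q1.xlsx
2013-05-01T09:01:00 svc_backup READ \\fs01\hr\salaries.xlsx
2013-05-01T09:01:01 svc_backup READ \\fs01\hr\ssn_list.xlsx
2013-05-01T09:01:02 svc_backup READ \\fs01\legal\contract_a.pdf
2013-05-01T09:01:03 svc_backup READ \\fs01\legal\contract_b.pdf
2013-05-01T09:01:04 svc_backup READ \\fs01\finance\payroll.csv
2013-05-01T09:01:05 svc_backup READ \\fs01\finance\bank_accounts.csv
2013-05-01T09:30:00 alice READ \\fs01\finance\budget.xlsx
"""

SENSITIVE_FOLDERS = {"hr", "finance", "legal"}  # constructed classification

def parse(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def is_sensitive(path):
    """True when the UNC path's top-level share folder is classified sensitive."""
    parts = path.split("\\")          # ['', '', 'fs01', 'hr', 'salaries.xlsx']
    return len(parts) > 3 and parts[3].lower() in SENSITIVE_FOLDERS

def bulk_readers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak distinct sensitive files read within one window}
    for every user who reached `threshold` distinct files inside `window`."""
    recent = defaultdict(deque)       # user -> (timestamp, path), oldest first
    alerts = {}
    for line in log_text.splitlines():
        ts, user, action, path = parse(line)
        if action != "READ" or not is_sensitive(path):
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop reads older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts[user] = max(alerts.get(user, 0), distinct)
    return alerts

if __name__ == "__main__":
    for user, count in bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT: {user} read {count} distinct sensitive files within 10 min")
```

Tune `threshold` and `window` against a week of your own logs before alerting; accounts with a legitimate bulk-read role (real backup agents, indexers) need a documented allow-list rather than a raised global threshold.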
Step 3 – Preventing Data Exfiltration. The problem with this one is that it does require some forethought and likely changes to the way you allow access to your network. Additionally, we haven’t found a really inexpensive answer, but we do provide you with some options.
Preventing data exfiltration is a two-part process.
Part 1 – How bad is your firewall policy? Or how open are your VPN and Internet access policies?
If your firewall rule base looks like the examples from the typical firewall manual, you are going to have a BIG problem catching and blocking malware sending your data out of your network (let alone that rogue employee). So, the first step is to fill out your firewall policy.
Firewalls are meant to apply rules on source, destination, and service. Fill in all the blanks.
This gets us to at least a more controlled access model where we can start applying some monitoring logic when looking for malware.
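A quick way to find the blanks before touching the firewall itself, as an added example that is not from the original article: export the rule base into a simple source/destination/service/action list and score every allow rule by how many of those fields are still "any". The rule names and the sample rules are constructed.

```python
"""Audit a firewall rule base for 'blank' (any) fields in allow rules.

Added example (not from the original article). The rule shape is a
constructed, vendor-neutral list of dicts; export your real rule base into
this shape and run the same check.
"""

ANY = "any"
FIELDS = ("source", "destination", "service")

# Constructed sample rule base. Rule 1 is the "firewall manual" example:
# every internal host may reach anything on any service, so malware on a
# desktop has an unrestricted path out.
SAMPLE_RULES = [
    {"id": 1, "source": "internal", "destination": ANY, "service": ANY, "action": "allow"},
    {"id": 2, "source": "internal", "destination": ANY, "service": "http", "action": "allow"},
    {"id": 3, "source": "dns-servers", "destination": "isp-resolvers", "service": "dns", "action": "allow"},
    {"id": 4, "source": ANY, "destination": "web-dmz", "service": "https", "action": "allow"},
    {"id": 5, "source": ANY, "destination": ANY, "service": ANY, "action": "deny"},
]

def blanks(rule):
    """Names of the source/destination/service fields left as 'any'."""
    return [f for f in FIELDS if str(rule.get(f, ANY)).lower() == ANY]

def audit(rules):
    """Return findings for allow rules with blanks, most permissive first.

    A deny rule may legitimately be any/any/any (the cleanup rule), so only
    allow rules are scored. Severity is the number of blank fields; a
    single blank (e.g. inbound 'any' source to a public DMZ service) may be
    justified, but should be reviewed and documented rather than assumed.
    """
    findings = []
    for rule in rules:
        if str(rule.get("action", "")).lower() != "allow":
            continue
        b = blanks(rule)
        if b:
            findings.append({"id": rule["id"], "blanks": b, "severity": len(b)})
    findings.sort(key=lambda f: (-f["severity"], f["id"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"rule {f['id']}: severity {f['severity']}, blank fields: {', '.join(f['blanks'])}")
```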
Part 2 – Augment or replace your old firewalls. So here is the current challenge we face – the majority of the malware today communicates on HTTP and HTTPS. The rest leverage ICMP, FTP, DNS, and a few random ports.
Outside of basic filtering, “old skool” firewalls are useless at preventing or blocking most of this traffic, as they are not application or protocol aware.
– Augment – If it is cost-prohibitive to replace your current firewalls, look at these technologies:
- A proxy or content filter – They have the ability to monitor the applications and malware trying to leave your environment.
- Malware IDS/IPS Solutions (Damballa and FireEye) – These are purpose-built monitoring and analyzing solutions that process the data traversing your network and can identify infected hosts, as well as infestation attempts.
– Replace – If you have the budget, maybe it is time to evaluate one of those new “Next Gen” firewalls. They have application awareness and some even provide malware analysis built right in.
Ultimately, by leveraging the concepts outlined above, you will have established a set of security controls that can assist you in preventing malware infections, provide you with the ability to identify an infection, and prevent data exfiltration by a malware infection from within your organization… and maybe even save some of your budget along the way.