Cyber Essentials - Antivirus Malware
This blog is the fourth in a series about putting in place the practical cybersecurity technology and processes to elevate your organisation’s security posture to the level needed to meet the UK NCSC Cyber Essentials standard.
Each blog focuses on one of the five control themes of the standard.
This blog focuses on the control theme ‘Protect from viruses and other malware’, and applies to all computers, laptops, tablets and mobile phones that connect to your organisation’s internal network or are used by mobile staff outside your local network.
I’ll start with the three obvious questions:
1. What is malware?
2. How does it get onto your organisation’s systems?
3. How do you stop it?
The word ‘malware’ is a contraction of the phrase ‘malicious software’, and refers to any software that has been designed to act with malicious intent toward an individual or organisation that runs it.
The most commonly known type of malware is the computer virus, so called because it copies itself into other programs or files, so that it runs again, and spreads further, whenever one of those infected files is run or shared. (Strictly, malware that spreads itself across a network without needing a host file or a user action is a worm, but the distinction makes little difference to the defences below.) Viruses almost always carry a secondary malicious function beyond replication, ranging from digital graffiti (a message like ‘XXX was here’ on your desktop), to stealing data from your system, to adware that pushes unwanted ads into your browser, to installing other malware packages.
Other significant types of malware include:
· Macro viruses – a specialised form of virus embedded in an Office document (Word, Excel and similar) as a ‘macro’, which runs when the document is opened and macros are enabled.
· Drive-by download – strictly a delivery method rather than a type of malware: the malware is served from a webpage (often a legitimate site that has been compromised, or a malicious advert) and exploits a vulnerability in the browser or one of its plugins. In many cases the user need do nothing more than visit the page for the malware to download and execute on their system.
· Remote Access Trojan (RAT) – a malware package, usually installed by a virus or a drive-by download, that lets an attacker remotely access, and typically control, the user’s system.
· Keylogger – a malware package that, once installed on a user’s system, records every keystroke the user types. This inevitably includes website usernames, passwords and similar credentials.
So, how does malware get onto your organisation’s systems? I’ve touched on some of the answers in the descriptions above, but it’s worth focusing specifically on this.
There are a number of methods that malicious actors (i.e. hackers) use to get malware onto your organisation’s systems.
1. They can send a user an email with an attachment that, if the user opens or runs it, activates an embedded piece of malware. This will probably attempt to install itself locally and spread to any other devices it can reach on the network to which the user’s device is connected. If this takes place while the user is on your organisation’s internal network, the malware is already inside the firewall.
2. They can send a user an email with a link to a website that hosts a ‘drive-by download’ (or the user might simply stumble on a page with embedded malware, no email link required). If the user opens the page, the embedded malware will attempt to download and install itself via the user’s web browser, and then spread via the connected network. Again, if the user is on your organisation’s internal network, the malware has bypassed the firewall.
3. They can plant the malware on a CD-ROM, DVD-ROM or USB thumb drive (in the boot sector, as an autorun program, or as a file disguised as something harmless) that a user then innocently inserts into their system. Once accidentally activated by the user, the malware will attempt to install itself locally and/or spread via the connected network, which may be behind your firewall.
4. They can convince the user to install a piece of malware that is masquerading as some other software.
There are many variations of the above methods, but these are the primary techniques that malware uses to compromise your organisation’s systems, and therefore the primary focus of defence efforts under the UK NCSC Cyber Essentials standard.
To meet this control objective, you are therefore required to ensure that all of your computers, laptops, tablets and mobile phones are protected from malware by at least one of the following defence methods:
A. having anti-malware software installed
B. limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications)
C. application sandboxing (e.g. by using a virtual machine)
In practice, most organisations that have standard laptops and/or computers, and mobile phones and/or tablets, will have to use both (A) and (B) above.
Where anti-malware software is installed, it must be:
1. Set to update daily
2. Set to scan files automatically upon access
3. Set to scan web pages visited by users and warn about accessing malicious websites.
· You may use any commonly used anti-virus product (paid-for or free), as long as it can carry out the requirements above.
· A combination of Windows Defender and Microsoft SmartScreen on Windows 10 is suitable to meet these requirements.
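As an added example (not part of the original post), the PowerShell below checks a Windows 10/11 device against the three anti-malware requirements above using the built-in Microsoft Defender Antivirus and SmartScreen settings, and optionally applies the minimum fix. It assumes Defender is the installed anti-malware product and that a signature age of at most one day satisfies ‘update daily’; the function name and the `-Fix` switch are my own, not anything from the standard.

```powershell
# Added example, not from the original post. Assumes Microsoft Defender Antivirus is the installed
# anti-malware product. Run from an elevated PowerShell session on Windows 10/11.
function Test-CeMalwareProtection {
    [CmdletBinding()]
    param([switch]$Fix)   # assumption: -Fix applies the minimum remediation via Set-MpPreference

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $checks = [ordered]@{}

    # Requirement 1: updated daily. AntivirusSignatureAge is the signature age in days.
    $checks['Antivirus engine running']           = $status.AMServiceEnabled -and $status.AntivirusEnabled
    $checks['Signatures no more than 1 day old']  = $status.AntivirusSignatureAge -le 1

    # Requirement 2: scan files automatically on access (real-time protection), including downloads
    # and email attachments (IOAV).
    $checks['Real-time (on-access) scanning on']  = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
    $checks['Download/attachment (IOAV) scanning'] = -not $pref.DisableIOAVProtection

    # Requirement 3: scan web pages and warn about malicious sites. Two layers on Windows:
    #   - Defender Network Protection blocks connections to known-bad domains (1 = Enabled, 2 = Audit only)
    #   - SmartScreen for Explorer and downloads ('Warn'/'Block'; older builds use 'Prompt'/'RequireAdmin'),
    #     or the equivalent policy value EnableSmartScreen = 1
    $checks['Defender network protection enforced'] = $pref.EnableNetworkProtection -eq 1
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                           -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $ssPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                                 -Name EnableSmartScreen -ErrorAction SilentlyContinue
    $checks['SmartScreen warns or blocks'] = ($ss.SmartScreenEnabled -in @('Warn', 'Block', 'Prompt', 'RequireAdmin')) `
                                             -or ($ssPolicy.EnableSmartScreen -eq 1)

    if ($Fix) {
        # Requirements 2 and 3 via Defender (tamper protection, if on, must be lifted first).
        Set-MpPreference -DisableRealtimeMonitoring $false -DisableIOAVProtection $false `
                         -EnableNetworkProtection Enabled
        # Requirement 1: pull today's signatures now.
        Update-MpSignature
        # SmartScreen via local policy keys (a GPO would set the same values centrally).
        $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
        Set-ItemProperty -Path $polKey -Name EnableSmartScreen -Value 1 -Type DWord
        Set-ItemProperty -Path $polKey -Name ShellSmartScreenLevel -Value 'Block' -Type String
    }

    # One row per check so the output can be kept as evidence for the self-assessment.
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Result = $(if ($c.Value) { 'PASS' } else { 'FAIL' }) }
    }
}

Test-CeMalwareProtection | Format-Table -AutoSize
# Re-run with -Fix to remediate, then run again to confirm every row reads PASS.
```

Run it once to record the baseline, once with `-Fix`, and once more to confirm; the third run is the evidence that the device meets the control. A third-party product will expose equivalent settings through its own console or agent, and the same three questions apply to it.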
Where your organisation limits the installation of software on a device to an approved set, by using an ‘App Store’ and an approved list of applications, the following controls must be enforced:
1. The device must be configured to only allow the user to install ‘signed’ applications. Any device where the user has ‘root’ or has otherwise been able to ‘jailbreak’ the device will NOT pass this test.
2. Your organisation must maintain a ‘whitelist’ of pre-approved software applications that your users are allowed to install.
3. The device or ‘App Store’ must be further configured to only allow the download and installation of software from the pre-approved ‘whitelist’.
· These requirements apply even where the devices are employee-owned devices
· It is a good idea to use Mobile Device Management (MDM) software to automate as much of this as possible, but it is NOT a requirement. You can reasonably meet the requirement using a combination of good policy, good process and effective staff training.
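The three controls above are written with mobile devices and App Stores in mind; on Windows laptops and desktops the same ‘signed applications from an approved list only’ outcome can be enforced with AppLocker publisher rules. As an added example (not part of the original post), the PowerShell below builds such a policy from the software already installed in the approved locations, tests a downloaded file against it, and applies it in audit mode first. It assumes a Windows edition that enforces AppLocker (Windows 10/11 Enterprise or Education, or Windows Server) and an elevated session; the directory list, file paths and function names are my own assumptions.

```powershell
# Added example, not from the original post. Builds an AppLocker allow list of signed, pre-approved
# applications. Assumes Windows 10/11 Enterprise/Education or Windows Server (other editions do not
# enforce AppLocker) and an elevated session. Paths and names are illustrative assumptions.
function New-CeAllowListPolicy {
    param(
        # Assumption: everything already installed under these paths is the pre-approved 'whitelist'.
        [string[]]$ApprovedDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'),
        [string]$OutFile = "$env:ProgramData\CE-AppLocker.xml",
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'
    )

    # Control 1: only signed applications. Collect publisher information for executables and
    # installers under the approved locations (slow on a full C:\Windows; run it once).
    $fileInfo = foreach ($d in $ApprovedDirs) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, WindowsInstaller -ErrorAction SilentlyContinue
    }

    # Control 2: the whitelist itself. Publisher rules only, so an unsigned file gets no rule at all
    # and falls to AppLocker's implicit deny (-IgnoreMissingFileInformation skips it instead of failing).
    [xml]$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone `
                                    -RuleNamePrefix 'CE-Approved' -Optimize -IgnoreMissingFileInformation -Xml

    # Generated collections are 'NotConfigured'; set the requested mode. Start with AuditOnly and review
    # the 'Microsoft-Windows-AppLocker/EXE and DLL' event log before switching to Enabled.
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = $Mode }
    $xml.Save($OutFile)
    return $OutFile
}

function Test-CeAllowList {
    # Control 3: anything outside the list must be denied. PolicyDecision is
    # Allowed, Denied or DeniedByDefaultRule; MatchingRule names the rule that allowed a file.
    param([string]$PolicyFile, [string[]]$Path)
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage (illustrative paths): build, test against whatever is sitting in Downloads, then apply.
$policyFile = New-CeAllowListPolicy -Mode AuditOnly
Test-CeAllowList -PolicyFile $policyFile -Path "$env:USERPROFILE\Downloads\*.exe" | Format-Table -AutoSize

# The Application Identity service must be running for AppLocker to evaluate rules at all.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyFile      # local policy; add -Ldap to write it to a GPO instead
```

An unsigned download should show `DeniedByDefaultRule`, and a signed binary from a publisher not in the approved set should show `Denied`, which is the behaviour control 3 asks for. Adding an application to the whitelist is then a matter of installing it on a reference machine, regenerating the policy, and redistributing it (by GPO or your MDM), which keeps the documented whitelist and the enforced one the same thing.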
Finally, your organisation can choose to implement ‘application sandboxing’ to protect against malware. This is most commonly done to test software before it is added to the pre-approved application ‘whitelist’.
The most common sandbox technology is the virtual machine, but other forms of containerisation and separation can be used. The important points to address when sandboxing are the following controls:
1. The sandbox technology MUST be configured to block access to your organisation’s data stores.
2. The sandbox technology MUST be configured to block access to any sensitive peripherals.
3. The sandbox technology MUST be configured to block access to your local network.
4. You must document the process of configuring the sandbox to enforce the above controls (note that these are often settings that can be configured within the virtual machine itself).
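As an added example (not part of the original post), the PowerShell below writes, verifies and launches a Windows Sandbox configuration that enforces the four controls above, so the script doubles as the documentation that control 4 asks for. It assumes Windows 10/11 Pro or Enterprise with the Windows Sandbox feature enabled; the staging folder path and the function names are my own assumptions. The same settings map directly onto a full virtual machine (no network adapter, no shared folders, no USB, clipboard or printer passthrough) if you use Hyper-V or another hypervisor instead.

```powershell
# Added example, not from the original post. Generates a Windows Sandbox (.wsb) configuration that
# enforces the sandbox controls, then checks the saved file. Assumes the Windows Sandbox feature is
# enabled; the staging path is an illustrative assumption.
function New-CeSandboxConfig {
    param(
        # Assumption: the only host folder the sandbox may see, holding the installer under test, read-only.
        [string]$StagingFolder = 'C:\SandboxStaging',
        [string]$OutFile = "$env:TEMP\ce-sandbox.wsb"
    )
    if (-not (Test-Path $StagingFolder)) { New-Item -ItemType Directory -Path $StagingFolder | Out-Null }

    $config = @"
<Configuration>
  <!-- Control 3: block the local network (and with it the internet) -->
  <Networking>Disable</Networking>
  <!-- Control 1: no organisation data stores; the single mapped folder is read-only staging -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$StagingFolder</HostFolder>
      <SandboxFolder>C:\Staging</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- Control 2: no sensitive peripherals or host sharing channels -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <VGpu>Disable</VGpu>
  <ProtectedClient>Enable</ProtectedClient>
</Configuration>
"@
    Set-Content -Path $OutFile -Value $config -Encoding UTF8
    return $OutFile
}

function Test-CeSandboxConfig {
    # Control 4: verify (and keep as a record) that the saved configuration really enforces controls 1-3.
    param([string]$Path)
    [xml]$x = Get-Content -Path $Path -Raw
    $c = $x.Configuration
    $checks = [ordered]@{
        'Network disabled'             = $c.Networking -eq 'Disable'
        'All mapped folders read-only' = @($c.MappedFolders.MappedFolder | Where-Object { $_.ReadOnly -ne 'true' }).Count -eq 0
        'Clipboard and printer blocked' = ($c.ClipboardRedirection -eq 'Disable') -and ($c.PrinterRedirection -eq 'Disable')
        'Microphone and camera blocked' = ($c.AudioInput -eq 'Disable') -and ($c.VideoInput -eq 'Disable')
    }
    foreach ($k in $checks.GetEnumerator()) {
        [pscustomobject]@{ Control = $k.Key; Enforced = $k.Value }
    }
}

$wsb = New-CeSandboxConfig
Test-CeSandboxConfig -Path $wsb | Format-Table -AutoSize
Start-Process -FilePath $wsb    # opens the sandbox; everything inside it is discarded when it is closed
```

Copy the installer under test into the staging folder before launching, run it inside the sandbox, and close the sandbox when finished: nothing it wrote survives, and nothing it tried to reach on your network or your data stores was reachable in the first place. Keep the `.wsb` file and the check output with the whitelist record for the application you were evaluating.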