Adam Adler: Protecting your organization from Malware
Adam Adler (Miami, Florida): Malicious software (also known as ‘malware’) is software or web content that can harm your organization, as the recent WannaCry outbreak demonstrated. The most well-known form of malware is the virus, a self-copying program that infects legitimate software.
What is malware?
Malware is malicious software which, if it is able to run, can cause harm in many ways, including:
causing a device to become locked or unusable
stealing, deleting, or encrypting data
taking control of your devices to attack other organizations
obtaining credentials which allow access to your organization's systems or services that you use
using services that may cost you money (e.g. premium rate phone calls).
Tip 1 Install (and turn on) antivirus software
Antivirus software, which is often included for free within popular operating systems, should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’, and you’re instantly safer. Smartphones and tablets might require a different approach and, if properly configured, separate antivirus software might not be necessary.
Tip 2 Prevent staff from downloading dodgy apps
You should only download apps for mobile phones and tablets from manufacturer-approved stores (like Google Play or Apple App Store). These apps are checked to provide a certain level of protection from malware that might cause harm. You should prevent staff from downloading third-party apps from unknown vendors/sources, as these will not have been checked. Staff accounts should only have enough access required to perform their role, with extra permissions (i.e. for administrators) only given to those who need it. When administrative accounts are created, they should only be used for that specific task, with standard user accounts used for general work.
Tip 3 Keep all your IT equipment up to date (patching)
For all your IT equipment (so tablets, smartphones, laptops, and PCs), make sure that the software and firmware are always kept up to date with the latest versions from software developers, hardware suppliers, and vendors. Applying these updates (a process known as patching) is one of the most important things you can do to improve security - the IT version of eating your fruit and veg. Operating systems, programs, phones and apps should all be set to ‘automatically update’ wherever this is an option. At some point, these updates will no longer be available (as the product reaches the end of its supported life), at which point you should consider replacing it with a modern alternative.
Tip 4 Control how USB drives (and memory cards) can be used
We all know how tempting it is to use USB drives or memory cards to transfer files between organizations and people. However, it only takes a single cavalier user to inadvertently plug in an infected stick (such as a USB drive containing malware) to devastate the whole organization. When drives and cards are openly shared, it becomes hard to track what they contain, where they’ve been, and who has used them. You can reduce the likelihood of infection by:
blocking access to physical ports for most users
using antivirus tools
only allowing approved drives and cards to be used within your organization - and nowhere else
Make these directives part of your company policy, to prevent your organization being exposed to unnecessary risks. You can also ask staff to transfer files using alternate means (such as by email or cloud storage), rather than via USB.
Tip 5 Switch on your firewall
Firewalls create a ‘buffer zone’ between your own network and external networks (such as the Internet). Most popular operating systems now include a firewall, so it may simply be a case of switching this on.
Prevent malware from being delivered and spreading to devices
You can reduce the likelihood of malicious content reaching your devices through a combination of:
filtering to only allow file types you would expect to receive
blocking websites that are known to be malicious
actively inspecting content
using signatures to block known malicious code
These are typically done by network services rather than users' devices. Examples include:
mail filtering (in combination with spam filtering) which can block malicious emails and remove executable attachments. NCSC's Mail Check platform can also help with this
intercepting proxies, which block known-malicious websites
internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
safe browsing lists within your web browsers which can prevent access to sites known to be hosting malicious content
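As an added example (not code from the original article or from NCSC), the following Python function applies the first and last of the controls above to a single mail attachment: it allows only the file types the organization expects to receive, rejects double extensions that hide an executable behind a harmless-looking name, and sniffs the leading bytes of the content so that an executable renamed to `.pdf` is still caught. The allowlist, the blocklist, the magic-number table and the sample attachments are constructed assumptions for illustration, not values taken from the article.

```python
"""Mail attachment policy check: allow only expected file types and catch
executables that are renamed or hidden behind a double extension.
Added illustrative code, not part of the original article."""

# Extensions the organization expects to receive (assumed allowlist).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg"}

# Extensions for directly runnable content (assumed blocklist); checked against
# every extension in the name so that "invoice.pdf.exe" is rejected.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1",
                         ".js", ".vbs", ".msi", ".hta"}

# Leading bytes ("magic numbers") that identify content regardless of its name.
MAGIC = {
    b"MZ": "pe-executable",      # Windows PE (.exe/.dll/.scr)
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",        # also OOXML (.docx/.xlsx/.pptx)
}

# What the content should sniff as for a given final extension.
EXPECTED_KIND = {".pdf": "pdf", ".png": "png", ".jpg": "jpeg",
                 ".docx": "zip", ".xlsx": "zip", ".pptx": "zip"}


def sniff(content: bytes) -> str:
    """Classify content by its first bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, content: bytes):
    """Return (allowed, reason) for one attachment under the policy above."""
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]          # e.g. ['.pdf', '.exe']
    if not exts:
        return False, "no extension"
    final = exts[-1]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, f"executable extension in name: {filename}"
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension {final} is not on the allowlist"
    kind = sniff(content)
    if kind in ("pe-executable", "elf-executable"):
        return False, f"content is a {kind} despite the {final} name"
    expected = EXPECTED_KIND.get(final)
    if expected and kind != expected:
        return False, f"content ({kind}) does not match {final}"
    return True, "ok"


def run_samples():
    """Constructed sample attachments (not real mail) and their verdicts."""
    samples = [
        ("report.pdf", b"%PDF-1.7 sample"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("invoice.pdf", b"MZ\x90\x00"),        # executable renamed to .pdf
        ("notes.txt", b"hello"),
        ("data.bin", b"\x00\x01"),
    ]
    return {name: check_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:18} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

The magic-number check is what makes the rule useful: an extension allowlist alone is defeated by renaming, and a blocklist alone is defeated by a type nobody thought to list. Plain text formats such as `.txt` have no reliable signature, so they pass on extension only, which is why they should only be on the allowlist if they are actually needed.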
Public sector organizations are encouraged to subscribe to the NCSC Protective DNS service. This will prevent users from reaching known malicious sites. Ransomware is increasingly being deployed by attackers who have gained access remotely via exposed services such as Remote Desktop Protocol (RDP), or unpatched remote access devices. To prevent this, organizations should:
enable MFA at all remote access points into the network, and enforce IP allow listing using hardware firewalls
use a VPN that meets NCSC recommendations, for remote access to services; Software as a Service or other services exposed to the internet should use Single Sign-On (SSO) where access policies can be defined (for more information read our blogpost on protecting management interfaces)
use the least privilege model for providing remote access - use low privilege accounts to authenticate, and provide an audited process to allow a user to escalate their privileges within the remote session where necessary
patch known vulnerabilities in all remote access and external-facing devices immediately (referring to our guidance on how to manage vulnerabilities within your organization if necessary), and follow vendor remediation guidance, including installing new patches as soon as they become available
Prevent malware from running on devices
A 'defense in depth' approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS, and version, but in general, you should look to use device-level security features. Organizations should:
centrally manage devices in order to only permit applications trusted by the enterprise to run on devices, using technologies including AppLocker, or from trusted app stores (or other trusted locations)
consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date
provide security education and awareness training to your people, for example, NCSC's Top Tips for Staff
disable or constrain scripting environments and macros, by:
enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy - you can use AppLocker as an interface to UMCI to automatically apply Constrained Language mode
protecting your systems from malicious Microsoft Office macros
disable autorun for mounted media (prevent the use of removable media if it is not needed)
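As an added example (not the article's own code and not an NCSC tool), the following Python routine shows one way a mail gateway or an endpoint script can tell whether an Office Open XML document carries a VBA macro project before a user opens it: it inspects the archive for a `vbaProject.bin` part and for the `application/vnd.ms-office.vbaProject` content type declared in `[Content_Types].xml`. The sample documents are built in memory and are constructed placeholders rather than real Word files; legacy OLE-format files (`.doc`, `.xls`) are flagged as uninspectable so that a policy can quarantine them rather than pass them through.

```python
"""Detect whether an Office Open XML document carries a VBA macro project.
Added illustrative code, not from the original article; sample documents
are constructed in memory for demonstration."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"


def inspect_office_file(data: bytes) -> dict:
    """Classify a file as {'format', 'has_macros', 'evidence'}.

    has_macros is True/False when the answer is known and None when the file
    could not be inspected (legacy OLE container or corrupt archive)."""
    if data.startswith(OLE_MAGIC):
        return {"format": "ole-legacy", "has_macros": None,
                "evidence": ["legacy binary container; needs an OLE parser"]}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "not-office", "has_macros": False, "evidence": []}
    evidence = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Any part named vbaProject.bin (word/, xl/, ppt/) is a macro project.
            for name in zf.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    evidence.append(f"part present: {name}")
            # The package manifest also declares the VBA content type.
            try:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                manifest = ""
            if VBA_CONTENT_TYPE in manifest:
                evidence.append("content type declares a VBA project")
    except zipfile.BadZipFile:
        return {"format": "corrupt-zip", "has_macros": None,
                "evidence": ["unreadable archive"]}
    return {"format": "ooxml", "has_macros": bool(evidence), "evidence": evidence}


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-like archive (placeholder, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ('<?xml version="1.0"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Override PartName="/word/document.xml" ContentType="application/'
                    'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macros:
            manifest += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Constructed placeholder bytes, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain", build_sample(False)), ("macro-enabled", build_sample(True))):
        print(label, inspect_office_file(doc))
```

Checking both the part list and the manifest matters because a document renamed from `.docm` to `.docx` still carries its `vbaProject.bin`, so the extension alone says nothing about whether macros are present. A `None` result should be treated as "quarantine and inspect", not as "clean".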
In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:
install security updates as soon as they become available in order to fix exploitable bugs in your products
enable automatic updates for OSs, applications, and firmware if you can
use the latest versions of OSs and applications to take advantage of the latest security features
configure host-based and network firewalls, disallowing inbound connections by default
Prepare for an incident
Malware attacks, in particular ransomware attacks, can be devastating for organizations because computer systems are no longer available to use, and in some cases, data may never be recovered. If recovery is possible, it can take several weeks, but your corporate reputation and brand value could take a lot longer to recover. The following will help to ensure your organization can recover quickly.
Identify your critical assets and determine the impact to these if they were affected by a malware attack.
Plan for an attack, even if you think it is unlikely. There are many examples of organizations that have been impacted by collateral malware, even though they were not the intended target.
Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders in a timely fashion.
Determine how you will respond to the ransom demand and the threat of your organization's data being published.
Ensure that incident management playbooks and supporting resources such as checklists and contact details are available if you do not have access to your computer systems.
Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.
Exercise your incident management plan. This helps to clarify the roles and responsibilities of staff and third parties, and to prioritize system recovery. For example, if a widespread ransomware attack meant a complete shutdown of the network was necessary, you would have to consider:
how long it would take to restore the minimum required number of devices from images and re-configure for use
how you would rebuild any virtual environments and physical servers
what processes need to be followed to restore servers and files from your backup solution
what processes need to be followed if onsite systems and cloud backup servers are unusable, and you need to rebuild from offline backups
how you would continue to operate critical business services
After an incident, revise your incident management plan to include lessons learned to ensure that the same event cannot occur in the same way again.
Steps to take if your organization is already infected
If your organization has already been infected with malware, these steps may help limit the impact:
Immediately disconnect the infected computers, laptops, or tablets from all network connections, whether wired, wireless or mobile phone-based.
In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
Reset credentials including passwords (especially for administrator and other system accounts) - but verify that you are not locking yourself out of systems that are needed for recovery.
Safely wipe the infected devices and reinstall the OS.
Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device you're connecting it to are clean.
Connect devices to a clean network in order to download, install, and update the OS and all other software.
Install, update, and run antivirus software.
Reconnect to your network.
Monitor network traffic and run antivirus scans to identify if any infection remains.