Overview
Policy Statement
Intrusion Detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
Intrusion Prevention is the process of attempting to stop possible incidents that have been detected (usually by the intrusion detection system).
Intrusion detection and prevention systems (IDPS) have become a necessary addition to the security infrastructure of nearly every organization.
Scope
All devices, systems, people, and processes that constitute your organization's information and cloud-based systems.
IDPS types based on attack location
- Network-Based, which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity;
- Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves;
- Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations (e.g., a client system providing network services to other systems);
- Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity;
- Insider-Based, which monitors possible malicious threats to an organization that come from people within the organization, such as employees, former employees, contractors, or business associates who have inside information concerning the organization's security practices, data, and computer systems.
Procedures
Procedures and mapped controls
The Malware Threat
The threat posed by malware has never been more serious than it is today.
Types of Malware
Malware comes in many forms and is constantly changing as previous attack routes are closed and new ones are found. The most common types of malware found today are:
- Ransomware – a program that encrypts the victim's files; the attacker then demands a ransom from the victim or company in exchange for restoring access to the data
- Virus – a program that performs an unwanted function on the infected computer. This could involve destructive actions or the collection of information that can be used by the attacker
- Trojan – a program that pretends to be legitimate code but conceals other unwanted functions. Often disguised as a game or useful utility program
- Worm – a program that is capable of copying itself onto other computers or devices without user interaction
- Logic bomb – malicious code that has been set to run at a specified date and time or when certain conditions are met
- Rootkit – a program used to disguise malicious activities on a computer by hiding the processes and files from the user
- Keylogger – code that records keystrokes entered by the user
- Backdoor – a program that gives an attacker unauthorized access to the system at will
Malware Propagation
For malicious software to carry out its intended purpose, it needs to be installed on the target device or computer. There are several key ways in which malware infects computers and networks, although new ways are being created all the time.
The most common infection techniques are:
Phishing
This method involves tricking the user into taking some action that causes a malicious program to run and infect the computer being used. It is usually achieved via the blanket sending of unsolicited emails (Spam) with file attachments or web links included in them. When the user opens the file or clicks on the link the malicious action is triggered.
Phishing attacks have become more sophisticated in recent years and can be very believable and enticing to the user. More targeted versions of phishing have appeared such as Spear Phishing (aimed at a particular organization) and even Whaling (aimed at an individual).
Websites and Mobile Code
The widespread use of mobile code such as JavaScript on websites has provided attackers with another route to infect computers with malware. Often websites will be created to host the malware which is activated either upon clicking on a link or in some cases simply by visiting the website.
Increasingly, legitimate websites are being compromised and end up hosting malware without the owner's knowledge, making this type of attack very difficult for the user to avoid.
Removable Media
USB memory sticks, CDs, DVDs, and other removable media devices provide an effective way of spreading malware onto additional computers. When the media is inserted into the machine the malware will either run and infect the target or will copy itself onto the removable media and prepare to infect the next machine it is plugged into.
Hacking
Hacking, or "cracking" as it is more accurately known, is a more targeted and therefore less common method of introducing malware onto a computer or network by gaining unauthorized access to the network from outside (and sometimes inside) the organization. This method requires more knowledge on the part of the perpetrator and often exploits existing vulnerabilities in the software or network devices being used. Once access has been gained, malware is installed remotely onto the compromised machine.
Malware Protection
To prevent the infection of your organization's computers and networks and avoid the potentially dire consequences of such infection, several key controls will be adopted as policy.
The key concept adopted in this policy is "defense in depth" and no single control should be relied upon to provide adequate protection. This is therefore not a choice between controls but a list of necessary controls, all of which should be implemented where possible to guard against the threats outlined in the previous section.
Firewall
A firewall will be installed at all points at which the internal network or cloud environments are connected to the Internet:
Network - security groups, VPCs, and on-premises firewalls between the office networks and production environments.
Host - firewalls are enabled on endpoints, servers, and containers/Kubernetes.
Application - a web application firewall (WAF) and content delivery network are configured at the application layer to protect against common web application attacks such as cross-site scripting, injection, and denial-of-service attacks.
Endpoint Protection
Systems and mobile devices must have a form of antivirus, endpoint protection, or mobile protection installed and configured. Your organization is using CrowdStrike (or Cylance) agents that offer such protection. These agents are also installed on servers and containers whenever possible.
Anti-Virus
All anti-virus clients will be set to obtain signature updates regularly, either directly from the vendor website or from a central server within the organization.
By default, on-access scanning should be enabled to provide real-time protection. Regular full scans should also be carried out at least once a month.
Users should not be able to disable the protection which is centrally configured.
Spam Filtering
A system should be installed to filter out unsolicited and potentially harmful emails (spam). Types of attachments known to often contain malware should be blocked or removed before delivery to the user. Your organization uses a productivity solution to ensure proper spam filtering and email classification.
Software Installation and Scanning
Users should not have sufficient administrative access to their computer to allow them to install software onto it. Only approved software should be allowed and this must be installed by the IT department upon authorized request.
Regular scanning of user computers to detect unauthorized software should be carried out.
Vulnerability Management
Information on software vulnerabilities will be collected from vendors and third-party sources, and updates applied where available. If possible, and if permitted by the organizational change management policy, updates should be applied automatically as soon as they are released. More info in the Vulnerability Management Policy.
User Awareness Training
Users should be made aware of the information security policy when starting with the organization and be trained in ways to avoid falling victim to attacks such as phishing. More info in the Security Awareness and Training Policy.
Threat Monitoring and Alerts
Information about emerging threats should be obtained from appropriate sources, and users proactively alerted of potential attacks, giving as much detail as possible to maximize the chance of recognition. Additional intelligence feeds are received automatically through some of the third-party security solutions that have been implemented on the networks and/or endpoints. The data gathered through these external intel feeds is automatically used by the security solutions to analyze events and generate alerts.
Audit Reviews
Regular reviews of business-critical servers and networks will be carried out, in order to identify any malware that has been installed since the last review. This will include taking a snapshot of the configuration for later comparison purposes. More info in the Systems Audit Policy.
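As an added illustration of the configuration snapshot and comparison step above (example code, not part of the policy or any tooling it names), the following builds a SHA-256 manifest of a directory tree and reports what was added, removed or modified since the baseline; the sample file tree and manifest layout are assumptions.

```python
"""Configuration snapshot for audit reviews: record a baseline manifest of a
directory tree, then diff a later snapshot against it. Added example; the
manifest format and the constructed sample tree are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: {"sha256", "size", "mode"}} for every regular
    file under root. Symlinks are skipped rather than followed."""
    manifest, root = {}, Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # permission and setuid/setgid bits
        }
    return manifest


def compare(baseline, current):
    """Diff two manifests; 'modified' covers content, size or mode changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small config tree, then simulate the
    kinds of change a review should surface (new scheduled job, weakened
    sshd setting, setuid bit on a script, deleted file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cron.d").mkdir()
        (root / "bin").mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\n")
        # A real review stores the baseline off-host; round-trip via JSON here.
        baseline = json.loads(json.dumps(snapshot(root)))
        (root / "cron.d" / "report").write_text("0 3 * * * root /usr/local/bin/report.sh\n")
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "bin" / "backup.sh", 0o4755)  # mode-only change
        (root / "hosts").unlink()
        return compare(baseline, snapshot(root))
```

On platforms without POSIX permission bits the mode-only change is not detected, which is why the report is keyed on content hashes as well as metadata.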
Incident Management
If malware is detected on a server, client, network, or other IT component, an information security incident will be raised. This will be managed under the procedures set out in the Incident Response Policy.