Monday, November 28, 2022

Notes from the Field - Center for Internet Security Control 10 - Malware Defenses

The client I was working with had a web application hosted on a Windows server with the anti-virus software disabled. When I asked the head of Information Technology about it, he said the company's web application didn't work when anti-virus was running, so they couldn't enable it. They weren't concerned about it as they had a firewall in place with malware protection. I strongly advised them to reconsider that decision. Instead of disabling anti-virus, I recommended they determine why the web application did not work and correct it. They were the only client I had worked with that did not have anti-virus enabled on a Windows web application server. The risk of a Windows server being infected by a virus is high, especially one with a public-facing IP address. Additionally, the server did not have recent security patches installed. It was only a matter of time before attackers compromised their web server.

It's commonly accepted that Windows systems must have anti-malware software installed to protect them while Linux and macOS don't need it. That view has been changing over the last several years. Linux and macOS are targeted more and more by ransomware and cryptojacking malware. In this post I discuss what I see at my clients, in my work as an information security auditor, regarding Center for Internet Security Control 10 - Malware Defenses.

Back of Old Botany Building along Pattee Mall at Penn State in Autumn
The Center for Internet Security Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The free but valuable document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with. I recommend it to all of my clients for information security guidance.

The overview for Control 10 is: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Control 10 includes 7 sub-controls or safeguards. They are:

10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software

Why is this control critical? Malicious software is one of the biggest threats to your company and customer data. Malware can be used to capture user credentials to further exploit your network. Malware can be used by attackers to encrypt and delete your data, preventing you from accessing it unless you pay a ransom for it. Attackers leverage machine learning tools to make more sophisticated and effective malware. Malware enters company networks through vulnerabilities, phishing, and many other avenues. It's necessary to have comprehensive malware defenses to protect your systems and data. 

Larger clients I work with generally have good practices in place for preventing malware. They have anti-malware or endpoint detection and response (EDR) tools installed on all of their servers, workstations, and laptops. They manage the tools centrally with a team that checks the status of systems. The team follows up on systems that are not reporting their status to the console, not receiving updates or have been infected by malware. 

Some of the most widely used anti-malware/EDR tools by larger clients are from Trend Micro, SentinelOne, CrowdStrike, Symantec, and McAfee. Additionally, network firewalls include filtering of malware traffic prior to reaching endpoints.  

Smaller to mid-size clients often don't have much in place to protect systems from malware. They lack the budget or staff resources to manage a centralized anti-malware tool. They rely on the default tools that are installed with the operating systems, such as Windows Defender for Microsoft Windows servers and end-user systems and XProtect for Apple macOS. Are Defender and XProtect enough? Maybe. But is maybe good enough to protect your company and customer data?

You want assurance that if new malware is spreading across the internet, your systems are fully protected. You also want to know if your systems are affected. Without a central management console for your anti-malware tool, it's difficult to know for sure what is going on in your company's network. Was one system affected or hundreds? It's important to know so you can take immediate action, such as isolating systems, blocking ports on your network, or pushing out a new security patch.
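The follow-up work described above (hosts not reporting, not receiving updates, or infected) can be done without a vendor console if every host reports a small status record somewhere you can read it. The script below is an added example, not code from this post or from any anti-malware product: the inventory, the status records, and their field names are constructed for illustration, and the thresholds (24 hours since last check-in, signatures older than 2 days) are assumptions you would tune to your own update cadence.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

# Constructed inventory and status records. In practice the records would come
# from an agent, a login script, or a scheduled query of each host; the field
# names here are assumptions for this example, not any vendor's schema.
INVENTORY = ["web01", "web02", "db01", "wks17", "app03"]

SAMPLE_REPORTS = [
    {"host": "web01", "last_checkin": "2022-11-28T08:00:00",
     "realtime_protection": True, "signature_date": "2022-11-28", "detections": []},
    {"host": "web02", "last_checkin": "2022-11-28T07:55:00",
     "realtime_protection": False, "signature_date": "2022-11-27", "detections": []},
    {"host": "db01", "last_checkin": "2022-11-20T02:10:00",
     "realtime_protection": True, "signature_date": "2022-11-19", "detections": []},
    {"host": "wks17", "last_checkin": "2022-11-28T08:02:00",
     "realtime_protection": True, "signature_date": "2022-11-28",
     "detections": ["Trojan.Generic"]},
]


@dataclass
class FleetReview:
    """Hosts grouped by the follow-up action they need."""
    not_reporting: list = field(default_factory=list)
    protection_disabled: list = field(default_factory=list)
    stale_signatures: list = field(default_factory=list)
    infected: list = field(default_factory=list)
    healthy: list = field(default_factory=list)


def review_fleet(inventory, reports, now,
                 max_checkin_age=timedelta(hours=24),
                 max_signature_age=timedelta(days=2)):
    """Walk the inventory (not just the reports) so silent hosts are not missed."""
    review = FleetReview()
    by_host = {r["host"]: r for r in reports}
    for host in inventory:
        report = by_host.get(host)
        if report is None:
            # No record at all: the host is silent, which is itself a finding.
            review.not_reporting.append(host)
            continue
        problems = False
        if now - datetime.fromisoformat(report["last_checkin"]) > max_checkin_age:
            review.not_reporting.append(host)
            problems = True
        if not report["realtime_protection"]:
            review.protection_disabled.append(host)
            problems = True
        if now.date() - date.fromisoformat(report["signature_date"]) > max_signature_age:
            review.stale_signatures.append(host)
            problems = True
        if report["detections"]:
            review.infected.append(host)
            problems = True
        if not problems:
            review.healthy.append(host)
    return review


def demo():
    # Fixed "now" so the sample data evaluates the same way every run.
    return review_fleet(INVENTORY, SAMPLE_REPORTS, datetime(2022, 11, 28, 9, 0, 0))


if __name__ == "__main__":
    for category, hosts in vars(demo()).items():
        print(f"{category:20s} {', '.join(hosts) or '-'}")
```

A host can land in more than one list (db01 is both silent and behind on signatures), which is deliberate: each list maps to a different remediation, and the "not reporting" list is the one to clear first, because nothing else about those hosts can be trusted until they talk again.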

For Linux servers, most small to mid-sized companies and even some larger companies I work with generally do not deploy anti-malware software. When they do, it's often ClamAV. That's sufficient to protect systems, but it does not have centralized management features. Logging and alerting for ClamAV can be leveraged using a SIEM tool, if one is in place, to get a full picture of the status of systems. Sometimes companies deploy OSSEC, a host intrusion detection tool, to their Linux systems instead of or in addition to deploying ClamAV. OSSEC is not a dedicated anti-malware tool but does include rootkit and malware detection.
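Getting ClamAV's findings into a SIEM comes down to parsing its log lines into structured events and collapsing repeated hits on the same file so the on-call person sees one finding per host rather than one per scan cycle. The parser below is an added example, not part of this post or of the ClamAV project. The log lines are constructed in the shape clamd writes when LogTime is enabled, with a hostname prefixed as a log forwarder might add it; the hostnames, paths and the Unix.Trojan.Example-1 signature name are made up, while Win.Test.EICAR_HDB-1 is ClamAV's name for the EICAR test file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Lines that are not detections (SelfCheck, clean
# files marked OK) are included so the parser has to skip them.
SAMPLE_LOG = """\
web01 Mon Nov 28 03:00:01 2022 -> SelfCheck: Database status OK.
web01 Mon Nov 28 03:12:44 2022 -> /var/www/uploads/invoice.pdf.exe: Win.Test.EICAR_HDB-1 FOUND
db01 Mon Nov 28 03:13:02 2022 -> /tmp/.cache/updater: Unix.Trojan.Example-1 FOUND
web01 Mon Nov 28 03:13:10 2022 -> /var/www/uploads/readme.txt: OK
web01 Mon Nov 28 04:00:00 2022 -> /var/www/uploads/invoice.pdf.exe: Win.Test.EICAR_HDB-1 FOUND
"""

# hostname, clamd timestamp, " -> ", path, ": ", signature, " FOUND"
FOUND_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> "
    r"(?P<path>.+?): (?P<signature>\S+) FOUND$"
)


def parse_detections(log_text):
    """Return one dict per FOUND line; all other lines are ignored."""
    detections = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        detections.append({
            "host": m["host"],
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "path": m["path"],
            "signature": m["signature"],
        })
    return detections


def summarize(detections):
    """Group by host and collapse repeated hits on the same file/signature."""
    per_host = defaultdict(dict)
    for d in detections:
        key = (d["path"], d["signature"])
        entry = per_host[d["host"]].setdefault(key, {"first_seen": d["time"], "hits": 0})
        entry["hits"] += 1
        entry["first_seen"] = min(entry["first_seen"], d["time"])
    return per_host


if __name__ == "__main__":
    summary = summarize(parse_detections(SAMPLE_LOG))
    print(f"{len(summary)} host(s) with detections")
    for host, findings in summary.items():
        for (path, signature), info in findings.items():
            print(f"{host}: {signature} in {path} "
                  f"(first seen {info['first_seen']:%Y-%m-%d %H:%M}, {info['hits']} hit(s))")
```

The hit count is worth keeping: a file that is still FOUND on the second hourly scan tells you the first alert was not acted on, which is exactly the "was it one system or hundreds, and is it still there" question a central console would otherwise answer.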

OSSEC and popular anti-virus/EDR tools have intrusion detection and file integrity monitoring features to identify changed files. This helps track activity and potential damage or deletion of files. Some of the tools can also stop processes completely based on behavior to better protect your systems and data. 

Anti-malware defenses combined with the other CIS Controls can help protect your network, systems, and data. Read the CIS Controls document today. 

Next month, I will discuss Center for Internet Security Control 11 - Data Recovery.    

