Creating and Enforcing Anti-Malware Procedures and Practices Within an Organization Diane M. Duhé

July 7, 2011

Citation preview

Page 1: Creating And Enforcing Anti Malware Practices

Creating and Enforcing Anti-Malware Procedures

and

Practices Within an Organization

Diane M. Duhé


Abstract

Malware poses a significant threat to all computer networks, whether large or small. Malicious software is responsible for data corruption, loss, misuse, identity theft, and many types of unauthorized use. All of these contribute to potential liabilities, loss of services, damage to a company's reputation, loss of customers and/or stakeholders, and possibly to the company's inability to continue doing business.

This paper summarizes best practices for creating and enforcing anti-malware procedures as they pertain to enterprise networks and data security.

The method of approach is research conducted via the ACM Digital Library, the IEEE/IEE Electronic Library, professional journals, web articles and white papers, together with personal work experience as a Network Administrator.

The Introduction defines the term "malware" and summarizes the prevalence of, and damage caused by, malware infection in an enterprise.

The Best Practices section discusses creating and implementing Policies, Guidelines and Procedures for securing systems and networks.

The Related Costs section discusses methods for quantifying the cost of malware attacks, the importance of using "value calculators", and creating and implementing security budgets.

Introduction

The term "malware" once meant little more than viruses, worms and trojans, but current malware has evolved into a very selective tool. It is no longer written with amateur scripts or by "copy and paste" script kiddies. Instead, highly trained, paid programmers author malware, supported by political syndicates, organized crime, government-sanctioned but unacknowledged ("dark") operations, and some nation-states. [1]

What began as pranks has evolved into serious criminal activity. Malware is now used for crimes such as industrial espionage, "transmitting digital copies of trade secrets" [2], customer names, future business plans and contracts, and virtually any other private or personal information.

In order to discuss best practices for implementing anti-malware protection, it is necessary to have a basic understanding of enterprise malware infection and its effects.


The Prevalence of Computer Crime

The 2010/2011 CSI Computer Crime and Security Survey revealed that: [3]

- "Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
- Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent saying they'd seen this type of incident during the covered period.
- Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they'd been the subject of at least one targeted attack.
- Fewer respondents than ever are willing to share specific information about dollar losses they incurred. Given this result, the report this year does not share specific dollar figures concerning average losses per respondent. It would appear, however, that average losses are very likely down from prior years.
- Respondents said that regulatory compliance efforts have had a positive effect on their security programs.
- By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions.
- Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools." [3]

Best Practices

Malware detection has, until recently, relied primarily on "signatures". Signature-based detection requires that a malware sample be analyzed and a byte sequence (or a file hash) unique to it be found; that pattern is then shipped to the anti-malware software, which must be installed on the system and allowed to scan for, detect and remove the malware. The entire process must be repeated for every novel instance or variant, because a signature matches only the exact content it was written for. This method is reactive and, on its own, insufficient. [4]

As malware continues to evolve in ways that avoid detection, it is not practical to rely on this method alone. Malware is increasingly written with innovative and aggressive techniques that evade detection and sometimes withstand disinfection. Until better proactive detection is available, malware will continue to infect networks and network components, costing the affected businesses time, money and resources.
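To make the limitation concrete, here is an added example (not code from the paper) of a toy signature scanner in Python. The "malware" is a constructed, non-executable byte string and the signature names are invented. It defines a hash signature, an exact byte-pattern signature and a more tolerant regular-expression signature for the same sample, then shows how cheaply each is defeated by a variant whose behaviour is unchanged:

```python
"""Minimal signature-based scanner: why exact signatures miss variants.

Added example, not from the original paper. SAMPLE is a constructed byte
string (a fake PE-style header plus a command line a dropper might launch);
nothing here is executable, and the signature names are invented.
"""
import hashlib
import re
from typing import Dict, List

SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28
          + b"cmd.exe /c powershell -enc SQBFAFgA")

# Three signature styles for the same sample, from most to least brittle.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE).hexdigest(): "Example.Dropper.A (sha256)",
}
BYTE_SIGNATURES = [
    (b"powershell -enc", "Example.Dropper.A (byte pattern)"),
]
# Case-insensitive, tolerates extra whitespace, ".exe" and the long
# "-EncodedCommand" spelling of the switch.
REGEX_SIGNATURES = [
    (re.compile(rb"powershell(?:\.exe)?\s+-e(?:nc(?:odedcommand)?)?\b",
                re.IGNORECASE),
     "Example.Dropper.A (regex)"),
]


def scan(data: bytes) -> List[str]:
    """Return the names of every signature that matches `data`."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in BYTE_SIGNATURES:
        if pattern in data:
            hits.append(name)
    for regex, name in REGEX_SIGNATURES:
        if regex.search(data):
            hits.append(name)
    return hits


# Constructed variants an author could produce in seconds.
VARIANTS = {
    "original": SAMPLE,
    # One appended byte: the file hash changes, the content does not.
    "padded": SAMPLE + b"\x00",
    # Case change: defeats an exact byte match but not the regex.
    "recased": SAMPLE.replace(b"powershell -enc", b"PowerShell -ENC"),
    # Caret escaping, which cmd.exe strips before running the command,
    # defeats all three signatures while the behaviour stays the same.
    "caret": SAMPLE.replace(b"powershell -enc", b"pow^ershell -e^nc"),
}


def detection_matrix() -> Dict[str, List[str]]:
    """Map each variant name to the signatures that still catch it."""
    return {name: scan(data) for name, data in VARIANTS.items()}


if __name__ == "__main__":
    for variant, hits in detection_matrix().items():
        print(f"{variant:>9}: {hits or 'NOT DETECTED'}")
```

Each signature style buys a little more tolerance at the price of more false-positive risk, and the last variant slips past all of them; that is the treadmill the paragraph above describes, and why vendors moved toward behavioural and heuristic detection.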

Frequently, organizations mistakenly treat malware infections as a series of independent episodes: when a malicious program is discovered it is remediated, and the cycle repeats on the next system. This approach cannot contain an infection before it spreads across the network to more components, and malware spreading in this way can damage the organization's ability to carry out its daily business.

Disinfecting hundreds or thousands of computers on an enterprise network would be a monumental task. A new, proactive approach to prevention, detection, disinfection and recovery must be adopted for enterprise networks, and it must differ from the methods used for the same purposes on individual systems. The approach should be viewed as "holistic" security comprising four phases: Plan, Resist, Detect, and Respond. [5]

Interesting figures:

"80% of businesses without a recovery plan went bankrupt within 1 year of a major data loss.

59% of companies cannot conduct business during unscheduled IT downtime."


1. PLANNING: Creating written policies and guidelines

Planning an approach to minimize malware infection means addressing key issues such as the diversity of system configurations and business requirements within the organization, the assortment of technologies in use, the logistical challenges of systems scattered across geographic locations, internal political hindrances, and the legal and regulatory aspects of IT as they apply to the organization.

Implementing clearly written policies helps to mitigate the risks associated with malware.

A Policy is "A formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area." [7] It defines required actions and sets the rules.

All policies should include the following attributes:

- Mandatory compliance
- Technology objectives, i.e. why the technology is being provided to the user
- Expectations of privacy, including the use of monitoring and logging
- Detailed acceptable use, outlining permitted as well as prohibited user actions
- Detailed restrictions, which may involve issues concerning confidentiality
- Defined consequences for violations
- Implementation focus
- Further definition by guidelines and/or standards

Standards, Guidelines and Procedures:

Standards are mandatory rules written in conjunction with, and designed to support, a policy. They help make the policy more effective. Standards usually include specifications for hardware, software and/or behavior, and describe requirements for various configurations.

Guidelines are general statements designed to provide a framework within which to implement the policy. They are not mandatory and are more like suggestions or "best practices". They provide information on "how" to do something. Guidelines can change frequently and must be reviewed more often than Standards or Policies.

Procedures are the mechanisms for enforcing policies. They are especially beneficial in times of crisis, when nobody should have to improvise. They outline, step by step, "how" the policy is implemented.

"Position Statements" are often precursors to policies and are much simpler, in that they focus on a particular technology and the expectations for its use within the organization.

2. RESISTING: Employing a variety of ways to protect networks from infection and intrusion [8]

Implement Security Policies

Security Policies must agree with the organization's security standards. Policies must be reviewed regularly to reflect current organizational needs while remaining compatible with other company policies. Questions to ask when reviewing a policy:

- Has the company structure changed?
- Does the policy reflect the company's guidelines?
- Have there been new technology purchases?
- Are there new State or Federal compliance requirements?
- Is there new user behavior to address?


Implement Security Systems

Security systems (firewalls, anti-malware, intrusion detection and the monitoring described below) must be implemented on the network to protect it from cybercrime and other threats such as malware, hacking and information theft.

Manage and Control IT

Manage and control IT by utilizing an enterprise management system (EMS) to perform network monitoring, to ensure policy compliance as well as security at the system level.

Implement Group Policy

Protecting and securing the network and network resources must occur at both the system and the network level. Group Policy can push host firewall rules (Windows Firewall with Advanced Security) to every domain-joined system, restricting inbound traffic from the Internet and other less trusted networks by port and by source address, with separate rule sets for the domain, private and public network profiles.

Group Policy can also control user activity, such as which devices users are allowed to connect to computer systems and how removable media such as USB drives may be used (for example, denying write access or blocking removable storage entirely through the Removable Storage Access policies).

Educate users

Ensure network users are educated and informed regarding the types of malware attacks, the signs of infection, and how to report a suspected one.

Implementing Further Protection:

- Use a firewall
- Utilize anti-virus/anti-malware software
- Enforce:
  - Email policies
  - Password policies
  - Acceptable use policies
- Ensure Group Policies and network monitoring cover:
  - USB and portable devices
  - Instant messaging
  - Internet applications
  - Public social networks
  - Downloading and/or installing software

3. DETECTING

Use an Intrusion Detection System (IDS)

Employing intrusion detection hardware/software on the network helps surface infections and security breaches early, which is what makes containment possible. A passive IDS only alerts; it blocks traffic only when the sensor is deployed inline as an intrusion prevention system (IPS).

Use a Network Management System

Implement network management and monitoring so that anomalies are noticed as they happen rather than discovered after the fact.

4. RESPONDING

The National Institute of Standards and Technology's "Computer Security Incident Handling Guide" (SP 800-61) lists three steps for responding to a confirmed malware attack: [9]

- Containment
- Eradication
- Recovery

In SP 800-61 these three steps form one phase of a larger lifecycle: preparation (the Planning work above) comes before them, detection and analysis triggers them, and a post-incident review follows them. Performing these steps should be supported by the guidelines written during the Security Planning phase, outlined above.

Containment

Efforts to contain the spread of the malware should include: [10]

- Instructing users what they should and should not do in order to limit the spread of the malicious software (for example, not clicking links in the suspicious email).
- Temporarily disconnecting affected systems from the network. Isolate them (unplug the network cable, disable the switch port or move them to a quarantine VLAN) rather than powering them off, so that memory contents and running processes remain available for analysis.

Eradication

- Eradicating the malware (also called "disinfecting"): removing the malware and, where a system cannot be verified clean, restoring it from known-good backups or rebuilding it.
- "Locking down" systems, patching the vulnerabilities that were exploited, and reconfiguring affected components of the infrastructure.

Recovery

- Focus on returning to normal operation.
- Confirm that the attack has been contained.
- Ensure the malware has been removed.
- Determine which containment actions can now cease.

Collaborating with entities such as the legal department or public relations may also be a component of recovery.

Response teams should then review their course of action, assess and adjust the applicable security mechanisms, and agree on methods for improvement. These proceedings conclude the security cycle and bring the focus back around to the Planning phase.

The Related Costs of Malware

Determining and balancing the cost of malware is an exercise in risk analysis. The first step is assigning a value to every information asset. The second step is estimating the potential loss.

The assigned asset and loss values are then used to determine the single loss expectancy (SLE): the cost of a single malware incident. In standard risk-analysis terms this is the asset value multiplied by the fraction of that value one incident destroys (the exposure factor), plus the direct costs of handling the incident.

The source cited here lists the following items as making up the cost of malware: [11]

- The cost of purchasing/maintaining anti-malware products
- The ongoing cost of maintaining anti-malware, i.e. subscriptions for updates and other related services
- The value of the company's data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information and emails)
- Lost revenue
- Potential fines and penalties for violating confidentiality/privacy agreements
- Loss of employee productivity
- Cost of repairing damaged systems
- Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space)

Note that the product, subscription and hardware-overhead items are countermeasure costs, paid whether or not an incident happens; they belong on the budget side of the comparison, while the remaining items are the per-incident losses that make up the SLE.

Next, determine the annualized rate of occurrence (ARO): the average number of malware incidents per year, based on the organization's own history of previous attacks.

Multiply the SLE by the ARO to obtain the annual loss expectancy (ALE), the expected yearly cost of malware for the business. [12]

Setting a Security Budget

Determine the annual cost of malware and plan the anti-malware budget accordingly. The figures from the calculations above provide a rough estimate of the planned yearly expenditure for anti-malware protection; a control that costs more per year than the loss it is expected to avoid is hard to justify on cost alone.

Assess the amount of risk the company is willing to accept. For example, some companies might accept a higher risk of infection because the actual probability of attack has been determined to be very low, or because the organization has reduced the risk in other ways, such as by purchasing insurance or using offsite backup solutions.

These calculations can be used in creating a security budget and/or in calculating the value of the anti-malware tools already in place. [13]
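The SLE/ARO/ALE arithmetic above and the budget comparison that follows from it, carried through in Python as an added example (not code from the paper or from any of the cited sources). Every dollar figure, asset, incident count and reduction percentage in the EXAMPLE_* inputs is a constructed assumption chosen to show the calculation; the productivity helper uses only the employee-side inputs (head count, minutes per day, hourly rate), not the IT-staff inputs of the online calculator discussed below:

```python
"""Malware risk arithmetic: SLE, ARO, ALE and a countermeasure cost/benefit check.

Added example, not code from the paper. Every figure in EXAMPLE_* below is a
constructed assumption used to exercise the calculation, not a measured cost.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # cost to restore or re-create it, in dollars
    exposure_factor: float  # fraction of that value lost in one incident, 0..1


@dataclass(frozen=True)
class IncidentProfile:
    """Loss side of one malware incident (the inputs to the SLE)."""
    assets: List[Asset]
    lost_revenue: float
    fines: float
    repair_cost: float
    staff_hours_lost: float
    hourly_rate: float

    def sle(self) -> float:
        """Single loss expectancy: asset damage plus direct per-incident costs."""
        asset_loss = sum(a.value * a.exposure_factor for a in self.assets)
        productivity = self.staff_hours_lost * self.hourly_rate
        return asset_loss + self.lost_revenue + self.fines + self.repair_cost + productivity


@dataclass(frozen=True)
class Countermeasure:
    """Cost side: what the control costs per year and how much risk it removes."""
    name: str
    annual_cost: float        # licences, subscriptions, admin time, hardware overhead
    aro_reduction: float      # fraction of incidents it is expected to prevent, 0..1
    sle_reduction: float = 0  # fraction by which it shrinks the damage of incidents it misses


def productivity_hours(employees: int, minutes_per_day: float, days: float) -> float:
    """Staff-hours of work lost while a service such as email is unusable."""
    return employees * minutes_per_day / 60 * days


def annual_rate_of_occurrence(incidents_per_year: List[int]) -> float:
    """ARO: average incidents per year over the years recorded."""
    if not incidents_per_year:
        raise ValueError("need at least one year of incident history")
    return sum(incidents_per_year) / len(incidents_per_year)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected yearly cost of the threat."""
    return sle * aro


def evaluate(profile: IncidentProfile, history: List[int],
             control: Countermeasure) -> Dict[str, float]:
    """ALE with and without the control, and the control's net yearly benefit."""
    sle = profile.sle()
    aro = annual_rate_of_occurrence(history)
    ale_before = annual_loss_expectancy(sle, aro)
    ale_after = annual_loss_expectancy(sle * (1 - control.sle_reduction),
                                       aro * (1 - control.aro_reduction))
    benefit = ale_before - ale_after
    return {
        "sle": sle,
        "aro": aro,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": benefit - control.annual_cost,
        # Return on security investment: loss avoided per dollar spent. It is
        # only as credible as the ARO/SLE reduction estimates behind it.
        "rosi": (benefit - control.annual_cost) / control.annual_cost,
    }


# Constructed inputs (assumptions, not measurements).
EXAMPLE_PROFILE = IncidentProfile(
    assets=[
        Asset("customer database", value=120_000, exposure_factor=0.25),
        Asset("email archive", value=40_000, exposure_factor=0.50),
    ],
    lost_revenue=15_000,
    fines=0,
    repair_cost=5_000,
    staff_hours_lost=productivity_hours(employees=1000, minutes_per_day=30, days=0.8),
    hourly_rate=25,
)
EXAMPLE_HISTORY = [2, 1, 3]  # malware incidents in each of the last three years
EXAMPLE_CONTROL = Countermeasure("endpoint anti-malware + USB control",
                                 annual_cost=30_000, aro_reduction=0.6,
                                 sle_reduction=0.25)

if __name__ == "__main__":
    for key, value in evaluate(EXAMPLE_PROFILE, EXAMPLE_HISTORY, EXAMPLE_CONTROL).items():
        print(f"{key:>11}: {value:,.2f}")
```

With these assumptions the SLE is $80,000, the ARO is 2 incidents per year, the ALE falls from $160,000 to $48,000 once the control is in place, and the control's $30,000 annual cost leaves a net benefit of $82,000. The same function answers the budget question in the next section: if `net_benefit` goes negative, the control costs more than the loss it is expected to avoid.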

Calculators

There are many risk calculators available online as shareware. They are easy to use and generate an estimate of various risks from several of the variables mentioned above.

One such calculator, located at http://www.cmsconnect.com/Marketing/viruscalc.htm, was used to estimate the financial risk for a fictitious organization of 1,000 employees. It models the organization's workplace and email environment (number of employees with email access, minutes of email use per employee per day, and average employee salary) along with the number of IT staff and their average salary.

For a fictitious organization of 1,000 employees earning an average of $25/hr and using email for approximately 30 minutes per day, the calculator reported that an email malware attack would cost the company 524 hours, which it translated into $13,700.00 in lost salaries per day (or $570.83 per hour).


Return on Investment

When using Return on Investment to justify purchasing security technology, remember that avoiding a possible loss is very different from generating income: the "return" is an estimate of a loss that did not happen, and it is only as good as the incident-rate and loss figures behind it. Use ROI cautiously.

Findings

Malware affects networks of all sizes and is installed by various means, many times without the user's consent or knowledge. It is costly to businesses, in prevention as well as in recovery.

Malware is no longer viewed as a prank created by script kiddies. It is now developed by professional programmers who are paid for their work, and it is used to steal information of all kinds. New types of malware are continuously being developed in order to avoid detection.

Detection and disinfection can be costly. The way the enterprise behaves throughout all four phases of the security cycle determines its success in protecting its network and data from malware. [14]

Recommendations

Risk analysis and assessment must be performed; they are a necessary element in determining the expenditures a business should prepare to incur.

Creating and implementing a security budget is essential in order to protect information assets, privacy, confidentiality, and the network infrastructure.

Value

I feel that in doing the research for this paper, I have learned about the processes that must be in place to secure an enterprise network and its data. I've learned about the importance and benefits of policies, guidelines and procedures, and about the steps that are necessary for protecting a valuable asset such as an organization's network. The hardware and software are indeed valuable, but the information and data that belong to the company have much value as well, maybe even more than the former.

It's not just the computers, hardware, software and employees that enable the company to do business and to remain in business. It is those things in addition to maintaining data integrity, privacy, availability and confidentiality as well.

Risk Assessment, Risk Management, and Disaster Recovery are all areas that I have become interested in recently, and I feel that this paper has introduced me to several key concepts in all of those areas and given me a basic understanding of them. I may make a career change after I graduate, leaving Network Administration and entering the realm of Risk Management or Security.


References

1. George Ledin, Jr., "The Growing Harm of Not Teaching Malware", Communications of the ACM, vol. 54, no. 2, February 2011.

2. Steve Lohr, "Companies Fight Endless War Against Computer Attacks", NYTimes.com, January 17, 2010. Retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html

3. Lenny Zeltser, "4 Steps To Combat Malware Enterprise-Wide", Zeltser.com. Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html

4. Ellen Messmer, "Security vendors leaving 'old school' malware detection methods behind", NetworkWorld, 2008. Retrieved 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html

5. AbleOne Systems, http://www.ableone.com

6. Lenny Zeltser, "4 Steps To Combat Malware Enterprise-Wide", Zeltser.com. Retrieved 06/26 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html

7. The SANS Institute, "A Short Primer for Developing Security Policies", 2007.

8. Lenny Zeltser, "4 Steps To Combat Malware Enterprise-Wide", Zeltser.com. Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html

9. Lenny Zeltser, "4 Steps To Combat Malware Enterprise-Wide", Zeltser.com. Retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html

10. Karen Scarfone, Tim Grance, Kelly Masone, "Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology", NIST Special Publication 800-61 Revision 1, National Institute of Standards and Technology.

11. John Edwards, "Money for Nothing: The Real Cost of Malware", Focus, April 30, 2009. Retrieved 06/28/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/

12. John Edwards, "The Malware Burden", Network Security Journal, 2008. Retrieved June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/9

13. "Balancing the cost and benefits of countermeasures", SearchSecurity.com. Retrieved June 29, 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasures

14. Computer Security Institute, 15th Annual 2010/2011 Computer Crime and Security Survey.

Other Resources:

- Quest Software, "Best Practices in Instant Messaging Management", http://www.idgconnect.com/view_abstract/2619/best-practices-instant-messaging-management-2619

- Mark Merkow and Jim Breithaupt, Information Security Principles and Practices, Pearson Education Inc., 2006.

- L. M. Applegate, F. W. McFarlan, and R. D. Austin, Corporate Information Strategy and Management: Text and Cases, 6th ed., New York: McGraw Hill, 2003.

Acknowledgements

1. Dr. Halstead-Nussloch, my professor for this course, IT6683, for providing the opportunity to research and write this paper.

2. Dr. Rutherfoord, my professor for IT5102 "Intro to Security", for her interesting PowerPoint presentations and all that I have learned from her.

3. Dr. Kim Kenneth Metcalf of UWG, my fiancé, for challenging and encouraging me.

4. Arden Peterkin, Network Security Consultant for GCPS, for providing invaluable information about the most current network threats detected and remediated there.