Malicious software, or malware, is an umbrella term covering any code or content that could have a malicious or undesirable impact on systems. Any exchange of information carries some risk that malware is exchanged along with it, which could seriously affect your systems and services. That risk can be reduced by implementing appropriate security controls as part of an overall 'defence in depth' approach.
What is the risk?
Malware infections can cause material harm to your systems. This might include disruption of business services, unauthorised export of sensitive information or loss of access to critical data (eg caused by ransomware). The range, volume and source of information exchanged (as well as the technologies used to exchange it) provide many opportunities for malware to be introduced. Examples include:
- Email: Email still provides a primary path for internal and external information exchange. Malicious email attachments can cause their payload to be executed when the file is opened or otherwise processed. Email with malicious content may be specifically targeted at known individuals with access to sensitive information, or at roles with elevated privileges (known as spear phishing). Alternatively, malicious email may include embedded links that direct users to websites hosting malicious content.
- Web browsing: Users may browse to, or be directed to, websites hosting malicious content that seeks to compromise the applications (such as the browser and its plugins) that render that content.
- Web services: User access to social media and other web based services gives users a way to import a wide variety of data formats, each of which is a potential carrier for malware.
- Removable media and personally owned devices: Malware can be transferred to a corporate system through the uncontrolled introduction of removable media or the direct connection of untrusted devices. This might include (for example) connecting a smartphone via a USB port, even if intended only to charge the device.
How can the risk be managed?
Develop and implement anti-malware policies: Develop and implement corporate anti-malware policies and standards and ensure that they are consistently implemented across your infrastructure. The approach should be applicable and relevant to all business areas.
Manage all data import and export: All data entering or leaving the organisation should be scanned for malicious content at the point of import or export, whether that is an internet gateway or a facility for introducing removable media.
Blacklist malicious web sites: Ensure that the perimeter gateway uses blacklisting to block access to known malicious websites. A blacklist only covers sites that are already known to be malicious, so it complements rather than replaces the content scanning and filtering controls described below.
Provide dedicated media scanning machines: Stand-alone workstations can be provided and equipped with appropriate anti-virus products. The workstation should be capable of scanning the content contained on any type of media and of inspecting content recursively (for example, files nested inside archives, and archives inside archives). Ideally, every scan should be bound to a known, authenticated user so that any content introduced can be traced back to the person who brought it in.
Establish malware defences: Malware can attack any system process or function, so a technical architecture that provides multiple defensive layers (defence in depth) should be considered. This should include the following controls.
- End user device protection: On many platforms, host-based malware protection is provided by antivirus applications. However, several platforms (such as some smartphones) meet the need to protect against malware using other mechanisms, such as application whitelisting. For further information see the NCSC End User Device guidance.
- Deploy antivirus and malicious code checking solutions to scan inbound and outbound objects at the network perimeter. Where host-based antivirus is also used, it may be sensible to use a different product at the perimeter from the one on the hosts, to increase overall detection capability. Any suspicious or infected objects should be quarantined for further analysis.
- Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to common desktop applications such as the web browser.
- Install firewalls where appropriate, configuring them to deny traffic by default.
- If the business processes can support it, consider disabling certain browser plugins or scripting languages.
- Where possible, disable the autorun function to prevent the automatic execution of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content.
- Ensure systems and components are well configured according to the secure baseline build and kept up to date.
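The media scanning workstation and scan-on-introduction controls above call for two things that are easy to get wrong in practice: inspecting content recursively (so an executable hidden inside a nested archive is still seen) and binding each scan to the user who introduced the media. The following Python script is an added example and is not NCSC code or part of the original guidance; it demonstrates a minimal recursive content inspector for a mounted removable-media volume that produces a user-bound audit record. The depth limit, expansion ratio, blocked-extension list and rule names are assumptions chosen for illustration, and the sample volume it builds is constructed inline (inert files, not real malware). It identifies file types by leading bytes rather than trusting the extension, refuses to open archives nested beyond the depth limit, treats very high decompression ratios as decompression bombs, and flags encrypted archive members it cannot inspect.

```python
"""Recursive content inspection of a removable-media volume, bound to a user.
Added example; limits and rule names are assumptions, not NCSC guidance."""
import getpass
import hashlib
import io
import json
import os
import tempfile
import zipfile
import zlib
from datetime import datetime, timezone

MAX_ARCHIVE_DEPTH = 3        # assumed policy: archives nested deeper than this are quarantined unopened
MAX_EXPAND_RATIO = 100       # assumed policy: uncompressed/compressed ratio above this is a decompression bomb
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Type identification by leading bytes (real signatures), so a renamed .exe is still seen as an executable.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",   # legacy Office container; may carry VBA macros
}
EXECUTABLE_TYPES = {"pe-executable", "elf-executable"}
# Assumed policy: these extensions have no business arriving on removable media.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta"}


def sniff_type(data):
    """Return a type label from the leading bytes, or 'unknown'."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"


def inspect_bytes(name, data, depth, findings):
    """Apply the content rules to one object and descend into any zip archive it is."""
    ftype = sniff_type(data)
    if ftype in EXECUTABLE_TYPES:
        findings.append((name, "executable-content"))
    if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
        findings.append((name, "blocked-extension"))
    if ftype != "zip":
        return
    if depth >= MAX_ARCHIVE_DEPTH:
        findings.append((name, "archive-too-deep"))  # refuse to open rather than recurse without bound
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"     # '!' separates archive from member, as AV products often do
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:               # encrypted member: its content cannot be inspected
                    findings.append((member, "encrypted-member"))
                    continue
                ratio = info.file_size / info.compress_size if info.compress_size else 0
                if info.file_size > MAX_MEMBER_BYTES or ratio > MAX_EXPAND_RATIO:
                    findings.append((member, "decompression-bomb"))
                    continue
                inspect_bytes(member, zf.read(info), depth + 1, findings)
    except (zipfile.BadZipFile, zlib.error):
        findings.append((name, "corrupt-archive"))


def scan_media(root, user=None):
    """Inspect every file under root and return one audit record tied to the requesting user."""
    findings, digest, count = [], hashlib.sha256(), 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                # deterministic order so the digest is reproducible
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            count += 1
            digest.update(hashlib.sha256(data).digest())
            inspect_bytes(os.path.relpath(path, root).replace(os.sep, "/"), data, 0, findings)
    return {
        "user": user or getpass.getuser(),             # the scan is bound to an identified user
        "time": datetime.now(timezone.utc).isoformat(),
        "root": root,
        "files": count,
        "content_digest": digest.hexdigest(),          # lets a later investigation tie the record to this exact content
        "verdict": "quarantine" if findings else "clean",
        "findings": sorted(findings),
    }


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()


def build_sample_media(dest):
    """Constructed sample volume (inert, not real malware): a PDF, a disguised executable,
    an archive hiding a screensaver executable, and an archive nested past the depth limit."""
    pe_stub = b"MZ" + b"\x90" * 62                     # DOS header magic only; does nothing
    deep = _zip_bytes({"l3.zip": _zip_bytes({"note.txt": b"hello"})})
    deep = _zip_bytes({"l1.zip": _zip_bytes({"l2.zip": deep})})
    files = {
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "tools/invoice.pdf.exe": pe_stub,
        "photos.zip": _zip_bytes({"holiday.jpg": b"\xff\xd8\xff\xe0 not a real jpeg", "setup.scr": pe_stub}),
        "deep.zip": deep,
    }
    for rel, data in files.items():
        path = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed volume in a temporary directory and scan it as user 'alice'."""
    with tempfile.TemporaryDirectory() as media:
        build_sample_media(media)
        return scan_media(media, user="alice")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, it prints a JSON audit record with verdict "quarantine" and five findings: the disguised tools/invoice.pdf.exe (executable content and a blocked extension), the setup.scr hidden inside photos.zip (the same two rules, which only fire because the archive was opened), and deep.zip!l1.zip!l2.zip!l3.zip, which is refused as too deeply nested. In a real deployment the record would be appended to a write-once log and the inspector would sit alongside, not instead of, the antivirus product on the workstation.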
User education and awareness: Users should understand the risks from malware and the day-to-day processes they can follow to help prevent a malware infection from occurring. The user instructions should contain the following:
- Try to stop and think before clicking on links, but don't worry if you think you've clicked on something harmful. Tell your security team as soon as possible and they will help.
- Do not connect any unapproved removable media or personally owned device to the network.
- Report any strange or unexpected system behaviour to the appropriate security team.
- Maintain awareness of how to report a security incident.
Our End User Device Security Guidance provides further guidance on managing the risk from malicious software on user devices.