Malware Busters
I've been seeing many organizations struggle with malware lately, so I thought I'd offer a refresher on dealing with malicious software and all the ways it can creep into your organization. Removing malware and rebuilding infected systems eats up IT time and resources (not to mention the potential fallout from any stolen information), so your best bet is to prevent the compromise in the first place. Here's how.
July 9, 2010
Malware has a limited number of entry points into the organization. E-mail, Web downloads, and VPN connections are the common entrances. Let's start with e-mail. Make sure your e-mail gateway scans not only for spam and viruses, but also checks the links inside messages against blacklists of known-malicious sites. I also recommend a more aggressive approach to suspect messages. Don't just tag an e-mail as potentially harmful and pass it on to the end user, because many users will decide it's fine and open it anyway. Instead, configure the gateway to block delivery and hold the message in quarantine.
Next, have the gateway send the end user a notice stating that a message has been held, why it is in quarantine, who it was from, what the subject was, and how to contact IT if they believe the message should be delivered. This step forces the user to decide whether the message is worth the extra effort of asking for its release. When it comes to products, I've had success with IronPort in numerous engagements. I also recommend Barracuda for an on-site solution. If you need hosted solutions, check out AppRiver and Symantec's MessageLabs.
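The block-then-notify policy above, as an added example (not code from the article or from any of the products it names): the gateway checks every link in a message against a domain blocklist, and if one hits, the message is held and a notice to the intended recipient is composed with the reason, sender, subject and an appeal address. The blocklist domains, the sample messages and the gateway address are constructed for this example. Matching is done per DNS label so that `update.bad-downloads.example` is caught while `notbad-downloads.example` is not, which a naive suffix match would get wrong.

```python
"""Added example: e-mail gateway link check with block-and-quarantine."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed blocklist for the example; a real gateway pulls this from a feed.
BLOCKLIST = {"bad-downloads.example", "phish.example.net"}
GATEWAY_ADDRESS = "mail-gateway@corp.example"  # hypothetical notice sender

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(msg):
    """Collect http(s) URLs from every text part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def blocked_domain(hostname):
    """Return the blocklist entry that matches the host or one of its parent
    domains, else None. Comparison is label-aware, not a string suffix test."""
    host = (hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def quarantine_notice(msg, reasons):
    """Compose the held-message notice: why, from whom, subject, how to appeal."""
    notice = EmailMessage()
    notice["To"] = str(msg["To"])
    notice["From"] = GATEWAY_ADDRESS
    notice["Subject"] = "A message to you has been held in quarantine"
    notice.set_content(
        "A message addressed to you was blocked and is being held.\n"
        f"From: {msg['From']}\n"
        f"Subject: {msg['Subject']}\n"
        "Reason(s):\n" + "".join(f"  - {r}\n" for r in reasons) +
        f"If you believe it should be delivered, contact {GATEWAY_ADDRESS} "
        "and quote the subject line above.\n"
    )
    return notice


def evaluate(raw):
    """Decide deliver vs. quarantine for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for url in extract_urls(msg):
        entry = blocked_domain(urlparse(url).hostname)
        if entry:
            hits.append(f"link to blocklisted domain {entry} ({url})")
    if not hits:
        return {"action": "deliver", "reasons": []}
    return {"action": "quarantine", "reasons": hits,
            "notice": quarantine_notice(msg, hits)}


# Constructed sample messages for the example.
SAMPLE_BAD = b"""From: billing@vendor.example
To: user@corp.example
Subject: Overdue invoice
Content-Type: text/plain

Please review your invoice at http://update.bad-downloads.example/doc.exe today.
"""

SAMPLE_CLEAN = b"""From: billing@vendor.example
To: user@corp.example
Subject: Meeting notes
Content-Type: text/plain

Notes are at https://intranet.corp.example/notes/42
"""

if __name__ == "__main__":
    result = evaluate(SAMPLE_BAD)
    print(result["action"], result["reasons"])
    if result["action"] == "quarantine":
        print(result["notice"])
```

The notice deliberately carries the sender and subject but not the original link, so the user cannot simply click through from the notice itself.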
Next is the Web. Today, the browser is the most common vector for malware infection. Attackers serve up malware through advertising networks, from malicious sites, and by compromising legitimate sites. A URL filter that blocks known malicious sites is a good start, but it will not help when a legitimate site is hijacked. Therefore, it's essential to scan incoming Web traffic itself for malware and viruses. For on-site products I like Websense and M86. M86 is innovative because it can detect attacks that combine technologies such as JavaScript and Flash. Purewire, acquired by Barracuda, and Zscaler offer SaaS-based Web filtering.
VPN entry points are another route malware takes in. This has always been an area I've struggled with, because users want the same access over the VPN that they have in the office. But sometimes that's just not possible, because you can't always control the endpoints. The best approach to blocking most malware from coming across is to implement an SSL VPN or use terminal servers, so users don't get direct network access from their own machines. When these options aren't feasible, consider adding a security device that monitors the VPN traffic for virus and malware signatures. An IPS or IDS such as those from Juniper Networks, HP (via TippingPoint), or the open-source Snort can help.
It goes without saying that you should have client-based malware protection on end users' PCs and laptops, particularly for employees who travel and connect to unprotected networks in hotels, airports and coffee shops. I also recommend network access control (NAC), so that when these laptops do come home, they can be quarantined and cleaned before being admitted to your network. Kaspersky, McAfee, Sophos, Trend Micro and Symantec are the usual suspects for client-based anti-malware software. Network vendors such as Cisco Systems offer NAC systems.
I've implemented this layered approach (e-mail, Web, VPN and client) numerous times, and as each layer comes online, I've seen malware infections drop. However, this approach requires a lot of technology to purchase and put in place. If you don't have the budget or IT staff to support all these layers, start with endpoint protection.
If you can deploy two, add the Web malware filter next. A few years ago I would have recommended an e-mail filter before the Web filter, but for most organizations Web-based malware now represents the greatest threat. You can still protect your mail system cheaply by configuring your e-mail clients securely and filtering attachments by file extension. Note that there are no perfect solutions to this problem. Malware writers always have the upper hand when it comes to thwarting detection, but a little work goes a long way toward protecting your organization.
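Filtering attachments by file extension, as an added example (not code from the article or any product it names): the filter looks at the real final extension of each attachment, so `invoice.pdf.exe` is still blocked, strips trailing spaces and dots that are sometimes appended to hide the extension, and rejects any filename containing the Unicode right-to-left override, which makes `photo<RLO>gnp.scr` display as `photorcs.png`. The extension list, the sample message and the addresses in it are constructed for this example and are not an authoritative policy.

```python
"""Added example: attachment extension filter for a mail gateway."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute or that carry active content. A constructed
# starting point for the example, not an exhaustive or authoritative list.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs",
                      "wsf", "hta", "jar", "lnk", "msi", "cpl"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, used to disguise extensions


def extension_of(filename):
    """Final extension in lower case, after removing trailing spaces and dots
    that would otherwise hide it from a naive split."""
    name = filename.strip().rstrip(". ")
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def attachment_verdict(filename):
    """Return (blocked, reason) for one attachment filename."""
    if RLO in filename:
        return True, "filename contains right-to-left override"
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return True, f"extension .{ext} is not allowed"
    return False, "allowed"


def scan_attachments(raw):
    """Return [(filename, reason)] for every attachment the policy blocks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit, reason = attachment_verdict(name)
        if hit:
            blocked.append((name, reason))
    return blocked


def build_sample():
    """Constructed sample: one benign PDF and one executable disguised with a
    double extension. The payload bytes are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"] = "vendor@partner.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_attachments(build_sample()):
        print(f"blocked {name!r}: {reason}")
```

Extension filtering is a cheap backstop, not a substitute for content scanning: a renamed executable inside a ZIP or a macro-bearing document passes this check, which is why the article still puts the scanning layers first.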