Creating and Enforcing Anti-Malware Procedures and Practices Within an Organization

Diane M. Duhé
Abstract

Malware poses a significant threat to all computer networks, whether large or small. Malicious software is responsible for data corruption, loss, misuse, identity theft, and many types of unauthorized use. All of these contribute to potential liabilities, loss of services, damage to a company’s reputation, loss of customers and/or stakeholders, and possibly to the company’s inability to continue doing business.

This paper will provide a summarization of the best practices in regard to creating and enforcing anti-malware procedures, as they pertain to enterprise networks and data security.

The Method of Approach will be research, conducted via the ACM Digital Library, IEEE/IEE Electronic Library, professional journals, web articles, white papers, and personal work experience as a Network Administrator.

The Introduction will define the term “malware” and summarize the prevalence of, and damage caused by, malware infection in an enterprise.

The Best Practices section will discuss creating and implementing Policies, Guidelines and Procedures for securing systems and networks.

The Related Costs section will discuss methods for quantifying the costs of malware attacks, the importance of utilizing “value calculators”, and creating/implementing security budgets.

Introduction

The term “Malware” once referred to viruses, worms, and trojans, but current malware has evolved into a very selective tool. Malware is no longer written using amateur scripts, or using “copy and paste” methods by script kiddies. Instead, highly trained, paid programmers are authoring malware, supported by political syndicates, organized crime, government-sanctioned but unacknowledged (“dark”) operations, and some nation-states. What began as pranks has evolved into serious criminal activity.

Malware is now used for crimes such as industrial espionage: “transmitting digital copies of trade secrets”, customer names, future business plans, and contracts, virtually any and all private or personal information. In order to discuss best practices for implementing anti-malware protection, it is necessary to have a basic understanding of enterprise malware infection and its effects.
The Prevalence of Computer Crime

The 2010-2011 CSI/FBI report revealed that:

• “Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
• Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent saying they’d seen this type of incident during the covered period.
• Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they’d been the subject of at least one targeted attack.
• Fewer respondents than ever are willing to share specific information about dollar losses they incurred. Given this result, the report this year does not share specific dollar figures concerning average losses per respondent. It would appear, however, that average losses are very likely down from prior years.
• Respondents said that regulatory compliance efforts have had a positive effect on their security programs.
• By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions.
• Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.”

Best Practices

Malware detection has been accomplished, until very recently, by using “signatures”. Signature-based malware detection requires that malware be identified by analyzing the malware’s code and finding code that is unique to that malware. The discovered code is then used to create anti-malware software that recognizes that code. Once created, the anti-malware software must be installed onto the computer system and allowed to scan for, detect and remove the malware. This entire process must be repeated anew for every novel instance or variant of malware. This method is insufficient, and reactive at best.

As malware continues to evolve in ways that avoid detection, it is simply not practical to continue detection in this manner. Malware is increasingly being written using innovative and aggressive techniques which help it avoid detection, and sometimes even withstand disinfection efforts. Until new and better proactive detection methods are available, malware will continue to infect networks and network components, costing the affected businesses time, money and resources.
Frequently, organizations mistakenly treat malware infections as a series of independent episodes. When a malicious program is discovered, it is remediated until the next occurrence on the next system. This method cannot contain infections before they transmit across the network, thereby infecting more components. Malware spreading in this way could potentially damage the organization’s ability to carry out daily business activities. Disinfecting hundreds or thousands of computers on an enterprise network would be a monumental task.

A new, proactive approach must be undertaken for prevention, detection, disinfection and recovery on enterprise networks. It necessarily must be different from the methods used for the same purposes on individual systems. The approach must be viewed as “holistic” security comprised of four phases: Plan, Resist, Detect, and Respond.

Interesting figures:
“80% of businesses without a recovery plan went bankrupt within 1 year of a major data loss
59% of companies cannot conduct business during unscheduled IT downtime”

3 Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey

1. PLANNING
Creating written policies and guidelines

Planning an approach to minimize malware infection includes addressing key issues, such as the diversity of system configurations and business requirements within an organization, the use of assorted technologies within the organization, logistical challenges presented by the scattering of systems across various geographic locations, internal political hindrances, as well as the legal/regulatory aspects of IT as they pertain to the organization.

Implementing clearly written policies helps to mitigate the risks associated with malware. A Policy is “A formal, brief, and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” It defines required actions and sets the rules.

All policies should include the following attributes:
- Require mandatory compliance
- Technology objectives, i.e. why the technology is being provided to the user
- Expectations of privacy, including the use of monitoring and logging
- Detailed acceptable use, outlining permitted as well as prohibited user actions
- Detailed restrictions, which may involve issues concerning confidentiality
- Defined consequences for violations
- Implementation focused
- Further defined by guidelines and/or standards

Standards, Guidelines and Procedures:

Standards are mandatory rules that are written in conjunction with, and designed to support, a policy. They help make the policy more effective. Standards usually include specifications for hardware, software and/or behavior, and describe requirements for various configurations.

Guidelines are general statements designed to provide a framework within which to implement the policy. They are not mandatory, and are more like suggestions or “best practices”. They provide information on “how” to do something. Guidelines can change frequently, and must be reviewed more often than Standards or Policies.

Procedures are the mechanisms for enforcing policies. They are beneficial in times of crisis. They outline “how” the policy is implemented.

“Position Statements” are often precursors to policies, and are much simpler, in that they focus on a particular technology and the expectations for its use within the organization.

2. RESISTING
Employing a variety of ways to protect networks from infection and intrusion

Implement Security Policies
Security Policies must agree with the organization’s security standards. Policies must be reviewed regularly to reflect current organizational needs, yet remain compatible with other company policies. Some questions to ask when reviewing a policy are: Has the company structure changed? Does the policy reflect the company’s guidelines? Have there been new technology purchases? Are there new State or Federal compliance requirements? Is there new user behavior to address?
Implement Security Systems
Security Systems must be implemented on the network, to protect the network from cybercrime and other threats, such as malware, hacking and information theft.

Manage and Control IT
Manage and control IT by utilizing an enterprise management system (EMS) to perform network monitoring, ensuring policy compliance as well as security at the system level.

Implement Group Policy
Protecting and securing the network and network resources must occur at both the system and the network level. Group Policy implementation can restrict incoming traffic from the Internet and other less trusted networks, by controlling ports, IP addresses and domains. Group Policy can also control user activity, such as what users are allowed to connect to computer systems, and how removable media, such as USB devices, are to be used.

Educate Users
Ensure network users are educated and informed regarding types of malware attacks, signs of infection, and how to report them.

Implementing Further Protection:
- Use a Firewall
- Utilize anti-virus/anti-malware software
- Enforce:
  - Email Policies
  - Password Policies
  - Acceptable Use Policies
- Ensure Group Policies and Network Monitoring for:
  - USB and portable devices
  - Instant Messaging
  - Internet Applications
  - Public Social Networks
  - Downloading and/or installing software

3. DETECTING

Use an Intrusion Detection System (IDS)
Employing Intrusion Detection hardware/software on the network will help contain possible infections and security breaches.

Use a Network Management System
Implement Network Management and Monitoring.

4. RESPONDING

The National Institute of Standards and Technology’s “Computer Security Incident Handling Guide” states that there are three steps involved when responding to a confirmed malware attack:
- Containment
- Eradication
- Recovery

Performing these steps should be supported by the guidelines that were written during the Security Planning phase, outlined above.

Containment
Efforts to contain the spread of the malware should include:
- Instructing users what they should and should not do in the situation (e.g. clicking an email link), in order to help contain the spread of the malicious software.
- Temporarily disconnecting affected systems from the network.

Eradication
- Eradicating the malware (also called “disinfecting”), which involves removing the malware and possibly restoring damaged systems from backups, or rebuilding the systems.
- “Locking down” systems, patching vulnerabilities, and reconfiguring affected components on the infrastructure.

Recovery
- Focus on returning to normal operation
- Confirm that the attack has been contained
- Ensure the malware has been removed
- Determine which containment actions can now cease

Collaborating with entities such as legal departments or public relations may also be a component of recovery. Response teams should now review their course of action, assess/adjust applicable security mechanisms, and agree on methods for improvement. These proceedings conclude the security cycle, and bring the focus back around to the Planning phase again.

The Related Costs of Malware

Determining and balancing the cost of malware is actually an exercise in risk analysis. The first step to determining this expense is assigning values to all information assets. The second step is to estimate the potential loss.

The assigned asset and loss values are then used to determine the single loss expectancy (SLE), which is defined as the expense of recovering from a single malware attack. Calculating the SLE includes a summation of the following costs:
- The cost of purchasing/maintaining anti-malware products
- The ongoing cost of maintaining anti-malware, i.e. subscriptions for updates and other related services
- The value assigned to the company’s data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information, emails)
- Lost revenue
- Potential cost of fines and penalties for violating confidentiality/privacy agreements
- Loss of employee productivity
- Cost of repairing damaged systems
- Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space)
- Determine the annual loss expectancy (ALE) of a single malware attack, based on the average number of previous attacks per year
- Multiply the SLE by the ALE to determine the annual cost of malware for the business

Setting a Security Budget

- Determine the annual cost of malware. It is crucial to plan an anti-malware budget accordingly. The figures from the above calculations will provide a rough estimate of the planned yearly expenditure for anti-malware protection.
- Assess the amount of risk that the company is willing to take. For example, some companies might choose to accept a higher level of risk of infection, because it has been determined that the actual probability of attack is very low, or because the organization has lowered some risks in other ways, such as by purchasing insurance or using offsite backup solutions.
- These calculations can be used in creating a security budget, and/or for calculating the value of the particular anti-malware tools already in place.

Calculators

There are many risk calculators available online as shareware. They are easy to use, and will generate an estimate of various risks, using several of the variables mentioned above. One such calculator was used to estimate the financial risk for a fictitious organization of 1,000 employees.

The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm analyzed the organization’s workplace and email environment (using the number of employees with email access, the number of minutes of email usage per employee per day, and average employee salary) along with the number of IT staff and their average salary. The effects of an email malware attack in regard to salary and productivity were found as follows:

It was determined that a fictitious organization of 1,000 employees earning an average of $25/hr, and using email for approximately 30 minutes per day, would cost the company 524 hours, which translates into $13,700.00 in lost salaries per day (or $570.83 per hour).
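The cost arithmetic above, worked through as an added example (not the paper’s own material, and not the online calculator it cites). It uses the conventional names: annual rate of occurrence (ARO) for the per-year attack average, and ALE for the product SLE × ARO. All cost components, attack counts and control costs are constructed, and the email-outage function is a simplified hours-times-wages model, so it will not reproduce the calculator’s 524-hour / $13,700 figures, whose internal model the paper does not describe.

```python
"""Worked malware cost estimate: SLE, ARO, ALE and countermeasure net benefit.

Added example, not from the paper. All dollar figures and attack counts
below are constructed for illustration.
"""
from dataclasses import dataclass, fields


@dataclass
class SingleLossComponents:
    """Cost items the paper lists as inputs to the single loss expectancy."""
    antimalware_purchase: float        # buying/maintaining anti-malware products
    antimalware_subscriptions: float   # update subscriptions and related services
    data_recreation: float             # restoring or re-creating lost records
    lost_revenue: float
    fines_and_penalties: float         # confidentiality/privacy violations
    lost_productivity: float
    system_repair: float
    hardware_overhead: float           # CPU/memory/disk consumed by protection


def single_loss_expectancy(c: SingleLossComponents) -> float:
    """SLE: total cost of recovering from one malware attack."""
    return sum(getattr(c, f.name) for f in fields(c))


def annual_rate_of_occurrence(attacks_per_year: list[int]) -> float:
    """ARO: average number of attacks per year, from past years' counts."""
    if not attacks_per_year:
        raise ValueError("need at least one year of attack history")
    return sum(attacks_per_year) / len(attacks_per_year)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE (the paper's annual cost of malware): SLE multiplied by ARO."""
    return sle * aro


def email_outage_cost_per_day(employees: int, hourly_wage: float,
                              email_minutes_per_day: float) -> tuple[float, float]:
    """Simplified productivity model: (hours lost, wages lost) per day when
    every employee's daily email time is unavailable."""
    hours = employees * email_minutes_per_day / 60.0
    return hours, hours * hourly_wage


def countermeasure_net_benefit(ale_before: float, ale_after: float,
                               annual_control_cost: float) -> float:
    """Avoided annual loss minus the control's cost. A positive value is a
    loss avoided, not income generated (the paper's ROI caveat)."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    comp = SingleLossComponents(5000, 2000, 20000, 15000, 0, 12500, 4000, 1500)
    sle = single_loss_expectancy(comp)                 # 60000
    ale = annual_loss_expectancy(sle, annual_rate_of_occurrence([3, 2, 4]))
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}")        # ALE 180000
    print(email_outage_cost_per_day(1000, 25.0, 30))   # (500.0, 12500.0)
    # a control costing $50,000/yr that cuts the attack rate to one per year
    print(countermeasure_net_benefit(ale, sle * 1.0, 50000))  # 70000.0
```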
Return on Investment

When using Return on Investment to justify purchasing security technology, it is important to remember that avoiding a possible loss is much different than generating income. Use ROI cautiously.

Findings

Malware affects networks of all sizes, and is installed via various means, many times without a user’s consent or knowledge. It is costly to businesses in regard to prevention as well as recovery.

Malware is no longer viewed as a prank created by script kiddies. Malware is now developed by professional programmers who are paid for their work, and is used to steal information of all kinds. New types of malware are continuously being developed in order to avoid detection.

Detection and disinfection can be costly. The way that the enterprise behaves throughout all four phases of the security cycle determines its success in protecting its network and data from malware.

Recommendations

Risk analysis and assessment must be performed, and are a necessary element in assessing the expenditures that a business should prepare to incur. Creating and implementing a security budget is essential in order to protect information assets, privacy, confidentiality, and the network infrastructure.

Value

I feel that in doing the research for this paper, I have learned about the processes that must be in place to secure an enterprise network and data. I’ve learned about the importance and benefits of policies, guidelines and procedures. I’ve learned about the steps that are necessary for protecting a valuable asset such as an organization’s network, and that the hardware and software are indeed valuable, but the information and data that belong to the company have much value as well; indeed maybe more value than the former.

It’s not just the computers, hardware, software and employees that enable the company to do business and to remain in business. It is those things in addition to maintaining data integrity, privacy, availability and confidentiality as well.

Risk Assessment, Risk Management, and Disaster Recovery are all areas that I have become interested in recently, and I feel that this paper has introduced me to several key concepts in all of those areas and given me a basic understanding of them. I may make a career change after I graduate, leaving Network Administration and entering the realm of Risk Management or Security.
References

1. George Ledin, Jr., The Growing Harm of Not Teaching Malware, Communications of the ACM, vol. 54, no. 2, February 2011.
2. Steve Lohr, Companies Fight Endless War Against Computer Attacks, NYTimes.com, January 17, 2010, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html
3. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
4. Ellen Messmer, Security vendors leaving old school malware detection methods behind, NetworkWorld, 2008, retrieved 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html
5. AbleOne Systems, http://www.ableone.com
6. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/26 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
7. The SANS Institute, A Short Primer for Developing Security Policies, 2007.
8. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
9. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
10. Karen Scarfone, Tim Grance, Kelly Masone, Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61 Revision 1.
11. John Edwards, Money for Nothing: The Real Cost of Malware, Focus, April 30, 2009, retrieved 06/28/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/
12. John Edwards, The Malware Burden, Network Security Journal, 2008, retrieved June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/
13. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved June 29, 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasures
14. Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey.

Other Resources:
- Quest Software, Best Practices in Instant Messaging Management, http://www.idgconnect.com/view_abstract/2619/best-practices-instant-messaging-management-2619
- Mark Merkow, Jim Breithaupt, Information Security Principles and Practices, Pearson Education Inc., 2006.
- Applegate, L. M., F. W. McFarlan, and R. D. Austin. Corporate Information Strategy and Management: Text and Cases. 6th ed. New York: McGraw Hill, 2003.

Acknowledgements

1. Dr. Halstead-Nussloch, my professor for this course, IT6683, for providing the opportunity to research and write this paper.
2. Dr. Rutherfoord, my professor for IT5102 “Intro to Security”, for her interesting PowerPoint presentations, and all that I have learned from her.
3. Dr. Kim Kenneth Metcalf of UWG, my fiancé, for challenging and encouraging me.
4. Arden Peterkin, Network Security Consultant for GCPS, for providing invaluable information about the most current network threats detected and remediated there.