ISO 27001:2022 A 8.7 Protection against malware

Malware, short for malicious software, is software that infects a computer or device so that criminals can infiltrate or damage a system, steal information or carry out other malicious activity. Malware is one of the largest threats to business continuity and information security that organisations face in the digital age. Businesses face innumerable daily threats from a broad range of attack vectors that seek to gain unauthorized access to sensitive systems and data, extract information and money, dupe unsuspecting employees and hold data to ransom for extortionate sums. An organisation's approach to malware protection should therefore be front and centre of its information security policy.

Control 8.7 is an array of measures that help organisations educate their employees about the dangers of malicious software and implement practical measures that stop internal and external attacks before they have a chance to cause disruption and data loss.

Downloading programs is the most common way to infect a device with malware: a software application that looks legitimate may actually be malware designed to compromise the computer. Direct downloads while browsing websites are not the only route, however. A device can also be infected by opening or downloading attachments, or by clicking on links in emails or text messages.

Control

Protection against malware should be implemented and supported by appropriate user awareness.

Purpose

To ensure information and other associated assets are protected against malware.

ISO 27002 Implementation Guidance

Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate. The following guidance should be considered:

  1. implementing rules and controls that prevent or detect the use of unauthorized software [e.g. application allow listing (i.e. using a list providing allowed applications)];
  2. implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting);
  3. reducing vulnerabilities that can be exploited by malware (e.g. through technical vulnerability management);
  4. conducting regular automated validation of the software and data content of systems, especially for systems supporting critical business processes; investigating the presence of any unapproved files or unauthorized amendments;
  5. establishing protective measures against risks associated with obtaining files and software either from or via external networks or on any other medium;
  6. installing and regularly updating malware detection and repair software to scan computers and electronic storage media. Carrying out regular scans that include:
    • 1) scanning any data received over networks or via any form of electronic storage media, for malware before use;
    • 2) scanning email and instant messaging attachments and downloads for malware before use. Carrying out this scan at different places (e.g. at email servers, desktop computers) and when entering the network of the organization;
    • 3) scanning web pages for malware when accessed;
  7. determining the placement and configuration of malware detection and repair tools based on risk assessment outcomes and considering:
    • 1) defense in depth principles where they would be most effective. For example, this can lead to malware detection in a network gateway (in various application protocols such as email, file transfer and web) as well as user endpoint devices and servers;
    • 2) the evasive techniques of attackers (e.g. the use of encrypted files) to deliver malware or the use of encryption protocols to transmit malware;
  8. taking care to protect against the introduction of malware during maintenance and emergency procedures, which can bypass normal controls against malware;
  9. implementing a process to authorize temporarily or permanently disabling some or all measures against malware, including exception approval authorities, documented justification and review date. This can be necessary when the protection against malware causes disruption to normal operations;
  10. preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup (including both online and offline backup) and recovery measures;
  11. isolating environments where catastrophic consequences can occur;
  12. defining procedures and responsibilities to deal with protection against malware on systems, including training in their use, reporting and recovering from malware attacks;
  13. providing awareness or training to all users on how to identify and potentially mitigate the receipt, sending or installation of malware infected emails, files or programs [the information collected under 14) and 15) can be used to ensure awareness and training are kept up-to-date];
  14. implementing procedures to regularly collect information about new malware, such as subscribing to mailing lists or reviewing relevant websites;
  15. verifying that information relating to malware, such as warning bulletins, comes from qualified and reputable sources (e.g. reliable internet sites or suppliers of malware detection software) and is accurate and informative.
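Item 4 above asks for regular automated validation of the software and data content of systems and investigation of unapproved files or unauthorized amendments, and item 1 asks for detection of unauthorized software. The script below is an added example of the underlying technique (a file-integrity baseline), written for this page rather than taken from ISO or any product; the directory layout and file contents in demo() are constructed for the demonstration.

```python
"""File-integrity baseline and verification (added example, not from the
page or any ISO document). Records a SHA-256 digest for every file under a
directory, then re-walks the directory and reports files that were added,
modified or removed since the baseline. The directory layout and file
contents in demo() are constructed for the demonstration."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every relative path under root to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree under root with a baseline.

    Returns sorted lists of added, modified and removed paths. Until someone
    approves them, 'added' and 'modified' entries are exactly the unapproved
    files and unauthorised amendments the guidance asks you to investigate.
    """
    current = build_baseline(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline, path):
    """Persist the baseline. In production keep it off-host or signed:
    a baseline the attacker can rewrite proves nothing."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a tree, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        _write(os.path.join(root, "bin", "approved.sh"), b"#!/bin/sh\necho ok\n")
        _write(os.path.join(root, "config.ini"), b"[app]\nlevel=1\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # A clean tree reports nothing.
        clean = verify(root, load_baseline(baseline_path))

        # Simulated compromise: config edited, dropper added, script deleted.
        _write(os.path.join(root, "config.ini"), b"[app]\nlevel=1\ndebug=1\n")
        _write(os.path.join(root, "bin", "dropper.exe"), b"MZ\x90\x00")
        os.remove(os.path.join(root, "bin", "approved.sh"))
        tampered = verify(root, load_baseline(baseline_path))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run on a real host the baseline must be taken from a known-good image and stored where the host cannot alter it; the check is only as trustworthy as the baseline. Pairing the same digest list with an allow-list of approved executables gives the application allow-listing of item 1.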

Other information

It is not always possible to install software that protects against malware on some systems (e.g. some industrial control systems). Some forms of malware infect computer operating systems and computer firmware such that common malware controls cannot clean the system, and a full re-imaging of the operating system software, and sometimes the computer firmware, is necessary to return to a secure state.

Modern attackers rarely enter business premises in person, because they risk being caught. Physical facility controls serve a limited purpose in information security: they provide a local barrier against physical intrusion and protect against ordinary crimes by people entering and leaving the building. Since the advent of the Internet, fewer criminals take the risks of a physical crime; the persistent threat is electronic. An attacker can act from a safe distance without fear of being physically caught, and attacks may originate from anywhere in the world or be sponsored by a foreign government to gather intelligence. Technical controls against electronic attacks are often spotty and inconsistent, either through lack of awareness of specific threats or through lopsided implementations: it is easy for technical staff to focus on a few areas and neglect serious threats that remain in others. Technical threats to software are also hard for lay people to visualise in physical terms, and the adage "out of sight, out of mind" also means outside of the budget. The following list summarises how the electronic threat manifests in an organisation's environment.

  1. Malware: A collective term for every malicious program, whether it exploits a known vulnerability or simply relies on a user to run it. There are so many variants that it is easier to refer to the whole group as malware. The categories below overlap, and the Trojan horse is the most common delivery mechanism among them.
  2. Trojan Horse: Named after the tale from the Trojan war in which soldiers hid inside a bogus gift; the unsuspecting recipients brought the horse inside their walls and were attacked by the soldiers hiding within. A Trojan is a program that appears legitimate or useful but carries a hidden malicious payload. Malicious programs frequently use this approach to deliver viruses, worms, logic bombs, rootkits and other components through downloaded files. Unlike a worm, a Trojan does not spread by itself; it relies on the user to install it.
  3. Virus: A virus attaches itself to a host program or document and spreads when the infected host is copied or executed, often after arriving through a Trojan-style download. Its goal is usually to disrupt operations by damaging programs or data files. Classic file infectors append their code to the end of an executable and patch the program's entry point so the virus runs before the host; other variants prepend to or overwrite the host, or infect boot sectors and document macros.
  4. Internet Worm: A worm differs from a Trojan or virus in one major respect: it spreads by itself, without user action, by exploiting network services that listen on exposed ports with weak or no authentication, or with exploitable vulnerabilities. Early Internet worms targeted remote-access and file-transfer services that accepted connections with poor or no authentication. Securing a service's ports and protocols is the responsibility of the developers who implement it; operations staff can mitigate by firewalling, segmenting or disabling a port, but cannot fix the implementation, and disabling is not an option when the application needs that port open to operate.
  5. Logic Bomb: Dormant program code that waits for a trigger condition before it detonates. Unlike a virus or worm, a logic bomb does not travel; it remains in one location awaiting its trigger, which makes it difficult to detect because it is inert until then. Some logic bombs are intentional, planted by an insider and set to detonate after the perpetrator has left; others are the unintentional result of poor programming, a latent defect that fires on an unforeseen condition.
  6. Time Bomb: A logic bomb whose trigger is a date or time. Programmers use time bombs legitimately: free trial versions disable themselves after 30–60 days to push the user to buy a licence, and some vendors force upgrades after a few years by having the old installer refuse to run and direct the user to customer support to purchase an upgrade. Attackers use the same technique to disrupt operations on a chosen date, such as April Fools' Day or the anniversary of a historic event.
  7. Trapdoor: Programmers frequently install a shortcut, also known as a trapdoor or backdoor, for use during software testing: a hidden access point within the software. A competent programmer removes trapdoors before releasing a production version, but several vendors routinely leave one in place to facilitate user support, and any such access point is equally available to an attacker who discovers it. Commercial encryption software began to change in 1996 with the addition of "key recovery" features, which are essentially a trapdoor allowing lost encryption keys to be recovered and, if required, allowing the government to read encrypted files.
  8. RootKit: One of the most threatening attacks is the secret compromise of the operating system kernel. Attackers embed a rootkit in a downloadable package; once installed it hooks itself into kernel code paths, system calls and memory so that it can hide its own files, processes and network connections from the operating system's own tools. Resource monitors therefore show no activity related to it. After a rootkit is installed the attacker controls the system and the computer is completely compromised; as noted above, the only reliable remedy is re-imaging. Vendor automatic-update agents also run with high privilege and can change system settings without asking, so they must be trusted and protected as carefully as any privileged component, but an agent that announces itself and can be removed is not a rootkit, whose defining property is concealment.
  9. Brute Force Attack: Brute force is the use of exhaustive effort to overcome an obstacle. For example, an amateur could open a safe by dialling all of the tens of thousands of possible combinations (64,000 on a common three-wheel, 40-number dial); on average the correct one turns up after about half of them have been tried. Brute force attacks are frequently used against user login IDs and passwords. In the dictionary-attack variant, stolen password hashes are compared against the hashes of every word in a language dictionary; when a match is found the attacker uses the word that produced it. This is why passwords must not appear in any language dictionary, and why systems should store passwords with a per-user salt and a slow hash, so that a single precomputed table cannot crack every account at once.
  10. Denial of Service (DoS): Attackers can disable a computer by rendering legitimate use impossible. The objective is to remotely shut down a service by overloading the system, or to disable the user environment (shell) so that normal users cannot process anything on the computer. The effect resembles the loss of service while a system downloads and installs vendor updates: the message "please wait, installing update 6 of 41…" makes a system unavailable for an hour or more. A DoS attack produces the same unavailability deliberately and from outside.
  11. Distributed Denial of Service (DDoS): Denial of service has evolved to use many systems at once against a single target, to overwhelm or crash it. The attack is launched from unrelated systems the attacker has already compromised (a botnet), so your own computer may be used to attack someone else. One form, the reflection attack, bounces requests off third-party servers with a spoofed source address so that those uninvolved servers send their replies to the victim. The attacking machines and the target are drawn into the battle, similar in concept to starting a vicious rumour between two strangers that leads them to fight each other, while the attacker sits safely out of the way.
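The dictionary attack described under item 9 is easiest to understand by running one. The block below is an added example written for this page, not code from the original or from any cracking tool; the "leaked" hash lists, the five-word wordlist and the PBKDF2 work factor are constructed assumptions. It contrasts unsalted SHA-256 storage, where one table of wordlist hashes cracks every account at once, with salted PBKDF2 storage, where each guess has to be recomputed per account.

```python
"""Offline dictionary attack against stored password hashes (added example,
not from the page). The 'leaked' hash lists and the wordlist are constructed
inline. It shows why unsalted fast hashes fall to one precomputed table for
every account at once, why salts force the attacker to redo the work per
account, and why a password absent from the wordlist survives both."""
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "welcome1"]
PBKDF2_ROUNDS = 50_000  # assumption: kept low so the demo runs quickly


def unsalted_hash(password):
    """How a naive system stores passwords: plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salted, iterated PBKDF2-HMAC-SHA256 (hex). salt is raw bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS).hex()


def crack_unsalted(stored, wordlist):
    """stored: {user: sha256hex}. Returns (recovered, hash_operations).

    One table of len(wordlist) hashes is built once and cracks every account
    at the same time, because identical passwords give identical hashes."""
    table = {unsalted_hash(word): word for word in wordlist}
    found = {user: table[digest] for user, digest in stored.items()
             if digest in table}
    return found, len(wordlist)


def crack_salted(stored, wordlist):
    """stored: {user: (salt, hex)}. Returns (recovered, hash_operations).

    Each guess must be rehashed with every account's salt, so the work grows
    with the number of accounts and no table can be shared between them."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(word, salt), digest):
                found[user] = word
                break
    return found, work


def demo():
    """Constructed breach: three users, two of whom chose dictionary words."""
    creds = {"alice": "sunshine", "bob": "dragon", "carol": "Tq7!v-pear-orbit"}
    leaked_unsalted = {u: unsalted_hash(p) for u, p in creds.items()}
    salts = {u: os.urandom(16) for u in creds}
    leaked_salted = {u: (salts[u], salted_hash(p, salts[u]))
                     for u, p in creds.items()}
    return {
        "unsalted": crack_unsalted(leaked_unsalted, WORDLIST),
        "salted": crack_salted(leaked_salted, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Both variants recover alice's and bob's dictionary passwords and neither recovers carol's; the difference is cost. The unsalted list is cracked with five hash operations regardless of how many accounts leaked, while the salted list costs a full wordlist pass per account, and each of those operations is 50,000 times slower. That is the defence the text points at: choose passwords outside any dictionary, and store them salted with a slow hash.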

ISO 27002 asks organisations to adopt an approach to malware protection that encompasses four key areas:

  • Anti-malware software
  • Organisational information security awareness (user training)
  • Controlled systems and account access
  • Change management

ISO categorically points out that it is a mistake to assume that anti-malware software alone represents an adequate set of measures. Control 8.7 instead asks organisations to take an end-to-end approach to malware protection that begins with user education and ends with a tightly controlled network that minimises the risk of intrusion across a variety of attack vectors. To achieve this goal, organisations should implement controls that:

  1. Prevent the use of unauthorized software (e.g. through application allow-listing).
  2. Block traffic to malicious or inappropriate websites.
  3. Minimize the number of vulnerabilities on their network that could be exploited by malware or a malicious actor.
  4. Carry out regular software audits that scan the network for unauthorised software, system amendments and/or data.
  5. Ensure that data and applications are obtained with minimal risk, either internally or as an external acquisition.
  6. Establish a malware detection policy that includes regular and thorough scans of all relevant systems and files, based upon the unique risks of each area to be scanned. Organisations should adopt a ‘defence in depth’ approach that encompasses endpoint devices and gateway controls, and takes into consideration a broad range of attack vectors (e.g. ransomware).
  7. Protect against intrusions that emanate from emergency procedures and protocols – especially during an incident or high-risk maintenance activities.
  8. Draft a process that allows technical staff to temporarily or permanently disable some or all anti-malware measures when they hamper the organisation's ability to do business, with an approving authority, documented justification and a review date for each exception.
  9. Implement a robust backup and disaster recovery (BUDR) plan, including both online and offline backups, that allows the organisation to resume operational activity as quickly as possible following disruption (see Control 8.13). This should include procedures for systems that cannot run anti-malware software (e.g. some industrial control or machinery software).
  10. Partition off areas of the network and/or digital and virtual working environments that may cause catastrophic disruption in the event of an attack.
  11. Provide all relevant employees with anti malware awareness training that educates users on a broad range of topics, including (but not limited to):
    • Social engineering
    • Email security
    • Installing malicious software
  12. Collect industry-related information about the latest developments in malware protection.
  13. Ensure that notifications about potential malware attacks (particularly from software and hardware vendors) originate from a trusted source and are accurate.

There are numerous ways to protect computers from malware and to remove it. No single method is enough to ensure a computer is secure; the more layers of defence there are, the harder it is for an attacker to use the computer.

  1. Install a Firewall:
    A firewall acts like a security guard. There are two types: host-based (software) firewalls and network (hardware) firewalls, which serve similar but distinct purposes. A firewall is the first step in securing a computer: it creates a barrier between the computer and unsolicited connections arriving from the Internet. On a home system, leave the firewall permanently enabled and review its log, which records blocked connection attempts.
  2. Install Antivirus Software:
    Antivirus software is another means of protecting the computer. It detects and blocks unauthorized code such as viruses, keyloggers and trojans that would otherwise slow the machine, delete important files or access personal information. Install it even on a system that is currently clean, to prevent future infection. Its main value is real-time protection, detecting threats as files are opened or downloaded; most products update their signatures and engines automatically, which matters because new malware appears daily.
  3. Install Anti-Spyware Software:
    Spyware is software that collects personal information, or information about an organisation, without consent and sends it to a third party; it is designed to be hard to remove. Anti-spyware software is dedicated to combating it and, like antivirus software, offers real-time protection: it scans incoming content and blocks a threat once detected. Most current endpoint protection suites cover both functions in one product.
  4. Check on the Security Settings of the Browser:
    Browsers have security and privacy settings that you should review and set to the level you need, such as blocking pop-ups, restricting plug-ins and warning on insecure downloads. Recent browsers can also send a "Do Not Track" request to websites; note that this is only a request, which sites may ignore, so it improves privacy only where it is honoured.
  5. Use secure authentication methods.
    The following best practices help keep accounts safe:
    • Require strong passwords. Length matters more than forced character classes, so prefer long passphrases and screen new passwords against lists of dictionary words and known-breached passwords rather than relying only on uppercase, lowercase, number and symbol rules.
    • Enable multi-factor authentication using something the user has, such as an authenticator app, hardware token or passkey. A PIN or security question is just a second password, not a second factor.
    • Use biometric tools such as fingerprints, voiceprints, facial recognition and iris scans where available, normally as one factor alongside another.
    • Never store passwords in plain text in files, spreadsheets or notes. Use a reputable password manager instead.
  6. Use administrator accounts only when absolutely necessary.
    Malware often has the same privileges as the active user. Non-administrator accounts are usually blocked from accessing the most sensitive parts of a computer or network system. Therefore:
    • Avoid using administrative privileges to browse the web or check email.
    • Log in as an administrator only to perform administrative tasks, such as to make configuration changes.
    • Install software using administrator credentials only after you have validated that the software is legitimate and secure.
  7. Keep software updated.
    No software package is completely safe against malware. However, vendors regularly release patches and updates to close newly discovered vulnerabilities. As a best practice, validate and install new patches promptly:
    • Regularly update your operating systems, software tools, browsers and plug-ins.
    • Implement routine maintenance to ensure all software is current and check for signs of malware in log reports.
  8. Control access to systems.
    There are multiple ways to regulate your networks to protect against data breaches:
    • Install or implement a firewall, intrusion detection system (IDS) and intrusion prevention system (IPS).
    • Never plug in unfamiliar removable drives, or media that has been used on a publicly accessible device.
    • Close unused ports and disable unused protocols.
    • Remove inactive user accounts.
    • Carefully read all licensing agreements before installing software.
  9. Adhere to the least-privilege model.
    Adopt and enforce the principle of least-privilege: Grant users in your organization the minimum access to system capabilities, services and data they need to complete their work.
  10. Limit application privileges.
    A hacker only needs an open door to infiltrate your business. Limit the number of possible entryways by restricting application privileges on your devices. Allow only the application features and functions that are absolutely necessary to get work done.
  11. Implement email security and spam protection.
    Email is an essential business communication tool, but it’s also a common malware channel. To reduce the risk of infection:
    • Scan all incoming email messages, including attachments, for malware.
    • Set spam filters to reduce unwanted emails.
    • Limit user access to only company-approved links, messages and email addresses.
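Scanning incoming email and attachments before use (the first bullet above, and item 6 of the ISO guidance) is usually done by a gateway product, but the core checks are simple enough to show. The block below is an added example written for this page, not code from the original or from any mail product: it parses a constructed message with Python's standard email library and flags attachments by magic bytes, blocked extensions, double extensions and macro-enabled Office types. The rule sets and the sample message are assumptions for the demonstration.

```python
"""Mail attachment triage before use (added example, not from the page or
any mail product). Parses a constructed RFC 822 message, walks its MIME
attachments and flags the cases a gateway or endpoint scan should quarantine:
executable content identified by magic bytes regardless of the claimed name,
blocked or double extensions, and macro-enabled Office documents. The rules
and the sample message are assumptions chosen for the demonstration."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1",
                      "hta", "docm", "xlsm"}
DISGUISE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}
MAGIC = {  # leading bytes -> content kind
    b"MZ": "windows-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # Office 2007+ documents are also zips
}


def sniff(payload):
    """Classify content by its leading bytes, ignoring the file name."""
    for prefix, kind in MAGIC.items():
        if payload.startswith(prefix):
            return kind
    return "unknown"


def check_attachment(filename, payload):
    """Return the reasons to quarantine an attachment; empty means clean."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(payload)
    if kind in ("windows-executable", "elf-executable"):
        reasons.append(f"executable content ({kind}) whatever the name says")
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if len(parts) > 2 and parts[-2] in DISGUISE_EXTENSIONS:
        reasons.append("double extension hides the real type")
    if ext == "pdf" and kind != "pdf":
        reasons.append("named .pdf but content is not a PDF")
    return reasons


def triage(raw):
    """Map each attachment file name in a raw message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results[name] = check_attachment(name, payload)
    return results


def build_sample_message():
    """Constructed message: one clean PDF, one disguised EXE, one macro doc."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 30, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="report.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(build_sample_message()).items():
        print(name, "->", reasons or "clean")
```

The content check comes first on purpose: the sender controls the file name and the declared MIME type, so a scan that trusts either will wave through "invoice.pdf.exe" or an executable that is simply renamed to ".pdf". In a real deployment the same checks run at the mail server and again on the endpoint, as the guidance on scanning at different places recommends, and archives would be opened and their members run through the same function.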
  12. Monitor for suspicious activity.
    Monitor all user accounts for suspicious activity. This includes:
    • Logging all incoming and outgoing traffic
    • Baselining normal user activity and proactively looking for aberrations
    • Investigating unusual actions promptly
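Baselining normal activity and looking for aberrations (the second bullet above) is the part of monitoring that most needs a concrete shape. The block below is an added example written for this page, not code from the original or from any SIEM: it learns which source addresses each user normally logs in from during a baseline window, then flags bursts of failed logins from one source, successful logins from a source a user has never used, and a success that follows a burst. The sshd-style log lines are constructed for the demonstration, as are the thresholds.

```python
"""Login-activity baselining and anomaly detection over sample auth log lines
(added example, not from the page or any SIEM product). A learning window
records which source addresses each user normally logs in from; the
detection pass then flags bursts of failed logins from one source, logins
from a source the user has never used, and a success that follows a burst.
All log lines below are constructed in sshd's format for the demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

BASELINE_LOG = [  # constructed learning window: normal activity
    "Mar 12 08:55:10 host sshd[900]: Accepted password for alice from 10.0.0.5 port 50110 ssh2",
    "Mar 12 09:01:44 host sshd[905]: Accepted password for bob from 10.0.0.7 port 50200 ssh2",
    "Mar 12 09:02:00 host sshd[905]: pam_unix(sshd:session): session opened for user bob",
]

ANALYSIS_LOG = [  # constructed day under attack
    "Mar 13 09:12:01 host sshd[1001]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 13 09:13:00 host sshd[1002]: Failed password for bob from 203.0.113.9 port 40001 ssh2",
    "Mar 13 09:13:05 host sshd[1003]: Failed password for bob from 203.0.113.9 port 40002 ssh2",
    "Mar 13 09:13:10 host sshd[1004]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2",
    "Mar 13 09:13:15 host sshd[1005]: Failed password for bob from 203.0.113.9 port 40004 ssh2",
    "Mar 13 09:13:20 host sshd[1006]: Failed password for bob from 203.0.113.9 port 40005 ssh2",
    "Mar 13 09:13:30 host sshd[1007]: Accepted password for bob from 203.0.113.9 port 40006 ssh2",
]


def parse(lines):
    """Turn matching auth lines into events; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                "ok": m["result"] == "Accepted",
                "user": m["user"],
                "src": m["src"],
            })
    return events


def build_baseline(events):
    """Per-user set of source addresses seen in successful logins."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[e["user"]].add(e["src"])
    return seen


def detect(events, baseline, max_failures=5, window_seconds=60):
    """Return (kind, ...) findings in the order they are observed."""
    findings = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()               # sources already reported for a burst
    for e in events:
        if not e["ok"]:
            q = recent[e["src"]]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()       # slide the window forward
            if len(q) >= max_failures and e["src"] not in alerted:
                findings.append(("failure-burst", e["src"], len(q)))
                alerted.add(e["src"])
        else:
            if e["src"] not in baseline.get(e["user"], set()):
                findings.append(("new-source-login", e["user"], e["src"]))
            if e["src"] in alerted:
                findings.append(("success-after-burst", e["user"], e["src"]))
    return findings


def demo():
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(ANALYSIS_LOG), baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The "success-after-burst" finding is the one worth paging someone for: a burst of failures on its own is background noise on any Internet-facing host, and a login from a new address may be a user travelling, but a success from the same address that was just guessing passwords is the signature of a compromised account and should be investigated promptly, as the third bullet says.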
  13. Educate your users.
    At the end of the day, people are a critical line of defence. By continually educating users, you reduce the risk that they will be tricked by phishing or other tactics and accidentally introduce malware into your network. In particular:
    • Build awareness of common malware attacks.
    • Keep users up to date on basic cybersecurity trends and best practices.
    • Teach users how to recognize credible sites and what to do if they stumble onto a suspicious one.
    • Encourage users to report unusual system behavior.
    • Advise users to only join secure networks and to use VPNs when working outside the office.
