Creating and Enforcing Anti-Malware Procedures and Practices Within an Organization
Diane M. Duhé
Abstract
Malware poses a significant threat to all computer networks, whether large or small.
Malicious software is responsible for data corruption, loss, misuse, identity theft, and
many types of unauthorized use. All of these contribute to potential liabilities, loss of
services, damage to a company’s reputation, loss of customers and/or stakeholders, and
possibly the company’s inability to continue doing business.
This paper summarizes best practices for creating and enforcing anti-malware
procedures as they pertain to enterprise networks and data security.
The method of approach is research conducted via the ACM Digital Library, the
IEEE/IEE Electronic Library, professional journals, web articles and white papers,
along with personal work experience as a Network Administrator.
The Introduction will define the term “malware” and summarize the prevalence of and
damage caused by malware infection in an enterprise.
The Best Practices section will discuss creating and implementing Policies, Guidelines
and Procedures for securing systems and networks.
The Related Costs section will discuss methods for quantifying costs of malware
attacks, the importance of utilizing “value calculators” and creating/implementing
security budgets.
Introduction
The term “malware” once referred to viruses, worms, and trojans, but current malware
has evolved into a very selective tool. Malware is no longer written using amateur
scripts or “copy and paste” methods by script kiddies. Instead, highly trained, paid
programmers are authoring malware, supported by political syndicates, organized
crime, government-sanctioned but unacknowledged (“dark”) operations, and some
nation-states. [1]
What began as pranks has evolved into serious criminal activity. Malware is now used
for crimes such as industrial espionage, “transmitting digital copies of trade secrets” [2],
customer names, future business plans, and contracts: virtually any and all private or
personal information.
In order to discuss best practices for implementing anti-malware protection, it is
necessary to have a basic understanding of enterprise malware infection and its effects.
The Prevalence of Computer Crime
The 2010-2011 CSI/FBI report revealed that:
• “Malware infection continued to be the most commonly seen attack, with 67.1 percent
of respondents reporting it.
• Respondents reported markedly fewer financial fraud incidents than in previous years,
with only 8.7 percent saying they’d seen this type of incident during the covered period.
• Of the approximately half of respondents who experienced at least one security
incident last year, fully 45.6 percent of them reported they’d been the subject of at least
one targeted attack.
• Fewer respondents than ever are willing to share specific information about dollar
losses they incurred. Given this result, the report this year does not share specific dollar
figures concerning average losses per respondent. It would appear, however, that
average losses are very likely down from prior years.
• Respondents said that regulatory compliance efforts have had a positive effect on their
security programs.
• By and large, respondents did not believe that the activities of malicious insiders
accounted for much of their losses due to cybercrime. 59.1 percent believe that no such
losses were due to malicious insiders. Only 39.5 percent could say that none of their
losses were due to non-malicious insider actions.
• Slightly over half (51.1 percent) of the group said that their organizations do not use
cloud computing. Ten percent, however, say their organizations not only use cloud
computing, but have deployed cloud-specific security tools.” [3]
Best Practices
Malware detection has, until very recently, been accomplished using “signatures”.
Signature-based malware detection requires that malware be identified by analyzing
the malware’s code and finding a code sequence that is unique to it. The discovered
code is then used to create anti-malware software that recognizes that code. Once
created, the anti-malware software must be installed on the computer system and
allowed to scan for, detect and remove the malware. This entire process must be
repeated anew for every novel instance or variant of malware. This method is
insufficient, and reactive at best. [4]
As malware continues to evolve in ways that avoid detection, it is simply not practical to
continue detecting it in this manner. Malware is increasingly written using innovative
and aggressive techniques that help it avoid detection, and sometimes even withstand
disinfection efforts. Until new and better proactive detection methods are available,
malware will continue to infect networks and network components, costing the affected
businesses time, money and resources.
Frequently, organizations mistakenly treat malware infections as a series of
independent episodes. When a malicious program is discovered, it is remediated until
the next occurrence on the next system. This method cannot contain infections before
they spread across the network, thereby infecting more components. Malware that
spreads in this way could potentially damage the organization’s ability to carry out its
daily business activities.
Disinfecting hundreds or thousands of computers on an enterprise network would be a
monumental task. A new, proactive approach must be undertaken for
prevention, detection, disinfection and recovery on enterprise networks. It necessarily
must be different from the methods used for the same purposes on individual systems.
The approach must be viewed as “holistic” security consisting of four phases: Plan,
Resist, Detect, and Respond. [5]
Interesting figures:
“80% of businesses without a recovery plan went bankrupt within 1 year of a
major data loss.
59% of companies cannot conduct business during unscheduled IT
downtime.”
³ Computer Security Institute, 15th Annual 2010-2011 Computer Crime and
Security Survey
1. PLANNING
Creating written policies and guidelines
Planning an approach to minimize malware infection includes addressing key issues,
such as diversity of system configurations and business requirements within an
organization, the use of assorted technologies within the organization, logistical
challenges presented by the scattering of systems across various geographic locations,
internal political hindrances, as well as the legal/regulatory aspects of IT as they pertain
to the organization.
Implementing clearly written policies helps to mitigate the risks associated with
malware.
A Policy is “A formal, brief, and high-level statement or plan that embraces an
organization’s general beliefs, goals, objectives, and acceptable procedures for a
specified subject area.” [7] It defines required actions and sets the rules.
All policies should include the following attributes:
- Require mandatory compliance
- Technology objectives, i.e.: why the technology is being provided to the user
- Expectations of privacy including the use of monitoring and logging
- Detailed acceptable use, outlining permitted as well as prohibited user actions
- Detailed restrictions which may involve issues concerning confidentiality
- Defined consequences for violations
- Implementation focused
- Further defined by guidelines and/or standards.
Standards, Guidelines and Procedures:
Standards are mandatory rules that are written in conjunction with, and designed to
support, a policy. They help make the policy more effective. Standards usually include
specifications for hardware, software and/or behavior, and describe requirements for
various configurations.
Guidelines are general statements designed to provide a framework within which to
implement the policy. They are not mandatory, and are more like suggestions or “best
practices”. They provide information on “how” to do something. Guidelines can change
frequently, and must be reviewed more often than Standards or Policies.
Procedures are the mechanisms for enforcing policies. They are beneficial in times of
crisis. They outline “how” the policy is implemented.
“Position Statements” are often precursors to policies, and are much simpler, in
that they focus on a particular technology and the expectations for its use within the
organization.
2. RESISTING
Employing a variety of ways to protect networks from infection and intrusion [8]
Implement Security Policies
Security Policies must agree with the organization’s security standards.
Policies must be reviewed regularly to reflect current organizational needs, yet
remain compatible with other company policies. Some questions to ask when
reviewing a policy are: Has the company structure changed? Does the policy reflect
the company’s guidelines? Have there been new technology purchases? Are there
new State or Federal compliance requirements? Is there new user behavior to
address?
Implement Security Systems
Security Systems must be implemented on the network, to protect the network from
cybercrime and other threats, such as malware, hacking and information theft.
Manage and Control IT
Manage and control IT by utilizing an enterprise management system (EMS) to
perform network monitoring to ensure policy compliance as well as security at the
system level.
Implement Group Policy
Protecting and securing the network and network resources must occur at both the
system and the network level. Group Policy implementation can restrict incoming
traffic from the Internet and other less trusted networks, by controlling ports, IP
addresses and domains.
Group Policy can also control user activity, such as what users are allowed to connect
to computer systems and how removable media, such as USB devices, may be
used.
Educate users
Ensure network users are educated and informed regarding the types of malware
attacks, the signs of infection, and how to report them.
Implementing Further Protection:
Use a Firewall
Utilize Anti-virus/anti malware software
Enforce:
- Email Policies
- Password Policies
- Acceptable Use Policies
Ensure Group Policies and Network Monitoring for:
- USB and portable devices
- Instant Messaging
- Internet Applications
- Public Social Networks
- Downloading and/or installing software
3. DETECTING
Use an Intrusion Detection System (IDS)
Employing intrusion detection hardware/software on the network will help
contain possible infections and security breaches.
Use a Network Management System
Implement Network Management and Monitoring
4. RESPONDING
The National Institute of Standards and Technology's “Computer Security Incident
Handling Guide” states that there are three steps involved when responding to a
confirmed malware attack: [9]
Containment
Eradication
Recovery
Performing these steps should be supported by the guidelines that were written
during the Security Planning phase, outlined above.
Containment
Efforts to contain the spread of the malware should include: [10]
Instructing users what they should and should not do in the situation (e.g., clicking
an email link) in order to help contain the spread of the malicious software.
Temporarily disconnecting affected systems from the network.
Eradication
Eradicating the malware (also called “disinfecting”), which involves removing the
malware and possibly restoring damaged systems from backups, or rebuilding
the systems.
“Locking down” systems, patching vulnerabilities, and reconfiguring affected
components of the infrastructure.
Recovery
Focus on returning to normal operation
Confirm that the attack has been contained
Ensure the malware has been removed
Determine which containment actions can now cease
Collaborating with entities such as legal departments or public relations may also be a
component of recovery.
Response teams should now review their course of action, assess/adjust applicable
security mechanisms and agree on methods for improvement. These proceedings
conclude the security cycle, and bring the focus back around to the Planning phase
again.
The Related Costs of Malware
Determining and balancing the cost of malware is actually an exercise in risk analysis.
The first step in determining this expense is assigning values to all information assets.
The second step is estimating the potential loss.
The assigned asset and loss values are then used to determine the single loss
expectancy (SLE), which is defined as the expense of recovering from a single malware
attack. [11]
Calculating the SLE includes a summation of the following costs:
- The cost of purchasing/maintaining anti-malware products
- The ongoing cost of maintaining anti-malware, e.g. subscriptions for
updates and other related services
- A value assigned to the company's data (calculated by determining how
much it would cost to restore or re-create different types of lost information,
such as sales records, tax information, contact information, and emails)
- Lost revenue
- Potential cost of fines and penalties for violating confidentiality/privacy
agreements
- Loss of employee productivity
- Cost of repairing damaged systems
- Hardware overhead (all anti-malware products consume resources such as
processing power, memory and disk space)
- Determine the annual loss expectancy (ALE) of a single malware attack
based on the average number of previous attacks per year
- Multiply the SLE by the ALE to determine the annual cost of malware for the
business. [12]
Setting a Security Budget
Determine the annual cost of malware. It is crucial to plan an anti-malware
budget accordingly. The figures from the above calculations will provide a
rough estimation for the planned yearly expenditure for anti-malware
protection.
Assess the amount of risk that the company is willing to take. For
example, some companies might choose to accept a higher level of risk of
infection, because it’s been determined that the actual probability of attack
is very low, or because the organization has lowered some risks in other
ways, such as by purchasing insurance, or the use of offsite backup
solutions.
These calculations can be used in creating a security budget, and/or for
calculating the value of the particular anti-malware tools already in place. [13]
Calculators
There are many risk calculators available online as shareware. They are easy to use,
and will generate an estimate of various risks, using several of the variables mentioned
above.
One such calculator was used to estimate the financial risk for a fictitious organization of
1,000 employees.
The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm
analyzed the organization’s workplace and email environment (using the number of
employees with email access, the number of minutes of email usage per employee per
day, and the average employee salary) along with the number of IT staff and their
average salary.
The effects of an email malware attack on salary and productivity were found to be
as follows:
It was determined that a fictitious organization of 1,000 employees earning an average
of $25/hr, and using email for approximately 30 minutes per day, would cost the
company 524 hours, which translates into $13,700.00 in lost salaries per day (or
$570.83 per hour).
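The following is an added example, not code from the paper or from the online calculator it cites. It carries the SLE cost list above and the calculator’s employee/email inputs through to an annual figure using constructed sample values; the average attacks per year is what risk analysis calls the ARO, and SLE times that rate is the figure normally called the ALE.

```python
"""Annualized malware cost, following the SLE / attacks-per-year steps above.

Added example, not from the paper or the online calculator it cites. All
figures are constructed sample inputs (see the demo under __main__)."""
from dataclasses import dataclass


@dataclass
class MalwareCostInputs:
    """Cost components of one malware incident, in USD, matching the paper's
    SLE list. Values are supplied by the caller (constructed in the demo)."""
    anti_malware_purchase: float       # purchasing / maintaining products
    anti_malware_subscriptions: float  # updates and related services
    data_recreation: float             # restoring or re-creating lost data
    lost_revenue: float
    fines_and_penalties: float         # confidentiality / privacy violations
    productivity_loss: float           # lost employee productivity
    system_repair: float
    hardware_overhead: float           # CPU / memory / disk used by tooling


def email_productivity_loss(employees: int, email_minutes_per_day: float,
                            hourly_rate: float) -> dict:
    """Lost-salary estimate for an email outage using the inputs the paper's
    calculator asks for. Plain employees x minutes x rate; it omits the
    IT-staff term, so it does not reproduce the calculator's own figures."""
    lost_hours = employees * email_minutes_per_day / 60.0
    lost_dollars = lost_hours * hourly_rate
    return {"lost_hours_per_day": lost_hours,
            "lost_dollars_per_day": lost_dollars,
            "lost_dollars_per_hour": lost_dollars / 24.0}


def single_loss_expectancy(c: MalwareCostInputs) -> float:
    """SLE: summed cost of recovering from a single malware attack."""
    return float(sum(vars(c).values()))


def attacks_per_year(history: list) -> float:
    """Average number of attacks per year from prior-year counts (the
    annual rate of occurrence, ARO, in standard risk-analysis terms)."""
    if not history:
        raise ValueError("need at least one year of incident history")
    return sum(history) / len(history)


def annual_malware_cost(c: MalwareCostInputs, history: list) -> float:
    """Annual cost of malware = SLE x average attacks per year. In standard
    risk analysis this product is the annual loss expectancy (ALE)."""
    return single_loss_expectancy(c) * attacks_per_year(history)


if __name__ == "__main__":
    # Constructed demo inputs: 1,000 employees, 30 min of email/day, $25/hr.
    email = email_productivity_loss(1000, 30, 25.0)
    costs = MalwareCostInputs(
        anti_malware_purchase=20000, anti_malware_subscriptions=5000,
        data_recreation=15000, lost_revenue=30000, fines_and_penalties=0,
        productivity_loss=email["lost_dollars_per_day"],
        system_repair=8000, hardware_overhead=2000)
    print(f"SLE: ${single_loss_expectancy(costs):,.2f}")
    print(f"Annual cost (prior years saw 2, 3, 4 attacks): "
          f"${annual_malware_cost(costs, [2, 3, 4]):,.2f}")
```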
Return on Investment
When using Return on Investment to justify purchasing security technology it is
important to remember that avoiding a possible loss is much different than generating
income. Use ROI cautiously.
Findings
Malware affects networks of all sizes, and is installed via various means, many times
without a user’s consent or knowledge. It is costly to businesses in regard to prevention
as well as recovery.
Malware is no longer viewed as a prank created by script kiddies. Malware is now
developed by professional programmers who are paid for their work, and is used to
steal information of all kinds. New types of malware are continuously being developed in
order to avoid detection.
Detection and disinfection can be costly. The way that the enterprise behaves
throughout all four phases of the security cycle determines its success in protecting its
network and data from malware. [14]
Recommendations
Risk analysis and assessment must be performed and are a necessary element in
assessing the necessary expenditures that a business should prepare to incur.
Creating and implementing a security budget are essential in order to protect
information assets, privacy, confidentiality, and the network infrastructure.
Value
I feel that in doing the research for this paper, I have learned about the processes that
must be in place to secure an enterprise network and data. I’ve learned about the
importance and benefits of policies, guidelines and procedures. I’ve learned about the
steps that are necessary for protecting a valuable asset such as an organization’s
network, and that the hardware and software are indeed valuable, but the information
and data that belong to the company have much value as well, indeed maybe more
value than the former.
It’s not just the computers, hardware, software and employees that enable the company
to do business and to remain in business. It is those things in addition to maintaining
data integrity, privacy, availability and confidentiality as well.
Risk Assessment, Risk Management, and Disaster Recovery are all areas that I have
become interested in, recently, and I feel that this paper has introduced me to several
key concepts in all of those areas and given me a basic understanding of them. I may
make a career change after I graduate, leaving Network Administration, and entering
the realm of Risk Management or Security.
References
1. George Ledin, Jr., The Growing Harm of Not Teaching Malware, Communications of the ACM, vol. 54 no. 2, February 2011
2. Steve Lohr, January 17, 2010, Companies Fight Endless War Against Computer Attacks, NYTimes.com, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html
3. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
4. Ellen Messmer, (2008) Security vendors leaving 'old school' malware detection methods behind, NetworkWorld, retrieved 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html
5. AbleOne Systems, http://www.ableone.com
6. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/26 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
7. The SANS Institute, (2007) A Short Primer for Developing Security Policies
8. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
9. Lenny Zeltser, 4 Steps To Combat Malware Enterprise-Wide, Zeltser.com, retrieved 06/19/11 from: http://zeltser.com/combating-malicious-software/malware-in-the-enterprise.html
10. Karen Scarfone, Tim Grance, Kelly Masone, Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-61 Revision 1
11. John Edwards, April 30, 2009, Money for Nothing: The Real Cost of Malware, Focus, retrieved 06/28/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/
12. John Edwards, (2008) The Malware Burden, Network Security Journal, retrieved June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/
13. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved June 29, 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasures
14. Computer Security Institute, 15th Annual 2010-2011 Computer Crime and Security Survey
Other Resources:
- Quest Software, Best Practices in Instant Messaging Management, http://www.idgconnect.com/view_abstract/2619/best-practices-instant-messaging-management-2619
- Mark Merkow, Jim Breithaupt, Information Security Principles and Practices, Pearson Education Inc, 2006
- Applegate, L. M., F. W. McFarlan, and R. D. Austin. Corporate Information Strategy and Management: Text and Cases. 6th ed. New York: McGraw Hill, 2003.
Acknowledgements
1. Dr. Halstead-Nussloch, my professor for this course, IT6683, for providing the
opportunity to research and write this paper
2. Dr. Rutherfoord, my professor for IT5102 “Intro to Security”, for her interesting
PowerPoint presentations, and all that I have learned from her.
3. Dr. Kim Kenneth Metcalf of UWG, my Fiancé, for challenging and encouraging
me.
4. Arden Peterkin, Network Security Consultant for GCPS, for providing invaluable
information about the most current network threats detected and remediated
there.