Critical Control 12: Malware Defenses
How do attackers exploit the lack of this control?
Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, email attachments, mobile devices, and other vectors. Malicious code may tamper with the system's contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.
How can this control be implemented, automated, and its effectiveness measured?
- QW: Organizations should monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, and host-based Intrusion Prevention System functionality. Enterprise administrative features should be used to check daily how many systems lack the latest anti-malware signatures, keeping the number of such systems small or eliminating them entirely through rapid and continuous updates. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
- QW: Organizations should employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.
- QW: Organizations should configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, Firewire devices, external SATA devices, mounted network shares, or other removable media.
- QW: Organizations should configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
- Config/Hygiene: To verify that anti-malware solutions are running, organizations should periodically introduce a benign, non-spreading test case, such as the EICAR anti-virus test file, onto a system in the environment to ensure that it is detected by the anti-malware system, and that the detection is reported to the enterprise anti-malware management system.
- Advanced: Organizations should deploy honeypots or tarpits as detection mechanisms that can also slow down an attacker's progress inside a network.
- Advanced: Organizations should deploy Network Access Control (NAC) tools to verify security configuration and patch level compliance before granting access to a network.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)
Procedures and tools for implementing this control:
Relying on policy and user action to keep anti-malware tools up to date has been widely discredited, as many users have not proven able to keep such tools up to date consistently. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise end-point security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. For added security in depth, and for those systems that may fall outside the enterprise anti-malware coverage, some organizations use network access control technology that tests machines for compliance with security policy before allowing them to connect to the network.
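The daily automated assessment described above can be a short script run against the inventory export of the endpoint security console. The following is an added example, not code from the Critical Controls document or from any vendor console: the CSV layout, its column names, and the frozen clock are constructed assumptions. It flags systems with protection disabled, stale signatures, or no recent check-in (so an update cannot be confirmed), and computes the compliance ratio worth trending day to day.

```python
"""Daily signature-freshness check over an endpoint console export.

Added example, not part of the Critical Controls document. The CSV export
and its column names are constructed assumptions; a real console export
will have its own schema.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory export. All times are UTC.
INVENTORY_CSV = """\
hostname,role,av_enabled,signature_version,signature_date,last_checkin
ws-0101,workstation,true,2024.05.14.2,2024-05-14T06:00:00Z,2024-05-14T09:12:00Z
ws-0102,workstation,true,2024.05.11.1,2024-05-11T06:00:00Z,2024-05-14T08:40:00Z
srv-db01,server,true,2024.05.14.2,2024-05-14T06:00:00Z,2024-05-14T09:00:00Z
srv-web02,server,false,2024.05.14.2,2024-05-14T06:00:00Z,2024-05-14T09:05:00Z
lt-0420,laptop,true,2024.05.14.2,2024-05-14T06:00:00Z,2024-05-09T17:30:00Z
"""

# Assumed: today's published signature release. In production, read it
# from the console or vendor feed rather than hard-coding it.
CURRENT_SIGNATURE = "2024.05.14.2"
NOW = datetime(2024, 5, 14, 10, 0, tzinfo=timezone.utc)  # frozen clock for the sample


@dataclass
class Finding:
    hostname: str
    reason: str


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_inventory(csv_text, now, current_version,
                    max_signature_age=timedelta(days=1),
                    max_checkin_age=timedelta(days=3)):
    """Return (total_systems, findings).

    A system is flagged when protection is off, when its signatures are
    behind the current release and older than max_signature_age, or when
    it has not checked in recently (its update state cannot be verified).
    """
    findings = []
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        host = row["hostname"]
        if row["av_enabled"].strip().lower() != "true":
            findings.append(Finding(host, "anti-malware protection disabled"))
        sig_age = now - parse_ts(row["signature_date"])
        if row["signature_version"] != current_version and sig_age > max_signature_age:
            findings.append(Finding(host, f"signatures {sig_age.days} days old ({row['signature_version']})"))
        if now - parse_ts(row["last_checkin"]) > max_checkin_age:
            findings.append(Finding(host, "no recent check-in; update status unverified"))
    return total, findings


def compliance_ratio(total, findings):
    """Fraction of systems with no finding; the number to trend daily."""
    flagged = {f.hostname for f in findings}
    return (total - len(flagged)) / total if total else 0.0


def run_daily_check():
    """Run the check over the constructed sample and return its results."""
    total, findings = check_inventory(INVENTORY_CSV, NOW, CURRENT_SIGNATURE)
    return total, findings, compliance_ratio(total, findings)


if __name__ == "__main__":
    total, findings, ratio = run_daily_check()
    print(f"{total} systems, {len(findings)} findings, compliance {ratio:.0%}")
    for f in findings:
        print(f"  {f.hostname}: {f.reason}")
```

The check-in age test matters as much as the signature version: a laptop that has not reported in days may show a current version in the console only because that is the last state it reported, so it is listed as unverified rather than counted as compliant.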
On a regular basis, such as monthly, effective organizations download and test the free EICAR file to verify that anti-virus protection is functioning on a sampling of protected workstations and servers. Anti-malware tools should detect this benign file, and security personnel should verify that the detection event is noted in enterprise monitoring and alerting systems.
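The second half of that test, confirming that each detection reached the enterprise monitoring system, is easy to skip. The following added example (not from the Critical Controls document or any vendor product) correlates a list of hosts where the EICAR file was placed against an export of detection events from the central anti-malware console. The event format, field names, and all timestamps are constructed assumptions. A drop only counts as verified when the console shows an EICAR detection on that host after the drop time and within a short window, so a detection left over from last month's test does not satisfy this month's check.

```python
"""Verify that EICAR test drops were detected and reported centrally.

Added example, not part of the Critical Controls document. Inputs are a
constructed list of test drops and a constructed console export whose
key=value line format is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed: where and when the benign test file was placed.
TEST_DROPS = [
    ("ws-0101", "2024-05-14T10:00:00Z"),
    ("ws-0102", "2024-05-14T10:00:30Z"),
    ("srv-db01", "2024-05-14T10:01:00Z"),
]

# Constructed console/log-server export (format assumed).
CONSOLE_EVENTS = """\
2024-05-14T10:00:41Z host=ws-0101 event=detection threat=EICAR-Test-File action=quarantined
2024-05-14T10:01:05Z host=ws-0101 event=detection threat=EICAR-Test-File action=deleted
2024-05-14T09:15:00Z host=srv-db01 event=detection threat=EICAR-Test-File action=quarantined
2024-05-14T10:02:10Z host=srv-db01 event=signature_update version=2024.05.14.2
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"] = parse_ts(m.group("ts"))
        events.append(fields)
    return events


def verify_drops(drops, events, window=timedelta(minutes=15)):
    """Return {host: status} for each test drop.

    Verified means: a detection event naming EICAR exists for that host,
    timestamped at or after the drop and within the window. Anything else
    points at a disabled agent, a broken scan, or broken log forwarding.
    """
    results = {}
    for host, dropped in drops:
        t0 = parse_ts(dropped)
        hits = [
            e for e in events
            if e.get("host") == host
            and e.get("event") == "detection"
            and "EICAR" in e.get("threat", "").upper()
            and t0 <= e["ts"] <= t0 + window
        ]
        results[host] = ("detected and reported" if hits
                         else "NOT reported: check agent state and log forwarding")
    return results


def run_verification():
    """Run the correlation over the constructed sample data."""
    return verify_drops(TEST_DROPS, parse_events(CONSOLE_EVENTS))


if __name__ == "__main__":
    for host, status in run_verification().items():
        print(f"{host}: {status}")
```

In the sample, ws-0101 passes, ws-0102 produced no event at all, and srv-db01 has only a stale detection from before the drop plus an unrelated signature update, so both of the latter are listed for follow-up.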
Some enterprises deploy free or commercial honeypot and tarpit tools to identify attackers in their environment. Security personnel should continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for a follow-on investigation.
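The monitoring step above amounts to parsing the honeypot's log, grouping activity by source address, and turning that into a prioritised list for investigation. The following is an added example, not code from the Critical Controls document or from any honeypot project: the JSON-lines log is constructed (source addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and its field names are assumptions to adapt to the honeypot in use. It records connection counts, login attempts, usernames tried, ports touched, and first/last seen per source, and skips a corrupted log line rather than aborting.

```python
"""Triage of honeypot activity for follow-on investigation.

Added example, not part of the Critical Controls document. The JSON-lines
log and its field names are constructed assumptions.
"""
import json
from datetime import datetime, timezone

HONEYPOT_LOG = """\
{"ts": "2024-05-14T02:11:03Z", "src": "203.0.113.45", "dport": 22, "event": "connect"}
{"ts": "2024-05-14T02:11:04Z", "src": "203.0.113.45", "dport": 22, "event": "login_attempt", "user": "root"}
{"ts": "2024-05-14T02:11:06Z", "src": "203.0.113.45", "dport": 22, "event": "login_attempt", "user": "admin"}
{"ts": "2024-05-14T02:40:19Z", "src": "198.51.100.7", "dport": 445, "event": "connect"}
{"ts": "2024-05-14T03:02:55Z", "src": "203.0.113.45", "dport": 3389, "event": "login_attempt", "user": "administrator"}
not json: a corrupted line the parser must skip rather than crash on
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON lines; skip malformed lines so one bad record cannot stop triage."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def summarize_sources(records):
    """Per source address: counts, ports touched, usernames tried, first/last seen."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["src"], {
            "connections": 0, "login_attempts": 0,
            "ports": set(), "usernames": set(),
            "first_seen": r["ts"], "last_seen": r["ts"],
        })
        s["ports"].add(r["dport"])
        s["first_seen"] = min(s["first_seen"], r["ts"])
        s["last_seen"] = max(s["last_seen"], r["ts"])
        if r["event"] == "connect":
            s["connections"] += 1
        elif r["event"] == "login_attempt":
            s["login_attempts"] += 1
            s["usernames"].add(r.get("user", "?"))
    return summary


def investigation_queue(summary):
    """Sources ordered by login attempts, then connections. Nothing legitimate
    should touch a honeypot, so every entry is a lead; this only sets the order."""
    return sorted(
        summary,
        key=lambda src: (summary[src]["login_attempts"], summary[src]["connections"]),
        reverse=True,
    )


def run_triage():
    """Run the triage over the constructed sample log."""
    summary = summarize_sources(parse_log(HONEYPOT_LOG))
    return summary, investigation_queue(summary)


if __name__ == "__main__":
    summary, queue = run_triage()
    for src in queue:
        s = summary[src]
        print(f"{src}: {s['connections']} connections, {s['login_attempts']} login attempts, "
              f"ports {sorted(s['ports'])}, users {sorted(s['usernames'])}, "
              f"{s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}")
```

The per-source record (ports, usernames, first and last seen) is the set of details the text says should be gathered for the follow-on investigation; the ordering puts the source that attempted logins ahead of one that only connected.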
Additional Security Controls
The following sections identify additional controls that are important but that cannot be automatically or continuously monitored.