How to Live With Malware Infections
How can you be sure your organization doesn't have insidious viruses or other malware lurking within systems and applications, waiting to inflict damage? You can't.
Malware has grown sophisticated to the point where there's no guarantee that it's actually gone, even when you've applied the latest antivirus software. Making matters worse, IT infrastructures are becoming much more complex -- with an ever-growing population of devices that give malware even more possible entry points.
These days, you have to assume there are some infected PCs or other devices on the corporate network.
Get used to it: Malware is everywhere you go
The malware problem is getting worse. According to the Ponemon Institute's 2011 State of Endpoint Risk study, 43 percent of the 782 U.S.-based IT and IT security professionals surveyed reported a "dramatic uptick" in malware in 2010. Fully 98 percent of the organizations surveyed by Ponemon experienced a virus or malware-based network intrusion, and 35 percent said they had experienced 50 malware attempts within a span of just one month, or more than one intrusion per day.
"The current batch of malware we're seeing is very sophisticated and well written, and it hides itself well and avoids detection well," says Fred Rica, principal in the information security advisory practice at the PricewaterhouseCoopers consulting firm.
The good news is that this "living with malware" scenario doesn't have to lead to lost data, unavailable systems, or other problems. Companies can and do function despite these intrusions.
Here are some approaches that can help minimize the effect of malware on your network and in your systems so that your company can carry on with business despite the nagging presence of these troublesome programs.
Malware survival tip No. 1: Practice good data governance
You can help minimize the damage caused by malware by more effectively protecting the specific types of data that many of the malware programs are going after in the first place. In a lot of cases, they're looking to exploit sensitive data such as personal information, trade secrets, research and development findings, and other intellectual property, Rica says.
PricewaterhouseCoopers is working with many of its clients to create a strong data governance model that helps the organizations better understand what their most critical data is, where it's stored, how it moves on the corporate networks, and how they can put the right controls in place to maximize the security of that information.
An audit of the information assets at many companies will show that sensitive data such as customer credit card numbers is initially well-guarded, Rica says. But eventually it ends up in less-protected applications such as spreadsheets or emails, where it is more susceptible to malware.
"We've seen clients lose tens of millions of credit card or Social Security numbers because they're in spreadsheets somewhere outside the HR system," Rica says. "Our approach is to use better data governance models so that this data has the same [security] controls around it regardless of where it resides. Make sure the data is protected through all stages of its lifecycle."
Because all data is not equal, a key part of data governance involves categorizing information so that you can identify which data is most critical to the company and its customers. From there, you can apply more stringent access controls.
"Start to separate the infrastructure based on what are your crown jewels versus what's costume jewelry," says Patricia Titus, chief information security officer at technology services provider Unisys. Titus says Unisys uses guidelines created by the National Institute of Standards and Technology (NIST) designed to help organizations characterize the importance of their data and select the right security controls.
Malware survival tip No. 2: Deploy technologies and tactics that can help keep malware from spreading
Even when some of your systems are infected with a virus to the point where nothing seems to remove it completely, that doesn't mean the virus has to spread to other systems in your organization.
When you discover or suspect such a virus, take the infected systems offline as soon as possible to reduce the chance of spreading the malware or compromising other systems. Next, reapply a known, clean image, says Andy Hayter, the antimalcode program manager at ICSA Labs, a testing and certification firm.
Putting in a layered defense that includes technologies such as firewalls, antispam, intrusion prevention systems, intrusion detection systems, and antivirus software -- plus keeping systems up to date with the latest patches -- should help prevent the malware from infecting an entire organization, Hayter says.
"Control gateways between network segments and apply greater monitoring and control over internal networks," adds Richard Zuleg, a consultant at security consulting firm SystemExperts.
Encrypt traffic and data whenever possible, Zuleg advises, and use technology such as server and desktop virtualization both to quickly redeploy systems or even reset them to clean images and to separate data from the system.
"Companies need to be controlling who has advanced privileges on systems and strictly control access to data," Zuleg says. "If infected PCs are to become an accepted part of a network segment, then you will have no trust in that segment and must consider it to be like the public Internet."
New network analysis tools will soon emerge that let you better identify where malware exists on the network and how to best contain viruses, says Marc Seybold, CIO at the State University of New York at Old Westbury. When such technology becomes available, "if devices that Jane Smith uses to access the network are persistently trying to transmit data to outside domains that are in some way anomalous compared to other traffic on the network or her long-term patterns, then additional attention would be focused on such a user's devices and remedial action taken," he says. Among the companies working on such technology are Alcatel-Lucent, Riverbed, and SonicWall.
At the same time, Seybold says, network traffic flows will start to be more compartmentalized and insulated from each other as network access control and policy-based management are combined with application flow monitoring. "As these are linked up, full behavioral analysis based on end-to-end application flows bound to specific users will become possible," he says. Eventually there might be predictive analytics that could preemptively intercept malware transmissions based on past user behavior, "but that is still science fiction," he says.
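The per-user behavioral check Seybold describes (a device persistently reaching outside domains that fit neither the user's long-term pattern nor the rest of the network's traffic) can be sketched in a few lines. This is an added illustration, not code from the article or from any vendor named in it; the flow records, user names, domains and thresholds are constructed sample values.

```python
from collections import Counter, defaultdict

# Constructed flow records (user, device, destination domain); sample data, not real traffic.
# BASELINE is the learning window, RECENT the window under review.
BASELINE = [
    ("jsmith", "laptop-01", "mail.example.com"),
    ("jsmith", "laptop-01", "intranet.example.com"),
    ("jsmith", "laptop-01", "cdn.vendor-a.example"),
    ("rjones", "desktop-07", "mail.example.com"),
    ("rjones", "desktop-07", "updates.vendor-b.example"),
    ("aking", "laptop-12", "mail.example.com"),
    ("aking", "laptop-12", "updates.vendor-b.example"),
]
RECENT = [
    ("jsmith", "laptop-01", "mail.example.com"),
    ("jsmith", "laptop-01", "updates.vendor-b.example"),  # new for Jane, but common org-wide
    ("jsmith", "laptop-01", "odd-host-1234.example"),      # new for Jane and for everyone, repeated
    ("jsmith", "laptop-01", "odd-host-1234.example"),
    ("jsmith", "laptop-01", "odd-host-1234.example"),
    ("jsmith", "laptop-01", "odd-host-1234.example"),
    ("rjones", "desktop-07", "one-off.example"),           # single contact, not persistent
]

def build_baselines(flows):
    """Per-user domain counts plus how many distinct users contact each domain."""
    per_user = defaultdict(Counter)
    for user, _device, domain in flows:
        per_user[user][domain] += 1
    users_per_domain = Counter()
    for domains in per_user.values():
        users_per_domain.update(domains.keys())
    return per_user, users_per_domain

def flag_anomalous_devices(flows, per_user, users_per_domain, min_attempts=3, common_users=2):
    """Return (user, device) -> {domain: attempts} for domains that are outside the user's
    own history, not already common across the organisation, and contacted repeatedly."""
    new_contacts = defaultdict(Counter)
    for user, device, domain in flows:
        if domain in per_user.get(user, {}):
            continue  # part of this user's long-term pattern
        if users_per_domain.get(domain, 0) >= common_users:
            continue  # normal for the network as a whole (e.g. a shared update server)
        new_contacts[(user, device)][domain] += 1
    return {key: {d: n for d, n in c.items() if n >= min_attempts}
            for key, c in new_contacts.items()
            if any(n >= min_attempts for n in c.values())}

def review_window():
    per_user, users_per_domain = build_baselines(BASELINE)
    return flag_anomalous_devices(RECENT, per_user, users_per_domain)
```

Flagged devices are candidates for the "additional attention" the article mentions, such as isolation and reimaging, not automatic verdicts.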