Notes from the Field: Center for Internet Security Control 10 – Malware Defenses
by Greg Halpin / September 14th, 2023
The client I was working with had a web application hosted on a Windows server with the anti-virus software disabled. When I asked the head of Information Technology about it, he said the company’s web application didn’t work when anti-virus was running, so they couldn’t enable it. They weren’t concerned about it as they had a firewall in place with malware protection. I strongly advised them to reconsider that decision. Instead of disabling anti-virus, I recommended they determine why the web application did not work and correct it. They were the only client I had worked with that did not have anti-virus enabled on a Windows web application server. The risk of a Windows server being infected by a virus is high, especially one with a public facing IP address. Additionally, the server did not have recent security patches installed. It was only a matter of time before attackers compromised their web server.
It’s commonly accepted that Windows systems must have anti-malware software installed to protect them while Linux and macOS don’t need it. That view has been changing over the last several years. Linux and macOS are targeted more and more by ransomware and cryptojacking malware.
This is the tenth instalment of Greg Halpin’s Center for Internet Security (CIS) Controls series, focusing on CIS Control 10- Malware Defenses. As a reminder, the Center for Internet Security Controls are 18 critical information security controls that all organizations and information security professionals should be familiar with and implement to protect their networks and data. The free but valuable document contains high level information that executives can understand and also has specific details about tools and procedures for technical staff to run with.
The Overview for Control 10 – Malware Defenses is- Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Why is malware defense critical?
Malicious software is one of the biggest threats to your company and customer data. Malware can be used to capture user credentials to further exploit your network and can be used by attackers to encrypt and delete your data, preventing you from accessing it unless you pay a ransom for it. Attackers leverage machine learning tools to make more sophisticated and effective malware. Malware enters company networks through vulnerabilities, phishing, and many other avenues. It’s necessary to have comprehensive malware defenses to protect your systems and data.
Control 10 includes 7 sub-controls or safeguards. They are:
10.1 Deploy and Maintain Anti-Malware Software
10.2 Configure Automatic Anti-Malware Signature Updates
10.3 Disable Autorun and Autoplay for Removable Media
10.4 Configure Automatic Anti-Malware Scanning of Removable Media
10.5 Enable Anti-Exploitation Features
10.6 Centrally Manage Anti-Malware Software
10.7 Use Behavior-Based Anti-Malware Software
Larger clients I work with generally have good practices in place for preventing malware. They have anti-malware or endpoint detection and response (EDR) tools installed on all of their servers, workstations, and laptops. They manage the tools centrally with a team that checks the status of systems. The team follows up on systems that are not reporting their status to the console, not receiving updates, or have been infected by malware.
Some of the most widely used anti-malware/EDR tools by larger clients are from Trend Micro, SentinelOne, CrowdStrike, Symantec, and McAfee. Additionally, network firewalls include filtering of malware traffic prior to reaching endpoints.
Smaller to mid-size clients often don’t have much in place to protect systems from malware. They lack the budget or staff resources to manage a centralized anti-malware tool. They rely on the default tools that are installed with the operating systems, such as Windows Defender for Microsoft Windows server end user systems and XProtect for Apple macOS. Are Defender and XProtect enough? Maybe. But is maybe good enough to protect your company and customer data?
You want assurance that if new malware is spreading across the internet, your systems are fully protected. You also want to know if your systems are affected. Without a central management console for your anti-malware tool, it’s difficult to know for sure what is going on in your company’s network. Was one system affected or hundreds? It’s important to know so you can take immediate action, such as isolating systems, blocking ports on your network, or pushing out a new security patch.
For Linux servers, most small to mid-sized companies, and even some larger companies I work with, generally do not deploy anti-malware software. When they do, it’s often ClamAV. That’s sufficient to protect systems but it does not have centralized management features. Logging and alerting for ClamAV can be leveraged using a SIEM tool if one is in place to get a full picture of the status of systems. Sometimes companies deploy OSSEC, a host intrusion detection tool, to their Linux systems instead of, or in addition to, deploying ClamAV. OSSEC is not a dedicated anti-malware tool but does include root-kit and malware detection.
OSSEC and popular anti-virus/EDR tools have intrusion detection and file integrity monitoring features to identify changed files. This helps track activity and potential damage or deletion of files. Some of the tools can also stop processes completely based on behavior to better protect your systems and data.
Anti-malware defenses combined with the other CIS Controls can help protect your network, systems, and data. Check out the CIS Controls document to learn more.
Do you need help defending your organization?
Defending your organization against malware can feel like an intimidating process, especially with advanced and evolving malware that poses a bigger threat than ever before. Following the CIS guidelines is a great way to begin to secure your environment, but partnering with cybersecurity and compliance experts will provide an added level of assurance. Connect with a KirkpatrickPrice expert to start achieving your security and compliance goals today.
