Following the success of the Malware Removal Starter Kit, the Solutions Accelerators - Security and Compliance (SA-SC) team has been working to provide a more in-depth look at malware. The team would like your input about what you and your peers find beneficial when dealing with malware.
Malware defense comes in many flavors, all of which aim to provide layers of defense in depth. These layers should consist of more than just a firewall and antivirus products; we need to look at a more comprehensive solution.
The face of malware is changing rapidly. As most of you are aware, threats are getting more sophisticated and complex. Additionally, many organizations continue to rely solely on a firewall to provide most of their security needs.
With this in mind, we’d like your thoughts on best practices for managing malware; in particular, which of the following do you think a good malware defense should involve?
- Client-side security
  - personal firewall
- Server-side security
  - limit services
- Edge security
  - a firewall
Does this basic solution provide an adequate technical solution for most organizations, or are there key issues that are overlooked? And when should fledgling companies start their anti-malware efforts, even if they don't have all the pieces in place for a basic anti-malware strategy? What about messaging and IM?
We are interested in hearing your ideas. If you would like to voice your position on malware defense, please let us know.
Wow, what a lovely Q; where to start?
Firstly - consumers and small installations may roll "server" and "client" into the same box, may require different strategies, and are relevant because consumer broadband facilitates mass malware spread and DDoS.
Secondly - planning should start with the way the system is set up, the apps that are chosen, where things are stored, etc. Whether you believe in "wipe and rebuild" or "clean", you still have to scope between good and bad. Design that in from the outset.
Thirdly - don't rely on time as your X-axis; malware may be hidden long enough to pervade backups, and old boilerplate code will lack subsequent patches and be exploitable. You have to actively scope these things.
Fourthly - "depth" means planning all the way through, beyond the failure of your defenses. You can't just throw up your hands and give up every time some malware gets traction on a PC, considering the battle to be lost.
For every one infected PC to fix, there will be ten situations that raise the prospect of malware, requiring it to be excluded. If you take the "just wipe and rebuild" approach to its logical conclusion, "perfect" (undetectable, no side-effects) malware would require you wipe and rebuild PCs that show no signs of abnormality at all.
In the blog I neglected to mention that users are now more mobile than ever. Users are connecting remotely through the firewall, and all edge and server defenses are reduced to nothing. Additionally, a system admin who VPNs in remotely can touch all the hardened servers just as if he were local. Let's just hope that the admin's box is not compromised!
So what’s the next step in moving the boundary? (besides reactive, such as rebuilding an infected system.)
Your point about VPN is a more general problem that applies also to EFS, botlocker, IPSec etc.
The problem is that a hard pipe that connects the inside of something to the inside of something else, also bypasses all edge defenses. Effectively, the linked entities become intimately "local" to each other.
EFS and bitlocker are slightly different, in that the problem is more one of "kicking away the ladder". If malware integrates into a bitlocked system, you may be locked out of formal maintenance, if the only code that can read that system is that which has been infected. Hence the nickname "botlocker".
EFS, bitlocker and VPN are all great technologies, as long as your needs match what they do. The risk is that folks will turn them on because they have "security" in the documentation, without understanding their impact. Even NTFS falls into that category.