CYB-DOC-05-1 Anti-Malware Policy

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

This document defines the organisation’s policy about protection against malicious software.

Areas of Cyber Essentials addressed

The following areas of Cyber Essentials are addressed by this document:

• Control 5: Malware Protection

General guidance

Anti-malware is largely driven by use of appropriate software to spot viruses and prevent them from spreading. You will need to look carefully at the software you use for this and satisfy yourself that it is good enough, possibly by reading reviews online or in magazines.

This document sets out the main points of a strategy to protect the organisation from malware. If there are any controls that are not appropriate for your environment, you should remove them from this document.

Review frequency

Given the pace of change with malware, we would recommend that this document is reviewed quarterly and upon significant change to the organisation.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will

create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

Anti-Malware Policy

DOCUMENT REF

CYB-DOC-05-1

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]

Revision history

Approval

1 Introduction

The threat posed by malware has never been more serious than it is today. [Organization Name] systems and users are under a constant bombardment of attempts to circumvent security to make gain or to disrupt the normal operation of the organisation.

This threat can come from sources including:

• Organised gangs attempting to steal money or commit blackmail

• Competitor organisations trying to obtain confidential information

• Politically motivated groups

• Rogue employees within the organisation

• Nation state sponsored “cyber-warfare” units

• Individuals exercising curiosity or testing their skills

Whatever the source, the result of a successful security breach is that the organisation and its stakeholders are affected, sometimes seriously, and harm is caused.

One of the primary tools used by such attackers is malware, and it is essential that effective precautions are taken by [Organization Name] to protect itself against this threat.

This document sets out the organisation’s policy about defence against malware.

This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies are relevant to this document:

• Mobile Device Policy

• Acceptable Use Policy

• Electronic Messaging Policy

• Software Policy

• Patch Management Policy

2 The malware threat

There is no single definition of the term “malware” in use but, for the purposes of this policy, the following definition is used:

“Malware is any code or software that may be harmful or destructive to the informationprocessing capabilities of the organisation”

The term is derived from the phrase “malicious software” and may also be called malicious code or commonly (but inaccurately) a virus.

Malware comes in many forms and is constantly changing as previous attack routes are closed and new ones are found. The most common types of malware found today are:

• Virus: a program that performs an unwanted function on the infected computer. This could involve destructive actions or the collection of information that can be used by the attacker.

• Trojan: a program that pretends to be legitimate code but conceals other unwanted functions. Often disguised as a game or useful utility program.

• Worm: a program capable of copying itself on to other computers or devices without user interaction.

• Logic bomb: malicious code set to run at a specified date and time, or when certain conditions are met.

• Rootkit: a program used to disguise malicious activities on a computer by hiding the processes and files from the user.

• Keylogger: code that records keystrokes entered by the user.

• Backdoor: a program that allows unauthorised access at will to an attacker.

Often, these types of malware will be used in combination with each other. For example, an attacker will encourage an unwitting user to infect a computer with a virus which will allow unauthorised access. This initial access will then be used to install a rootkit to disguise further activities, a keylogger to capture keystrokes and a backdoor to allow future access without detection.

For malicious software to carry out its intended purpose, it needs to be installed on the target device or computer. There are a number of key ways in which malware infects computers and networks, although new ways are being created all the time.

Phishing involves tricking the user into taking some action that causes a malicious program to run and infect the computer. It is usually achieved via the blanket sending of unsolicited emails (spam) with file attachments or web links included in them. When the user opens the file or clicks on the link, the malicious action is triggered.

Phishing attacks have become more sophisticated in recent years and can be believable and enticing to the user. More targeted versions of phishing have appeared, such as spear phishing (aimed at a particular organisation) and even whaling (aimed at one individual).

The widespread use of mobile code such as JavaScript on websites has provided attackers with another route to infect computers with malware. Often, websites will be created to host the malware, which is activated either upon clicking a link or, in some cases, simply by visiting the website.

Increasingly, legitimate websites are being compromised and made to host malware without the owner’s knowledge, making this type of attack difficult for the user to avoid.

USB memory sticks, CDs, DVDs and other removable media devices provide an effective way of spreading malware on to additional computers. When the media is inserted into the machine, the malware will either run and infect the target or will copy itself onto the removable media in order to prepare to infect the next machine it is plugged into.

Hacking, or “cracking” as it is more accurately known, is a more targeted and therefore less common method of introducing malware on to a computer or network by gaining unauthorised access to the network from outside (and sometimes inside) the organisation. This method requires more knowledge on the part of the perpetrator and often exploits existing vulnerabilities in the software or network devices being used. Once access has been gained, malware will be installed remotely onto the compromised machine.

3 Anti-malware policy

To prevent the infection of [Organization Name] computers and networks, and avoid the potentially dire consequences of such infection, there are a number of key controls that will be adopted as policy.

The key concept adopted in this policy is that no single control should be relied upon to provide adequate protection. This is therefore not a choice between controls but a list of controls, all of which should be implemented where possible to guard against the threats outlined in the previous section.

A firewall will be installed at all points at which the internal network is connected to the Internet. Where possible, individual firewalls will be enabled on client computers. Access permissions must be set such that the user cannot disable the firewall.

3.1 Anti-malware software

A commercial, supported antivirus platform will be installed on devices used by the organisation at key locations:

• Firewall

• Email servers

• Proxy servers

• All other servers

• All user computers

• Mobile devices, including laptops, phones and tablets where possible

• In cloud environments where [Organization Name] is responsible for malware protection

All antivirus clients will be set to obtain antivirus signature updates (where used) on a regular basis, either directly from the vendor website or from a central server within the organisation.

By default, real time scanning must be permanently enabled to provide protection. Regular full scans must also be carried out at least weekly

Users must not be able to disable the protection which is configured centrally.

A system will be installed to filter out unsolicited and potentially harmful emails (spam). Types of attachments known to often contain malware must be blocked or removed before delivery to the user.

3.2 Application installation

Users must not have sufficient administrative access to their computer to allow them to install unauthorised software onto it. Only approved software will be allowed, and this must be installed upon authorised request, except in the case of software made available via an approved app store, which may be installed by the user directly with no involvement from the technical team.

An allow-list of permitted software applications will be maintained and configured on systems that support this type of control.

Regular scanning of user computers to detect unauthorised software must be carried out.

Where available, application installations that support code-signing will be used, to guarantee the integrity and origin of the provided software.

3.3 Software vulnerabilities

Information on software vulnerabilities will be collected from vendors and third-party sources, and updates applied where available. If possible, and if permitted by the organisational policy, updates will be applied automatically as soon as they are released.

Vulnerability scanning must be carried out regularly, particularly on business-critical servers and networks.

For new vulnerabilities identified by [Organization Name] employees, a co-ordinated disclosure policy will apply.

3.4 Threat awareness

Users must be made aware when starting with the organisation of the information security policy and be trained in ways to avoid falling victim to attacks such as phishing.

This awareness training must be repeated on a regular basis to all employees who make use of IT equipment.

Information about emerging threats will be obtained from appropriate sources and users alerted proactively of potential attacks, giving as much detail as possible to maximise the chance of recognition.

Regular reviews will be carried out of business-critical servers, networks and cloud services to identify any malware installed since the last review.