
Anti-Malware Policy

Cyber Essentials Toolkit Version 1 ©CertiKit


Implementation Guidance (The header page and this section must be removed from the final version of the document)

Purpose of this document: This document defines the organisation’s policy with regard to protection against malicious software.

Areas of the standard addressed: The following areas of Cyber Essentials are addressed by this document: Control 4 – Malware Protection

General Guidance: Anti-malware is largely driven by the use of appropriate software to spot viruses and prevent them from spreading. You will need to look carefully at the software you use for this and satisfy yourself that it’s good enough, possibly by reading reviews online or in magazines. This document sets out the main points of a strategy to protect the organisation from malware. If there are any controls that are not appropriate for your environment, you should remove them from this document.

Review Frequency: Given the pace of change with malware, we would recommend that this document is reviewed quarterly and upon significant change to the organisation.

Toolkit Version Number: Cyber Essentials Toolkit Version 1 ©CertiKit.

Document Fields: This document may contain fields which need to be updated with your own information, including a field for Organisation Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.

Copyright notice: Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms: This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.

Disclaimer: Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.

[Replace with your logo]

Anti-Malware Policy

Document Ref.: CYB-DOC-04-1
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:

Revision History

Version | Date | Revision Author | Summary of Changes

Distribution

Name | Title

Approval

Name | Position | Signature | Date

Contents

1 Introduction ........ 8
2 The Malware Threat ........ 9
3 Anti-Malware Policy ........ 11

1 Introduction

The threat posed by malware has never been more serious than it is today. [Organization Name] systems and users are under a constant bombardment of attempts to circumvent security in order to make some kind of gain or to disrupt the normal operation of the organisation. This threat can come from sources including:

• Organised gangs attempting to steal money or commit blackmail
• Competitor organisations trying to obtain confidential information
• Politically motivated groups
• Rogue employees within the organisation
• Nation state sponsored “cyber-warfare” units
• Individuals exercising curiosity or testing their skills

Whatever the source, the result of a successful security breach is that the organisation and its stakeholders are affected, sometimes seriously, and harm is caused. One of the primary tools used by such attackers is malware, and it is essential that effective precautions are taken by [Organization Name] to protect itself against this threat.

This document sets out the organisation’s policy with regard to defence against malware. This control applies to all systems, people and processes that constitute the organisation’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies are relevant to this document:

• Mobile Device Policy
• Acceptable Use Policy
• Electronic Messaging Policy


2 The Malware Threat

There is no single definition of the term “malware” in use but, for the purposes of this policy, the following definition is used:

“Malware is any code or software that may be harmful or destructive to the information-processing capabilities of the organisation”

The term is derived from the phrase “malicious software” and may also be called malicious code or commonly (but inaccurately) a virus. Malware comes in many forms and is constantly changing as previous attack routes are closed and new ones are found. The most common types of malware found today are:

• Virus – a program that performs an unwanted function on the infected computer. This could involve destructive actions or the collection of information that can be used by the attacker.
• Trojan – a program that pretends to be legitimate code but conceals other unwanted functions. Often disguised as a game or useful utility program.
• Worm – a program capable of copying itself on to other computers or devices without user interaction.
• Logic bomb – malicious code set to run at a specified date and time, or when certain conditions are met.
• Rootkit – a program used to disguise malicious activities on a computer by hiding the processes and files from the user.
• Keylogger – code that records keystrokes entered by the user.
• Backdoor – a program that allows unauthorised access at will to an attacker.

Often, these types of malware will be used in combination with each other. For example, an attacker will encourage an unwitting user to infect a computer with a virus which will allow unauthorised access. This initial access will then be used to install a rootkit to disguise further activities, a keylogger to capture keystrokes and a backdoor to allow future access without detection.

In order for malicious software to carry out its intended purpose, it needs to be installed on the target device or computer. There are a number of key ways in which malware infects computers and networks, although new ways are being created all the time.

Phishing involves tricking the user into taking some action that causes a malicious program to run and infect the computer. It is usually achieved via the blanket sending of unsolicited emails (spam) with file attachments or web links included in them. When the user opens the file or clicks on the link, the malicious action is triggered. Phishing attacks have become more sophisticated in recent years and can be believable and enticing to the user. More targeted versions of phishing have appeared, such as spear phishing (aimed at a particular organisation) and even whaling (aimed at one individual).

The widespread use of mobile code such as JavaScript on websites has provided attackers with another route to infect computers with malware. Often, websites will be created to host the malware, which is activated either upon clicking a link or, in some cases, simply by visiting the website. Increasingly, legitimate websites are being compromised and made to host malware without the owner’s knowledge, making this type of attack difficult for the user to avoid.

USB memory sticks, CDs, DVDs and other removable media devices provide an effective way of spreading malware on to additional computers. When the media is inserted into the machine, the malware will either run and infect the target or will copy itself onto the removable media in order to prepare to infect the next machine it is plugged into.

Hacking, or “cracking” as it is more accurately known, is a more targeted and therefore less common method of introducing malware on to a computer or network by gaining unauthorised access to the network from outside (and sometimes inside) the organisation. This method requires more knowledge on the part of the perpetrator and often exploits existing vulnerabilities in the software or network devices being used. Once access has been gained, malware will be installed remotely onto the compromised machine.


3 Anti-Malware Policy

In order to prevent the infection of [Organization Name] computers and networks, and avoid the potentially dire consequences of such infection, there are a number of key controls that will be adopted as policy. The key concept adopted in this policy is that no single control should be relied upon to provide adequate protection. This is therefore not a choice between controls but a list of controls, all of which should be implemented where possible to guard against the threats outlined in the previous section.

A firewall will be installed at all points at which the internal network is connected to the Internet. Where possible, individual firewalls will be enabled on client computers. Access permissions must be set such that the user cannot disable the firewall.

A commercial, supported antivirus platform will be installed within the organisation at key locations:

• Firewall
• Email servers
• Proxy servers
• All other servers
• All user computers
• Mobile devices, including laptops, phones and tablets where possible

All antivirus clients will be set to obtain antivirus signature updates on a regular basis, either directly from the vendor website or from a central server within the organisation. By default, real time scanning must be enabled to provide protection at all times. Regular full scans must also be carried out at least weekly. Users must not be able to disable the protection which is configured centrally.

A system will be installed to filter out unsolicited and potentially harmful emails (spam). Types of attachments known to often contain malware must be blocked or removed before delivery to the user.

Users must not have sufficient administrative access to their computer to allow them to install software onto it. Only approved software will be allowed and this must be installed upon authorised request. A whitelist of permitted software applications will be maintained and configured on systems that support this type of control. Where available, software applications that support sandboxing (a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading) will be used.
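The control above requires that attachment types known to often contain malware are blocked or removed before delivery. The following is an added example of how a mail gateway might apply that rule; it is not CertiKit's code and not part of the toolkit. The blocked-extension set, the magic-number tables and the sample attachments are constructed assumptions for the illustration. It goes a little beyond the policy text by checking the content of an attachment as well as its name, so that an executable renamed to look like a document, or a double extension such as "invoice.pdf.exe", is still caught.

```python
"""Screening of inbound email attachments before delivery to users.

Added example for the policy requirement that attachment types known to
often contain malware are blocked or removed before delivery. Not
CertiKit's code: the denylist, the magic-number tables and the sample
message are constructed assumptions, not values from the policy.
"""
from dataclasses import dataclass

# Constructed denylist of final extensions the organisation refuses outright.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "dll", "lnk", "ps1", "jar", "cpl",
}

# Constructed table of leading bytes expected for some allowed extensions,
# so that a file claiming to be a PDF must actually begin like one.
EXPECTED_MAGIC = {
    "pdf": (b"%PDF",),
    "png": (b"\x89PNG",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}

# Leading bytes of native executables and scripts, checked whatever the
# filename says, so "statement.pdf" holding a PE image is still refused.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


@dataclass(frozen=True)
class Verdict:
    filename: str
    allowed: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """Every dotted suffix, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def screen_attachment(filename: str, content: bytes) -> Verdict:
    """Decide whether one attachment may be delivered, and why."""
    exts = _extensions(filename)
    if not exts:
        return Verdict(filename, False, "no file extension, held for review")
    final = exts[-1]
    # 1. Refuse blocked types outright. A double extension such as
    #    invoice.pdf.exe ends in the dangerous suffix, so it is caught here.
    if final in BLOCKED_EXTENSIONS:
        return Verdict(filename, False, f"blocked extension .{final}")
    # 2. Refuse executable content regardless of the claimed extension.
    if content.startswith(EXECUTABLE_MAGIC):
        return Verdict(filename, False, f"executable content with .{final} extension")
    # 3. For known document and image types, the bytes must match the name.
    expected = EXPECTED_MAGIC.get(final)
    if expected is not None and not content.startswith(expected):
        return Verdict(filename, False, f"content does not match .{final} header")
    return Verdict(filename, True, "no concerns")


def screen_message(attachments: dict[str, bytes]) -> tuple[list[Verdict], list[Verdict]]:
    """Split one message's attachments into (deliverable, removed)."""
    verdicts = [screen_attachment(name, data) for name, data in attachments.items()]
    delivered = [v for v in verdicts if v.allowed]
    removed = [v for v in verdicts if not v.allowed]
    return delivered, removed


if __name__ == "__main__":
    # Constructed sample message: one genuine PDF and three disguised files.
    sample = {
        "quarterly-report.pdf": b"%PDF-1.7\n%constructed",
        "invoice.pdf.exe": b"MZ\x90\x00\x03",
        "statement.pdf": b"MZ\x90\x00\x03",   # PE image with a .pdf name
        "photo.png": b"%PDF-1.4",             # PDF bytes with a .png name
    }
    delivered, removed = screen_message(sample)
    for v in delivered + removed:
        print(f"{'DELIVER' if v.allowed else 'REMOVE':7} {v.filename}: {v.reason}")
```

Checks run in the order denylist, executable signature, then declared-type mismatch, so the reason reported is the most specific one. A gateway would normally quarantine rather than silently drop what it removes, so that users and administrators can review false positives.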


Regular scanning of user computers to detect unauthorised software must be carried out.

Information on software vulnerabilities will be collected from vendors and third-party sources, and updates applied where available. If possible, and if permitted by the organisational policy, updates will be applied automatically as soon as they are released. Vulnerability scanning must be carried out regularly, particularly on business-critical servers and networks. For new vulnerabilities identified by [Organization Name] employees, a co-ordinated disclosure policy will apply.

Users must be made aware when starting with the organisation of the information security policy and be trained in ways to avoid falling victim to attacks such as phishing. This awareness training must be repeated on a regular basis to all employees who make use of IT equipment. Information about emerging threats will be obtained from appropriate sources and users alerted proactively of potential attacks, giving as much detail as possible to maximise the chance of recognition.

Regular reviews will be carried out of business-critical servers and networks to identify any malware installed since the last review.
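The policy pairs a maintained whitelist of permitted applications with regular scanning of user computers for unauthorised software. The following added example shows one way to connect the two: the allowlist is keyed on SHA-256 hashes of approved executables rather than on file names, so a renamed copy of an approved program still passes and a modified copy no longer does. This is not CertiKit's code; the approved binaries, the inventory paths and their contents are constructed for the illustration, and a real deployment would build the allowlist from the organisation's approved installers.

```python
"""Detection of unauthorised software against a hash-based allowlist.

Added example for the policy requirements that a whitelist of permitted
applications is maintained and that user computers are scanned regularly
for unauthorised software. Not CertiKit's code; every binary and path in
this file is a constructed stand-in.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; the allowlist is keyed on this."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 without loading it all into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed stand-ins for the organisation's approved executables.
APPROVED_BINARIES = {
    "approved-editor": b"MZ\x90\x00 constructed approved editor build 1.0",
    "approved-browser": b"MZ\x90\x00 constructed approved browser build 2.3",
}

# Hashes, not names: renaming cannot hide a file and tampering breaks the match.
ALLOWLIST = frozenset(sha256_hex(b) for b in APPROVED_BINARIES.values())

# Constructed set of suffixes the scan treats as executable content.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".scr", ".com")


def audit_hashes(hashes: dict[str, str], allowlist: frozenset) -> list[tuple[str, str]]:
    """Return (path, sha256) for every hashed executable not on the allowlist."""
    return [(path, digest) for path, digest in sorted(hashes.items()) if digest not in allowlist]


def audit_directory(root: Path, allowlist: frozenset,
                    suffixes=EXECUTABLE_SUFFIXES) -> list[tuple[str, str]]:
    """Hash every executable under root and report those not on the allowlist."""
    hashes = {
        str(file): hash_file(file)
        for file in root.rglob("*")
        if file.is_file() and file.suffix.lower() in suffixes
    }
    return audit_hashes(hashes, allowlist)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: the approved binary, a renamed copy of it,
    # a tampered copy, and an unknown installer in a download folder.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Editor").mkdir(parents=True)
        (root / "Downloads").mkdir()
        editor = APPROVED_BINARIES["approved-editor"]
        (root / "Program Files" / "Editor" / "editor.exe").write_bytes(editor)
        (root / "Downloads" / "renamed.exe").write_bytes(editor)
        (root / "Downloads" / "patched.exe").write_bytes(editor + b"\x00patch")
        (root / "Downloads" / "setup.exe").write_bytes(b"MZ\x90\x00 constructed unknown installer")
        for path, digest in audit_directory(root, ALLOWLIST):
            print(f"UNAUTHORISED {path} sha256={digest[:16]}...")
```

Run as a script it builds the sample tree in a temporary directory and reports the patched copy and the unknown installer, while the renamed copy of the approved editor passes because its hash is unchanged. In practice the report would feed the review process the policy calls for rather than remove anything itself.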
