Post Wed Jul 02, 2008 4:21 pm

Malware Resistance Assessment

We all have heard of a "Vulnerability Assessment" or a "Network Security Assessment", but what's about a "Malwares Resistance Assessment”?

Well, it came to my mind this morning while talking to one of my customers about hardening their machines to be more "resistant" to malware infections.

It’s not clear if there is any kind of a standard to follow when we need to measure the “resistance level” of our network against malwares, but based on my knowledge and experience, I’d like to craft an essential checklist of questions to answer them by yourself:

1) Do you have the latest version of the current antivirus which is running on your system?

2) Is the antivirus capable to detect known malwares, rootkits, zer0-day exploits using a proactive technique?

3) Is the antivirus capable to detect unknown malwares, rootkits, zer0-day exploits using a proactive technique?

4) Do you have a patch-management strategy to fix operating systems and third-party applications vulnerabilities?

5) Do you have an Internet content filtering solution to block access to websites that host malicious codes?

6) Do you have an antispam solution to filter spams and scan for malicious attachments and embedded links?

7) Do you have the latest versions of the running softwares/applications that require installing an Activex component?

8 ) Do you have the latest version of the running Internet browser? “The latest browser have been engineered to add phishing/malware filtering”

9) Do you have a policy that forbid and block the usage of removable drives in your network?

10) Do you have a policy that forbid and block to install unapproved softwares?

11) Do you have a bandwidth monitoring solution to track network and Internet protocols usage in real-time?

12) Do you have a firewall/UTM solution that supports Internet traffic virus scanning?

13) Do you have an IDS/IPS solution that can observe malwares activities in your network?

14) Do you run a honeypot that monitors the dark-space in your network/DMZ for malware propagations?

15) Do you have the proper FW ACL’s that prevent inbound/outbound traffic related to malware communications?

16) Do you have a “malware outbreak incident response” plan?

17) Do you follow the concept of “Least Privilege” whenever you install/configure a software/service?

18) Do you have a training program that gives you or your team the needed malware-related skills?

19) Do you have a “malware containment strategy” in case of any large-scale propagation?

20) Do you have a solid backup & recovery of data and system in case of data loss due to a malware infection?

21) Do you have security awareness training for users to reduce the number of infections or to improve the user’s actions in reporting incidents?

22) Do you have a secure deployment of new machines in your network? (Up-to-date OS, up-to-date AV, hardened OS, approved applications are installed, limited user permissions).

23) Do you follow a password security policy in your network? (network shares passwords, administrator account password, complex passwords, password expiration, changing default passwords)

If you have anything not mentioned in this list, you’re welcome.
Do it securely, or not at all

Symantec STS