What requirements domestic regulators impose on anti-malware protection systems can be seen
here. Even a superficial analysis shows that a protection system implemented in accordance with these requirements, and products with the functionality the regulators demand, will protect only against remarks during those regulators' inspections. I think this result is predictable for anyone who has ever encountered the quality of our laws and orders.
And what about foreign standards?
Probably the best-known source of security standards is NIST (the National Institute of Standards and Technology); those on good terms with English can appreciate the scope of NIST's activities
here. And so we open
NIST SP 800-83, on anti-virus protection of employees' desktop and mobile workplaces.
The document is large (about 100 pages) and cannot be covered in one post, so we limit ourselves to its recommendations (not requirements!) on protective measures.
The first section in the Malware Incident Prevention chapter, a series of sections on protective measures, is, and this is already unusual, the section Policy.
If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively throughout the organization. Malware prevention-related policy should be as general as possible to provide flexibility in implementation and to reduce the need for frequent policy updates, but should also be specific enough to make the intent and scope of the policy clear. Such policy should include provisions related to remote workers and to hosts outside the organization's control (e.g., contractor computers, employees' home computers, business partners' computers, mobile devices).
Or, freely retold:
Unless an organization creates a virus incident prevention policy, it is unlikely to be able to prevent the effects of malware consistently and effectively throughout the organization. This policy should be as general as possible, to give flexibility in strategic implementation and reduce the need for frequent strategic updates, but also specific enough to set an explicit policy objective. The policy should include provisions for remote workplaces, as well as for systems outside the company's security perimeter (for example, contractor computers, employees' home computers, business partners' computers, mobile devices).
Holy words. I will not even comment.
What actions are recommended for inclusion in the policy? (As before, each quote from the document is followed by a brief summary; in the original post the summaries are in Russian.)
- Scanning removable media on individual computers before using them.
This item can be considered obsolete: Trojans and viruses still unknown to the anti-virus software naturally pass such a check.
- Requiring that e-mail file attachments, including compressed files (e.g., .zip files), be saved to local drives or media and scanned before they are opened
Do not open attachments straight from the message; save them to disk, scan them there, and only then open them. It is not entirely clear why this is necessary, not to mention that unknown malware will pass this check. Perhaps the measure is aimed at exploitation of e-mail client vulnerabilities.
- Prohibiting the sending or receipt of certain types of files as e-mail attachments, and possibly blocking further types temporarily during a malware threat
Limiting the types of files that can be sent as attachments, temporarily or permanently. A fairly common requirement; most gateway solutions and traffic filtering systems support it.
- Restricting or prohibiting the use of unnecessary software, such as applications that are often used to transfer malware, and services that are not needed or duplicate the organization-provided equivalents and might contain additional vulnerabilities that could be exploited by malware
A ban on the use of other software, as well as of software that duplicates the functions of services the company provides. An extremely important thing. The second part is also very important: we all remember, for example, how often employees use personal rather than corporate mail.
- Restricting the use of administrator-level privileges by users, which limits the privileges available to malware introduced to systems by users
Restriction of user rights to the minimum necessary. An extremely important thing in the fight against viruses (and mischievous hands).
- Require that systems be kept up-to-date with OS and application upgrades
Install updates for all software in use, not just for the Windows operating system. How many compromises happen through software that was never updated?
- Restricting the use of removable media (e.g., floppy disks, CD-ROMs), particularly on hosts at high risk of infection, such as publicly accessible kiosks
Restriction on the use of removable media of all types. They needn't even have added that this is especially important in places with a high risk of infection.
- Permitting access to other networks (including the Internet) only through organization-approved and secured mechanisms
Restricting access to the resources of other networks, with such access provided only through company-approved means. How many employees use public networks while working?
- Specifying the types of mobile code that may be used from various sources (e.g., internal Web servers, other organizations' Web servers)
This item refers rather to the use of software from various sources.
Restriction on the use of mobile code and devices.
Next comes the Awareness section, which stresses the importance of raising employee awareness. All users should know (be "made knowing", as the autotranslator put it) how viruses get into a system and how malware spreads. They should also be aware that technical means cannot prevent every incident. In general, the document constantly asserts the very important role of users in preventing incidents. Users need to know how to behave not only at work, but also in hotels, cafes...
We note especially that users should know what to do if an incident is detected: say, an infection, a ransom demand for their data, and so on.
Next, SP 800-83 lists rules for handling mail messages, or rather actions in response to phishing e-mails. These rules are standard, so we omit them. (Those who are sure they can easily recognize phishing can take a test of their knowledge of phishing techniques; unfortunately, it is in English.)
This section also emphasizes the importance of continuously updating knowledge about current threats and of constant work on raising awareness.
The third section we look at is Vulnerability Mitigation, which describes measures against vulnerabilities. Interestingly, at the beginning of the section the role of anti-virus software is emphasized: it can detect and stop malware before it begins to perform its malicious tasks. The chapter is divided into three parts: Patch Management, Least Privilege (minimizing user rights), and Other Host Hardening Measures. The last part deals with measures additional to those considered in the first two. The following are listed as such measures:
- Disabling or removing unneeded services (including network services), which could contain vulnerabilities
- Eliminating unsecured file shares, which are a common infection mechanism for worms
- Removing or changing default usernames and passwords, which could be used to gain unauthorized access to systems
Removal of everything unnecessary, including services, unused user accounts and so on.
- Requiring authentication before allowing access to a network service
Use authentication before accessing services.
- Disabling automatic execution of binaries and scripts.
Ban automatic execution.
It is also recommended to use checklists and configuration guides, and to conduct system vulnerability checks periodically, in particular because installing a single patch can lead to other vulnerabilities, including in places the patch does not touch: a patch can reset a setting to an insecure default.
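The host hardening items above (unneeded services, unsecured shares, default credentials, automatic execution) and the advice to re-check a system after patching can be turned into a small checklist audit. The following is an added example written for this post, not code from NIST SP 800-83 or from any real tool: the snapshot text format, the approved-service list and the default-credential table are all constructed for illustration.

```python
"""Host hardening checklist audit (added example, not from SP 800-83 or the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    measure: str  # the SP 800-83 hardening measure the finding maps to
    detail: str


# Constructed host snapshot in a simple "kind: name attribute" text format
# (an assumed format for this example, not the output of any real tool).
SAMPLE_SNAPSHOT = """\
service: sshd enabled
service: telnet enabled
service: cups disabled
share: public anon=yes
share: finance anon=no
account: admin password=admin
account: alice password=S3cret!
autorun: removable enabled
"""

# Constructed policy data: approved network services and a few vendor defaults.
APPROVED_SERVICES = {"sshd"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "toor"), ("guest", "")}


def parse_snapshot(text):
    """Return {(kind, name): attribute} for every well-formed line."""
    items = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # ignore blank or malformed lines
        kind, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 2:
            continue
        items[(kind.strip(), fields[0])] = fields[1]
    return items


def audit(text):
    """Evaluate a snapshot against the hardening checklist and return the findings."""
    findings = []
    for (kind, name), attr in parse_snapshot(text).items():
        if kind == "service" and attr == "enabled" and name not in APPROVED_SERVICES:
            findings.append(Finding("unneeded services",
                                    f"service {name} is enabled but not approved"))
        elif kind == "share" and attr == "anon=yes":
            findings.append(Finding("unsecured file shares",
                                    f"share {name} allows anonymous access"))
        elif kind == "account" and attr.startswith("password="):
            if (name, attr.removeprefix("password=")) in DEFAULT_CREDENTIALS:
                findings.append(Finding("default credentials",
                                        f"account {name} still uses a vendor default password"))
        elif kind == "autorun" and attr == "enabled":
            findings.append(Finding("automatic execution",
                                    f"autorun is enabled for {name} media"))
    return findings


def config_drift(before, after):
    """List settings whose value changed between two snapshots, e.g. after a patch.

    This is the re-check the text recommends: a patch may silently reset a
    hardened setting to its insecure default, which shows up here as drift.
    """
    b, a = parse_snapshot(before), parse_snapshot(after)
    return sorted((kind, name, b[(kind, name)], a[(kind, name)])
                  for (kind, name) in b.keys() & a.keys()
                  if b[(kind, name)] != a[(kind, name)])


if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.measure}] {f.detail}")
```

Running the audit before and after patching, and feeding both snapshots to config_drift, catches the case the text warns about: everything was hardened, a patch went in, and one setting quietly came back enabled.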
Requirements for the anti-virus subsystem are found in the Threat Mitigation section. Unexpected, isn't it.
It is recommended that the anti-virus software used has the following capabilities:
- Scanning critical system components such as startup files and boot records.
The ability to check critical areas of the system. Apparently, periodic anti-virus scans are meant here.
- Watching for suspicious activity; a common example is scanning all e-mail attachments for viruses as e-mails are sent and received. Antivirus software should be configured to perform real-time scans of each file as it is downloaded, opened or executed (on-access scanning).
Anti-virus scanning of incoming and outgoing mail traffic, as well as of all downloaded files; monitoring the system for suspicious activity with the file monitor. The latter most likely implies a behavioral analyzer.
- Monitoring the behavior of common applications, such as e-mail clients, Web browsers, file transfer programs, and instant messaging software. Antivirus software should monitor activity involving the applications most likely to be used to infect systems or spread malware.
Using a behavioral analyzer.
- Scanning files for known viruses. Antivirus software should regularly scan all hard drives to identify file system infections, and users should be able to launch a scan manually when needed (on-demand scanning).
Scanning to find known types of malicious files.
- Identifying common types of malware (viruses, worms, Trojan horses and blended threats) as well as attacker tools such as keystroke loggers and backdoors. Most antivirus products also detect spyware. As described in Section 3.4.2, spyware detection and removal utilities can be used if the antivirus software does not have sufficient spyware handling capabilities.
Antiviruses should detect any type of malicious file. The use of additional utilities is permissible if the antivirus does not detect certain types of malicious files.
- Disinfecting files, which means removing malware from within a file, and quarantining files, which means storing files containing malware in isolation for future disinfection or examination. Disinfecting a file is generally preferable to quarantining it, because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Files that cannot be disinfected should be quarantined or deleted.
This item is outdated. Given the widespread use of file-encrypting ransomware, quarantine is recommended as the default action.
NIST strongly recommends that organizations deploy antivirus software on all hosts for which satisfactory antivirus software is available. Antivirus software should be installed as soon as possible after the OS is installed and then updated with the latest signatures and antivirus software patches. It should then perform a complete scan of the host to identify any potential infections, and be configured and maintained properly so that it continues to detect and stop malware.
Antivirus should be installed wherever possible, and on all systems for which there are anti-virus solutions. Antivirus should be installed immediately after OS deployment. Antivirus must be able to scan the entire system. Antivirus must be kept up to date.
Antivirus software should be centrally managed, controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving and delivering antivirus signature and software updates. In general, users should not be able to disable or delete antivirus software from their hosts, nor alter its critical settings.
A centralized management system should be used. System users should not be able to remove or disable the antivirus.
In non-managed environments, where users are responsible for their own systems, organizations should keep users informed about their level of awareness, distribute step-by-step instructions for updating systems, and make clear that as new threats emerge, antivirus signatures must be updated; antivirus software should check for updates at least daily.
Where a centralized management system is not used, it is recommended to organize a system for notifying users of necessary actions, as well as a program for raising the level of security knowledge. True, the recommendation to update once a day is also already outdated.
Organizations could have multiple antivirus servers, possibly running different operating systems, to provide redundancy for update distribution. Organizations should also consider using multiple antivirus products.
It is recommended to use a fault-tolerant system for managing and distributing updates, and to run different operating systems at the same time to reduce risks.
It is possible to use multiple antivirus products for key systems, such as e-mail servers.
The recommendation to use several anti-virus solutions in parallel can be considered obsolete, given how malware development has changed.
Additional utilities, such as spyware detection and spam filtering, can be used on workstations or mobile computing devices on the network...
This recommendation should be recognized as partially relevant. While using a spam filtering system as a measure against malware (especially unknown malware) is fully justified, using some additional utilities alongside antivirus software is not.
The description of the recommendations for antivirus ends there. Next come the chapters on IPS and firewalls; for the most part, their content describes the purpose of these protective tools.
The last section is Application Settings.
At the beginning of the section it is once again recommended to disable unnecessary services and functionality, and to configure the tools attackers use to deliver malware so that the delivered content is filtered automatically:
- Blocking Suspicious E-Mail Attachments. Many organizations prevent users from receiving e-mail attachments that are considered suspicious. For example, many organizations block attachments with file extensions that are often associated with malware (e.g., .pif, .vbs) and suspicious file extension combinations (e.g., .txt.vbs, .htm.exe). Although this may also block some legitimate activity, it stops known and unknown threats alike. Some organizations alter suspicious e-mail attachments rather than blocking them outright.
Filter the file types most frequently used for malware delivery.
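The attachment rules (blocking extensions associated with malware, catching double extensions such as .txt.vbs and .htm.exe, and temporarily blocking further types during an outbreak, as in the policy item earlier in the post) are easy to get subtly wrong at the gateway: case, padding spaces before the real extension and trailing dots all change what the recipient's OS will actually execute. The following filename policy check is an added example written for this post, not code from NIST or from any mail gateway; the blocked-extension and decoy-extension lists and the sample attachment names are constructed for illustration (the post itself names only .pif, .vbs, .txt.vbs and .htm.exe).

```python
"""E-mail attachment filename policy check (added example, not from SP 800-83 or the post)."""
import re
from dataclasses import dataclass, field

# Constructed policy lists. The extensions the post cites (.pif, .vbs, .txt.vbs, .htm.exe)
# are covered; the rest are common executable/script types chosen for this example.
BLOCKED_EXTENSIONS = {"pif", "vbs", "vbe", "js", "jse", "exe", "scr",
                      "bat", "cmd", "com", "hta", "ps1"}
# "Document-looking" extensions that make a double extension such as .txt.vbs suspicious.
DECOY_EXTENSIONS = {"txt", "htm", "html", "pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}


@dataclass
class AttachmentPolicy:
    blocked: set = field(default_factory=lambda: set(BLOCKED_EXTENSIONS))
    # Types blocked only for a while, e.g. {"zip"} during an outbreak (the temporary
    # restriction the policy section describes).
    temporarily_blocked: set = field(default_factory=set)

    def evaluate(self, filename):
        """Return (allowed, reason) for one attachment filename."""
        name = filename.lower().strip()
        # Windows drops trailing dots and spaces on save, so "setup.exe ." lands as setup.exe.
        name = name.rstrip(" .")
        # Collapse padding so "invoice.pdf        .exe" is judged by its real extension.
        name = re.sub(r"\s+", " ", name)
        parts = [p.strip() for p in name.split(".")]
        if len(parts) < 2 or not parts[-1]:
            return True, "no extension"
        exts = parts[1:]
        last = exts[-1]
        if last in self.temporarily_blocked:
            return False, f"extension .{last} is temporarily blocked"
        if last in self.blocked:
            if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
                return False, f"suspicious double extension .{exts[-2]}.{last}"
            return False, f"blocked extension .{last}"
        return True, "allowed"

    def filter(self, filenames):
        """Split a message's attachment names into (delivered, rejected_with_reason)."""
        delivered, rejected = [], []
        for fn in filenames:
            ok, reason = self.evaluate(fn)
            if ok:
                delivered.append(fn)
            else:
                rejected.append((fn, reason))
        return delivered, rejected


# Constructed sample attachment names for a test run.
SAMPLE_ATTACHMENTS = ["report.docx", "photo.jpg", "Readme.TXT.VBS",
                      "invoice.pdf      .exe", "setup.exe .", "notes", "archive.zip"]

if __name__ == "__main__":
    # .zip is blocked only for the duration of an assumed outbreak.
    policy = AttachmentPolicy(temporarily_blocked={"zip"})
    for fn in SAMPLE_ATTACHMENTS:
        print(f"{fn!r}: {policy.evaluate(fn)}")
```

The normalization steps matter more than the lists: a filter that compares raw extensions lets "Readme.TXT.VBS" or "invoice.pdf      .exe" through while blocking the lower-case, unpadded form.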
- Filtering Spam ... Spam filtering can significantly reduce the amount of malware that reaches users through spam.
Use antispam.
- Filtering Web Site Content. Although typically used to block sites deemed inappropriate for the workplace, Web content filtering can also block sites known to be hostile (i.e., attempting to distribute malware to visitors). Web content filtering software can also block undesired file types, such as by file extension.
Restrict access to suspicious sites and filter Internet traffic.
- Limiting Mobile Code Execution. Web browsers and e-mail clients can be configured to restrict or prevent the execution of mobile code (e.g., JavaScript, ActiveX, Java). Web content filtering software can also be deployed to block mobile code from untrusted locations.
Restrict or prohibit the use of mobile code, including JavaScript.
- Restricting Web Browser Cookies. Browsers can be configured to permit first-party cookies and block third-party cookies, which limits the cookies placed on a system.
Limit the ability to save cookies.
- Blocking Web Browser Popup Windows.
Prevent pop-ups.
- Preventing Software Installation Within Web Browsers. Web browsers can be configured to prevent the installation of plug-ins and other software; some browsers can even prevent the user from installing any software on the client. These settings are particularly helpful for web browsers.
Limit the ability to install new software through a web browser.
- Preventing Automatic Loading of E-Mail Images. Most e-mail clients can be configured not to load images automatically.
Restriction on downloading images in e-mail messages.
- Altering File Associations. Operating systems associate various file types with particular applications, such as opening .txt files with a text editor. This is an operating system configuration feature. Although it is convenient for users, it is also helpful to malware; for example, a user could be tricked into trying to open an e-mail file attachment, and the operating system would run it. Organizations may want to alter the file associations for the file types most frequently used by malware (e.g., .pif, .vbs).
Cancel the automatic launching of applications for a number of extensions.
- Restricting Macro Use. Applications can be configured to allow macros only from trusted sources, or to prompt the user before running a macro.
Permit the use of macros only from trusted sources.
- Preventing Open Relaying of E-Mail.
Prevent mail relaying without authorization.
Organizations should also be mindful of the security implications of having many different client applications. For example, client systems may have several e-mail clients installed, each with its own configuration options. The organization might also offer a Web-based e-mail client option.
Replacing the zoo of software in use with a single solution, possibly cloud-based.
We have reviewed the current version of the standard. A new
version is currently in development. The draft is much shorter than the current standard.
What is interesting about the American approach? The main striking difference from our standards is that it relies not on a description of certain functionality but on a description of processes; not on requirements, but on recommendations. One, but very important, quote:
It should be noted.
Holy words. There should always be a balance in everything, which domestic regulators do not understand.
Reading this standard, you understand that protection neither begins nor ends with installing and configuring software. Naturally, the document has flaws (who doesn't?): not entirely clear descriptions of the requirements for specific protective tools, missing functionality needed to ensure security, and so on. But the fact is that where the documents of our information security regulators (with the exception of the STO BR RF) are lists of protective tool functions, often artificially distributed across some levels, here the main thing is, almost unnoticeably, ensuring the correct procedure for handling situations and readiness for them.
Unlike in domestic documents, any security software is only one measure for reducing the threat level, alongside maintaining security policies, user training, configuration management and keeping software current. Forgive the long
quote.
But what to do if an infection has happened anyway? You should not despair, because you can be ready for it. NIST identifies four main phases: preparation; detection and analysis; containment, eradication and recovery; post-incident activity.
The virus infection prevention procedures discussed earlier are performed during the preparation phase. In addition, an incident response plan is developed here, a response team and all staff involved in the intrusion response process are trained, and roles and responsibilities are distributed. Regular exercises and training in combating viruses are recommended, and response teams should include, among others, programmers and computer crime specialists...
If, despite all the measures taken, a virus infection did occur, then timely detection of the fact and its localization are important. It is necessary to find out the type of infection, its severity and its extent as soon as possible. Note that in this phase NIST considers not only the detection of an actual infection, but also the identification of its precursors.
Containment of viruses covers two things: preventing the further spread of the infection and preventing further damage to the information system. One must clearly understand the difference between these concepts, and that stopping a virus outbreak does not at all mean saving the infected computer. Containing a local infection is not difficult: the machine can simply be turned off. But if this computer plays an important role and cannot be turned off without loss, the relevant risks must be assessed in advance. It is precisely when creating a response policy that decisions are made on the lesser evil: it may be better to let other computers get infected than to turn off an important server. If the infection becomes global, then in order to fight it successfully it is all the more necessary to think out in advance (and state in the relevant policy) the procedure for localizing the problem.
Containment of a virus infection is achieved through the mandatory participation of all users in the process, as well as the use of anti-virus tools, the prohibition of certain services and the severing of network connections.
Eradication should not be limited to removing the infection with the appropriate tools. Do not forget to close the vulnerability the virus used and to install the necessary patches. A common picture: the virus has barely been removed when it appears again, and all patches seem to be installed. This is a signal that a rootkit may be running on the system with administrator rights. In this case NIST recommends reinstalling the system.
Finally, recovery after the incident includes two components: the actual restoration of programs and data, and the removal of the measures taken temporarily.
The incident gives food for thought, the results of which are embodied in revised instructions and policies. Thus the circle is closed, and we are back in the preparation phase for the next incident.
In general, I highly recommend that you familiarize yourself with this document, not so much for the parts on the functionality of protective tools as for the parts on developing policies and on actions during security incidents.