(Malware) Prevention is better than cure


The National Institute of Standards and Technology (NIST) has just released a draft of its Guide to Malware Incident Prevention and Handling for Desktops and Laptops (SP 800-83 Rev. 1). It's a supplement to an earlier guide, so we can't shake our heads (much) at the speediness. Most of the information is old hat for folks in the field, but I'd like to walk through what NIST recommends for reducing your network's exposure to malware.


The NIST recommends five broad areas of prevention:

  • Policy
  • Awareness
  • Vulnerability Mitigation
  • Threat Mitigation
  • Defensive Architecture


While having good policies and procedures in place to prevent malware infections is wonderful, as is teaching your fellow employees not to click on that executable Kodak Moment(tm) from someone they don't know, let's skip ahead to vulnerability mitigation.


Vulnerability Mitigation

Basically, NIST recommends a combination of patch management, configuration management, and host hardening. Technically, the draft calls for "security automation technologies with OS and application configuration checklists" and "sound host hardening principles".


For host hardening, they recommend following the principle of least privilege: grant users, processes, and hosts only the privileges they actually need. You should also harden the applications most frequently targeted by malware, such as email clients and browsers, and disable or restrict macros and browser plug-ins.
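To make "configuration checklists" concrete, here is an added example (my own code, not from the NIST guide or any vendor tool): a small Python auditor that parses an exported Windows registry fragment and checks the Office macro settings against a few of the hardening points above. The registry export is constructed for illustration. The value names VBAWarnings and blockcontentexecutionfrominternet under Software\Policies\Microsoft\Office\16.0 are the Office 2016 policy settings as I know them, but treat the exact paths for your Office version and GPO layout as an assumption to verify against your own policy templates.

```python
"""Audit an exported registry fragment against a macro-hardening checklist.

Added example: parses a constructed .reg-style export and reports, per
checklist item, whether the setting passes, fails, or is missing.
Registry paths and value names are assumptions to verify locally.
"""
import re

# Constructed .reg-style export of the relevant keys on one host.
REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
"""

WORD_SEC = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security"
EXCEL_SEC = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security"


def parse_reg(text):
    """Parse [key] headers and "name"=dword:hex lines into {key: {name: int}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


# Checklist items: (key, value name, predicate on the value, description).
# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
CHECKLIST = [
    (WORD_SEC, "VBAWarnings", lambda v: v >= 3,
     "Word: unsigned macros must not run"),
    (WORD_SEC, "blockcontentexecutionfrominternet", lambda v: v == 1,
     "Word: block macros in files from the internet"),
    (EXCEL_SEC, "VBAWarnings", lambda v: v >= 3,
     "Excel: unsigned macros must not run"),
    (EXCEL_SEC, "blockcontentexecutionfrominternet", lambda v: v == 1,
     "Excel: block macros in files from the internet"),
]


def audit(reg_text, checklist=CHECKLIST):
    """Return {description: 'pass' | 'fail' | 'missing'}.

    A missing value is reported separately from a failing one: an absent
    policy means the user's own (usually weaker) default applies, so it
    must not be counted as compliant.
    """
    reg = parse_reg(reg_text)
    out = {}
    for key, name, ok, desc in checklist:
        value = reg.get(key, {}).get(name)
        if value is None:
            out[desc] = "missing"
        else:
            out[desc] = "pass" if ok(value) else "fail"
    return out


if __name__ == "__main__":
    for desc, status in audit(REG_EXPORT).items():
        print(f"{status:7} {desc}")
```

In practice the export comes from your configuration-management or inventory agent rather than a string literal; the part worth keeping is the three-way result, because "we never collected that setting" is a finding in its own right, not a pass.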


For most places these recommendations are either standard operating procedure or still on the wish list. If they're on the wish list, pointing to the NIST recommendations may help get them some traction.


Threat Mitigation

NIST's threat mitigation recommendations are fairly standard and not particularly exciting. Highlights include:

  • Deploy antivirus software with all the bells and whistles, like boot-disk scanning and browser, email, and chat monitoring
  • Deploy host- and network-based antivirus scanners
  • Use multiple products on key hosts
  • Deploy network- and host-based firewalls
  • Filter delivered content for suspicious file extensions
  • Whitelist applications
  • Deploy network-based intrusion prevention systems (IPS)


NIST actually has a fairly long, in-depth section on IPS products (pages 11-12 in the guide). It's worth reading if you have the time or the inclination.
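The "filter delivered content for suspicious file extensions" item looks trivial until you list the ways an extension can be hidden. The following is an added example (my own code, not from the NIST guide or any product): a Python classifier for inbound attachment names that handles double extensions, trailing dots and spaces, full-width lookalike characters, and bidi override characters. The blocklist and the sample names are constructed; tune the list to your environment. Extension filtering is a cheap first layer only: it cannot see inside archives or recognise a renamed executable, so it belongs in front of content inspection, not instead of it.

```python
"""Classify inbound attachment filenames against an extension blocklist.

Added example. The blocklist and sample names are constructed; the
normalisation steps cover the common tricks used to disguise an
executable extension in a mail client's display name.
"""
import unicodedata

# Constructed blocklist: direct executables, scripts, and containers that
# commonly carry macro or script payloads.
BLOCKED_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "hta", "msi", "jar", "lnk", "iso", "img",
    "docm", "xlsm", "pptm",
}

# Unicode bidi controls; a right-to-left override makes 'photo\u202Egpj.exe'
# display as 'photoexe.jpg'. There is no legitimate use in a filename.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def normalize(name):
    """Strip bidi controls, fold lookalikes with NFKC, drop trailing dots/spaces.

    Windows ignores trailing dots and spaces when opening a file, so
    'report.exe.' and 'report.exe ' are still executables. NFKC maps a
    full-width '．' (U+FF0E) back to an ordinary '.'.
    """
    name = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    name = unicodedata.normalize("NFKC", name)
    return name.rstrip(". ").lower()


def extensions(name):
    """All extensions in order, so 'invoice.pdf.exe' yields ['pdf', 'exe']."""
    parts = normalize(name).split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(name):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    if any(ch in BIDI_CONTROLS for ch in name):
        return "block", "bidi control character in filename"
    exts = extensions(name)
    if not exts:
        return "allow", "no extension"
    # The final extension decides what the OS will do with the file.
    if exts[-1] in BLOCKED_EXT:
        return "block", f"executable extension .{exts[-1]}"
    # A blocked extension buried earlier (e.g. 'setup.exe.txt') is not
    # executable as-is but is odd enough to hold for a human look.
    hidden = [e for e in exts[:-1] if e in BLOCKED_EXT]
    if hidden:
        return "review", f"disguised extension .{hidden[0]}"
    return "allow", f".{exts[-1]}"


if __name__ == "__main__":
    # Constructed sample of inbound attachment names.
    for n in ["invoice.pdf.exe", "report.exe.", "photo\u202Egpj.exe",
              "backup\uff0eexe", "setup.exe.txt", "quarterly.xlsx"]:
        verdict, reason = classify(n)
        print(f"{verdict:6} {n!r}  ({reason})")
```

Note that the bidi check runs on the raw name before normalisation: once the override character is stripped the real extension is visible anyway, but reporting the trick itself gives the analyst a better reason than "executable extension".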


Defensive Architecture

Their recommendations for defensive architecture do not strike me as easy to deploy for most organizations. NIST recommends sandboxing, browser separation, and segregation through virtualization.


Sandboxing - running applications in a restricted environment (think emaciated guest accounts) - can be useful in a large organization, but it usually breaks down quickly in IT or developer environments. In several companies I've worked for, we only end up sandboxed if we've downloaded a couple of viruses for our IT department's enjoyment.


The browser separation recommendation is to use one browser for corporate sites and a different browser for the wilds of the web. It seems excessive for most small to medium organizations.


Segregation through virtualization sounds interesting but impractical. From the examples NIST cites, it looks as if they're recommending different virtualized OS instances for different activities. I'm not entirely sure how practical that currently is - it might be more practical in the future.


With the exception of some parts of defensive architecture, these recommendations are already industry best practices. Keep in mind that this is a draft, so some of the recommendations may change before the final version. I think that they should have included mobile platforms in the recommendations, but they might have a separate set of recommendations elsewhere on their site. Just so you know, SolarWinds has a couple of products that are useful for vulnerability and threat mitigation: Patch Manager, to take care of your patch management worries, and Log and Event Manager.