Critical control 5
CPNI Centre for the Protection of National Infrastructure
Critical control 5: Malware defences
Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated antivirus and antispyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such antimalware tools on all machines on a daily basis. Prevent systems from using autorun programs to access removable media.
How do attackers exploit the absence of this control?
How to implement, automate and measure the effectiveness of this control using the subcontrols below
5.1 Quick wins: Organisations should employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date antimalware protection with antivirus, antispyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise antimalware administration tools and event log servers.
5.2 Quick wins: Organisations should employ antimalware software and signature auto-update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.
5.3 Quick wins: Organisations should configure laptops, workstations, and servers so that they will not autorun content from USB tokens (i.e., thumb drives), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media.
5.4 Quick wins: Organisations should configure systems so that they conduct an automated antimalware scan of removable media when it is inserted.
5.5 Quick wins: All attachments entering the organisation's email gateway should be scanned and blocked if they contain malicious code or file types unneeded for the organisation's business. This scanning should be done before the email is placed in the user's inbox. This includes email content filtering and web content filtering.
5.6 Visibility/Attribution: Automated monitoring tools should use behaviour-based anomaly detection to complement and enhance traditional signature-based detection.
5.7 Configuration/Hygiene: Organisations should deploy network access control tools to verify security configuration and patch level compliance before granting access to a network.
5.8 Advanced: Continuous monitoring should be performed on outbound traffic. Any large transfers of data or unauthorized encrypted traffic should be flagged and, if validated as malicious, the computer should be moved to an isolated VLAN.
5.9 Advanced: Organisations should implement an incident response process that allows their IT support team to supply their security team with samples of malware running undetected on corporate systems. Samples should be provided to the antivirus vendor for out-of-band signature creation and deployed to the enterprise by system administrators.
View CPNI advice and guidance on how to implement, automate and measure the effectiveness of this control.
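As an added illustration of subcontrol 5.8 (not CPNI's own code), the script below runs the two checks it names, large outbound transfers and encrypted traffic to unsanctioned destinations, over constructed flow records; the corporate address range, the approved TLS destination list and the byte threshold are assumed policy values.

```python
"""Outbound-traffic check in the spirit of subcontrol 5.8 (added example).

Flow records, address ranges, allow list and threshold are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed corporate range
SANCTIONED_TLS = {ip_address("203.0.113.10")}  # assumed approved TLS egress
ENCRYPTED_PORTS = {443, 8443, 993, 995}        # ports treated as encrypted
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024       # assumed per-host threshold

# Constructed flow records, one per line: src dst dst_port bytes_out
SAMPLE_FLOWS = """\
10.0.1.20 203.0.113.10 443 48000
10.0.1.20 203.0.113.10 443 52000
10.0.1.31 198.51.100.7 443 900000000
10.0.1.44 203.0.113.99 8443 120000
10.0.1.44 10.0.2.5 445 3000000
"""


def parse_flows(text):
    """Yield (src, dst, port, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, size = parts
        yield ip_address(src), ip_address(dst), int(port), int(size)


def analyse(text):
    """Return {src_host: sorted findings}; only outbound flows are considered."""
    out_bytes = defaultdict(int)
    findings = defaultdict(set)
    for src, dst, port, size in parse_flows(text):
        if dst in INTERNAL:
            continue  # internal-to-internal traffic is not outbound
        out_bytes[src] += size
        if port in ENCRYPTED_PORTS and dst not in SANCTIONED_TLS:
            findings[src].add(f"unauthorised encrypted traffic to {dst}:{port}")
    for src, total in out_bytes.items():
        if total > LARGE_TRANSFER_BYTES:
            findings[src].add(f"large outbound transfer: {total} bytes")
    # Flagged hosts are candidates for validation and, if malicious, VLAN isolation.
    return {str(host): sorted(issues) for host, issues in findings.items()}


if __name__ == "__main__":
    for host, issues in analyse(SAMPLE_FLOWS).items():
        print(host, issues)
```

The internal SMB flow from 10.0.1.44 is ignored as not outbound, so only its TLS session to an unsanctioned host is reported.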
www.cpni.gov.uk/advice/cyber/Critical-controls/in-depth/critical-control5/
12/15/12