Malicious Code Prevention

From HORSE - Holistic Operational Readiness Security Evaluation.


Malicious code is any program that acts in unexpected and potentially damaging ways. Common types of malicious code are viruses, worms, Trojan horses, monitoring programs such as spyware, and cross-site scripts. The functions of each were once mutually exclusive; however, developers have since combined them to create more powerful malicious code.

Malicious code can:

  • Replicate itself within a computer and transmit itself between computers.
  • Change, delete, or insert data, transmit data outside the institution, and insert back doors into institution systems.
  • Attack institutions at either the server or the client level.
  • Attack routers, switches, and other parts of the institution infrastructure.
  • Monitor users in many ways, such as logging keystrokes and transmitting screen-shots to the attacker.

Typically malicious code is mobile, using e-mail, Instant Messenger, and other peer-to-peer (P2P) applications, or active content attached to Web pages as transmission mechanisms. The code also can be hidden in programs that are downloaded from the Internet or brought into the institution on diskette. At times, the malicious code can be created on the institution’s systems either by intruders or by authorized users. The code can also be introduced to a Web server in numerous ways, such as entering the code in a response form on a Web page.

Malicious code does not have to be targeted at the institution to damage the institution’s systems or steal the institution’s data. Most malicious code is general in application, potentially affecting all Internet users with whatever operating system or application the code needs to function.

Controls to Protect Against Malicious Code

Typical controls to protect against malicious code use technology, policies and procedures, and training, all applied in a layered manner from the perimeter inward to hosts and data. The controls are of the preventive, detective, and/or corrective variety.

HORSE FACTS: Financial institutions should protect against the risk of malicious code by implementing appropriate controls at the host and network level to prevent and detect malicious code, and by engaging in appropriate user education.

Controls are applied at the host, network, and user levels:

Host Level

  • Host hardening, including patch application and security-minded configurations of the operating system (OS), browsers, and other network-aware software.
  • Host IPS, including anti-virus, anti-spyware, and anti-rootkit software. An additional technology is software that limits an application's calls to the OS to the minimum necessary for the application to function.
  • Integrity checking software, combined with strict change controls and configuration management.
  • Application of known-good configurations at boot-up.
  • Periodic auditing of host configurations, both manual and automated.

Network Level

  • Limiting the transfer of executable files through the perimeter.
  • IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-spyware, and signature- and anomaly-based traffic monitors.
  • Routing ACLs that limit incoming and outgoing connections as well as internal connections to those necessary for business purposes.
  • Proxy servers that inspect incoming and outgoing packets for indicators of malicious code and block access to known or suspected malware distribution servers.
  • Filtering to protect against attacks such as cross-site scripting and SQL injection.

User Level

  • User education in awareness, safe computing practices, indicators of malicious code, and response actions.

HORSE FACTS: Rootkits can enable the hiding and surreptitious execution of malicious code.