ISO 27001 Protection of Malware can often be interpreted as just anti-virus or anti-malware controls, where organisations think that purchasing an enterprise AV solution will render them compliant with this control. In reality, this control goes beyond the technical controls used to protect organisations from malicious code/software and recommends a defense in depth approach.
An effective implementation of this control consists of the following elements:
- Formal policies prohibiting the use of unauthorized software, and establishing rules regarding acceptable use of systems.
- Technical controls to identify malicious code at the boundary and on the end user device for both email and web traffic.
- Awareness training to reduce the risk of accidental compromise through, for example, phishing attacks.
- Incident response procedures to respond effectively in the event of a malware incident.
AV alone is no longer sufficient to manage the risk from malware, so under ISO 27001 Protection from Malware seeks to implement defense in depth controls to manage the risk from a policy, personnel, procedural and technical perspective. So, where should implementation of protection from malware controls start? As always, we recommend a top down approach beginning with setting policy in the organisation.
ISO 27001 Protection from Malware: Policy
Policy should be established that seeks to prohibit the use of unauthorized software and downloads. The organisation should seek to establish a culture where only approved applications are to be used by employees, and ensure that all web traffic is logged and monitored. This should be made clear in policy, ensuring employees are aware they are accountable for any unauthorized downloads.
This acts as both a preventative measure and a detective measure in that malware can quickly be identified and contained.
Policies can take the form of information security policies, acceptable use policies or topic specific policies regarding malware. Whichever form policy takes, it should be clearly communicated to all employees with access to systems on the network and regularly reminded. Employees that are aware of their responsibilities and possible consequences are much more likely to be diligent when using email and web.
ISO 27001 Protection from Malware: Technical Controls
Technical controls may include anti-virus on both the boundary and on the end user device. This can take the form of basic AV signature based controls through to anti-malware, real-time services. As with all technical controls, configuration and management are key.
Signature based detection is reliant on up to date signatures so these should be pushed out to all client/servers on a regular basis. Signatures should also be updated following any new strains of malware being identified, and the organisation should utilize threat feeds from vendors to ensure controls are up to date.
Additionally, the organisation should investigate email scanning and web filtering services. Email scanning should inspect SMTP traffic at the gateway for malicious links or attached files, and prevent any suspect email to go through. Furthermore, web traffic should be scanned at the gateway, and URL filtering services should be in place to prevent users browsing to potentially harmful sites.
Finally, removable media controls should be in place to reduce the risk of malware introduced through USB sticks, for example. AV scans should be undertaken on all media connected to devices on the network, and controls should be in place to prevent auto-run. This will ensure that any malware present on devices cannot auto-execute and spread through the network without user intervention.
ISO 27001 Protection from Malware: Training and Procedures
Security awareness training is another key control that organisations must consider to protect their network from malicious code. As ever, users are the weakest link when it comes to security and all the technical controls in the world cannot prevent a user clicking a malicious link in a phishing email. Providing users with regular training on malware, and how to report suspicious emails, files etc. is imperative. This should be tracked, monitored and delivered periodically.
In addition to training, procedures should be established to manage malware incidents when they occur. These should include reporting procedures for users and handling procedures for technical staff.
Malware incidents shall be escalated through appropriate channels efficiently, and malware contained, investigated and removed as securely as possible. This may consist of an incident response framework, with individual playbook’s for malware based scenarios e.g. ransom ware, virus, Trojans etc. The organisation should invest in red team exercises to test the effectiveness of these responses, and ensure that any incidents can be managed effectively.
Conclusion
In ISO 27001 Protection from Malware, technical controls are no longer sufficient to manage risk effectively. An effective framework, consisting of technical, procedural, policy and personnel based controls should be in place and continuously matured. Users must be aware of the risks of malware, and technical controls must be in place to identify any breaches and respond effectively.
Policy should state the organisations stance on malware, and procedures should support the principles defined in policy. Under ISO 27001 Protection from Malware, the organisation must be able to recover from malware incidents effectively and return to operations as quickly as possible.
As this such a critical control, many organisations can spend a long time implementing this control effectively, and this is often recommended as malware can cripple organisations and compromise the confidentiality, integrity and availability of data.
