- The National Institute of Standards and Technology (NIST) has updated its cross-industry “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” (Special Publication 800-83, Revision 1) to highlight changes and current areas of focus in the malware threat landscape.
In contrast to the malware of years past, which, according to NIST, infiltrated systems quickly and noticeably, today's malware is built to stay in the background of an organization's infrastructure: it collects data over a long period and slowly exfiltrates personally identifiable information (PII). While the guide is not specific to healthcare, NIST's revisions apply directly to the threats a healthcare CISO or privacy officer may have to defend against now and in the future.
NIST recommends that federal departments and agencies take the following into consideration in their malware incident prevention and handling activities:
Organizations should develop and implement an approach to malware incident prevention
Organizations should plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used currently and in the near future. Because the effectiveness of prevention techniques may vary depending on the environment (i.e., a technique that works well in a managed environment might be ineffective in a non-managed environment), organizations should choose preventive methods that are well-suited to their environment and hosts. An organization’s approach to malware incident prevention should incorporate policy considerations, awareness programs for users and information technology (IT) staff, vulnerability and threat mitigation efforts, and defensive architecture considerations.
Organizations should ensure that their policies address prevention of malware incidents
An organization’s policy statements should be used as the basis for additional malware prevention efforts, such as user and IT staff awareness, vulnerability mitigation, threat mitigation, and defensive architecture. If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively throughout the organization. Malware prevention–related policy should be as general as possible to provide flexibility in policy implementation and to reduce the need for frequent policy updates, but should also be specific enough to make the intent and scope of the policy clear. Malware prevention–related policy should include provisions related to remote workers—both those using hosts controlled by the organization and those using hosts outside of the organization’s control (e.g., contractor computers, employees’ home computers, business partners’ computers, mobile devices).
Organizations should incorporate malware incident prevention and handling into their awareness programs
Organizations should implement awareness programs that include guidance to users on malware incident prevention. All users should be made aware of the ways that malware enters and infects hosts, the risks that malware poses, the inability of technical controls to prevent all incidents, and the importance of users in preventing incidents, with an emphasis on avoiding social engineering attacks. Awareness programs should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users might need to do to assist with incident handling. In addition, the organization should conduct awareness activities for IT staff involved in malware incident prevention and provide training on specific tasks.
Organizations should have vulnerability mitigation capabilities to help prevent malware incidents
Organizations should have documented policy, processes, and procedures to mitigate known vulnerabilities that malware might exploit. Because a vulnerability usually can be mitigated through one or more methods, organizations should use an appropriate combination of techniques, including security automation technologies with security configuration checklists and patch management, and additional host hardening measures so that effective techniques are readily available for various types of vulnerabilities.
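The "security automation with configuration checklists and patch management" that NIST describes above comes down to two repeatable checks a host-assessment tool runs: does each hardening setting hold the required value, and is each installed package at or above the version that fixes a known vulnerability? The following is an added example, not code from the page or from NIST; the sshd_config-style sample, the checklist values, the package inventory and the minimum versions are all constructed for illustration and are not real advisory data.

```python
"""Hypothetical host-hardening checks against a small checklist (added example).

Two checks a security automation tool would run on a host:
  1. a configuration checklist: key/value settings must match expected values
  2. a minimum-patch-level check: installed package versions must be >= the fixed version
All sample data below is constructed for this example.
"""
import re

# Constructed sample: an sshd_config-style file as it might be read from a host.
SAMPLE_CONFIG = """\
# OpenSSH daemon configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# Constructed checklist: required values for the settings we care about.
CHECKLIST = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",      # absent from the sample -> reported as missing
}


def parse_config(text):
    """Parse 'Key value' lines, ignoring blanks and comments; the last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_config(text, checklist):
    """Return (key, expected, actual) for every non-compliant or missing item."""
    settings = parse_config(text)
    findings = []
    for key, expected in checklist.items():
        actual = settings.get(key)  # None when the directive is missing entirely
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


def version_tuple(version):
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical ('1.2.9' < '1.2.10').

    Simplification: non-numeric suffixes such as the 'k' in '1.1.1k' are ignored.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_patch_level(installed, minimums):
    """Return (package, installed, required) for packages below their minimum patched version."""
    return [(pkg, installed[pkg], minimums[pkg]) for pkg in minimums
            if pkg in installed and version_tuple(installed[pkg]) < version_tuple(minimums[pkg])]


# Constructed inventory and minimum versions (hypothetical, not real advisory data).
INSTALLED = {"openssl": "1.1.1k", "bash": "5.1.8", "zlib": "1.2.9"}
MINIMUMS = {"openssl": "1.1.1k", "bash": "5.1.16", "zlib": "1.2.13"}

if __name__ == "__main__":
    for key, expected, actual in check_config(SAMPLE_CONFIG, CHECKLIST):
        print(f"config: {key} expected {expected!r}, found {actual!r}")
    for pkg, have, need in check_patch_level(INSTALLED, MINIMUMS):
        print(f"patch: {pkg} {have} is below required {need}")
```

Two points worth carrying into a real tool: a missing directive is reported as a finding rather than silently treated as compliant, because the daemon's default may be the insecure value; and versions are compared field by field as integers, since a string comparison would rank 1.2.9 above 1.2.13. Distribution package versions carry epochs and release suffixes that this simplified comparator does not model.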
Organizations should have threat mitigation capabilities to assist in containing malware incidents
Organizations should perform threat mitigation to detect and stop malware before it can affect its targets. The most commonly used malware threat mitigation technical control is antivirus software; organizations should deploy antivirus software on all hosts for which satisfactory antivirus software is available. Additional technical controls that are helpful for malware threat mitigation include intrusion prevention systems, firewalls, content filtering and inspection, and application whitelisting. The System and Information Integrity family of security controls in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, recommends having malware protection mechanisms on various types of hosts, including workstations, servers, mobile computing devices, firewalls, email servers, web servers, and remote access servers.
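Application whitelisting, listed above among the threat mitigation controls, is only as strong as the identity it uses for "approved": a rule keyed on path alone is defeated by overwriting the approved file. The following added example, written for this page and not taken from NIST or any product, keys the allowlist on the canonical path and the SHA-256 digest of the approved contents, so a trojaned copy of an approved program is refused. The policy format, function names and the stand-in "executables" are hypothetical and constructed for the demonstration.

```python
"""Hash-based application allowlisting check (added example; hypothetical policy format).

The allowlist maps the canonical path of each approved executable to the SHA-256 digest
of its approved contents. Execution is permitted only if the path is listed AND the file
on disk still hashes to the recorded digest.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Record the current digest of each approved executable (done at baseline time)."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def is_execution_allowed(path, allowlist):
    """Return (allowed, reason). The path is canonicalised so a symlink to an approved
    path cannot smuggle in different contents, and the digest is recomputed at check time."""
    real = os.path.realpath(path)
    expected = allowlist.get(real)
    if expected is None:
        return False, "not on allowlist"
    try:
        actual = sha256_file(real)
    except OSError as exc:
        return False, f"unreadable: {exc}"
    if actual != expected:
        return False, "digest mismatch (file modified since baseline)"
    return True, "ok"


def demo():
    """Constructed scenario: an approved tool, an unknown program, then a tampered copy
    of the approved tool. Returns the decision for each case."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "backup-tool")
        unknown = os.path.join(tmp, "dropper")
        with open(approved, "wb") as fh:
            fh.write(b"#!/bin/sh\necho backing up\n")   # constructed stand-in for a binary
        with open(unknown, "wb") as fh:
            fh.write(b"#!/bin/sh\necho not approved\n")  # constructed stand-in for malware
        allowlist = build_allowlist([approved])
        results = {
            "approved": is_execution_allowed(approved, allowlist),
            "unknown": is_execution_allowed(unknown, allowlist),
        }
        # Simulate malware appending itself to the approved program in place.
        with open(approved, "ab") as fh:
            fh.write(b"echo exfiltrating\n")
        results["tampered"] = is_execution_allowed(approved, allowlist)
        return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

In a deployed control the digest check is done by the OS or an agent at execution time rather than by a user-mode script, and the allowlist itself must be stored and distributed in a way the malware cannot rewrite; the logic of "canonical path plus content digest, recomputed at decision time" is the part this example shows.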
Organizations should consider using defensive architecture methods to reduce the impact of malware incidents
No matter how rigorous vulnerability and threat mitigation efforts are, malware incidents will still occur. Organizations should consider altering the defensive architecture of their hosts’ software to help mitigate those incidents that still occur. One technique is sandboxing, a security model in which applications run within a controlled environment that restricts what operations they can perform and isolates them from other applications. Another technique is browser separation, which involves using different web browsers for different types of website access (corporate applications, general access, etc.). Finally, segregation through virtualization separates applications or operating systems from each other by means of virtualization, such as running one OS instance for corporate applications and another OS instance for all other activity.