How to Limit the Impact of Malware
...
- Where practicable, do not grant administrative or root/superuser privileges to end users.
- Commonly called LUA (least-privileged user account): day-to-day work runs under a standard account, so malware launched by the user cannot install drivers, services, or system-wide persistence without a separate elevation.
- Know where your data are.
- The tools listed below can help you locate sensitive data on your systems:
- Securely erase data if it is no longer needed.
- Concentrate security resources on systems containing sensitive data.
- Microsoft Windows continues to be a major target, so focus your efforts there first. That said, ensure the rest of your technology environment is also well managed.
- Install important security updates on all affected systems (Microsoft Windows, Apple Mac OS, Linux, Unix, etc.) as soon as practicable.
- Harden passwords to prevent password-guessing worms from infecting your systems via file sharing, RDP, etc.
- Watch systems for new, unexplained listening network ports.
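One way to do the listening-port check above on a Linux host, as an added example (not code from the original page): record the listening sockets on a known-good day as a baseline, then compare the current `ss -Hlntup` output against it and report both ports that are entirely new and baseline ports now owned by an unexpected process (a classic sign of a port being hijacked). The `ss` output and the baseline below are constructed for the example; a real deployment would run `ss` and keep a baseline per host.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hlntup` output; no real host was queried.
# The nc listener on 4444 and python3 on 445 are the planted anomalies.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0  128  0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0  511  127.0.0.1:631     0.0.0.0:*  users:(("cupsd",pid=701,fd=7))
udp   UNCONN 0  0    127.0.0.53%lo:53  0.0.0.0:*  users:(("systemd-resolve",pid=600,fd=12))
tcp   LISTEN 0  128  0.0.0.0:4444      0.0.0.0:*  users:(("nc",pid=31337,fd=3))
tcp   LISTEN 0  128  0.0.0.0:445       0.0.0.0:*  users:(("python3",pid=4242,fd=5))
"""

# Baseline captured on a known-good day: (proto, port) -> expected process.
# Constructed for the example; in practice store one per host (e.g. as JSON)
# and refresh it only after approved changes.
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 631): "cupsd",
    ("udp", 53): "systemd-resolve",
    ("tcp", 445): "smbd",
}

PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int


def parse_ss(output):
    """Parse `ss -Hlntup` lines (Netid State Recv-Q Send-Q Local Peer Process)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # rsplit also handles "[::]:22"
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners.append(Listener(proto, addr, int(port), name, pid))
    return listeners


def find_anomalies(listeners, baseline):
    """Return (new, changed).

    new:     listeners on (proto, port) pairs absent from the baseline
    changed: baseline ports now owned by a different process name
    """
    new, changed = [], []
    for lst in listeners:
        expected = baseline.get((lst.proto, lst.port))
        if expected is None:
            new.append(lst)
        elif expected != lst.process:
            changed.append((lst, expected))
    return new, changed


if __name__ == "__main__":
    new, changed = find_anomalies(parse_ss(SAMPLE_SS_OUTPUT), BASELINE)
    for lst in new:
        print(f"NEW     {lst.proto}/{lst.port} on {lst.addr} by {lst.process}[{lst.pid}]")
    for lst, expected in changed:
        print(f"CHANGED {lst.proto}/{lst.port} expected {expected}, found {lst.process}[{lst.pid}]")
```

Run it on a schedule from central management and ship the output to your log collector; a port that was never in the baseline (4444 here) and a known port bound by the wrong binary (445 served by python3 instead of smbd) are both worth a ticket.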
- Follow established best-practices for securing mission-critical systems or systems that store, process or transmit sensitive information.
- Regularly participate in security training and awareness events.
- For IT staff:
- SANS Institute
- SANS Partnership Series (discounts for higher-ed)
- EDUCAUSE/Internet2 Security Professionals Conference
- For everyone else:
- For IT staff:
- Install and appropriately maintain end-point defenses.
- Use centrally managed anti-virus and anti-spyware software where appropriate.
- Enable and appropriately configure host-based firewalls where practicable. This is particularly important for out-bound traffic.
- Enable the Windows Advanced Firewall and push inbound/outbound rules via Group Policy (if possible) for consistent application.
- Install host-based intrusion prevention software where practicable.
- Where feasible, make available protection software licensed for home use.
- Use an intrusion detection/prevention system where practicable.
- Snort, Bro (now Zeek), FireEye, eEye, TippingPoint
- Use DNS based protection where practicable.
- Sinkholes, OpenDNS, guidance from the MAAWG, the hosts file
- Use web filtering software, services or appliances where practicable.
- Implement application white-listing where practicable.
- Know where you are vulnerable.
- Gather vulnerability and threat information from online sources.
- For vulnerabilities in software
- For current threats
- Monitor available logs and network activity for indicators of malicious software.
- Regularly check anti-virus logs.
- Regularly check DNS traffic for queries to known malware-hosting domains.
- Subscribe to Shadowserver notifications for networks you manage.
- Centralize event log management and apply appropriate logic to identify out-of-spec results.
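Applying detection logic to centralized DNS query logs, as an added example that is not code from the original page: it scans BIND-style query-log lines for names on a blocklist of known malware-hosting domains and tallies hits per client. The log lines, the blocklist, and the exact log format are constructed for the example; a real deployment would feed in the resolver's actual query log and a current sinkhole or threat feed. Matching is done on label boundaries so that a blocklist entry for `badhost.example` catches `update.badhost.example` but does not falsely flag `badhost.example.edu`.

```python
import re
from collections import Counter

# Constructed BIND-style query-log lines; addresses and names are made up.
SAMPLE_QUERY_LOG = """\
17-Mar-2024 10:01:02.123 client @0x7f3c 10.1.2.3#51234 (www.example.edu): query: www.example.edu IN A + (10.0.0.1)
17-Mar-2024 10:01:05.456 client @0x7f3c 10.1.2.3#51240 (update.badhost.example): query: update.badhost.example IN A + (10.0.0.1)
17-Mar-2024 10:01:07.789 client @0x7f3c 10.1.2.9#41002 (badhost.example.edu): query: badhost.example.edu IN A + (10.0.0.1)
17-Mar-2024 10:01:09.001 client @0x7f3c 10.1.2.9#41003 (c2.dropper.example.): query: c2.dropper.example. IN TXT + (10.0.0.1)
17-Mar-2024 10:01:11.222 client @0x7f3c 10.1.2.3#51250 (BADHOST.EXAMPLE): query: BADHOST.EXAMPLE IN AAAA + (10.0.0.1)
"""

# Constructed blocklist; in practice load this from your sinkhole/threat feed.
BLOCKLIST = {"badhost.example", "dropper.example"}

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#\d+ .*?query: (\S+) IN (\S+)"
)


def normalize(name):
    """Lower-case and drop the trailing dot so 'C2.Dropper.Example.' == 'c2.dropper.example'."""
    return name.rstrip(".").lower()


def blocklisted_parent(qname, blocklist):
    """Return the blocklist entry equal to qname or one of its parent domains, else None.

    Walking label by label keeps matches on domain boundaries, so
    'badhost.example.edu' does not match the entry 'badhost.example'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_query_log(log_text, blocklist):
    """Return one hit record per query whose name falls under a blocklisted domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # unparseable line: count these separately in production
        client, qname, qtype = m.groups()
        entry = blocklisted_parent(qname, blocklist)
        if entry:
            hits.append({"client": client, "qname": normalize(qname),
                         "qtype": qtype, "matched": entry})
    return hits


def clients_by_hits(hits):
    """Clients ranked by number of blocklisted queries; top entries get looked at first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    hits = scan_query_log(SAMPLE_QUERY_LOG, BLOCKLIST)
    for h in hits:
        print(f"{h['client']} asked for {h['qname']} ({h['qtype']}) -> matches {h['matched']}")
    for client, n in clients_by_hits(hits).most_common():
        print(f"{client}: {n} blocklisted queries")
```

A machine that resolves a blocklisted name has at least run something that wanted to talk to it; the per-client count turns a stream of log lines into a short list of hosts to pull for examination, which is the kind of "out-of-spec" logic the item above asks for.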
- Have a back-up strategy for your endpoints.
- Ensure the backup stream is encrypted over the wire.
- Make sure people can report problems to you.
- Are all your points of contact in whois current (e.g., for your domain, and for your IP blocks, and for your ASN)?
- Do you have the RFC 2142 standard abuse-reporting addresses (e.g., abuse@ and security@)?
- If someone checks for your domain at www.abuse.net, will they find reasonable abuse reporting contacts listed?
- Know where to get help.
- Share your knowledge.
- Submit new malware samples to your anti-virus vendor. Doing so may result in early/beta signature files to help with current problems.
- Learn what the submission process is for your vendor as soon as possible so you don't waste precious time during a crisis figuring out who to talk to and how to submit your sample.
- Submit new malware samples to VirusTotal.
- Participate in the REN-ISAC.
- Participate in EDUCAUSE.
- Participate in DShield.
- Ensure your incident management/response process is current.
- The following guidance is available from the Internet2 Computer Security Incidents working group: Security Incident Management Essentials
...