OPS.1.1.4 Protection Against Malware
Malware consists of programs that typically execute harmful functions on an IT system without the knowledge and consent of the users. These harmful functions can cover a broad range, from espionage to extortion (so-called ransomware) to sabotage and destruction of information or even devices.
Description
Introduction
Malware can in principle run on all operating systems and IT systems. These include not only classic IT systems such as clients and servers but also mobile devices such as smartphones. Network components such as routers, industrial control systems, and even IoT devices such as networked cameras are nowadays also frequently at risk from malware.
Malware spreads on classic IT systems mainly via email attachments, manipulated websites (drive-by downloads), or data carriers. Smartphones are typically infected via the installation of malicious apps; drive-by downloads are also possible. In addition, open network interfaces, faulty configurations, and software vulnerabilities are common entry points on all IT systems.
In this building block, the term “antivirus software” is used. “Viruses” is used here as a synonym for all types of malware. “Antivirus software” therefore means a program that protects against any type of malware.
Objective
This building block describes requirements that must be met and implemented to protect an institution effectively against malware.
Scope and Modeling
The building block OPS.1.1.4 Protection Against Malware is to be applied once to the information domain.
This building block describes the general requirements for protection against malware. Specific requirements to protect certain IT systems of the institution from malware can be found if needed in the respective building blocks of the SYS IT Systems layer. If an identified piece of malware leads to a security incident, the requirements of building block DER.2.1 Security Incident Response SHOULD be taken into account. The requirements of building block DER.2.3 Remediation of Extensive Security Incidents help to remove identified malware and restore a cleaned state.
The antivirus software deployed within the scope of this building block should generally also be taken into account in patch and change management (OPS.1.1.3 Patch and Change Management). Furthermore, the topic of protection against malware should be addressed in the context of building block ORP.3 Information Security Awareness and Training and CON.3 Data Backup Concept.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block OPS.1.1.4 Protection Against Malware.
Software Vulnerabilities and Drive-by Downloads
If IT systems are not adequately protected against malware, software vulnerabilities can be exploited in attacks to execute malicious code. This can happen, among other things, when patches are not applied promptly and protective mechanisms of application programs such as browsers are not configured correctly. With so-called drive-by downloads, for example, it is sufficient to visit a website infected with malicious code. A vulnerability in the browser or in an installed plug-in such as Java or Adobe Flash can then be exploited to infect the IT system and give attackers extensive control as well as access to an institution’s network. IT systems that are not regularly updated are particularly at risk here, e.g. many smartphones.
Extortion by Ransomware
A widespread type of malware is so-called ransomware. This encrypts the data of the infected IT system as well as frequently additional data that is accessible via network shares. Attackers typically use encryption methods that cannot be reversed without knowledge of the key, and use this to extort their victims for large sums of money. If there is no effective protection against malware and no supplementary precautions such as data backups are taken, the availability of information can be significantly impaired, data can be lost, and massive financial and reputational damage can result.
Targeted Attacks and Social Engineering
Institutions are frequently attacked with tailored malware. For example, executives are led via social engineering methods to open malicious email attachments. Tailored malware also often cannot be detected immediately by antivirus software. The HR department of an institution can also be a target, for example when malware-infected job applications are sent electronically. If attackers have managed to infect an IT system in this way, they can spread throughout the institution and, for example, view, manipulate, or destroy information.
Botnets
Malware can cause IT systems of an institution to become part of so-called botnets. Attackers who control thousands of systems in such a botnet can use them, for example, to send spam or launch distributed denial-of-service (DDoS) attacks against third parties. Even if the institution itself is not directly damaged, this can nonetheless negatively affect the availability and integrity of its own services and IT systems and even lead to legal problems. For example, if the institution’s email server ends up on a blocklist, it may no longer be possible to send and receive emails.
Infection of Production Systems and IoT Devices
In addition to classic IT systems, devices that do not appear to be obvious targets at first glance are increasingly being attacked by malware. In an attack, for example, a surveillance camera accessible via the internet could be infected to spy within the institution. But a networked light bulb or a coffee machine with app control can also serve as an entry point into the institution’s network or as part of a botnet if these devices are not adequately protected against malware. Networked production systems or industrial controls can also be manipulated or even destroyed by malware, which can lead to outages and many further threats to the institution and its employees, e.g. through fires.
Requirements
The following are the specific requirements of building block OPS.1.1.4 Protection Against Malware. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
The IT-Grundschutz Compendium additionally defines further roles. They should be staffed insofar as this is reasonable and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, this role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
OPS.1.1.4.A1 Creation of a Concept for Protection Against Malware (B)
A concept MUST be created that describes which IT systems must be protected against malware. IoT devices and production systems MUST also be taken into account here. Furthermore, it MUST be documented how the protection is to be implemented. If reliable protection is not possible, the identified IT systems SHOULD NOT be operated. The concept SHOULD be traceably documented and kept up to date.
OPS.1.1.4.A2 Use of System-Specific Protection Mechanisms (B)
It MUST be checked what protection mechanisms the IT systems used, as well as the operating systems and applications used on them, offer. These mechanisms MUST be used, unless there is at least an equivalent substitute or good reasons speak against it. If they are not used, this MUST be justified and documented.
OPS.1.1.4.A3 Selection of an Antivirus Program (B)
Depending on the operating system used, other existing protection mechanisms, and the availability of suitable antivirus software, an appropriate protection program MUST be selected and installed for the specific use case. An appropriate antivirus program MUST be selected and installed for gateways and IT systems used for data exchange.
ONLY products for the enterprise sector with service and support tailored to the institution MAY be used. Products for purely home use or products without support MUST NOT be used in professional operational environments.
Cloud services to improve the detection performance of antivirus software SHOULD be used. If cloud features of such products are used, it MUST be ensured that this does not conflict with data protection or classified information protection requirements. In addition to real-time and on-demand scans, a deployed solution MUST offer the ability to also scan compressed data for malware.
OPS.1.1.4.A4 DISCONTINUED (B)
This requirement has been discontinued.
OPS.1.1.4.A5 Operation and Configuration of Antivirus Programs (B)
The antivirus program MUST be configured appropriately for its deployment environment. Detection performance SHOULD be the primary focus, unless data protection or performance reasons in a specific case speak against it. If security-relevant functions of the antivirus program are not used, this SHOULD be justified and documented. For protection programs specifically optimized for desktop virtualization, it SHOULD be traceably documented whether certain detection methods are being dispensed with in favor of performance. It MUST be ensured that users cannot make security-relevant changes to the settings of the antivirus programs.
OPS.1.1.4.A6 Regular Updating of Deployed Antivirus Programs (B)
On the IT systems equipped with them, the antivirus programs MUST be updated regularly and promptly in accordance with the manufacturer’s recommendations.
OPS.1.1.4.A7 Awareness and Commitment of Users (B) [Users]
Users MUST be regularly informed about the threat from malware. They MUST follow the basic rules of conduct to reduce the risk of malware infection. Files, emails, websites, etc. from untrustworthy sources SHOULD NOT be opened. They MUST be aware of the contact persons to consult in the event of a suspected malware infection. They MUST contact the contact persons named to them if a malware infection is suspected.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
OPS.1.1.4.A8 DISCONTINUED (S)
This requirement has been discontinued.
OPS.1.1.4.A9 Reporting of Malware Infections (S) [Users]
The deployed antivirus program SHOULD automatically block and report a malware infection. The automatic notification SHOULD be received at a central location. The responsible employees SHOULD decide on further action depending on the situation. The procedure for notifications and alarms from antivirus programs SHOULD be planned, documented, and tested. In particular, it SHOULD be regulated what must happen in the event of a confirmed infection.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.
OPS.1.1.4.A10 Use of Special Analysis Environments (H)
Automated analyses in a special test environment (based on sandboxes or separate virtual or physical systems) SHOULD be used additionally for evaluating suspicious files.
OPS.1.1.4.A11 Use of Multiple Scan Engines (H)
To improve detection performance, antivirus programs with multiple alternative scan engines SHOULD be used for IT systems with particularly high protection needs, such as gateways and IT systems used for data exchange.
OPS.1.1.4.A12 Use of Data Carrier Locks (H)
Before data carriers, in particular those from third parties, are connected to the institution’s IT systems, they SHOULD be checked through a data carrier lock (a dedicated, isolated checking station).
OPS.1.1.4.A13 Handling Untrusted Files (H)
If it is necessary to open untrusted files, this SHOULD only be done on an isolated IT system. There, the affected files SHOULD be converted to a safe format or printed, for example, if this reduces the risk of malware infection.
OPS.1.1.4.A14 Selection and Use of Cybersecurity Products Against Targeted Attacks (H)
The use and added value of products and services that offer a broader scope of protection than conventional antivirus programs SHOULD be examined. Such security products against targeted attacks SHOULD be used, for example, to execute files in special analysis environments, to harden clients, or to encapsulate processes. Before a purchasing decision is made for a security product, its protective effectiveness and its compatibility with the institution’s own IT environment SHOULD be tested.
OPS.1.1.4.A15 DISCONTINUED (H)
This requirement has been discontinued.
Additional Information
Good to Know
The International Organization for Standardization (ISO) provides requirements for protection against malware in ISO/IEC 27001:2013, particularly in Annex A, A.12.2 “Protection from Malware.”
The Information Security Forum (ISF) provides requirements for protection against malware in its standard “The Standard of Good Practice for Information Security,” particularly in Area TS1 Security Solutions.