How can you be sure your organisation doesn't have insidious viruses or other malware lurking within systems and applications, waiting to inflict damage? You can't.
Malware has grown sophisticated to the point where there's no guarantee that it's actually gone, even when you've applied the latest antivirus software. Making matters worse, IT infrastructures are becoming much more complex, with an ever-growing population of devices that give malware even more possible entry points.
These days, you have to assume there are some infected PCs or other devices on the corporate network.
Get used to it
Malware is everywhere you go
The malware problem is getting worse. According to the Ponemon Institute's 2011 State of Endpoint Risk study, 43 percent of the 782 IT security professionals surveyed reported a "dramatic uptick" in malware in 2010. Fully 98 percent of the organisations surveyed by Ponemon experienced a virus or malware-based network intrusion, and 35 percent said they had experienced 50 malware attempts within a span of just one month, or more than one intrusion per day.
"The current batch of malware we're seeing is very sophisticated and well written, and it hides itself well and avoids detection well," says Fred Rica, principal in the information security advisory practice at the PricewaterhouseCoopers consulting firm.
The good news is that this "living with malware" scenario doesn't have to lead to lost data, unavailable systems or other problems. Companies can and do function despite these intrusions.
Here are some approaches that can help minimise the effect of malware on your network and in your systems so that your company can carry on with business despite the nagging presence of these troublesome programs.
Malware survival tip 1
Practice good data governance
You can help minimise the damage caused by malware by more effectively protecting the specific types of data that many of the malware programs are going after in the first place. In a lot of cases, they're looking to exploit sensitive data such as personal information, trade secrets, research and development findings and other intellectual property, Rica says.
PricewaterhouseCoopers is working with many of its clients to create a strong data governance model that helps the organisations better understand what their most critical data is, where it's stored, how it moves on the corporate networks, and how they can put the right controls in place to maximise the security of that information.
An audit of the information assets at many companies will show that sensitive data such as customer credit card numbers is initially well guarded, Rica says. But eventually it ends up in less protected applications such as spreadsheets or emails, where it is more susceptible to malware.
"We've seen clients lose tens of millions of credit card or Social Security numbers because they're in spreadsheets somewhere outside the HR system," Rica says. "Our approach is to use better data governance models so that this data has the same [security] controls around it regardless of where it resides. Make sure the data is protected through all stages of its lifecycle."
Because all data is not equal, a key part of data governance involves categorising information so that you can identify which data is most critical to the company and its customers. From there, you can apply more stringent access controls.
"Start to separate the infrastructure based on what are your crown jewels versus what's costume jewelry," says Patricia Titus, chief information security officer at technology services provider Unisys. Titus says Unisys uses guidelines created by the National Institute of Standards and Technology (NIST) designed to help organisations characterise the importance of their data and select the right security controls.
Malware survival tip 2
Deploy technologies and tactics that can help keep malware from spreading
Even when some of your systems are infected with a virus to the point where nothing seems to remove it completely, that doesn't mean the virus has to spread to other systems in your organisation.
When you discover or suspect such a virus, take the infected systems offline as soon as possible to reduce the chance of spreading the malware or compromising other systems. Next, reapply a known clean image, says Andy Hayter, the antimalcode programme manager at ICSA Labs, a testing and certification firm.
Putting in a layered defence that includes technologies such as firewalls, antispam, intrusion prevention systems, intrusion detection systems and antivirus software, plus keeping systems up to date with the latest patches, should help prevent the malware from infecting an entire organisation, Hayter says.
"Control gateways between network segments and apply greater monitoring and control over internal networks," adds Richard Zuleg, a consultant at security consulting firm SystemExperts.
Encrypt traffic and data whenever possible, Zuleg advises, and use technology such as server and desktop virtualisation both to quickly redeploy systems or even reset them to clean images and to separate data from the system.
"Companies need to be controlling who has advanced privileges on systems and strictly control access to data," Zuleg says. "If infected PCs are to become an accepted part of a network segment, then you will have no trust in that segment and must consider it to be like the public Internet."
New network analysis tools will soon emerge that let you better identify where malware exists on the network and how to best contain viruses, says Marc Seybold, CIO at the State University of New York. When such technology becomes available, "if devices that Jane Smith uses to access the network are persistently trying to transmit data to outside domains that are in some way anomalous compared to other traffic on the network or her long term patterns, then additional attention would be focused on such a user's devices and remedial action taken," he says. Among the companies working on such technology are Alcatel-Lucent, Riverbed and SonicWall.
At the same time, Seybold says, network traffic flows will start to be more compartmentalised and insulated from each other as network access control and policy-based management are combined with application flow monitoring.
"As these are linked up, full behavioural analysis based on end-to-end application flows bound to specific users will become possible," he says. Eventually there might be predictive analytics that could preemptively intercept malware transmissions based on past user behavior, "but that is still science fiction," he says.