Malware is any piece of software that is put onto your network without your consent and whose purpose is to harm your organization in some manner. The most well-known forms of malware include viruses, spyware and Trojans. Others include keystroke recorders ("keyloggers") and even custom software that an employee may have intentionally installed to mail sensitive data to his personal email address.
So what can you do to protect your financial organization from the threat of malware? The answers fall into two distinct categories: technical tools and policies.
The technical tools are often the easiest to implement, since it's typically a matter of purchasing the right ones and deploying them. Examples include corporate-class antivirus and antispyware software that is installed not just on workstations, but also on file and mail servers. Most modern firewalls have built-in antispyware and antivirus capabilities; they just need to be activated in order to do their job. Whichever you choose, it should be current, from a reputable vendor and installed by an individual or organization that truly knows the intricacies of the product. Never accept just the default settings, as they are usually inadequate for any business that values its data.
Email and Web browsing are two of the most common mechanisms by which malware is introduced into your network. For example, many email messages claim to come from a trusted source, such as Microsoft or your own financial institution, and contain either hyperlinks to sites that try to collect your personal information, or attachments that the sender claims are needed to patch your computer. Similarly, websites will often try to deceive you into thinking that you have spyware and offer a link to scan and clean your system, when in fact your system was already clean and the software you would be downloading is the actual malware! This is where training is very important.
Along with the tools such as firewalls, antispyware and antivirus, it is critical to educate users about the threats and what they can do to mitigate them. To continue with the previous example regarding fake patches from Microsoft, users should be reminded over and over again that Microsoft and most other major vendors would never send these updates by email. Rather, they will provide a hyperlink for the user, or preferably the network administrator, to go to the vendor site to manually download the patches.
Procedural solutions to the malware threat are more difficult to manage and enforce. The weakest point in any organization is often the end-user, and as we all know, placing restrictions that inconvenience the end-user can result in an unpleasant workplace. Nonetheless, it is imperative to have such policies in place to protect your organization.
Two examples of policies include:
Having policies alone will not protect a financial institution's network against malware. Rather, they will help to minimize the likelihood that malware will ever become a problem by educating end-users and placing potential consequences on their actions.
About the author:
Brad is a Microsoft MVP in Enterprise Security, one of fewer than forty worldwide to possess the award in this category. He is also a Microsoft Certified Systems Engineer (MCSE), a Certified SonicWall Security Administrator and a Certified 3Com IP Telephony Expert. He is the founder and president of the National Information Security Group, an active member of the FBI's InfraGard program and a member of the Microsoft IT Advisory Council. He holds a Ph.D. in physics to help him determine how long it will take his monitor to be launched across the local highway.
This was first published in October 2008