
Security measures against Malware:

i. Malicious software is an integral and dangerous aspect of internet-based threats that target end-users and organizations through web browsing, email attachments, mobile devices and other vectors. Malicious code may tamper with a system's contents and capture sensitive data; it can also spread to other systems.

Modern malware aims to evade signature-based and behavioural detection, and may disable the anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.

IS198

ii. Typical controls to protect against malicious code use layered combinations of technology, policies and procedures, and training. The controls are preventive, detective and corrective in nature, and are applied at the host, network and user levels:

IS199

• At host level: The measures at the host level include host hardening (including patch application and proper security configuration of the operating system (OS), browsers and other network-aware software); considering host-based firewalls on each internal computer, and especially on laptops assigned to mobile users (many host-based firewalls also have application-hashing capabilities, which help identify applications that may have been trojanized after initial installation); considering host IPS and integrity-checking software combined with strict change control and configuration management; and periodic auditing of host configurations, both manual and automated.

IS200

• At network level: The measures include limiting the transfer of executable files through the perimeter; IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-spyware, and signature- and anomaly-based traffic monitors; routing Access Control Lists (ACLs) that limit incoming, outgoing and internal connections to those necessary for business purposes; proxy servers that inspect incoming and outgoing packets for indicators of malicious code and block access to known or suspected malware distribution servers; and filtering to protect against attacks such as cross-site scripting and SQL injection.

Ref. DSS05 02 3

IS201 (Ref. DSS05 01 6)

IS201.1 (Ref. DSS06 06 2)

IS202

iii. Enterprise security administration features may be used daily to check the number of systems that do not have the latest anti-malware signatures. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.

Ref. DSS05 01

IS203

iv. Banks should employ anti-malware software with signature auto-update features, so that signature files and scan engines are updated automatically whenever the vendor publishes updates. After an update is applied, automated systems should verify that each system has received its signature update, and the bank should monitor anti-virus console logs to correct any systems that failed to update. The systems deployed for client security should deliver simplified administration through central management and provide critical visibility into threats and vulnerabilities. They should also integrate with existing infrastructure software, such as Active Directory, for enhanced protection and greater control.

Ref. DSS05 01

• At user level: User education covering security awareness, safe computing practices, indicators of malicious code, and response actions.

IS204

v. Administrators should not rely solely on AV software and email filtering to detect worm infections. Logs from firewalls, intrusion detection and prevention sensors, DNS servers and proxy servers should be monitored daily for signs of worm infection, including but not limited to:

• Outbound SMTP connection attempts from anything other than a bank's SMTP mail gateways

• Excessive or unusual scanning on TCP and UDP ports 135-139 and 445

• Connection attempts on IRC or any other ports that are unusual for the environment

• Excessive attempts from internal systems to access non-business web sites

• Excessive traffic from an individual internal system or a group of internal systems

• Excessive DNS queries from internal systems to the same host name, or for known "nonexistent" host names

Using a centralized means such as a syslog host to collect logs from the various devices and systems helps in analysing this information.
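The indicators listed above turned into detection logic, as an added example that is not part of the guideline: constructed firewall and DNS log lines (a simple key=value format, not any vendor's real format) are checked for outbound SMTP from non-gateway hosts, connections to ports unusual for the environment, scanning of TCP 135-139/445 and repeated queries for the same or nonexistent host names. The gateway addresses, port sets and thresholds are assumptions to be tuned per environment.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the guideline): scan constructed firewall/DNS log
# lines for the worm indicators listed above. Gateways, ports and thresholds are assumed.
MAIL_GATEWAYS = {"10.0.0.25"}          # only these hosts may send SMTP outbound
UNUSUAL_PORTS = {6667, 6697}           # IRC; extend with ports unusual for the site
SMB_PORTS = set(range(135, 140)) | {445}
SCAN_THRESHOLD = 5                     # distinct SMB/NetBIOS targets per source host
DNS_THRESHOLD = 5                      # repeated queries per (client, name, rcode)
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """'fw src=... dport=...' -> dict; None for lines that are not fw/dns records."""
    head, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    return {"type": head, **fields} if head in ("fw", "dns") and fields else None

def detect(lines):
    """Return human-readable alerts for the indicators found in the log lines."""
    alerts, smb_targets, dns_hits = [], defaultdict(set), Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["type"] == "fw":
            src, dst, port = rec["src"], rec["dst"], int(rec["dport"])
            if port == 25 and src not in MAIL_GATEWAYS:
                alerts.append(f"outbound SMTP from non-gateway {src} to {dst}")
            if port in UNUSUAL_PORTS:
                alerts.append(f"{src} connected to unusual port {port} on {dst}")
            if port in SMB_PORTS:
                smb_targets[src].add(dst)
        else:
            dns_hits[(rec["client"], rec["qname"], rec.get("rcode"))] += 1
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(f"{src} scanned {len(targets)} hosts on SMB/NetBIOS ports")
    for (client, qname, rcode), n in dns_hits.items():
        if n >= DNS_THRESHOLD:
            what = "nonexistent" if rcode == "NXDOMAIN" else "same"
            alerts.append(f"{client} issued {n} queries for {what} name {qname}")
    return alerts

SAMPLE_LOG = (  # constructed lines in an assumed key=value format
    ["fw src=10.1.5.20 dst=203.0.113.9 proto=tcp dport=25 action=allow",
     "fw src=10.0.0.25 dst=203.0.113.9 proto=tcp dport=25 action=allow",
     "fw src=10.1.5.21 dst=198.51.100.7 proto=tcp dport=6667 action=deny"]
    + [f"fw src=10.1.5.20 dst=10.1.6.{i} proto=tcp dport=445 action=deny" for i in range(1, 8)]
    + ["dns client=10.1.5.20 qname=update-check.invalid rcode=NXDOMAIN"] * 6
)
```

Running detect(SAMPLE_LOG) flags the non-gateway SMTP attempt, the IRC connection, the SMB scan and the repeated NXDOMAIN lookups, all from the same workstation, which is the pattern a daily review of centralized logs is meant to surface.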

Ref. DSS05 07

IS205

vi. Banks should configure laptops, workstations, and servers so that they do not auto-run content from USB tokens, USB hard drives, CDs/DVDs, external SATA devices, mounted network shares, or other removable media.

Ref. DSS05 07

IS207

viii. Banks can also consider deploying Network Access Control (NAC) tools to verify the security configuration and patch-level compliance of devices before granting access to a network. Network Admission Control (NAC) restricts access to the network based on the identity or security posture of the user or device requesting it. When NAC is implemented, a user or machine seeking network access is forced to authenticate before actual access to the network is granted. A typical (non-free) Wi-Fi connection is a form of NAC: the user must present some sort of credentials (or a credit card) before being granted access to the network. Network admission control systems allow non-compliant devices to be denied access, placed in a quarantined area, or given restricted access to computing resources, thus keeping insecure nodes from infecting the network. The key component of the Network Admission Control program is the Trust Agent, which resides on an endpoint system and communicates with routers on the network. The information is then relayed to a Secure Access Control Server (ACS), where access control decisions are made. The ACS directs the router to perform enforcement against the endpoint.

Ref. DSS06 03

IS208

ix. Email Attachment Filtering - Banks should filter various attachment types at the email gateway unless they are required for specific business use. Examples include .ade .cmd .eml .ins .mdb .mst .reg .url .wsf .adp .com .exe .isp .mde .pcd .scr .vb .wsh .bas .cpl .hlp .js .msc .pif .sct .vbe .bat .crt .hta .jse .msi .pl .scx .vbs .chm .dll .inf .lnk .msp .pot .shs .wsc … etc. Banks should consider allowing only file extensions with a documented business case and filtering all others.

Ref. DSS05 03

IS209