Four Steps to Prevent Malware Threats
Four steps to prevent malware threats
Fortunately, there are four concrete steps you can take to prevent malware threats in your organization:
Step No. 1: Have a corporate anti-malware solution
With malware's continued relevance as a core security problem, no enterprise should be without an anti-malware solution. And since most malware affects user computers, that is where the focus should be: on every user desktop in the enterprise.
Furthermore, since remote access is ubiquitous these days, remote users should have the same kind of protection in place. In fact, a complete endpoint security solution for remote users is a good idea, including patch and firewall management as well as anti-malware software. Finally, consider deploying an intrusion prevention system (IPS) to intercept and prevent certain kinds of attacks originating from remote users.
Step No. 2: Patch!
Because the security arena changes so rapidly, it is important to stay current with vendor software releases. While it would be ideal to have someone in the organization keep tabs on CERT advisories, flaw disclosure mailing lists and so forth, you can get a lot of bang for your security buck just by keeping current with vendor patches. Yes, there will be times when vendors are late with patches but, by and large, you will be in a much safer position.
Step No. 3: Deploy strong authentication
A great many enterprise attacks depend on single-factor authentication. Traditional phishing and keylogging attacks fall into this category, as do attacks such as the Twitter example described earlier. These attacks harvest credentials (for example, user names and passwords), which are later used to gain access to the users' accounts. Deploying an additional authentication mechanism can protect against these attacks by requiring users to verify their identity using something they own (such as a security device) or something they are (such as a voiceprint or fingerprint). All of them can be defeated by deploying a multifactor authentication system.
Because these attacks can harvest information, such as the answers to your security questions, additional information-based authentication does not provide additional protection. And this also goes for digital certificates; because they are generally easy to copy or steal, they will not help prevent these attacks on their own.
Current best practice when selecting an authentication solution is to look for an out-of-band, two-factor system since malware has been found in the wild that can defeat traditional in-band, two-factor systems. Additionally, consider adding biometric authentication to the mix with a voice-based, fingerprint-based or other three-factor authentication system. By using a separate channel such as the telephone network for the second factor of authentication, you can circumvent malware installed on the user's device.
Step No. 4: Use transaction verification
If you work for an organization such as a bank that does user-initiated transactions, you should be aware of a new malware threat that, essentially, waits for the user to log in and then sends chosen transactions through the SSL tunnel without the user's knowledge.
These attacks are easy to mitigate with an out-of-band transaction verification system. Whenever a user submits a transaction (or perhaps only for selected transactions), the bank makes an automated phone call to the user's registered phone number, playing back the exact details of the proposed transaction to the user. The user must approve the transaction before it takes place. This makes it impossible for a piece of malware to sneak something by.
Steve Dispensa is co-founder and Chief Technology Officer of PhoneFactor. Steve is a leader in the field of data security and device driver development technology, holding numerous patents in the fields of computer science and telecommunications. Steve also hosts Security Break Live, an Internet radio talk show, as well as a blog of the same name. Visit it at securitybreaklive.com. He can also be reached at firstname.lastname@example.org.