How can you be sure your organisation doesn't have insidious viruses or other malware lurking within systems and applications, waiting to inflict damage? You can't.
Malware has grown sophisticated to the point where there's no guarantee that it's actually gone, even when you've applied the latest antivirus software. Making matters worse, IT infrastructures are becoming much more complex -- with an ever-growing population of devices that give malware even more possible entry points.
These days, you have to assume there are some infected PCs or other devices on the corporate network.
Here are some approaches that can help minimise the effect of malware on your network and in your systems so that your organisation can carry on with business despite the presence of malicious programs.
1. Practice good data governance
You can help minimise the damage caused by malware by more effectively protecting the specific types of data that many of the malware programs are going after in the first place. In a lot of cases, they're looking to exploit sensitive data such as personal information, trade secrets, research and development findings, and other intellectual property, Rica says.
PricewaterhouseCoopers is working with many of its clients to create a strong data governance model that helps the organisations better understand what their most critical data is, where it's stored, how it moves on the corporate networks, and how they can put the right controls in place to maximise the security of that information.
An audit of the information assets at many companies will show that sensitive data such as customer credit card numbers is initially well-guarded, Rica says. But eventually it ends up in less-protected applications such as spreadsheets or emails, where it is more susceptible to malware.
"We've seen clients lose tens of millions of credit card or Social Security numbers because they're in spreadsheets somewhere outside the HR system," Rica says. "Our approach is to use better data governance models so that this data has the same [security] controls around it regardless of where it resides. Make sure the data is protected through all stages of its lifecycle."
Because all data is not equal, a key part of data governance involves categorising information so that you can identify which data is most critical to the company and its customers. From there, you can apply more stringent access controls.
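One way to carry out the kind of information-asset audit described above is to scan the places sensitive data drifts into (exported spreadsheets, mail archives, ad hoc text dumps) for payment card numbers and national identifiers, and to label each file by what it contains so the stricter controls can follow the data. The following Python is an added example, not code from the article or from PwC; the sample files, the Luhn-validated card pattern and the simple SSN plausibility rules are constructed for illustration, and the report only ever keeps the last four digits of anything it finds.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for spreadsheets and mail exports pulled
# from file shares. All numbers below are made up or well-known test values.
SAMPLE_FILES = {
    "hr_export.csv": "name,ssn\nJ. Smith,123-45-6789\nA. Jones,321-54-9876\n",
    "q3_refunds.xlsx.txt": "refund 4111 1111 1111 1111 approved\nrefund 4012-8888-8888-1881 pending\n",
    "lunch_menu.txt": "Order ref 1234567890123 (not a card), call 555-0100\n",
    "notes.txt": "ticket 0000-00-0000 and SSN 666-12-3456 are invalid placeholders\n",
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    kind: str     # "PAN" or "SSN"
    masked: str   # only the last four digits survive into the report


@dataclass
class FileReport:
    name: str
    findings: list

    @property
    def classification(self) -> str:
        # Constructed two-tier scheme: anything holding regulated data is "restricted".
        return "restricted" if self.findings else "internal"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list:
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("SSN", mask("".join(m.groups()))))
    return findings


def audit(files: dict) -> dict:
    """Map each file name to a report carrying its masked findings and classification."""
    return {name: FileReport(name, scan_text(text)) for name, text in files.items()}


if __name__ == "__main__":
    for report in audit(SAMPLE_FILES).values():
        kinds = sorted({f.kind for f in report.findings})
        print(f"{report.name:22s} {report.classification:10s} {kinds}")
```

The Luhn step matters more than it looks: without it the 13-digit order reference in `lunch_menu.txt` would be reported as a card number, and an audit that cries wolf on every long number is quickly ignored.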
2. Deploy technologies and tactics that can help keep malware from spreading
Even when some of your systems are infected with a virus to the point where nothing seems to remove it completely, that doesn't mean the virus has to spread to other systems in your organisation.
When you discover or suspect such a virus, take the infected systems offline as soon as possible to reduce the chance of spreading the malware or compromising other systems. Next, reapply a known, clean image, says Andy Hayter, the antimalcode program manager at ICSA Labs, a testing and certification firm.
Putting in a layered defence that includes technologies such as firewalls, antispam, intrusion prevention systems, intrusion detection systems, and antivirus software -- plus keeping systems up to date with the latest patches -- should help prevent the malware from infecting an entire organisation, Hayter says.
"Control gateways between network segments and apply greater monitoring and control over internal networks," adds Richard Zuleg, a consultant at security consulting firm SystemExperts.
Encrypt traffic and data whenever possible, Zuleg advises, and use technology such as server and desktop virtualisation both to quickly redeploy systems or even reset them to clean images and to separate data from the system.
"Companies need to be controlling who has advanced privileges on systems and strictly control access to data," Zuleg says. "If infected PCs are to become an accepted part of a network segment, then you will have no trust in that segment and must consider it to be like the public internet."
New network analysis tools will soon emerge that let you better identify where malware exists on the network and how to best contain viruses, says Marc Seybold, CIO at the State University of New York at Old Westbury. When such technology becomes available, "if devices that Jane Smith uses to access the network are persistently trying to transmit data to outside domains that are in some way anomalous compared to other traffic on the network or her long-term patterns, then additional attention would be focused on such a user's devices and remedial action taken," he says. Among the companies working on such technology are Alcatel-Lucent, Riverbed, and SonicWall.
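The behaviour Seybold describes, a user's device persistently contacting outside domains that are unusual both for that user's own history and for the rest of the network, can be approximated today from resolver or proxy logs rather than waiting for a product. The following Python is an added example, not code from the article or from any of the vendors named; the log lines, the corporate DNS zone suffix and the two thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed resolver/proxy-style log lines: "<epoch-seconds> <device> <destination-domain>".
# HISTORY is the learning period; TODAY is the window being evaluated.
HISTORY = """\
1000 jsmith-laptop mail.example.org
1001 jsmith-laptop intranet.example.org
1002 jsmith-laptop cdn.news-site.example
1003 kdoe-desktop mail.example.org
1004 kdoe-desktop intranet.example.org
"""

TODAY = """\
2000 jsmith-laptop mail.example.org
2001 jsmith-laptop a1b2c3.unfamiliar.example
2002 jsmith-laptop a1b2c3.unfamiliar.example
2003 jsmith-laptop a1b2c3.unfamiliar.example
2004 jsmith-laptop a1b2c3.unfamiliar.example
2005 jsmith-laptop a1b2c3.unfamiliar.example
2006 kdoe-desktop mail.example.org
2007 kdoe-desktop status.vendor.example
2008 jsmith-laptop status.vendor.example
2009 kdoe-desktop status.vendor.example
"""

# Constructed assumption: the organisation's own DNS zone. Traffic to it is not "outside".
INTERNAL_SUFFIXES = (".example.org",)


def parse(log_text):
    """Yield (device, domain) pairs for outside destinations only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, device, domain = parts
        if domain.endswith(INTERNAL_SUFFIXES):
            continue
        yield device, domain


def build_baseline(history_text):
    """Per-device set of outside domains seen during the learning period (the long-term pattern)."""
    baseline = defaultdict(set)
    for device, domain in parse(history_text):
        baseline[device].add(domain)
    return baseline


def detect_anomalous_egress(history_text, today_text, min_attempts=5, max_devices=1):
    """Return (device, domain, attempts) for destinations that are new for that device,
    contacted persistently, and rare across the network (at most max_devices talk to them)."""
    baseline = build_baseline(history_text)
    attempts = Counter(parse(today_text))              # (device, domain) -> count
    devices_per_domain = defaultdict(set)
    for device, domain in attempts:
        devices_per_domain[domain].add(device)

    alerts = []
    for (device, domain), count in sorted(attempts.items()):
        if domain in baseline[device]:
            continue                                   # part of this device's long-term pattern
        if count < min_attempts:
            continue                                   # not persistent enough to act on
        if len(devices_per_domain[domain]) > max_devices:
            continue                                   # common across the network, likely a shared service
        alerts.append((device, domain, count))
    return alerts


if __name__ == "__main__":
    for device, domain, count in detect_anomalous_egress(HISTORY, TODAY):
        print(f"review {device}: {count} attempts to new, rare destination {domain}")
```

The network-wide comparison is what keeps a newly adopted vendor service (`status.vendor.example`, reached by two devices) from being flagged while a destination that only one device keeps hammering is surfaced for review; in practice the baseline would be rebuilt daily over a rolling window.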
3. Diversify your IT infrastructure to decrease reliance on one or two OSes or browsers
It might make sense to move away from the Windows monoculture, which can be more quickly and easily attacked, and bring in other operating systems and devices so that you know a malware infection can never take down everyone in the organisation. Maybe some people who handle critical systems or data can use a Linux PC or a Mac OS X PC so that they're not as likely to be hurt by a virus aimed specifically at a common Windows vulnerability.
Along these lines, consider avoiding a browser monoculture, because a lot of current malware invades systems via the browser. Evaluate browsers such as Internet Explorer, Firefox, Chrome, Safari, and Opera to see which fit best with your enterprise applications and user base.
"Diversity is always good to prevent your entire infrastructure from coming down," says B. Clifford Neuman, director of the University of Southern California's Center for Computer Systems Security. "But there is the flip side to this strategy in that it gives an intruder many different possible choices of attacked system in which to get a foothold into your organisation." You trade potentially limiting infection for having more possible infection entry points.
Of course, whenever you make a move to switch operating systems, you might encounter resistance from some quarters. Tony Hildesheim, senior vice president of IT at financial services firm Redwood Credit Union, says his company is reviewing the use of alternative operating systems, browsers, and some business applications. But "none of these options appear to be all that popular with the business units," he notes.
Technology diversity is not always an effective defence per se. ICSA Labs' Hayter points out that malware infections are not limited to desktop PC environments. "There are many serious pieces of malware that can infect other [operating systems] and devices, be they desktop-based or mobile," he says. "Additionally, malware can cross platforms from one OS or device to another, further requiring a layered defence plan."
4. Be sensible about using consumer devices in the workplace
If you believe in allowing lots of data access for everyone and from every conceivable type of device, it might be time to rethink your data management and access strategy. Limit network access via mobile devices to those users who really need it, and put in place controls so that those who can get into the network can only reach certain parts of it.
Personal portable devices such as tablets, laptops, and Wi-Fi-equipped smartphones are becoming ever more popular in the workplace, and users will want to be connected to the corporate network.
But using diligence when granting access -- considering that these devices might be sources of malware -- makes sense. "What we've noticed is that once devices reach a certain threshold of consumer acceptance, malware appears for those platforms," says SUNY Old Westbury's Seybold. "Witness [recent] iPhone and Android attacks."
According to the Ponemon study, the rise of mobile and remote workers, PC vulnerabilities, and the introduction of third-party applications onto the network are the greatest areas of endpoint security risk today. This is a shift from last year's survey, when endpoint security concerns were mainly focused on removable media and data center risks.
Even without the "bring your own device" and "use your own apps" trends to consider how to manage, IT could reduce the ability of malware to spread by rethinking how many apps it deploys for users. "In looking at our line staff, there is no reason they need all the tools loaded on all the systems," says Redwood Credit Union's Hildesheim.
A report released in April 2011 by PandaLabs, Panda Security's antimalware laboratory, showed that the first three months of the year had seen "particularly intense virus activity," including a major attack against Android smartphones and intensive use of Facebook to distribute malware.
The beginning of March saw the largest attack on Android to date, the PandaLabs report stated. The assault was launched from malicious applications on Android Market, the official Google app store for the mobile OS. In just four days, these Trojan applications racked up more than 50,000 downloads: "The Trojan in this case was highly sophisticated, not only stealing personal information from cellphones, but also downloading and installing other apps without the user's knowledge."
5. Build a solid security foundation to protect the organisation, rather than to protect devices
Sure, you need antimalware software on PCs and other devices to help prevent infections. But to create an environment where your company can continue to function without malware-related problems even with the existence of malware on some systems, you have to deploy a secure system architecture rather than a security architecture for a system, says USC's Neuman.
"You need to determine issues such as placement of data with an understanding of the application and the risks of compromise of the data, rather than just bolting security solutions onto an existing system," Neuman says. "Good architecture will define multiple protection domains, with successive layers of protection deployed, and fewer users legitimately able to access data as it becomes more and more sensitive."
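Neuman's "multiple protection domains" with "fewer users legitimately able to access data as it becomes more and more sensitive", and the categorisation step in point 1, both come down to a nesting property that can be checked mechanically rather than trusted: each more sensitive domain must admit a subset of the users and network zones admitted by the one below it, and a request must clear every layer on the way in. The following Python is an added example, not code from the article or from USC; the sensitivity levels, the user directory, the network zones, the policy tables and the data inventory are all constructed.

```python
# Constructed sensitivity levels, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Constructed directory: user -> groups. A real deployment would read this from the IdP.
DIRECTORY = {
    "guest1": {"everyone"},
    "alice": {"everyone", "staff"},
    "bob": {"everyone", "staff", "finance"},
    "carol": {"everyone", "staff", "hr"},
}

# Constructed policy: for each level, the groups allowed to read it and the network
# zones a request may arrive from. Nesting (each level a subset of the one below)
# is what delivers "fewer users as data becomes more sensitive".
POLICY = {
    "public":       {"groups": {"everyone"},      "zones": {"guest", "office", "admin"}},
    "internal":     {"groups": {"staff"},         "zones": {"office", "admin"}},
    "confidential": {"groups": {"finance", "hr"}, "zones": {"office", "admin"}},
    "restricted":   {"groups": {"hr"},            "zones": {"admin"}},
}

# Constructed output of the classification step: data item -> sensitivity level.
INVENTORY = {
    "price_list.pdf": "public",
    "org_chart.xlsx": "internal",
    "q3_forecast.xlsx": "confidential",
    "payroll.xlsx": "restricted",
}


def users_for(policy, level):
    """Every directory user who holds at least one group admitted at this level."""
    return {u for u, groups in DIRECTORY.items() if groups & policy[level]["groups"]}


def validate_policy(policy):
    """Describe each level that is not nested inside the level below it (empty list = sound)."""
    problems = []
    for lower, higher in zip(LEVELS, LEVELS[1:]):
        if not users_for(policy, higher) <= users_for(policy, lower):
            problems.append(f"{higher}: readable by users who cannot read {lower}")
        if not policy[higher]["zones"] <= policy[lower]["zones"]:
            problems.append(f"{higher}: reachable from zones not allowed for {lower}")
    return problems


def authorize(user, item, zone, policy=POLICY):
    """Layered check: the request must be admitted by every domain from 'public' up to the
    item's own level, so a loosened inner layer cannot widen access by itself."""
    level = INVENTORY[item]
    groups = DIRECTORY.get(user, set())
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        rule = policy[lvl]
        if not (groups & rule["groups"]) or zone not in rule["zones"]:
            return False
    return True


if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY) or "none")
    for lvl in LEVELS:
        print(f"{lvl:13s} readable by {sorted(users_for(POLICY, lvl))}")
```

Running `validate_policy` as a gate on every policy change turns the architecture principle into a regression test: a rule that quietly adds a broad group to the restricted domain fails the nesting check before it reaches production.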