C – Containing Malware Infections

Even when applying common sense principles, there are many ways a computer can get infected – whether through malware, worms, trojans, or other means. The Department of Homeland Security (DHS), recognizing this persistent danger, has put together a guide to help prevent and contain these threats. 

Though many of these instructions may be oriented towards administrators, there are a few important lessons for the common user. First, prevention is as important as containment, and special care should be taken with shared devices. Second, convenience shouldn’t override security, and access should be restricted where it’s not needed; for example, users should work from a normal user account rather than a privileged administrator account. Lastly, infections shouldn’t just be fixed, but studied to prevent future issues of a similar nature. 

First, one must identify potential sources of infection, commonly called distribution vectors. While malware can target any computer or software, certain kinds of systems are at particular risk: enterprise applications, centralized servers, and networking hardware. If these points were compromised, the entire network would be at risk; thus, users and administrators alike must take special care when using these devices. 

Second, one must consider how to prevent possible infection of these vectors. By segmenting a network into various subnetworks, we can use communication flow, or lack thereof, to ensure that the infection of one subnetwork will not imply the infection of the whole network. This can be implemented physically, such as with cables, or with access-control lists. Access control is itself a method of protection, ensuring that users have exactly the permissions they require, which in turn limits their potential damage. 
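As an added illustration (my own example, not from the DHS guide or this summary), the following Python models a small network as hosts grouped into subnets with an access-control list between them, and computes how far an infection that spreads only over permitted connections could travel; the hosts, subnets and rules are constructed sample data.

```python
from collections import deque

# Constructed inventory: host -> subnet it lives in
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "app-01": "app-servers", "db-01": "database",
    "sw-core": "net-mgmt",
}
SUBNETS = set(HOSTS.values())

# Flat network: every subnet may open connections to every other subnet.
FLAT_ACL = {(s, d) for s in SUBNETS for d in SUBNETS}

# Segmented network: only the flows the business actually needs are permitted.
SEGMENTED_ACL = {
    ("workstations", "app-servers"),   # users reach the application tier
    ("app-servers", "database"),       # only the app tier may talk to the DB
    ("net-mgmt", "workstations"),      # management subnet pushes config out
    ("net-mgmt", "app-servers"),
    ("net-mgmt", "database"),
}

def allowed(acl, src_host, dst_host):
    """True if the ACL lets src_host open a connection to dst_host.
    Traffic inside one subnet is not filtered by an inter-subnet ACL."""
    src, dst = HOSTS[src_host], HOSTS[dst_host]
    return src == dst or (src, dst) in acl

def blast_radius(seed, acl):
    """Hosts an infection could reach from `seed` if it can only move
    along ACL-permitted connections (breadth-first over the network)."""
    infected, queue = {seed}, deque([seed])
    while queue:
        current = queue.popleft()
        for other in HOSTS:
            if other not in infected and allowed(acl, current, other):
                infected.add(other)
                queue.append(other)
    return infected

if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        for seed in ("ws-01", "db-01"):
            print(f"{name:9s} {seed} infected -> {sorted(blast_radius(seed, acl))}")
```

With the flat ACL a compromised workstation reaches every host; with the segmented ACL the network-management switch is never reachable from a workstation, and an infection that starts on the database host cannot leave that subnet at all.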

Third, in case of an infection, the DHS provides a general set of instructions. First, one must ascertain which machines were infected, and through what vector. Then, mitigation must be applied to both the immediate threats and the origin: infected machines should be isolated, known as “sandboxing,” and then the original security hole should be closed. 

While there isn’t an end in sight for malware infections, we must remain vigilant at every level, administrator and user alike, to limit its reach and impact. 

Author: Grey Ruessler