Malware survival tip No. 2: Deploy technologies and tactics that can help keep malware from spreading
Even when some of your systems are infected with a virus to the point where nothing seems to remove it completely, that doesn't mean the virus has to spread to other systems in your organization.
When you discover or suspect such a virus, take the infected systems offline as soon as possible to reduce the chance of spreading the malware or compromising other systems. Next, reapply a known, clean image, says Andy Hayter, the antimalcode program manager at ICSA Labs, a testing and certification firm.
Putting in a layered defense that includes technologies such as firewalls, antispam, intrusion prevention systems, intrusion detection systems, and antivirus software -- plus keeping systems up to date with the latest patches -- should help prevent the malware from infecting an entire organization, Hayter says.
"Control gateways between network segments and apply greater monitoring and control over internal networks," adds Richard Zuleg, a consultant at security consulting firm SystemExperts.
Encrypt traffic and data whenever possible, Zuleg advises, and use technology such as server and desktop virtualization both to quickly redeploy systems or even reset them to clean images and to separate data from the system.
"Companies need to be controlling who has advanced privileges on systems and strictly control access to data," Zuleg says. "If infected PCs are to become an accepted part of a network segment, then you will have no trust in that segment and must consider it to be like the public Internet."
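The gateway-control advice above amounts to an explicit allow-list between segments, with anything not listed (including everything from a segment that now hosts known-infected machines) treated as untrusted. The following is an added example, not code from the article or from any of the firms quoted: it checks constructed flow records against a hypothetical segment map and allow policy, and counts how many denied internal flows each source host generated, which is the signal that one workstation is trying to move laterally.

```python
"""Evaluate observed flows against a segment-to-segment allow policy.

Added example. The address plan, policy and flow records are constructed
for illustration and are not from any real network.
"""
import ipaddress
from collections import Counter

# Hypothetical address plan: one segment per role, plus a quarantine
# segment for hosts known to be infected.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "quarantine": ipaddress.ip_network("10.99.0.0/16"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied at the gateway. Workstation-to-workstation
# traffic is absent on purpose, and nothing is permitted out of quarantine:
# that segment is treated like the public Internet.
ALLOW = {
    ("workstations", "servers", 443),
    ("servers", "servers", 445),
}

# Constructed flow records: "src_ip,dst_ip,dst_port".
SAMPLE_FLOWS = [
    "10.10.1.5,10.20.0.10,443",   # workstation -> web server, allowed
    "10.10.1.5,10.10.1.6,445",    # workstation -> workstation SMB, denied
    "10.10.1.5,10.10.1.7,445",    # same source spraying SMB, denied
    "10.10.1.5,10.10.1.8,445",    # same source again, denied
    "10.99.0.3,10.20.0.10,443",   # quarantined host -> server, denied
    "10.10.2.9,10.20.0.10,443",   # another workstation, allowed
]


def segment_of(addr):
    """Map an IP address to its segment name, or 'internet' if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def is_allowed(src, dst, port):
    """Default-deny lookup against the allow-list."""
    return (segment_of(src), segment_of(dst), port) in ALLOW


def evaluate(flow_lines):
    """Return the denied flows and a per-source count of denied flows."""
    denied = []
    for line in flow_lines:
        src, dst, port = line.strip().split(",")
        if not is_allowed(src, dst, int(port)):
            denied.append((src, dst, int(port)))
    return denied, Counter(src for src, _, _ in denied)


def lateral_movers(denied_per_src, threshold=3):
    """Sources whose denied-flow count suggests lateral movement, sorted."""
    return sorted(src for src, n in denied_per_src.items() if n >= threshold)


if __name__ == "__main__":
    denied, per_src = evaluate(SAMPLE_FLOWS)
    for src, dst, port in denied:
        print(f"DENY {segment_of(src)}:{src} -> {segment_of(dst)}:{dst}:{port}")
    print("likely lateral movement from:", lateral_movers(per_src))
```

The threshold is a tuning knob: three denied internal flows from one host in a short window is enough here because the policy already excludes all workstation-to-workstation traffic, so any such attempt is suspicious on its own.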
New network analysis tools will soon emerge that let you better identify where malware exists on the network and how to best contain viruses, says Marc Seybold, CIO at the State University of New York at Old Westbury. When such technology becomes available, "if devices that Jane Smith uses to access the network are persistently trying to transmit data to outside domains that are in some way anomalous compared to other traffic on the network or her long-term patterns, then additional attention would be focused on such a user's devices and remedial action taken," he says. Among the companies working on such technology are Alcatel-Lucent, Riverbed, and SonicWall.
At the same time, Seybold says, network traffic flows will start to be more compartmentalized and insulated from each other as network access control and policy-based management are combined with application flow monitoring. "As these are linked up, full behavioral analysis based on end-to-end application flows bound to specific users will become possible," he says. Eventually there might be predictive analytics that could preemptively intercept malware transmissions based on past user behavior, "but that is still science fiction," he says.
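Seybold's scenario, a user's devices persistently contacting outside domains that are anomalous both against the rest of the network and against that user's own long-term pattern, can be reduced to a simple baseline-and-deviation check. The following is an added example, not a product from any of the vendors named above and not code from the article: it builds a per-user baseline of outbound domains from a constructed history, treats domains used by several users as population-common, and flags only destinations that are new to the user, uncommon across the population, and seen on several distinct days.

```python
"""Flag persistent, user-anomalous outbound destinations from flow summaries.

Added example with constructed records of the form "day,user,dst_domain,bytes_out".
The domains and users are fictitious.
"""
from collections import defaultdict

# Long-term history used to learn each user's normal destinations.
BASELINE = [
    "d01,jsmith,mail.example.com,12000",
    "d01,jsmith,crm.example.com,8000",
    "d02,jsmith,mail.example.com,13000",
    "d02,bjones,mail.example.com,9000",
    "d03,jsmith,crm.example.com,7000",
    "d03,bjones,wiki.example.com,4000",
]

# Detection window under review.
WINDOW = [
    "d10,jsmith,mail.example.com,12500",
    "d10,jsmith,cdn-7f3a.example.net,900",   # new to jsmith, small, repeats daily
    "d11,jsmith,cdn-7f3a.example.net,950",
    "d12,jsmith,cdn-7f3a.example.net,910",
    "d12,jsmith,docs.example.org,3000",      # new, but bjones uses it too
    "d12,bjones,docs.example.org,2500",
    "d10,bjones,mail.example.com,9100",
]


def parse(lines):
    """Split CSV summaries into (day, user, domain, bytes_out) tuples."""
    recs = []
    for line in lines:
        day, user, domain, nbytes = line.strip().split(",")
        recs.append((day, user, domain, int(nbytes)))
    return recs


def per_user_domains(records):
    """Each user's set of previously seen destination domains."""
    seen = defaultdict(set)
    for _, user, domain, _ in records:
        seen[user].add(domain)
    return seen


def population_common(records, min_users=2):
    """Domains contacted by at least min_users distinct users."""
    users_by_domain = defaultdict(set)
    for _, user, domain, _ in records:
        users_by_domain[domain].add(user)
    return {d for d, users in users_by_domain.items() if len(users) >= min_users}


def find_anomalies(baseline_lines, window_lines, min_days=3, min_users=2):
    """Return sorted (user, domain, distinct_days) for persistent new destinations.

    A destination is reported only if it is absent from the user's own
    baseline, not common across the user population, and seen on at least
    min_days distinct days in the window (one-off lookups are ignored).
    """
    base = parse(baseline_lines)
    window = parse(window_lines)
    long_term = per_user_domains(base)
    common = population_common(base + window, min_users)
    days = defaultdict(set)
    for day, user, domain, _ in window:
        if domain in long_term.get(user, set()) or domain in common:
            continue
        days[(user, domain)].add(day)
    return sorted((u, d, len(ds)) for (u, d), ds in days.items() if len(ds) >= min_days)


if __name__ == "__main__":
    for user, domain, ndays in find_anomalies(BASELINE, WINDOW):
        print(f"review {user}: {domain} contacted on {ndays} distinct days")
```

Both the persistence threshold and the population cut-off should be set from the real history: a domain that an entire department adopted in the same week is new to everyone at once, which the population check absorbs, while a beacon-style destination tends to be unique to one user and steady over days.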
Malware survival tip No. 3: Diversify your IT infrastructure to decrease reliance on one or two OSes or browsers
It might make sense to move away from the Windows monoculture, in which a single exploit can reach nearly every machine, and bring in other operating systems and devices so that no single malware infection can take down everyone in the organization. Maybe some people who handle critical systems or data can use a Linux PC or a Mac OS X PC so that they're not as likely to be hurt by a virus aimed specifically at a common Windows vulnerability.
Along these lines, consider avoiding a browser monoculture, because a lot of current malware invades systems via the browser. Evaluate browsers such as Internet Explorer, Firefox, Chrome, Safari, and Opera to see which fit best with your enterprise applications and user base.
"Diversity is always good to prevent your entire infrastructure from coming down," says B. Clifford Neuman, director of the University of Southern California's Center for Computer Systems Security. "But there is the flip side to this strategy in that it gives an intruder many different possible choices of attacked system in which to get a foothold into your organization." You trade potentially limiting infection for having more possible infection entry points.
Of course, whenever you make a move to switch operating systems, you might encounter resistance from some quarters. Tony Hildesheim, senior vice president of IT at financial services firm Redwood Credit Union, says his company is reviewing the use of alternative operating systems, browsers, and some business applications. But "none of these options appear to be all that popular with the business units," he notes.
Technology diversity is not always an effective defense per se. ICSA Labs' Hayter points out that malware infections are not limited to desktop PC environments. "There are many serious pieces of malware that can infect other [operating systems] and devices, be they desktop-based or mobile," he says. "Additionally, malware can cross platforms from one OS or device to another, further requiring a layered defense plan."