Booklet: Information Security
Section: Security Controls Implementation
Subsection: Malicious Code Prevention

Malicious Code Prevention

Action Summary additional information.

Malicious code is any program that acts in unexpected and potentially damaging ways.  Common types of malicious code are viruses, worms, Trojan horses, monitoring programs such as spyware, and cross-site scripts.  The functions of each were once mutually exclusive; however, developers combined functions to create more powerful malicious code.  Malicious code can

  • Replicate itself within a computer and transmit itself between computers. 
  • Change, delete, or insert data, transmit data outside the institution, and insert backdoors into institution systems. 
  • Attack institutions at either the server or the client level.
  • Attack routers, switches, and other parts of the institution infrastructure. 

Malicious code can also monitor users in many ways, such as logging keystrokes and transmitting screenshots to the attacker.

Typically malicious code is mobile, using e-mail, Instant Messenger, and other peer-to-peer (P2P) applications, or active content attached to Web pages as transmission mechanisms.  The code also can be hidden in programs that are downloaded from the Internet or brought into the institution on diskette.  At times, the malicious code can be created on the institution’s systems either by intruders or by authorized users.  The code can also be introduced to a Web server in numerous ways, such as entering the code in a response form on a Web page.

Malicious code does not have to be targeted at the institution to damage the institution’s systems or steal the institution’s data.  Most malicious code is general in application, potentially affecting all Internet users with whatever operating system or application the code needs to function. 

Controls to Protect Against Malicious Code

Typical controls to protect against malicious code use technology, policies and procedures, and training, all applied in a layered manner from perimeters inward to hosts and data. The controls are of the preventative and detective/corrective variety.  Controls are applied at the host, network, and user levels:

Host Level

  • Host hardening, including patch application and security-minded configurations of the operating system (OS), browsers, and other network-aware software.
  • Host IPS, including anti-virus, anti-spyware, and anti-rootkitadditional information software.  An additional technology is software that limits applications calls to the OS to the minimum necessary for the application to function.
  • Integrity checking software, combined with strict change controls and configuration management.
  • Application of known-good configurations at boot-up.
  • Periodic auditing of host configurations, both manual and automated.

Network Level

  • Limiting the transfer of executable files through the perimeter.
  • IDS and IPS monitoring of incoming and outgoing network traffic, including anti-virus, anti-spyware and signature and anomaly-based traffic monitors.
  • Routing ACLs that limit incoming and outgoing connections as well as internal connections to those necessary for business purposes.
  • Proxy servers that inspect incoming and outgoing packets for indicators of malicious code and block access to known or suspected malware distribution servers.
  • Filtering to protect against attacks such as cross-site scripting and SQL injection.

User Level

  • User education in awareness, safe computing practices, indicators of malicious code, and response actions.