[the following recommendations were originally sent along to the Educause Security Effective Practices mailing list on June 25th, 2010]

Coping with Malware: A Dozen Suggestions

1) Malware is still largely focused on Windows, so if you have users running Mac OS X or Linux (e.g., on netbooks), you may see a different level of malware-related activity than sites that are pure-play Windows environments. Encourage OS diversity. (I would note that Google has reportedly recently moved away from Windows, for example.)

Similarly, choice of browser can help. I like Firefox, but Opera is yet another potential choice that may work for folks.

2) While signature-based anti-virus is less useful than it used to be, it will still often block at least some threats, and as such it has a continuing role. If you site-license a product, make sure that license covers both home and work systems (since infected home systems can serve as an infection point for portable media that then gets plugged into work systems), and that it covers traditional malware (viruses, worms, trojans) as well as "spyware" and the other quasi-artificial subcategories of unwanted software.

Use different products for network control points (such as mail servers) and desktops. Doing so provides defense in depth and improves coverage, since different products catch different threats.

3) Behavioral (i.e., non-signature-based) anti-malware solutions may also be worth consideration, either on the host or on the network. Things like FireEye may be one option, but Snort and Bro remain excellent intrusion detection options on the network; my colleague Bruce Curtis from North Dakota swears by eEye on hosts.

4) Patching is obviously key, not just for the operating system but also for applications and even helper applications (browser plugins). A number of folks mentioned Secunia's offerings, and that's a great option, but I'd also note things as simple as Firefox's plugin checker (see http://www.mozilla.com/en-US/plugincheck/ ) for spotting stale versions of Reader, Flash, Java and QuickTime (since those seem to be favorite attack vectors right now).

5) The bad guys are going to scan for vulnerable (unpatched) hosts, so you should be, too. Nessus will work, but obviously there are many other options, too.

6) Depending on your network religion, DNS also offers a potential control point for malware. MAAWG (the Messaging Anti-Abuse Working Group) just recently published a new document entitled "MAAWG Overview of DNS Security - Port 53 Protection" that may be worth a look, see www.maawg.org/sites/maawg/files/news/MAAWG_DNS%20Port%2053V1.0_2010-06.pdf

7) Good backups play an unexpectedly important role in containing the damage from malware infestations. The difference between, "Guess I'll need to roll back to yesterday's backup image" and "Guess I'll need to reinstall everything from scratch" is huge, I think. Do users have an easy-to-use (or automatic) backup option available, and are those backups kept somewhere that malware on the infected machine can't reach and corrupt them?

8) The community has seen at least some infestations coming from advertising sites. Why people still allow traffic from advertising sites I'll never understand. You can block a lot of potential cr*p (and a lot of infection vectors!) using things like the hosts file from http://www.mvps.org/winhelp2002/hosts.htm

Yes, advertising helps to underwrite key services we all depend on, but for once, be a free rider and let the other guys watch "your" share of the advertisements out there.

9) Train users to resist dangerous behaviors. You probably don't NEED Word documents just to send a simple meeting agenda, for example. Encourage people to rediscover the joy of plain text. :-) Similarly, you probably don't need HTML-"enhanced" email -- again, plain text works just fine, and has a MUCH lower potential threat profile. Another opportunity to limit problems is mailing lists: lists do NOT have to accept attachments or HTML-format submissions, for example.
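As an added illustration of that last point (this is example code written for this page, not anything from the original post or from any particular list manager), here is a submission filter that bounces list postings carrying attachments or HTML bodies and passes plain text through. The three sample messages are constructed; the addresses, subject lines and the "agenda.doc" attachment are made up.

```python
"""Added example: reject mailing-list submissions that carry attachments
or HTML bodies, accepting plain-text-only messages.  All messages below
are constructed for this example; the addresses and attachment are made up."""
from __future__ import annotations

from email import policy
from email.parser import BytesParser

# Constructed: a plain-text agenda, the kind of posting a list should accept.
PLAIN_MSG = b"""\
From: alice@example.test
To: agenda-list@example.test
Subject: Thursday agenda
Content-Type: text/plain; charset=us-ascii

1. Patching status
2. Backup coverage
"""

# Constructed: the same agenda sent as "HTML-enhanced" multipart/alternative.
HTML_MSG = b"""\
From: bob@example.test
To: agenda-list@example.test
Subject: Thursday agenda
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="alt-boundary"

--alt-boundary
Content-Type: text/plain; charset=us-ascii

Thursday agenda
--alt-boundary
Content-Type: text/html; charset=us-ascii

<html><body><b>Thursday agenda</b></body></html>
--alt-boundary--
"""

# Constructed: the agenda as a Word attachment (the base64 payload is just
# the first bytes of an OLE header, not a real document).
WORD_MSG = b"""\
From: carol@example.test
To: agenda-list@example.test
Subject: Thursday agenda
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mixed-boundary"

--mixed-boundary
Content-Type: text/plain; charset=us-ascii

Agenda attached.
--mixed-boundary
Content-Type: application/msword; name="agenda.doc"
Content-Disposition: attachment; filename="agenda.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--mixed-boundary--
"""


def rejection_reasons(raw: bytes) -> list[str]:
    """Return the reasons a list should bounce this message; an empty list means accept.

    Every leaf MIME part is inspected: anything flagged as an attachment (or
    carrying a filename), any text/html part, and any non-text part is a reason.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()  # "attachment", "inline" or None
        if disposition == "attachment" or part.get_filename():
            reasons.append(f"attachment: {part.get_filename() or ctype}")
        elif ctype == "text/html":
            reasons.append("HTML body")
        elif ctype != "text/plain":
            reasons.append(f"non-text part: {ctype}")
    return reasons


def accept_submission(raw: bytes) -> bool:
    """True if the message is plain text with no attachments."""
    return not rejection_reasons(raw)


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_MSG), ("html", HTML_MSG), ("word", WORD_MSG)):
        verdict = "accept" if accept_submission(raw) else "reject"
        print(f"{name}: {verdict} {rejection_reasons(raw)}")
```

Note that the filter bounces the multipart/alternative message even though it contains a perfectly good text/plain part; a friendlier list might strip the HTML alternative and repost the text part instead, but rejecting is the simpler and safer default.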

10) If you see malware that's not being detected, send it along to VirusTotal (www.virustotal.com). You will learn what you're seeing and what DOES currently detect that malware, and you'll also help the antivirus community by supplying them with a sample of what's in circulation. (Bear in mind that submitted samples are shared with the vendors, so don't upload documents that contain sensitive data.)

11) Online sandboxes (such as ThreatExpert, Anubis, CWSandbox, JoeBox, etc.) may also give you useful data about the network resources that some malware may be using (e.g., for C&C or for second-stage downloads). If you find network resources that malicious software depends on, you may be able to work to get those resources torn down (e.g., domain names with bad whois can be reported to wdprs.internic.net), or you may be able to block them locally.
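Items 6, 8 and 11 above all come down to the same local control: a list of names you don't want resolved (advertising hosts from a hosts-file style list, C&C and download domains pulled out of sandbox reports) and a DNS server that is the choke point where you can see and stop those lookups. The following is an added example written for this page, not code from the original post, the mvps.org project or MAAWG. It parses a hosts-file style blocklist, then scans BIND 9 query-log lines for lookups of blocked names, matching parent domains as well as exact names. The blocklist entries, client addresses and log lines are all constructed; the log line format is the 2010-era BIND 9 "querylog" form, which is an assumption (newer BIND versions log a longer line, so the regular expression would need adjusting).

```python
"""Added example: apply a hosts-file style blocklist at the DNS layer by
scanning BIND-style query logs for lookups of blocked names.  Every domain,
client address and log line below is constructed for this example."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed excerpt in the format used by hosts-file blocklists:
# "0.0.0.0 hostname" lines plus "#" comments.  These names are made up.
HOSTS_BLOCKLIST = """\
# Sample hosts-file blocklist (constructed for this example)
0.0.0.0 ads.example-adnet.test
0.0.0.0 tracker.example-adnet.test
0.0.0.0 c2.example-malware.test   # hypothetical C&C name from a sandbox report
"""

# Constructed BIND 9 query-log lines (assumed 2010-era querylog format:
# "client IP#port: query: NAME CLASS TYPE").
QUERY_LOG = """\
25-Jun-2010 09:14:02.118 client 10.1.2.3#51423: query: www.example.test IN A +
25-Jun-2010 09:14:05.331 client 10.1.2.3#51424: query: ads.example-adnet.test IN A +
25-Jun-2010 09:15:11.002 client 10.1.7.9#40122: query: update.c2.example-malware.test IN A +
25-Jun-2010 09:16:40.777 client 10.1.2.3#51431: query: cdn.ads.example-adnet.test IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the hostnames in a hosts-file blocklist, lowercased, comments stripped."""
    blocked: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:  # "address hostname [aliases...]"
            blocked.add(fields[1].lower().rstrip("."))
    return blocked


def is_blocked(qname: str, blocked: set[str]) -> str | None:
    """Return the blocklist entry that covers qname, or None.

    The queried name and each of its parent domains are checked, so a
    blocked "ads.example-adnet.test" also covers "cdn.ads.example-adnet.test".
    (A hosts file on the endpoint only ever matches the exact name; this
    wider match is what a DNS-layer block buys you.)
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def find_blocked_lookups(log_lines: Iterable[str], blocked: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, queried name, matching blocklist entry) for each blocked lookup."""
    hits: list[tuple[str, str, str]] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format this regex doesn't know)
        entry = is_blocked(m["qname"], blocked)
        if entry is not None:
            hits.append((m["client"], m["qname"], entry))
    return hits


if __name__ == "__main__":
    blocklist = parse_hosts_blocklist(HOSTS_BLOCKLIST)
    for client, qname, entry in find_blocked_lookups(QUERY_LOG.splitlines(), blocklist):
        print(f"{client} looked up {qname} (blocked via {entry})")
```

Two points the example makes that the text above only implies: the hosts-file approach matches exact names only, so an advertiser or a bot herder who moves to a new subdomain slips past it, while a resolver-side block on the parent domain does not; and the query log is worth reading even if you never block anything, because the client address in each hit is the infected machine you need to go clean.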

12) Make sure that folks can figure out how to report problems to you. Are all your points of contact in whois current? (e.g., for your domain, for your IP blocks, and for your ASN?) Do you have the RFC 2142 standard reporting addresses (abuse@, noc@, security@) in place and read by someone? If I check for your domain at abuse.net, do I find reasonable abuse reporting contacts listed?