Security Control 5:
Malware Defenses

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

5.1

Employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality.

Additional details:

All malware detection events should be sent to anti-malware administration tools and event log servers.

High: REQ | Med: REQ | Low: REQ

5.2

Employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis.

Additional details:

After applying an update, automated systems should verify that each system has received its signature update.

High: REQ | Med: REQ | Low: REQ

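Controls 5.1 and 5.2 both come down to the same two questions: which hosts are not fully protected right now, and which hosts did not pick up the last signature push? The following is an added example (not code from the control document) of that audit in Python, run over a constructed inventory of the kind an anti-malware console exports. The field names (`agent_running`, `components`, `signature_date`) and the one-day maximum signature age are assumptions taken from the wording of the two controls.

```python
"""Endpoint anti-malware compliance audit (added example; inventory is constructed)."""
from datetime import datetime, timedelta

# Constructed inventory records, modelled on what a management console would export.
INVENTORY = [
    {"host": "ws-101", "agent_running": True,
     "components": {"antivirus": True, "antispyware": True, "firewall": True, "hips": True},
     "signature_date": "2024-03-04T06:10:00"},
    {"host": "ws-102", "agent_running": True,
     "components": {"antivirus": True, "antispyware": True, "firewall": False, "hips": True},
     "signature_date": "2024-03-04T06:12:00"},
    {"host": "srv-db1", "agent_running": True,
     "components": {"antivirus": True, "antispyware": True, "firewall": True, "hips": True},
     "signature_date": "2024-03-01T06:00:00"},   # stale signatures
    {"host": "lt-207", "agent_running": False,
     "components": {"antivirus": False, "antispyware": False, "firewall": True, "hips": False},
     "signature_date": None},                     # agent never reported
]

# The four protection functions named in control 5.1.
REQUIRED_COMPONENTS = ("antivirus", "antispyware", "firewall", "hips")
# Control 5.2 asks for daily updates, so anything older than a day is a finding.
MAX_SIGNATURE_AGE = timedelta(days=1)


def audit_host(record, now):
    """Return a list of findings for one host; an empty list means compliant."""
    findings = []
    if not record["agent_running"]:
        findings.append("agent not running")
    for name in REQUIRED_COMPONENTS:
        if not record["components"].get(name, False):
            findings.append(f"{name} disabled")
    sig = record.get("signature_date")
    if sig is None:
        findings.append("no signature date reported")
    else:
        age = now - datetime.fromisoformat(sig)
        if age > MAX_SIGNATURE_AGE:
            findings.append(f"signatures {age.days} days old")
    return findings


def audit_inventory(inventory, now_iso):
    """Map host -> findings for every host that fails control 5.1 or 5.2."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for rec in inventory:
        findings = audit_host(rec, now)
        if findings:
            report[rec["host"]] = findings
    return report


def verify_signature_push(inventory, push_iso):
    """After a signature push (5.2), list hosts whose signatures still predate it."""
    push_time = datetime.fromisoformat(push_iso)
    missing = []
    for rec in inventory:
        sig = rec.get("signature_date")
        if sig is None or datetime.fromisoformat(sig) < push_time:
            missing.append(rec["host"])
    return missing


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, "2024-03-04T09:00:00").items():
        print(host, "->", "; ".join(findings))
    print("did not receive push:", verify_signature_push(INVENTORY, "2024-03-04T06:00:00"))
```

The two functions are kept separate on purpose: `audit_inventory` is the continuous monitor from 5.1, while `verify_signature_push` is the after-the-fact check that 5.2's additional detail asks for, run once per push with the push timestamp as the cut-off.
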
5.3

Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

High: REQ | Med: REQ | Low: REQ

5.4

All attachments entering an e-mail gateway should be scanned and blocked if they contain malicious code or, where appropriate, file types unneeded for the business.

Additional details:

This scanning should be done before the e-mail is placed in the user's inbox.

High: REQ | Med: REQ | Low: REQ

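As an added example of the gateway check in 5.4 (not code from the control document), the Python filter below inspects every attachment of a message before delivery: it rejects file types on a constructed deny-list (including double extensions such as `invoice.pdf.exe`), rejects executables disguised under a harmless extension by looking at the leading bytes, and opens ZIP attachments to apply the same rules to their contents, refusing encrypted archives it cannot inspect. The extension list and the magic-byte values are assumptions; a production gateway would additionally hand each part to an anti-malware engine, which is not shown here.

```python
"""E-mail gateway attachment filter (added example; policy values are constructed)."""
import io
import zipfile
from email.message import EmailMessage

# File types with no business need at the gateway (constructed policy list).
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "msi", "dll"}
# Container types that are opened and inspected recursively.
ARCHIVE_EXTENSIONS = {"zip"}
# Leading bytes of Windows PE and ELF executables; checked regardless of the file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
MAX_ARCHIVE_DEPTH = 2


def extension_of(filename):
    """Last extension, lower-cased, so 'invoice.pdf.exe' is treated as .exe."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_blob(filename, data, depth=0):
    """Return a reason string if this attachment should be blocked, else None."""
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"{filename}: blocked file type .{ext}"
    if data.startswith(EXECUTABLE_MAGIC):
        return f"{filename}: executable content despite .{ext or '(none)'} name"
    if ext in ARCHIVE_EXTENSIONS:
        if depth >= MAX_ARCHIVE_DEPTH:
            return f"{filename}: archive nesting too deep"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:   # bit 0 of the general-purpose flags = encrypted
                        return f"{filename}: encrypted archive cannot be scanned"
                    reason = inspect_blob(info.filename, zf.read(info), depth + 1)
                    if reason:
                        return f"{filename} -> {reason}"
        except zipfile.BadZipFile:
            return f"{filename}: corrupt or disguised archive"
    return None


def filter_message(msg):
    """Return (deliver, reasons) for an EmailMessage; deliver is False on any finding."""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = inspect_blob(name, payload)
        if reason:
            reasons.append(reason)
    return (not reasons, reasons)


def build_message(attachments):
    """Construct a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def zip_bytes(entries):
    """Build an in-memory ZIP from (name, bytes) pairs for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        [("report.pdf", b"%PDF-1.4 constructed")],
        [("invoice.pdf.exe", b"MZ\x90\x00 constructed")],
        [("scan.pdf", b"MZ\x90\x00 constructed")],
        [("docs.zip", zip_bytes([("run.js", b"// constructed")]))],
    ]
    for atts in samples:
        print(atts[0][0], filter_message(build_message(atts)))
```

The decision is taken on the decoded bytes, not on the declared MIME type, because the sender controls the headers. Encrypted archives are rejected rather than passed through, since an archive the gateway cannot open is exactly the case the control's "scanned before it reaches the inbox" requirement is meant to cover.
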
5.5

All malware detection events should be sent to anti-malware event log servers and reviewed frequently.

High: REQ | Med: REQ | Low: REC

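Forwarding detection events to a log server only pays off if the review asks specific questions of them. The following added example (not code from the control document) parses a handful of constructed events in a key=value line format and reports three things a reviewer should look for: hosts whose detections were not remediated, hosts with repeated detections in a short window (a sign that cleanup is not holding), and threats seen on more than one host (a sign of spreading). The event format, the one-hour window and the threshold of three events are assumptions.

```python
"""Review of forwarded malware detection events (added example; events are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of "timestamp key=value key=value ...".
SAMPLE_EVENTS = r"""
2024-03-04T08:01:12 host=ws-101 action=quarantined threat=Trojan.Generic.A path=C:\Users\a\Downloads\inv.exe
2024-03-04T08:03:40 host=ws-101 action=quarantined threat=Trojan.Generic.A path=C:\Users\a\Downloads\inv(1).exe
2024-03-04T08:09:05 host=ws-101 action=quarantined threat=Trojan.Generic.A path=C:\Users\a\AppData\Local\Temp\x.exe
2024-03-04T08:15:22 host=srv-file1 action=clean_failed threat=Worm.AutoRun.B path=E:\autorun.inf
2024-03-04T08:16:02 host=ws-204 action=quarantined threat=Worm.AutoRun.B path=D:\autorun.inf
2024-03-04T09:30:00 host=ws-310 action=quarantined threat=PUA.Toolbar.C path=C:\temp\setup.exe
"""

REPEAT_THRESHOLD = 3              # this many detections ...
REPEAT_WINDOW = timedelta(hours=1)  # ... within this window on one host is a repeat infection
UNRESOLVED_ACTIONS = {"detected", "clean_failed", "access_denied"}


def parse_event(line):
    """Turn one event line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for token in fields:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_events(text):
    return [parse_event(line) for line in text.strip().splitlines() if line.strip()]


def review_events(events):
    """Return findings keyed by category; each value is a sorted list of names."""
    by_host = defaultdict(list)
    hosts_per_threat = defaultdict(set)
    unresolved = set()
    for ev in events:
        by_host[ev["host"]].append(ev)
        hosts_per_threat[ev["threat"]].add(ev["host"])
        if ev["action"] in UNRESOLVED_ACTIONS:
            unresolved.add(ev["host"])

    # Sliding window over each host's sorted timestamps.
    repeat_hosts = set()
    for host, evs in by_host.items():
        times = sorted(e["time"] for e in evs)
        for i in range(len(times) - REPEAT_THRESHOLD + 1):
            if times[i + REPEAT_THRESHOLD - 1] - times[i] <= REPEAT_WINDOW:
                repeat_hosts.add(host)
                break

    spreading = {t for t, hosts in hosts_per_threat.items() if len(hosts) >= 2}
    return {
        "unresolved_hosts": sorted(unresolved),
        "repeat_detection_hosts": sorted(repeat_hosts),
        "multi_host_threats": sorted(spreading),
    }


if __name__ == "__main__":
    for category, names in review_events(parse_events(SAMPLE_EVENTS)).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Each of the three lists maps to a follow-up action: an unresolved host needs manual remediation, a repeat-detection host needs investigation of the source (here a file that keeps being re-downloaded), and a multi-host threat is the trigger for containment rather than per-host cleanup.
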
5.6

Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media.

High: REQ | Med: REQ | Low: REC

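On Windows the auto-run behaviour that 5.6 asks to disable is governed by the `NoDriveTypeAutoRun` and `NoAutorun` values under the `Policies\Explorer` key: `NoDriveTypeAutoRun` is a bitmask in which a set bit disables AutoRun for one drive type, so 0xFF disables it for every type listed in the control, and `NoAutorun` set to 1 stops `autorun.inf` from being honoured at all. The following is an added example (not code from the control document) that parses a `.reg` export of that key and reports which drive types still allow AutoRun; both sample exports are constructed, one permissive and one hardened, and a real export would be UTF-16 text that you would decode first.

```python
"""Decode the Windows AutoRun policy from a registry export (added example; inputs constructed)."""
import re

# Bit meanings of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (internal and USB hard drives)",
    0x10: "network shares",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}
ALL_DRIVES = 0xFF
POLICY_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed exports: a permissive machine and a hardened one.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoAutorun"=dword:00000000
"""
HARDENED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoAutorun"=dword:00000001
"""

VALUE_RE = re.compile(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int_or_str}} for dword and string values."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.group(1), m.group(3), m.group(4)
                result[current][name] = int(dword, 16) if dword is not None else string
    return result


def autorun_still_allowed(policy_value):
    """Drive types whose AutoRun is NOT disabled by the given NoDriveTypeAutoRun value."""
    return [desc for bit, desc in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def check_autorun_policy(reg_text):
    """Findings against control 5.6; an empty list means AutoRun is fully disabled."""
    values = parse_reg_export(reg_text).get(POLICY_PATH, {})
    findings = []
    if "NoDriveTypeAutoRun" not in values:
        findings.append("NoDriveTypeAutoRun not configured (Windows default applies)")
    elif values["NoDriveTypeAutoRun"] != ALL_DRIVES:
        allowed = ", ".join(autorun_still_allowed(values["NoDriveTypeAutoRun"]))
        findings.append(f"NoDriveTypeAutoRun allows AutoRun for: {allowed}")
    if values.get("NoAutorun") != 1:
        findings.append("NoAutorun is not set to 1")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", SAMPLE_REG), ("hardened", HARDENED_REG)):
        print(label, check_autorun_policy(text) or ["compliant"])
```

Decoding the bitmask rather than comparing it to 0xFF is what makes the finding actionable: the permissive sample (0x91) still allows AutoRun on removable, fixed and optical drives, which are exactly the media types the control names. The same check can be applied to the `HKEY_CURRENT_USER` copy of the key, since a per-user value can override the machine setting.
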
5.7

Deploy network access control tools to verify security configuration and patch-level compliance before granting access to a network.

High: REC | Med: OPT | Low: OPT

Additional Reading