Prevent Malware From Being Delivered and Spreading to Devices
Objective
Implement and maintain a defence-in-depth model to prevent the delivery and spread of malware to devices and across networks.
Description
- Provide employees with tailored cyber security training to ensure they are aware of attack vectors like phishing and how to identify suspicious emails or links.
- Segment networks into network zones, including separating sensitive and high value information into different zones whenever required, to prevent malware from proliferating among potential target systems.
- Use email domain protection (SPF, DKIM and DMARC, as described in ITSP.40.065) to protect your organization’s domains from email spoofing, preventing the delivery of malicious messages sent on behalf of your domain, and to identify the infrastructure used by threat actors.
- Use secure remote access to services, in accordance with GC Remote Access Configuration Requirements.
- Block access to potentially malicious web resources. Use tools and technology that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity.
- Allow only authorized applications to access networks and systems. Establish a process for reviewing and maintaining the application allow list.
- Practice good asset management, including keeping track of which versions of software are installed on devices so that security updates can be targeted quickly.
- Keep devices and infrastructure patched, especially security-enforcing devices on the network boundary (such as firewalls and remote access products).
- Regularly perform vulnerability assessments, prioritizing systems that are connected or exposed to the Internet.
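The email domain protection item above is the one most easily checked mechanically: a domain's SPF and DMARC TXT records either enforce a policy or they do not. The following is an added example, not code from the original page or from TBS/CCCS, that parses SPF and DMARC records and reports the settings that leave a domain spoofable (a missing or soft `all` qualifier, too many SPF DNS lookups, `p=none`, partial `pct`, no aggregate reporting address). The domain `agency.example`, the `192.0.2.0/24` range and the record strings are constructed for the example; no DNS queries are made, so it runs offline.

```python
"""Assess SPF and DMARC TXT records for spoofing protection (added example)."""

# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 limits a record
# to 10 of them, after which receivers return permerror and ignore the record.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Return the 'all' qualifier and DNS-lookup count of an SPF record, or None."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier = None  # None means the record never reaches an 'all' term
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip any ':domain', '=value' or '/cidr' suffix to get the mechanism name.
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return the tag dictionary of a DMARC record, or None if it is not valid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both policies are enforcing."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: unauthorized senders are not failed (missing -all)")
        elif spf["all"] == "~":
            findings.append("SPF: ~all only soft-fails; use -all once all senders are listed")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceeds the limit of 10")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record with a p= tag")
    else:
        policy = dmarc["p"].lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject to block spoofed mail")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports on abuse")
    return findings


# Constructed records for the hypothetical domain agency.example.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@agency.example"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {assess(spf, dmarc) or ['no findings']}")
```

The weak pair is the common starting state (a soft-fail SPF record and a monitor-only DMARC policy): it produces reports but blocks nothing, so a message forged from `agency.example` is still delivered. The strong pair is the target state. In practice the records are read from DNS rather than from constants, and the `rua` reports are what let the domain owner see which sending infrastructure threat actors are using.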
References
TBS
- DSD, Appendix G - Email Management Configuration Requirements (1.3)
- DSD, Appendix G - Remote Access Configuration Requirements (3 and 4)
- DSD, Appendix G - System Management Configuration Requirements (3, 4 and 5)
- DSD, Appendix G - Endpoint Management Configuration Requirements (5)
- DSM, Appendix B (B.2.3.6.1, B.2.3.7.2 and B.2.3.7.3)
- DSM, Appendix H (H.2.2.2 and H.2.2.2.3)
CCCS
- Baseline Security Requirements for Network Security Zones in the Government of Canada (ITSG-22) (C.4.1)
- Network Security Zoning (ITSG-38) (2)
- Implementation Guidance: Email Domain Protection (ITSP.40.065)
- Ransomware Playbook (ITSM.00.099) (2.1.1 and 2.2.7)
- Don’t Take the Bait: Recognize and Avoid Phishing Attacks
- Cyber Hygiene
Related Security Controls (ITSG-33)
AC-4, AC-17, AT-2, AT-2(1), AT-3, AT-3(3), AT-3(4), CA-2, RA-5, SC-3, SC-3(1), SC-7, SI-2, SI-3