Information Security
CIS Control 10 - Malware Defenses
Last modified 7/6/2021
Malware Defenses
Purpose
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Background
Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous aspect of internet threats. It can serve many purposes, from capturing credentials and stealing data to identifying other targets within the network and encrypting or destroying data. Malware is ever-evolving and adaptive, and some modern variants leverage machine learning techniques.
Malware enters an enterprise through vulnerabilities on end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media. Malware often relies on insecure end-user behavior, such as clicking links, opening attachments, installing software or configuration profiles, or inserting Universal Serial Bus (USB) flash drives. Modern malware is designed to avoid, deceive, or disable defenses.
Malware defenses must be able to operate in this dynamic environment through automation, timely and rapid updating, and integration with other processes like vulnerability management and incident response. They must be deployed at all possible entry points and enterprise assets to detect, prevent spread, or control the execution of malicious software or code.
Standard
All University assets must be configured to be compliant with the Safeguards of Control 10: Malware Defenses from version 8 of the CIS Controls based on the applicable, corresponding Implementation Group (IG) of the owning business unit.
More information about Implementation Groups can be found here: https://www.cisecurity.org/white-papers/cis-controls-v-7-1-implementation-groups/
Safeguard | Control Title (Links to Information Security Office Guidance) | IG 1 | IG 2 | IG 3 |
---|---|---|---|---|
10.1 | Deploy and Maintain Anti-Malware Software | ✔ | ✔ | ✔ |
10.2 | Configure Automatic Anti-Malware Signature Updates | ✔ | ✔ | ✔ |
10.3 | Disable Autorun and Autoplay for Removable Media | ✔ | ✔ | ✔ |
10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | | ✔ | ✔ |
10.5 | Enable Anti-Exploitation Features | | ✔ | ✔ |
10.6 | Centrally Manage Anti-Malware Software | | ✔ | ✔ |
10.7 | Use Behavior-Based Anti-Malware Software | | ✔ | ✔ |
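The following is an added example and is not part of this standard or of the CIS Controls text: a PowerShell audit that checks a Windows endpoint against Safeguards 10.1 through 10.5 and 10.7 using Microsoft Defender Antivirus, with a -Remediate switch that applies the compliant setting where a check fails. It assumes Windows 10/11 with Defender as the anti-malware engine and an elevated session; the one-day signature-age threshold and the set of exploit mitigations checked are the example's own choices. Safeguard 10.6 (central management) is a deployment decision rather than a host setting and is not checked here.

```powershell
# Added example (not from the standard above): audit and optionally remediate a
# Windows endpoint against CIS v8 Safeguards 10.1-10.5 and 10.7 with Microsoft Defender.
# Assumes Windows 10/11, Defender as the AV engine, and an elevated PowerShell session.
param([switch]$Remediate)

$findings = @()
function Add-Finding($Safeguard, $Check, $Pass, $Detail) {
    $script:findings += [pscustomobject]@{ Safeguard = $Safeguard; Check = $Check; Pass = $Pass; Detail = $Detail }
}

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 10.1: the engine must be running with real-time protection enabled.
Add-Finding '10.1' 'Anti-malware enabled' ($status.AMServiceEnabled -and $status.RealTimeProtectionEnabled) `
    "AMService=$($status.AMServiceEnabled) RealTime=$($status.RealTimeProtectionEnabled)"

# 10.2: signatures must be current. AntivirusSignatureAge is in days; one day is this example's threshold.
$sigFresh = $status.AntivirusSignatureAge -le 1
Add-Finding '10.2' 'Signatures current' $sigFresh "Last updated $($status.AntivirusSignatureLastUpdated)"
if ($Remediate -and -not $sigFresh) {
    Set-MpPreference -SignatureUpdateInterval 4   # poll for signature updates every 4 hours
    Update-MpSignature
}

# 10.3: Autorun and Autoplay off for every drive type. NoDriveTypeAutoRun = 0xFF sets all
# drive-type bits; NoAutoplayfornonVolume = 1 covers non-volume devices such as MTP/PTP.
function Get-PolicyValue($Name) {
    try { (Get-ItemProperty -Path $explorerPolicy -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$autorunOff  = (Get-PolicyValue 'NoDriveTypeAutoRun') -eq 0xFF
$autoplayOff = (Get-PolicyValue 'NoAutoplayfornonVolume') -eq 1
Add-Finding '10.3' 'Autorun/Autoplay disabled' ($autorunOff -and $autoplayOff) `
    "NoDriveTypeAutoRun=$(Get-PolicyValue 'NoDriveTypeAutoRun') NoAutoplayfornonVolume=$(Get-PolicyValue 'NoAutoplayfornonVolume')"
if ($Remediate -and -not ($autorunOff -and $autoplayOff)) {
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'     -Value 0xFF -Type DWord
    Set-ItemProperty -Path $explorerPolicy -Name 'NoAutoplayfornonVolume' -Value 1    -Type DWord
}

# 10.4: removable drives are scanned during full scans (Defender leaves this disabled by default).
$usbScan = -not $pref.DisableRemovableDriveScanning
Add-Finding '10.4' 'Removable media scanning' $usbScan "DisableRemovableDriveScanning=$($pref.DisableRemovableDriveScanning)"
if ($Remediate -and -not $usbScan) { Set-MpPreference -DisableRemovableDriveScanning $false }

# 10.5: system-wide exploit mitigations (DEP, bottom-up and high-entropy ASLR, CFG).
$mit   = Get-ProcessMitigation -System
$mitOn = @($mit.Dep.Enable, $mit.Aslr.BottomUp, $mit.Aslr.HighEntropy, $mit.Cfg.Enable) |
         ForEach-Object { "$_" -eq 'ON' }
$allMit = ($mitOn -notcontains $false)
Add-Finding '10.5' 'Exploit mitigations on' $allMit `
    "DEP=$($mit.Dep.Enable) BottomUp=$($mit.Aslr.BottomUp) HighEntropy=$($mit.Aslr.HighEntropy) CFG=$($mit.Cfg.Enable)"
if ($Remediate -and -not $allMit) { Set-ProcessMitigation -System -Enable DEP,BottomUp,HighEntropy,CFG }

# 10.7: behaviour monitoring plus cloud-delivered protection, not signature matching alone.
$behav = $status.BehaviorMonitorEnabled -and ($pref.MAPSReporting -ne 0)
Add-Finding '10.7' 'Behavior-based detection' $behav `
    "BehaviorMonitor=$($status.BehaviorMonitorEnabled) MAPSReporting=$($pref.MAPSReporting)"
if ($Remediate -and -not $behav) {
    Set-MpPreference -DisableBehaviorMonitoring $false
    Set-MpPreference -MAPSReporting Advanced
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduler or endpoint-management tool flag the host as non-compliant.
if ($findings.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it as `.\Audit-Control10.ps1` to report, or `.\Audit-Control10.ps1 -Remediate` to apply the settings. The registry values written for 10.3 are the same ones the "Turn off Autoplay" and "Disallow Autoplay for non-volume devices" Group Policy settings write, so on a domain-joined host a conflicting GPO will reassert its own value at the next policy refresh; in that case the fix belongs in the GPO, which is also what Safeguard 10.6 is asking for.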
Additional Information
The following items provide context for, and a better understanding of, this standard:
- Requesting an Exemption
In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis. All exemptions require documentation of the system, the data used on the system, the reason the standard cannot be met, ISO approval, and then executive approval from the requesting area acknowledging and accepting the risk.
Exemptions can be requested according to the published Security Exemption Procedure using the Security Exemption Request Form.
- CIS Controls v8 License Statement
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the license can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to http://www.cisecurity.org/controls/ when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.®).