• United States




Building malware defenses: Control email, web browsers, and ports

Dec 18, 20154 mins
Endpoint ProtectionNetwork SecuritySecurity

Another staple in a series examining the Center for Internet Security's best practices.

Our last article looked at applying Critical Security Controls 4, 5, and 6 to your organization, covering vulnerability assessment, administrative privileges, and audit logs. Now it’s time to move on to CSCs 7, 8, and 9.

Email programs and web browsers are still the most common points of entry for attackers, too many companies have woefully inadequate malware defenses, and a failure to control ports and limit services is like leaving a window open for cybercriminals.

Critical Control 7: Email and Web Browser Protections

Human behavior is still the path of least resistance for cybercriminals, and they often employ social engineering techniques to gain access to systems. Despite the rising profile of phishing, 23% of recipients open phishing messages and 11% click on attachments, according to Verizon’s 2015 Data Breach Investigations Report (DBIR).

Dodgy attachments, spoof websites, and vulnerable plug-ins can all be used by attackers to gain a foothold.

It’s vital to ensure that web browsers and email programs are kept fully up to date. Don’t allow employees to use unsupported browsers or email programs, and prevent them from installing unnecessary plug-ins or add-ons. All URL requests should be logged, and you should have a filter in place that blocks access to unauthorized websites. All email attachments should be scanned and blocked if they are unnecessary for business.

Keeping tight control over web browsers and email like this doesn’t just reduce the risk of phishing, it also reduces spam and helps prevent wasted time.

Critical Control 8: Malware Defenses

There are five malware events every second, according to Verizon’s 2015 DBIR report, and malware can come into your system from all sorts of sources, including email, cloud services, web pages, smartphones, or even USB thumb drives.

It may not always be possible to detect it at the point of entry, but you can ensure that it’s detected and stopped before it can do too much damage by putting the right defenses in place.

Employing automated tools for real-time monitoring and threat assessment should be mandatory. You need malware defenses deployed throughout your system. Sadly, a Ponemon Institute report found that only 41% of respondents had automated tools to capture intelligence and evaluate the true threat of malware, even though organizations with automated tools reported that they can handle 60% of malware containment without human intervention, saving a huge amount of time and resources.

It makes sense to limit the use of external devices, use network-based anti-malware tools that can pick malicious content out of the traffic flow, and ensure that updates for your defenses are automated.

Bear in mind that the expense of investigating malware incidents is high and inaccurate intelligence is common. Spend money on improving your intelligence and automated containment, and you won’t have to spend as much on security staff investigations.

Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services

Configuration errors, remote access, and default services in newly installed software can leave a window open for would-be attackers. All of the ports, protocols, and services on all of your networked devices need to be properly managed. That means tracking them, controlling, and correcting them where necessary.

Your IT staff needs to have a clear picture of what is and isn’t needed. A clear configuration plan at the outset can save a lot of time spent fixing problems further down the line.

Scan ports, review services, and shut down anything that isn’t necessary for business operations. Make sure that you verify servers and put firewalls in place to validate traffic. These are simple vulnerabilities for attackers to exploit, but they’re also easy loopholes to close, so close them!

Don’t delay

Educate your employees on these issues and put the right systems in place to ensure they aren’t a weak spot for your organization. Remember to measure the effectiveness of your automated systems, and make sure you learn from mistakes and failures.

The most effective defense against phishing, malware, and vulnerability exploitations is a multi-pronged strategy that includes security expertise, educated staff, automated real-time systems, and clear, concise policies that are validated.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.