When it comes to Windows malware protection, the rule is simple: Install antivirus software on every host and forget about it. It's what everyone else is doing so it must work, right? Well, it's not that simple, especially when it comes to protecting prized possessions stored and processed on Windows servers.
Research shows that servers are a big target of criminal hackers. Malware is listed as a top threat event impacting server confidentiality, possession, integrity and authenticity, as well as availability and utility, according to the 2012 Verizon Data Breach Investigations Report. Verizon also found that 94% of all data compromised involved servers and that most breaches were avoidable.
No real surprises.
Microsoft’s 2012 Security Intelligence Report also found that average infection rates for Windows Server 2008 R2 SP1 systems were identical to those for Windows 7 SP1 workstations. Underscoring just how critical this is, Trustwave documented in its 2013 Global Security Report that the average time it takes from zero-day Windows malware discovery to an actual patch release from Microsoft is 375 days for Windows Server. Can you afford to have your servers at risk for that length of time?
Along the same lines as the eye-opening Mandiant APT1 report, I’ve worked on several projects where hundreds, even thousands, of Windows servers were infected in targeted malware attacks. The bottom line: Windows servers are targets and traditional antivirus may not be enough to ward off attacks.
This is a problem because servers are unique when it comes to Windows malware infections. Here’s how:
- Even in our BYOD world, servers still have the most valuable goods. Be it unstructured files or structured databases, servers are where the gold is stored and what the criminals want to access.
- Servers are often unhardened. Even with the numerous server hardening tools such as Microsoft’s Security Compliance Manager at our disposal, default server installations are a dime a dozen. Internal IT staff and even IT auditors often overlook security standards. More and more, it's third parties (i.e. hosting and colocation providers, cloud service providers and independent software vendors) that deploy unhardened Windows servers that aren't so resilient to attacks.
- Servers are the most common culprits for missing patches and, in turn, are susceptible to malware and related misuse. Simple targets make for simple exploitation. Furthermore, servers often run outdated software that cannot be patched because the vendor doesn’t support it.
The one thing Windows-based servers have working in their favor is the minimal third-party software they typically have installed. One won't likely find apps like Adobe Reader, Flash, iTunes and the like. As we see on the workstation side, missing third-party patches are a big contributor to the malware problem.
If you're going to truly protect your servers from the latest criminal hacker nonsense, you're going to need to change your approach, which includes moving beyond traditional antivirus. You have some options:
- You could use cloud-based anti-malware technologies from vendors like Webroot and Panda. The benefit is that these adaptive controls can be more responsive to new threats while maintaining a smaller footprint, which is critical for servers. Some even claim to prevent 100% of all zero-day attacks. This is a hefty claim, but it's better than some technologies that prevent few or no zero-day attacks.
- Advanced malware protection in the form of next-generation intrusion prevention systems (IPSes) from companies like Sourcefire and Palo Alto Networks, plus dedicated appliances from vendors such as Damballa and FireEye, can be very beneficial. These technologies can be pricey but can offer a ton of value, especially for larger enterprises with complex network configurations.
- Application whitelisting is another technology available from vendors such as Bit9 and Lumension Security; it can offer very granular control on server endpoints.
I've seen all of these technologies in action and they work very well. But every network and server situation is different. I recommend evaluating each of these to see what the best fit is for your environment. Certain vendors are touting a new paradigm revolving around detection via big data analytics. In many cases, the intruder is already on the network. Being reactive is better than being completely unresponsive.
The most important thing of all in protecting your Windows servers from Windows malware infections is to have a plan of action. No system is impermeable -- incidents will occur. Prevention is ideal, but being prepared properly is arguably just as beneficial.
About the author
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author/co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies.