Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim. Malware has become the most significant external threat to most systems, causing widespread damage and disruption, and necessitating extensive recovery efforts within most organizations. Spyware—malware intended to violate a user’s privacy—has also become a major concern to organizations. Although privacy-violating malware has been in use for many years, it has become much more widespread recently, with spyware invading many systems to monitor personal activities and conduct financial fraud. Organizations also face similar threats from a few forms of non-malware threats that are often associated with malware. One of these forms that has become commonplace is phishing, which is using deceptive computer-based means to trick individuals into disclosing sensitive information. Another common form is virus hoaxes, which are false warnings of new malware threats.
This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware tracking cookies, and attacker tools such as backdoors and rootkits. The recommendations encompass various transmission mechanisms, including network services (e.g., e-mail, Web browsing, file sharing) and removable media.
Implementing the following recommendations should facilitate more efficient and effective malware incident response activities for Federal departments and agencies.
Organizations should develop and implement an approach to malware incident prevention.

Organizations should plan and implement an approach to malware incident prevention based on the attack vectors that are most likely to be used, both currently and in the near future. Because the effectiveness of prevention techniques may vary depending on the environment (i.e., a technique that works well in a managed environment might be ineffective in a non-managed environment), organizations should choose preventive methods that are well-suited to their environment and systems. An organization’s approach to malware incident prevention should incorporate policy considerations, awareness programs for users and information technology (IT) staff, and vulnerability and threat mitigation efforts.
Organizations should ensure that their policies support the prevention of malware incidents.

An organization’s policy statements should be used as the basis for additional malware prevention efforts, such as user and IT staff awareness, vulnerability mitigation, and security tool deployment and configuration. If an organization does not state malware prevention considerations clearly in its policy, it is unlikely to perform malware prevention activities consistently and effectively. Malware prevention–related policy should be as general as possible to allow flexibility in policy implementation and to reduce the need for frequent policy updates, but should also be specific enough to make the intent and scope of the policy clear. Malware prevention–related policy should include provisions related to remote workers—both those using systems controlled by the organization and those using systems outside of the organization’s control (e.g., contractor computers, employees’ home computers, business partners’ computers, mobile devices).