CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Why is this CIS Control Critical?
Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous aspect of internet threats. They can have many purposes, from capturing credentials, stealing data, identifying other targets within the network, and encrypting or destroying data. Malware is ever-evolving and adaptive, as modern variants leverage machine learning techniques.
Malware enters an enterprise through vulnerabilities within the enterprise on end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media. Malware often relies on insecure end-user behavior, such as clicking links, opening attachments, installing software or profiles, or inserting Universal Serial Bus (USB) flash drives. Modern malware is designed to avoid, deceive, or disable defenses.
Malware defenses must be able to operate in this dynamic environment through automation, timely and rapid updating, and integration with other processes like vulnerability management and incident response. They must be deployed at all possible entry points and enterprise assets to detect, prevent spread, or control the execution of malicious software or code.
- 10.1: Deploy and Maintain Anti-Malware Software
- 10.2: Configure Automatic Anti-Malware Signature Updates
- 10.3: Disable Autorun and Autoplay for Removable Media
- 10.4: Configure Automatic Anti-Malware Scanning of Removable Media
- 10.5: Enable Anti-Exploitation Features
- 10.6: Centrally Manage Anti-Malware Software
- 10.7: Use Behavior-Based Anti-Malware Software