Threat Landscape in the Middle East and Southwest Asia – Part 6: Best Practices from Locations with Low Malware Infection Rates

In this six part series we examined many factors that are likely contributing to relatively high malware infection rates of countries/regions in the Middle East and southwest Asia. Here are the articles in the series for reference:

I have had the opportunity to travel to many parts of the world to discuss threats and best practices, including those locations with the lowest malware infection rates in the world, as well as some of the locations I discussed in this series with relatively high malware infection rates. The locations that typically have low malware infection rates include Finland, Japan, and Norway. We recently published a series of articles on some of these locations that includes commentary from local security professionals.

When I talk with security professionals in locations with relatively high infection rates they are always interested in learning about the practices that the countries/regions with consistently low malware infection rates employ to be so successful. Here is a summary of those best practices.

Strong public – Private Partnerships
The locations with the lowest infection rates in the world typically have some well working partnerships between government and private industry. These partnerships typically focus on better cybersecurity outcomes for countries/regions potentially doing a number of things including working together to set standards, enforcing cybersecurity related laws, sharing threat intelligence, or initiatives funded both by industry and government.

A great example of a public – private partnership that helped keep malware infection rates low in Japan is the Cyber Clean Center or CCC (https://www.ccc.go.jp/en_index.html). The CCC is a cooperative project between Internet Service Providers (ISPs), major security vendors, and Japanese government agencies. This partnership focused on educating users and helping them remove infections from their computers. This process also helped to improve malware detection rates by providing security vendors with samples collected by honey pots.

Regional Threat Monitoring
CERTs, ISPs and other organizations actively monitoring for threats in each region is helpful in preventing and remediating widespread malware infections. A great example of this is the large CERT community in Germany. This community has more than thirty commercial, government, and academic CERTs organized in the German CERT-Verbund (http://www.cert-verbund.de). Part of this community’s function is warning and alerting services for each of the CERTs’ prime constituencies (http://www.cert-bund.de/), but also for the citizens (http://www.buerger-cert.de/).

Responsive Administrators
A factor that several security professionals working in locations with very low malware infection rates stated was very helpful was an IT culture where system administrators respond rapidly to reports of system infections or abuse. In locations where system administrators were serious about responding to malware infection and system abuse reports from users, malware tended to have a much harder time flourishing. Infection rate increases tended to be relatively restricted and temporary in these locations.

Enforcement Policies and Quarantining Infected Systems
Using enforcement policies and actively remediating threats via quarantining infected systems, have been very effective practices in Finland – the location that typically has the lowest malware infection rate in the world. A real-world example of these practices in action is how TeliaSonera, the largest ISP and largest carrier of Internet Protocol traffic in Europe, manages their network. In essence, TeliaSonera monitors traffic on their network for signs of infection, and if malware is detected the impacted customer is notified while their system is isolated to a “walled garden” until it has been cleaned of malware. Once the infected device has been cleaned, it is allowed back on the network.

Figure 1: TeliaSonera provides a complete cycle of protection for its users using this process

You can get all the details on how TeliaSonera uses enforcement policies and walled gardens to protect their customers in this case study: European Telecom Uses Microsoft Security Data to Remove Botnet Devices from Network.

Regional Education Campaigns and Media Attention
In countries/regions where users are more aware of online scams and attacks, they are less likely to get taken advantage of. User awareness campaigns and media attention focused on educating technology users about the tactics attacks are using can have a positive effect.

A great example of this is the Norwegian Centre for Information Security (NorSIS) and the Norwegian Business and Industry Security Council (NSR). The NSR was established by the Norwegian business sector as part of a unified effort to combat criminal activity. NorSIS has done a number of things to help create awareness on the need for IT security such as sharing their insights on threat intelligence and contributing to NorSIS’ Stop- Think- Click (National Security Month)  campaign for increased consumer awareness on privacy. Together with the NSR, Microsoft Norway has cooperated in several awareness campaigns aiming at improving information security in the enterprise market.

Low Piracy Rates and Regularly Updated Systems
Regions with low software piracy rates tend to have lower malware infection rates.  The Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance that I mentioned earlier in this series examined 80 different socio-economic factors and their potential correlation with regional malware infection rates. One of the factors examined in that study was piracy. The piracy rate (the number of pirated software units divided by the total number of units put into use) for the Seeker group of countries (high malware infection rates that underperform the study’s model) as an average was 68 percent.  This is 26 percent higher than the Maximizer countries (highest performing countries in the model).

Additionally, in locations where we see widespread usage of Windows Update/Microsoft Update, malware infection rates tend to be lower. Keeping all of the software installed on systems up-to-date is basic computer hygiene that makes it harder for attackers to be successful. This includes Windows and Office software, but also Oracle Java, Adobe Flash and Reader, games, and all other software – as attackers are looking for vulnerabilities in any software in order to compromise systems.

Cybersecurity Public Policies and Programs
The Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance study hypothesized that regional malware infection rate differences can be partially attributed to the public policies and programs implemented by countries/regions to limit cybersecurity risk. For example, half of the Maximizer group countries (highest performing countries in the model) had either signed an international treaty or a voluntary code of conduct related to cybersecurity, while less than 10 percent of the Seeker group of countries had. Specific examples of an international treaty and a voluntary code of conduct are the Council of Europe Cybercrime treaty and the London Action Plan respectively. It would seem that the steps which countries/regions take in preparation to sign such treaties or voluntary codes of conduct have positive impacts on regional malware infection rates.

This concludes our six part series on the threat landscape in the Middle East and Southwest Asia. Thank-you for reading.

Tim Rains
Director
Trustworthy Computing

About the Author
Tim Rains

Director, Cybersecurity & Cloud Strategy

Tim Rains has over 20 years of experience in the technology industry across several disciplines including engineering, consulting, and marketing communications roles. He currently manages security marketing and corporate communications in the Trustworthy Computing division at Microsoft. His expertise ranges Read more »