“Hey Josh, where’ve you been?”, I hear you all asking. Over the last several months, you might have noticed a suspicious absence of security folks from the wider blogging world. The reason for this is pretty much “Sorry, been busy”, which I know isn’t much of an excuse. So here’s the deal. Security is hard. It’s always been technically complex, but recent events have combined to create something of a perfect storm. We like to divide the world into “good guys” and “bad guys”. In the past, it’s been a fairly even fight. However, with the global economic recession resulting in staff cuts, there are fewer good guys. Of course, with small budgets, there have been cuts on the technology side as well. At the same time, advances in malware technology have given the attackers some extremely impressive tools. These advances have been made possible due to unprecedented cooperation within multiple groups of organized crime.
So here we are, a reduced set of security practitioners trying to help businesses maximize security benefit for the dollar against a massive global network of highly skilled and highly paid criminals who are writing highly complex malware that goes far, far beyond your old school phishing attack with key logger. This post is going to focus on a specific type of financial attack. Odds are, if you’re reading this, you’re more interested in protection than the technical stuff, so we’ll break tradition and leap straight into that.
If you’re interested in hearing more about what this particular malware can do, there are technical links at the bottom of this post. For now, know that it’s a highly complex piece of financial malware which exists to steal money in any way it can. It runs on all versions of Windows and most common browsers. It’ll come in via email, web, PDF files, USB or any way that the attackers come up with. Small businesses and nonprofits are being targeted because they tend to have weak controls, but CEOs and CFOs are also being targeted as they tend to have more to lose.
Within the industry, we often talk of security tradeoffs. Basically, there are costs to reducing risk… and these often go beyond mere dollars. My ultimate goal as a security consultant is to help a business make the appropriate decisions and balance security expenditure against the possible benefits. The following advice is what I believe to be true for most businesses, but please keep in mind that your particular business may have different requirements. To keep things simple, here are five technical and five financial recommendations.
T1) Use a dedicated system for financial transactions. Yes, it’s expensive, but a lot less expensive than having your money stolen. If you use the same computer to transfer money that you use to play Mafia Wars on Facebook, you’re just asking for trouble. If you’re using a shared system that’s not locked down, you might as well just cut the attacker a check… it’d save time.
T2) Use a dedicated firewall. Put a firewall between the dedicated financial workstation and both the Internet and internal network. Set it to use NAT and allow no traffic to flow from the Internet to the workstation. Allow the workstation to connect to your bank and the Microsoft and Adobe updates sites. Depending on your financial processing software, you may need more sites allowed… but keep it as minimal as possible. Only allow connections that it needs. The firewall should be a physical device as malware often disables local firewalls.
T3) Keep the workstation hardened and updated. Make it useless for anything other than financial processing. Don’t install Office. If you need to view docs or spreadsheets, install the free viewers from Microsoft. If you don’t need to view PDFs, keep Adobe as far away as possible. Update as soon as the updates are available. Forget about testing the MS patches, the vulnerability window is already negative, delaying patching is just stupid. Build your business processes to have a manual failover in case a patch breaks your financial transfer workstation. That’s a much better use of time than testing patches on a one-off system.
T4) Take away admin rights. I know it’s a pain to figure out what privileges you actually need to run that one app that is used every January to do taxes, but it’s less painful than recovering half a million dollars because someone had admin access and didn’t need it. If you can use Linux and Firefox, by all means, do so… it’s a lesser target. If you cannot, go with Windows 7. The UAC security controls in Windows 7 are excellent.
T5) Use a real antimalware program. The one that comes loaded on your workstation when you buy it from Dell/Best Buy isn’t going to cut it. Freebies aren’t going to cut it. Real programs cost real money. For specific recommendations, I like Sophos because of the enterprise control features. Being able to use device-based controls and lock down applications is very important here. If you really want to go light and accept the risks that come from reduced control, Kaspersky is a good second runner. In any case, if you detect malware running on your dedicated system, notify your financial institution immediately.
F1) Set your account to use dual controls. This means that one person in your organization has the ability to initiate payments but a second person must approve them. This makes the attackers’ job much more complicated, as they have to control two systems and synchronize data in order to steal money. If your financial institution does not offer this ability, we strongly recommend finding another institution.
F2) Some institutions allow you to create a list of companies and individuals who are authorized to receive payments (called Positive Pay or Whitelisting). This list should be created outside of the Internet banking system so that an attacker cannot simply add and authorize a new account. If you have this available to you, by all means use it! This can go a long way towards preventing your money from being transferred to money mules.
F3) Almost all institutions allow you to sign up for alerts. With these systems, you get emails (or, in some cases, text messages) whenever a transaction occurs. The faster you can respond to a suspicious transfer the more likely you will be to reverse it. Bank-to-bank transfers are nearly immediate and require the cooperation of the receiving bank to get the money back. The longer you wait the more likely that the money has moved on and more institutions will need to be involved, which makes recovery much less likely.
F4) Set limits wherever you can. Many systems allow you to limit the amount of money a particular person may transfer, the amount that may be transferred per day/week/month and the times at which transfers can occur. Of course, you run the risk of being prevented from transferring money when you really need to, but in most cases you can work around this with a phone call to your institution. The protections you get from limiting transfers are usually worth the occasional irritation when you have to work outside the norms.
F5) Utilize emerging technologies. Not all banks have these options, but if your bank can provide you with a two-factor authentication token, security software to facilitate secure transfers, out of band approval systems (phone, fax, text message, etc.) or analysis of payment patterns, take advantage of them. They’re usually free to inexpensive and will give you a much deeper level of financial protection than you would get otherwise.
F6) Bonus suggestion! Some accounts have overdraft protection in place. This sounds good if you are worried about occasionally spending more than you have. However, the flipside is that it could allow an attacker to steal more money than exists in the account. If you can get by without overdrafts, turn this protection off or, if you have to, at least set the protection level as low as you can.
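As an added example that is not part of the original post, here is how the financial controls F1, F2, F4 and F6 above combine into a single approval check that a bank or treasury system could run on each transfer; the account limits, payee list, names, dates and transfers are constructed sample values, not any institution’s real policy.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional


@dataclass
class Transfer:
    """One requested outbound payment (constructed sample data)."""
    transfer_id: str
    initiator: str
    approver: Optional[str]  # second person who approved it (F1), if anyone did
    payee: str
    amount: float
    requested_at: datetime


@dataclass
class AccountPolicy:
    """Controls the institution enforces on the account (hypothetical values)."""
    approved_payees: frozenset      # F2: positive-pay list, maintained out of band
    per_transfer_limit: float       # F4: cap on any single transfer
    per_person_daily_limit: float   # F4: cap on what one initiator may move per day
    daily_limit: float              # F4: cap for the whole account per day
    window_start: time              # F4: transfers allowed only within these hours
    window_end: time
    balance: float
    overdraft_allowed: bool = False  # F6: off, so theft cannot exceed the balance


def evaluate(transfer: Transfer, policy: AccountPolicy,
             approved_today: List[Transfer]) -> List[str]:
    """Return the control violations for one transfer; an empty list means allowed.
    approved_today holds transfers already approved the same day; they feed the
    cumulative daily limits and the remaining balance."""
    problems = []
    # F1: dual control -- a second, different person must approve.
    if transfer.approver is None:
        problems.append("F1: no second approver")
    elif transfer.approver == transfer.initiator:
        problems.append("F1: initiator cannot approve their own transfer")
    # F2: payee must already be on the list created outside Internet banking.
    if transfer.payee not in policy.approved_payees:
        problems.append("F2: payee not on positive-pay list")
    # F4: single-transfer, per-person and account-wide daily limits.
    spent_by_person = sum(t.amount for t in approved_today
                          if t.initiator == transfer.initiator)
    spent_today = sum(t.amount for t in approved_today)
    if transfer.amount > policy.per_transfer_limit:
        problems.append("F4: exceeds per-transfer limit")
    if spent_by_person + transfer.amount > policy.per_person_daily_limit:
        problems.append("F4: exceeds initiator's daily limit")
    if spent_today + transfer.amount > policy.daily_limit:
        problems.append("F4: exceeds account daily limit")
    # F4: time-of-day window.
    if not policy.window_start <= transfer.requested_at.time() <= policy.window_end:
        problems.append("F4: outside allowed transfer hours")
    # F6: with overdraft protection off, the account cannot go negative.
    if not policy.overdraft_allowed and transfer.amount > policy.balance - spent_today:
        problems.append("F6: insufficient funds and overdraft disabled")
    return problems


def run_samples() -> Dict[str, List[str]]:
    """Push one day's constructed transfers through the policy in order; approved
    ones join the day's tally so later transfers see the cumulative limits."""
    policy = AccountPolicy(
        approved_payees=frozenset({"Acme Supplies", "Payroll Co"}),
        per_transfer_limit=5_000.0, per_person_daily_limit=8_000.0,
        daily_limit=10_000.0, window_start=time(8, 0), window_end=time(18, 0),
        balance=12_000.0,
    )
    day = datetime(2009, 10, 6)  # constructed date
    samples = [
        # Routine supplier payment, properly dual-controlled: allowed.
        Transfer("T1", "alice", "bob", "Acme Supplies", 4_000.0, day.replace(hour=10, minute=30)),
        # The shape of a hijacked session: unknown payee, no second approver,
        # over every limit, and submitted at 03:12 in the morning.
        Transfer("T2", "alice", None, "Mule Holdings LLC", 9_500.0, day.replace(hour=3, minute=12)),
        # Known payee and approver, but alice would exceed her own daily cap.
        Transfer("T3", "alice", "bob", "Acme Supplies", 4_500.0, day.replace(hour=11)),
        # Same amount from a different initiator: allowed.
        Transfer("T4", "carol", "alice", "Payroll Co", 4_500.0, day.replace(hour=14)),
        # Pushes the whole account over its daily cap: blocked by that control alone.
        Transfer("T5", "carol", "bob", "Acme Supplies", 2_000.0, day.replace(hour=15)),
    ]
    approved, results = [], {}
    for t in samples:
        results[t.transfer_id] = evaluate(t, policy, approved)
        if not results[t.transfer_id]:
            approved.append(t)
    return results
```

Each control catches T2 on its own, which is the point of layering them: an attacker who defeats one (say, by stealing the approver’s session too) still has to get past the payee list, the limits and the time window.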
In the end, a combination of technical and financial controls will go a long way towards protecting you, but implementing them will require you to change your business processes. If you’re a CEO, CFO or owner, you’re lucky. If you’re not, you may need to set up a meeting with your C-level people. They need to understand that they are being targeted personally because of their role. They need to know that the online systems are being manipulated. The balance reported on an infected system will be altered to hide the malware’s activities. They also need to understand that there is no 100% solution. What I recommend here is a good start, but they could still have problems if the attacker is persistent.
This blog entry collects the information from my recent presentation on Malware.
Let me start by making it clear that the world has recently changed. I’m not talking about Thomas L. Friedman, water on Mars or the 350 new species found in the Eastern Himalayas. No, I’m talking about malware.
Time was when malicious software was written by kids in the comfort of their own home. They were more interested in exploring computing technology and claiming bragging rights than in actually doing something with the systems they took over. If problems occurred, they were mostly accidental. Today it’s different. Today malicious software is written by criminals for the purpose of making money. In yesterday’s world, you could get a computer virus and then launch a cleanup tool. Then, as it removed the infection, you were free to sit and ponder the lovely flying cars that we’d have in the future. Today, you could get a computer virus and never notice, then when you check your bank balance online, all your money could be transferred overseas while you ponder the fact we still don’t have our flying cars.
A lot has been written about different classifications of malware, and the differences between worms, viruses, trojans and the like. I see no need to repeat what’s been done before. Instead, I’d like to look at how malware can get on your system, what it can do once it’s there and what you can do about it.
One way to get malware into the world is to just toss it onto the Web. There tend to be three ways this is done. The easiest is for them to just put up their own website. However, if they do this, they have the same problem you might have in driving traffic there. Sure, they can do all the basic advertising and search engine optimization (SEO) techniques to drive folks there, but in the end, people just won’t go to a boring website. Instead, it helps to have a hook.
Though one would think that all it would take is making a fancy website about the new flying cars out there, the more common hook that we’re seeing today is to play on people’s fears. In this case, fears of malware. Yes, we are seeing sites out there designed to resemble anti-malware sites… that exist to spread malware. They’ll even try to leverage current-events fears, so if a legitimate company has an issue with one of their products, you’ll probably start seeing ads appear stating things like “Problem with [Company]? Try [Fake Antivirus]!”. You hit one of these sites, and it pops up a little dialog box that there may be a problem and asks whether you’d like to run a scan. When you click “Yes” (or “No”, they’re awfully helpful), it will pretend to run a scan, pretend to find problems and then offer you a lovely little cleanup utility. You download and run it, and promptly get infected. Then, just to pour salt in the wound, you’ll likely get a bill for removal services. Sophos reports that there are 15 new sites like this discovered daily.
A more difficult, but often more successful technique is to target a popular social networking site with a good reputation (not an unpopular one with a bad reputation). Social media sites are successful because regular users can post content. So, once there, they post content and try to get people to download it. If you go to a website and see a friend posting something about this cool video about flying cars, you can get infected, and your account starts posting the flying car malware too. That’s when your friends get into the mix. Since the content is being posted as you, it’s viewed as “safe”, so they download it and then they also get infected. In May, there was a quite successful attack of this type that was linked to a viral (in more ways than one) video of somewhat questionable taste.
The most difficult way, but often the most rewarding attack is to take over an already popular website. Most of the big sites on the Internet are pretty well protected these days, but if they manage to get control of one, they can load it up with malware. In fact, recent analysis has shown that some websites carry around 18,000 pieces of malware. These attacks go on all the time. Sometimes they are general, as in earlier this year when there was an Internet-wide attack that aimed to find flaws in backend databases. Sometimes, though, sites are specially targeted, as in April when Paul McCartney’s website was hacked and all his visitors were infected with malware that stole their online banking usernames and passwords. Thus, the more interesting you are, the more of a target you will be. (Boring people should be safer.)
Of course, there is more than just web vectors. The second most popular attack is via email. It’s important to remember that email is fundamentally flawed. It was intended to serve email just within a local campus and was neither sufficiently scalable nor secure to be used in the way it is today. One fundamental problem is that anyone can send any email to anyone from anywhere. While there are a few technologies in place that limit this, the vast majority of attacks use this flaw.
So what does that mean? Basically, if an attacker can uncover a trusted relationship between you and someone else, all they have to do is send you an email as if it were from that person. You receive the email from good old Uncle Johnny and without puzzling over the fact that he was killed in that tragic flying falling car accident, you open it and suddenly get infected. Of course, not everyone has a (poor old) Uncle Johnny, so the attackers will use whatever they can to get you to open the email. Oftentimes, this involves riding a popularity wave. Anytime we see news about a natural disaster or a celebrity death, there will be malware-laden spam in its wake — earthquakes producing tidal waves of infections.
Remember, organizations like the FBI and IRS send letters, not emails. If there’s a problem with a package delivery, your customer will call you, not UPS or DHL. If you get an email from someone you don’t expect, there’s a good chance that it also contains what you don’t expect.
Of course, the traditional attacks still work, so CDs, DVDs, BluRays, Floppies, media cards and USB are still legitimate vectors. In fact, some enterprising folks have managed to infect a keyboard. The basic principle here is to take over a system through any of the avenues into it. Thus, if you use a cell phone for email or connect an mp3 player up to your system, they can be suspicious too.
Lastly, there is the ever-popular “just break in” method. Every month, Microsoft releases patches. Every quarter, Adobe and Oracle do the same. In the open source world, patches come out hourly. Each one of these fixes a known issue. Some of them are remotely exploitable, meaning that if you don’t have them in place, an attacker can waltz right in and do what they wish. If you use a firewall but don’t keep up on patches, it’s like having a machine gun turret on your flying car, but ignoring the suspension problem. It’s going to catch up to you just like it did to Uncle Johnny.
So, once it infects you, what does this malware actually do? Well, short form: anything it wants. By the time the malware is running, it’s too late. It can grab your passwords as you use them, it can search your disk for sensitive data and copy it offsite, it can wait for you to login to your banking system and start transferring all of your money overseas while simultaneously interfering with your web browser so that everything looks normal. (There’s a lot of the latter going on right now.)
More, it can just sit there and wait for orders. Often, infected machines will gang together and form a “botnet” that is centrally controlled by a small group of attackers. The attackers can use these systems to send spam, steal user names, passwords, account numbers, credit card numbers, and so on. They can also rent these “services” to others if the price is right.
What can you be doing about all this?
In addition to basic server and network hardening (firewall, disable unneeded applications, layers of defense, etc), you should deploy a complete endpoint security solution. Unlike previous versions of anti-malware that just matched signatures, a complete endpoint solution contains multiple features. You need to consider:
Signatures
Even though the old style of signature matching is considered passé, all those old attacks are still out there. You have to protect against them somehow and this isn’t a bad way.
Behavioral Detection
In addition to signatures, anti-malware systems can also look at what applications are actually doing. This used to be called “heuristics”, but these days tends to be called something like “suspicious behaviour detection” or “pre-execution analysis”. The way it works is to load a small environment around each application and detect what it’s going to do before it does it. If it’s something bad, it stops it. Please note that it is very important that this functions as “pre-execution” and not “during execution”. If it runs at the same time that the application does, there is a chance that the malicious behavior will run before the anti-malware system can stop it.
Host Firewall
This is a different sort of firewall than your Cisco ASA or Astaro (or the kind on a car, flying or otherwise). This is a host-level firewall that protects the server/workstation itself. The point here isn’t to duplicate what the network firewall does, it’s to protect a layer where the network firewall cannot. If an attacker manages to get into one of your workstations, in a normal network, they can then attack all the other workstations on that network. A local firewall protects against attacks pivoting within the same zone to take over more and more of your network.
Traditionally, host-based firewalls have been difficult to manage, but modern endpoint protection systems have central management consoles that make this easier.
Application Control
The idea behind application control is simply that a central authority can determine which applications may or may not be run on a system. In the ideal world, of course, all users would have minimal privilege levels and not be allowed to run non-approved software. However, since many Windows applications require administrative privileges, you need another layer. Application control is this layer.
Web Browser Helper Objects
Some malware these days never touches the disk. When you hit a compromised site in your browser, it loads the malware into memory. Once there, it can look at browser traffic, analyze what you’re doing and take over sessions. Since it never hits the disk, it’s not detectable by traditional scanning technologies. Anti-malware solutions that have a Helper Object feature can protect your browser from this sort of malware. It basically wraps the browser and analyzes the pages you visit, providing a layer of protection.
Zero Day Protection
There is necessarily a delay between the discovery of a vulnerability and the availability of a patch. If malware is released during this delay, it’s called a Zero Day Exploit. A system that offers good Zero Day protection combines heuristics with a knowledge of system vulnerability types to catch problems before they take over a system. While it is impossible to ever achieve 100% protection against Zero Day Exploits, the good anti-malware suites are tested against these. You just have to pick one that does well in the independent tests.
Encryption
Some systems are including the ability to manage local encryption. This can protect important data against casual spying and theft. It’s worth noting that if the malware can manage to run at all, it can just wait until you decrypt the data to view it. However, it does add another layer and if you typically deal with sensitive data, it is worth considering.
Optional: Network Access Control
Network Access Control (NAC) allows your anti-malware system to communicate with your network infrastructure. In the old model, all a machine has to do to connect to the network is be plugged in. With NAC, you layer additional checks such as patch status and whether anti-malware services are running. This would be like a built-in breathalyzer in a flying car. (Can you imagine the drunk driving problem we’d have there?) It’s not been widely accepted yet, but it is growing. In the near future, it will likely be standard, so it would be wise to at least select a vendor that has experience in this field.
Optional: Data Loss Prevention
This technology is aware of the type of data that you work with and will examine it when it is accessed. If there is a rule against allowing that data to leave the network, the DLP system will block access to it. It is worth noting that this technology is still quite new and new technologies generally have a few bumps on the way to adoption. If the anti-malware system includes it, great… but it’s probably not essential quite yet.
Reporting
Some industries are unregulated and can just get by doing the best business they can. Most anti-malware systems these days have decent consoles that can be used to get a snapshot of activity. This is generally sufficient for most day-to-day operations. But, within a regulated or audited business, it can be important to show trends of activity over time. For this, you need a more robust reporting capability. Sadly, most systems do not include this in the basic package. However, if you have this need, be sure to ask about additional packages. It may be available.
Optional: Lightweight, Frequent Updates
I’ll admit that I’m biased. I like the systems that give me constant updates. If I had a flying car, I’d want to always know about potential problems so I could correct for them. I wouldn’t like it when those updates are big and bring my systems (or my car) down. However, it’s not a requirement per se. If your business doesn’t access the Internet often, slower and bigger updates may work just fine for you. On the other hand, if you have a distributed environment with branch offices or remote workers, consider the impact of pushing out updates.
Newer Vendors
There are some interesting new approaches in the world of anti-malware. While these are always worth considering, you should also be aware that this is a lot more complex than people think. Even the big vendors have had some pretty embarrassing problems as they grew their business. By all means, check out the newer players, but keep in mind that rocky starts are common in both business and software development. Do you want these rocky starts in your security software?
Also, if you want to check out the newer players, keep in mind that attackers are creating fake anti-malware sites and filling up the search engine listings with links to them. At the very least, pull the list and links from reviews in reputable journals. The last thing you need is to think you’re evaluating anti-malware when in fact you are installing malware itself.
Support Levels
Some anti-malware companies try to reduce their pricing by reducing service levels. From a business perspective, I understand this. It allows you to pick the level of service you want and pay accordingly. However, with security software and service, there is a huge value in responsiveness and operating hours. If there is a new outbreak on the Internet, you want to know that the company is addressing it. If you have a new outbreak, you want to be able to pick up the phone and get help… not an invitation to purchase the new “Uranium Level Tech Support”. (In general I feel that metallurgy belongs in my flying car, not in my technical support.)
Home and Mobile Use
These days, the idea of having a “secure” network is gone. If you allow users to connect to the network from their home or with their various smart phones, there are far too many ways into the network to keep it secure at the perimeter. This means that the concept of “endpoint” extends out to computers that you don’t own. Luckily, some anti-malware vendors provide “bonus” licenses to cover home PCs and mobile devices. This way you can make sure that all the systems have a level of protection, even if they’re not exactly yours. If you’re advanced enough to be running NAC (above), you can even enforce connection requirements.
Multiplatform and Legacy Issues
If you are completely on the ball, and are only running the absolute latest and greatest operating systems and vehicles, congratulations! Most of us aren’t there (and are still driving pathetic land-bound conveyances). If you have a handful of older systems or systems running different operating systems, you may have a challenge with anti-malware. Many systems still require a separate console for each OS and some of them don’t even support the older systems. Keep this in mind during your evaluations.
In the end, if you have money, you are a target. While running anti-malware isn’t a perfect solution, it is certainly part of a measured response to the problem. As malware gets increasingly nasty, you have to step up your defenses. I am assuming that you already have a firewall in place and have your servers reasonably configured. The next step would be endpoint protection. Sure, there are many, many steps after this, but just having these three layers will get you in a position where there are many easier targets than you… which buys you the time to get proactive about things.
This essay was originally published by Alliance Technologies
Microsoft recently released their Security Essentials product. This is a free anti-malware product, and analysts seem to think that it does a pretty good job at what it does.
However, I want to point out one thing that you probably already know: You get what you pay for.
Security Essentials is intended to be a lightweight anti-malware solution that competes against other free AV solutions. It does a decent job at protecting against the average threat and is certainly better than using nothing at all. However, it is a mistake to compare it to a professional anti-malware system. As SANS says, “Think of this as the AV as it used to be in 2000 or so.”
In short, if you are a home user and don’t care enough about your system to spend $50 a year to protect it, go ahead and use Security Essentials. However, if you are in a business environment, you need something that includes firewall, behavioral detection, network access control, data loss prevention and central management (and more). Security Essentials won’t cut it.
Lastly, if you do decide that you want to try it out, be sure you download the right thing. There are search engine optimization attempts going on to make malicious software (fake antivirus) appear on the search results instead of the link you really want. The right link is http://www.microsoft.com/security_essentials/.
I’ve posted about the current run of banking malware before. For a quick review, this is malware that sits on your computer and waits for you to access your online banking site. Once you’re logged in, it watches what you do and then surreptitiously transfers money out of your account to the attacker. I’m posting about it again because of the new wrinkle:
It will now alter what your browser shows to you, so that you don’t see the unauthorized transfers.
Essentially, the malware knows what you expect to see and shows you that, while it is simultaneously lurking under the radar of banks and avoiding their anti-fraud systems. For those that want more details, read this, this, this and this.
For everyone else, try the following:
1) Check your banking statements very carefully. Most home users have at least 30 days to challenge a transfer, but business users only get 2.
2) Work with your bank to implement a call-back mechanism so that you can approve transfers.
3) See if you can use a dedicated system for only doing banking. Leave it unplugged and turned off unless you’re using it or patching it.
4) Keep all of your other systems patched and run a decent anti-malware system.
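As an added illustration (not code from the original post), this reconciles a statement obtained out of band (paper statement, call-back with the bank, or alert messages) against what the browser displayed, which is the practical form of step 1 above when the browser itself cannot be trusted; the transactions, balances and the 30-day/2-day challenge windows it uses are constructed from the figures in this post.

```python
from datetime import date, timedelta
from typing import Dict, List, NamedTuple


class Txn(NamedTuple):
    txn_id: str
    posted: date
    payee: str
    amount: float   # negative = money leaving the account


# Challenge windows quoted in the post: home users get at least 30 days, businesses 2.
CHALLENGE_DAYS = {"home": 30, "business": 2}


def parse_statement(text: str) -> List[Txn]:
    """Parse 'id, YYYY-MM-DD, payee, amount' lines (a constructed CSV layout)."""
    txns = []
    for line in text.strip().splitlines():
        txn_id, posted, payee, amount = [f.strip() for f in line.split(",")]
        txns.append(Txn(txn_id, date.fromisoformat(posted), payee, float(amount)))
    return txns


def reconcile(opening: float, bank: List[Txn], browser: List[Txn],
              shown_balance: float) -> Dict[str, object]:
    """Compare the bank's authoritative ledger with what the browser displayed.

    hidden  = transfers the bank executed that the browser never showed
    phantom = entries the browser showed that the bank never posted
    altered = same transaction id on both sides, but payee/amount/date differ
    """
    by_id_bank = {t.txn_id: t for t in bank}
    by_id_browser = {t.txn_id: t for t in browser}
    hidden = [t for i, t in by_id_bank.items() if i not in by_id_browser]
    phantom = [t for i, t in by_id_browser.items() if i not in by_id_bank]
    altered = [(by_id_bank[i], by_id_browser[i]) for i in by_id_bank
               if i in by_id_browser and by_id_bank[i] != by_id_browser[i]]
    # The real balance comes from the bank's figures, never from the screen.
    true_balance = round(opening + sum(t.amount for t in bank), 2)
    return {
        "hidden": hidden, "phantom": phantom, "altered": altered,
        "true_balance": true_balance,
        "shown_balance": shown_balance,
        "discrepancy": round(shown_balance - true_balance, 2),
    }


def challenge_deadline(posted: date, account_type: str) -> date:
    """Last day a transfer can still be challenged, using the post's figures."""
    return posted + timedelta(days=CHALLENGE_DAYS[account_type])


# Constructed sample: the bank's statement, as received out of band.
BANK_STATEMENT = """
B1, 2009-10-01, Customer payment, 3500.00
B2, 2009-10-02, Acme Supplies, -1200.00
B3, 2009-10-02, Intl wire - new beneficiary, -4850.00
B4, 2009-10-03, Payroll Co, -6000.00
B5, 2009-10-03, Intl wire - new beneficiary, -4920.00
B6, 2009-10-05, Office lease, -2100.00
"""

# Constructed sample: what the infected browser rendered for the same period.
# The two wires are missing and the displayed balance has been adjusted to match.
BROWSER_VIEW = """
B1, 2009-10-01, Customer payment, 3500.00
B2, 2009-10-02, Acme Supplies, -1200.00
B4, 2009-10-03, Payroll Co, -6000.00
B6, 2009-10-05, Office lease, -2100.00
"""
OPENING_BALANCE = 20000.00
SHOWN_BALANCE = 14200.00


def run_sample() -> Dict[str, object]:
    """Reconcile the constructed statement against the constructed browser view."""
    return reconcile(OPENING_BALANCE, parse_statement(BANK_STATEMENT),
                     parse_statement(BROWSER_VIEW), SHOWN_BALANCE)


if __name__ == "__main__":
    result = run_sample()
    for t in result["hidden"]:
        print(f"HIDDEN {t.txn_id} {t.posted} {t.payee} {t.amount:.2f} "
              f"(business challenge deadline {challenge_deadline(t.posted, 'business')})")
    print(f"browser showed {result['shown_balance']:.2f}, bank says "
          f"{result['true_balance']:.2f}, discrepancy {result['discrepancy']:.2f}")
```

With a 2-day business window, the B3 wire posted on 2 October is only challengeable through 4 October, which is why the comparison has to happen daily rather than at month end.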
This week, ComputerWorld released a review of free anti-malware systems. The conclusions were much as one would expect, mostly that the free stuff works OK but the pay stuff is probably better. The free systems are ranked here, if you are so inclined.
So, really, there’s nothing new here. However, I do want to point out a few things:
- Only one system has phone support, and that costs $50 per instance.
- Many of them fund themselves with advertisements.
- Heuristic detection was pretty poor across the board.
- None of them update very frequently.
- Most of these companies have a for-pay version available as well.
I know that most of us are always looking to cut costs, but the sheer number of times that I have removed expired or non-functional anti-malware systems indicates to me that this is very important. Do not scrimp when it comes to security software. The good stuff costs real money for a reason.
If there is a problem, a reliable company will take care of you. The goal of a business in this space should be to help you maximize your profits. Sure, they have to cover their costs and make a bit of profit themselves, but attitude is extremely important. If they approach the problem of “people don’t want to pay for anti-malware” with “let’s constantly distract the users with popup ads”, do you think that they have your interests at heart? If they charge as much for one support instance as it does to buy a license with unlimited support, do they really want to help you? (And, do you think that they have an incentive to have you not experience problems?) If they make no distinction between “I am unable to login to World of Warcraft” and “I am unable to make payroll”, do you really want to work with them?
I mean no disrespect to ComputerWorld here. I know that they serve both the consumer and business markets. I know that there is a place for free anti-malware systems in the consumer space (though I think it’s quite small). However, to answer the question “Can You Trust Free Antivirus Software?”, I’d have to answer unequivocally “no”. If you are in business, you should use a business-quality anti-malware suite. Even if you’re at home, if your business requires you to use your home system, it should also be protected by a business-class anti-malware suite.
Odds are that you know the cost of your time, and if you are unable to work because you get sick, you know what it’s worth to protect against that. That’s why we have health insurance (however it winds up being paid for in the U.S.). Similarly, if your computer gets sick, how will that impact you? Does your computer need health insurance too?
First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless. Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one. However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake. Antivirus may not be dead, but your system will be.
See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware. This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature. So, these things can change and morph faster than you can keep up. However, you’ve got to do something, right? What are your options?
Ignore The Problem
My mother used to tell me that if I ignored the mean kids, they’d stop teasing me. She was wrong. In the same way, ignoring this problem will not make it go away. Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners. I hope that we can agree that this is no solution.
Host-Based Intrusion Prevention
Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products. These systems shift the problem from scanning the entire system to looking at what actually runs. They can detect common security flaws and prevent malware from exploiting them. With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.
In the past, we’ve used a firewall to prevent access to internal systems. Some people are trying to extend this idea by pushing extra capabilities onto these network devices. The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network. It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc., I have my doubts that this technique will be effective.
As many people do, once they’re told that something’s not working, they go to the opposite extreme. In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run. While I’m not a fan of extremism, it seems to be working in this case. Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others. The one caution here is in relying on only this technique: if anyone uncovers a flaw in the technology that prevents non-whitelisted applications from launching, they can then launch anything they want. Also note that, depending on your organization, it might take a long time to define the “good” applications.
One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do. If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem. Small comfort, I know, but it’s better than not knowing, right?
Every organization will have a different set of needs and will need a different solution. However, there are a large number of businesses out there that would likely benefit from the following type of solution:
- Application Identification – Take the time to identify which applications are required for business.
- System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
- Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
- Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
- Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
- Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
- Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
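The “Operations: Data” step says to review the repository access logs and make sure things are reasonable. As an added example (not part of the original post, and not the output of any particular repository product), the script below runs three simple reasonableness checks over a constructed access log: a user touching a folder they are not expected to, access outside business hours, and one user pulling many distinct documents in a day. The log format, folder-owner policy, hours and threshold are all assumptions to adapt to your own repository.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed access log, one "timestamp,user,document,action" record per line.
ACCESS_LOG = """\
2010-03-01T09:12:00,alice,contracts/acme-msa.docx,read
2010-03-01T09:40:00,alice,contracts/acme-msa.docx,write
2010-03-01T10:05:00,bob,finance/q1-forecast.xlsx,read
2010-03-01T23:48:00,bob,finance/payroll-2009.xlsx,read
2010-03-02T08:30:00,carol,hr/handbook.pdf,read
2010-03-02T13:00:00,dave,finance/q1-forecast.xlsx,read
2010-03-02T13:01:00,dave,finance/payroll-2009.xlsx,read
2010-03-02T13:02:00,dave,contracts/acme-msa.docx,read
2010-03-02T13:03:00,dave,hr/handbook.pdf,read
"""

# Assumed policy: which users are expected to work in each top-level folder.
FOLDER_OWNERS: Dict[str, Set[str]] = {
    "finance": {"bob"},
    "contracts": {"alice"},
    "hr": {"carol"},
}
BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00 counts as normal working time
BULK_THRESHOLD = 3         # distinct documents per user per day before flagging

def review_access_log(log_text: str) -> List[str]:
    """Return human-readable findings for a person to check, one per oddity."""
    findings: List[str] = []
    per_user_day: Dict[Tuple[str, object], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        ts_text, user, doc, action = line.split(",")
        ts = datetime.fromisoformat(ts_text)
        folder = doc.split("/", 1)[0]
        # Check 1: is this someone we expect to be in this folder at all?
        if user not in FOLDER_OWNERS.get(folder, set()):
            findings.append(f"{ts_text} {user} {action} {doc}: not an expected user for {folder}/")
        # Check 2: access at an unusual time of day.
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(f"{ts_text} {user} {action} {doc}: outside business hours")
        per_user_day[(user, ts.date())].add(doc)
    # Check 3: one user sweeping through many different documents in a day.
    for (user, day), docs in per_user_day.items():
        if len(docs) >= BULK_THRESHOLD:
            findings.append(f"{day} {user}: touched {len(docs)} distinct documents (possible bulk pull)")
    return findings
```

On the constructed log this flags bob’s late-night payroll read and dave’s sweep through four documents in four minutes across three folders; a monthly review is just reading that list and confirming each line has a business reason.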
There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.
It’s interesting how business awareness lags actual security threats. I was having a conversation recently with someone who said something like “yeah, we get hit by a virus about once a month, but we clean it up and keep going”. This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.
This is our fault. For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities. If you’ve touched any IT in the last decade, you’ll recognize the following list of words: virus, worm, trojan, spyware, adware, malware. You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life. Well, I’m sorry to break it to you, but you’ve been lied to.
We’re at the end of what antivirus can do. We’ve also reached the point where malware (malicious programs) has moved from being annoying to being evil.
Back in the day, malware would spread from system to system and slow things down. Sometimes, they’d delete files. That was then.
Today, people are using these systems to create what are known as bot armies. Once they take over your computer and add it to their armies, they can do anything they like to your computer. Like what?
- Conduct attacks on other networks
- Store illegal materials (often child pornography) on your computer
- Crack passwords
- Steal banking data
- Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
- Harvest client data (credit card numbers, social security numbers) from your network
Basically, if you get infected with malware, the attackers can get anything they want from you. Any file you have, any site you browse to, any email you send or receive. It’s all theirs.
It’s more than a nuisance. What are you doing about it?