
To Pay Ransomware or Not?

March 19, 2015

One of our security partners, Sophos — the developer of the Sophos Cloud End-User Protection software we use in our Flex-IT End-User Security Program — posed the following question given the recent resurgence of ransomware infections:

Should victims of locked-screen ransomware or file encrypting ransomware like CryptoLocker and CryptoWall pay the ransom to get their files back?

We generally agree with our partner’s assessment that if it is the only way to get critical files back, then you have no choice but to pay the ransom and hope for the best.

But if you’ve followed my advice through the years, you will have backups in place that at most would lose a day’s worth of data.

If you haven’t backed up, and you need those files to run your business, or the encrypted data includes sentimental photos or other irreplaceable files, paying the ransom may be your only option. In most cases the criminals do hand over the decryption key, because their business model depends on it, but there is no guarantee: you are gambling, not buying.

But there is more to it than just paying the ransom. The question that wasn’t addressed was what do you do before and after you’ve retrieved your files?

The answer is that you must get the ransomware off of the computer, of course, but you can’t just run an anti-virus program and call the machine clean.

Because the hackers may have left other malware behind, and because whatever got in has already evaded your anti-virus software once, you need to completely erase the hard drive and reinstall everything from scratch: operating system, programs, device drivers and then your files from a known-good source. That is the only way to be sure no remnants remain that could come back to life.

You would need to do this regardless of whether you paid the ransom or not.

To recap, you should do the following if your computer is infected with ransomware:

  1. As soon as you see warnings and demands to pay a fee or fine, disconnect the network cable from the computer and/or turn off the wireless connection, then turn the computer off. Encrypting ransomware searches your network for files it can encrypt on mapped drives, including file servers, so every minute it stays connected costs you more files
  2. Check the files on your network drives to see whether they still open. If they don’t, immediately begin recovering them from a backup taken before the encryption started, and confirm the restored copies open before you put them back into use
  3. If no backup exists, you will have to pay the ransom if you need the files. The instructions will be in documents the hackers left on your computer
  4. Once your files have been recovered, start up the infected computer without connecting it to your network and erase the hard drive and restore it to factory condition (or reimage it from a known-good image)
  5. After restoration, re-connect the computer to the network and install the latest updates for Windows, third-party applications, and anti-virus software before restoring any user files
  6. Don’t open unsolicited file attachments, the most common way ransomware gets in
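Step 2 above, checking whether files on a share still open, does not scale to a file server with tens of thousands of documents. The following script is an added example, not code from the original post or from Sophos, that triages a folder tree for files that look encrypted. It uses two signals: a suffix that the malware appended when it renamed the file, and content that no longer matches the format the name implies. For formats with a known header (.docx, .pdf, .png and so on) the header decides, because compressed formats are legitimately high-entropy; for anything else, byte entropy near 8 bits per byte is the tell. The suffix list, the magic-byte table, the 7.5-bit threshold and the sample files are all assumptions constructed for the example.

```python
"""Triage a share for ransomware-encrypted files without opening each one in its application."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes per extension. Constructed for this example; extend for your own formats.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8",
}
# Suffixes some encrypting families append to victims' files. An assumption for this
# example, not a list from the post; add whatever the variant you are dealing with uses.
SUSPECT_SUFFIXES = (".encrypted", ".locked", ".crypt", ".ecc", ".ezz")
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain text sits near 4-5, ciphertext near 8
SAMPLE_SIZE = 64 * 1024   # only the head of each file is read, so scans stay fast


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 when all 256 values occur equally."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_reasons(path: Path) -> list:
    """Why a file looks encrypted; an empty list means it looks like a normal file."""
    reasons = []
    name = path.name.lower()
    for suffix in SUSPECT_SUFFIXES:
        if name.endswith(suffix):
            reasons.append("ransomware-style suffix " + suffix)
            name = name[: -len(suffix)]   # judge "quote.docx.encrypted" as a .docx
            break
    with path.open("rb") as f:
        head = f.read(SAMPLE_SIZE)
    ext = Path(name).suffix
    expected = MAGIC.get(ext)
    if expected is not None:
        if not head.startswith(expected):
            reasons.append(ext + " file is missing its " + repr(expected) + " header")
        return reasons            # the header check is decisive for known formats
    ent = shannon_entropy(head)
    if ent > ENTROPY_THRESHOLD:
        reasons.append("entropy %.2f bits/byte in a file of unknown format" % ent)
    return reasons


def scan(root: Path) -> dict:
    """Map each suspicious file (path relative to root) to the reasons it was flagged."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = suspicious_reasons(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_share() -> Path:
    """Constructed stand-in for a mapped drive: two healthy files, three hit by ransomware."""
    rng = random.Random(2015)

    def noise(n):   # deterministic random bytes standing in for ciphertext
        return bytes(rng.randrange(256) for _ in range(n))

    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "minutes.txt").write_text("Board meeting minutes, March 2015. " * 40)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + noise(2000))   # healthy: header intact
    (root / "budget.xlsx").write_bytes(noise(4096))                        # encrypted in place
    (root / "quote.docx.encrypted").write_bytes(noise(4096))               # encrypted and renamed
    (root / "export.dat").write_bytes(noise(4096))                         # unknown format, now random
    return root


if __name__ == "__main__":
    for name, reasons in scan(build_sample_share()).items():
        print(name, "->", "; ".join(reasons))
```

Point `scan()` at the mapped drive's root (mounted read-only from a clean machine, not from the infected one) and compare the flagged list against the backup to decide how far back the restore has to go. Small files can land on either side of the threshold, so treat a hit as a reason to look, not as proof.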

Presidential Candidates Set Bad Security Examples

March 5, 2015

Two of the leading candidates for President in 2016 have offered voters bad examples of cyber security practices in the past month.

Hillary Clinton and Jeb Bush, the former the leading presumed contender for the Democratic nomination, and the latter the leading presumed contender for the Republican nomination, have proven to be failed leaders in cyber security and privacy matters.

Clinton’s well-publicized use of personal email to conduct U.S. State Department business while she was Secretary of State, and Bush’s less-publicized release of personal details of constituents who emailed him as Governor of Florida in the name of “transparency”, demonstrate a disturbing lack of awareness of online security and privacy.

Clinton’s use of personal email off the security of the State Department’s network would make any IT person’s head spin, not to mention violate federal regulations.

Bush, in a flawed attempt to provide transparency by releasing emails from his terms as governor that he knew would be requested at some point, violated the confidentiality of constituents who emailed him by failing to redact the personal details they revealed in those emails, including Social Security Numbers in some cases.

The notifications alerting constituents that their emails were a matter of public record weren’t on the online forms they submitted but in the automatic replies they received AFTER they emailed.

Unfortunately, I can’t say I’m surprised. Some of the people who should know the most about cyber security seem to be the most egregious violators of common sense security measures.

I’ll never forget the time I visited a couple performing outsourced human resources tasks for the Department of Homeland Security. They had viruses on both laptops they used to store and analyze the applications of Homeland Security applicants.

Neither laptop had adequate anti-virus software, and worse, neither required a password to boot into Windows. Just turn it on and a treasure trove of personal information for job applicants for sensitive security positions awaited. I mean, it’s not like a laptop has ever been stolen or lost ( /snark ).

So, the lessons to be learned here are not to follow the examples of politicians and government officials when it comes to online behavior, and most certainly don’t send government officials your Social Security Number.

Encryption Debate Ratchets Up

February 19, 2015

The debate on strong encryption has heated up with differing viewpoints from President Barack Obama and UK Prime Minister David Cameron in the past couple of weeks.

On one side, President Obama says he prefers strong encryption “more than some in law enforcement”, and on the other, Prime Minister Cameron would prefer encryption that provided a “back-door” for government and law enforcement agencies to read encrypted data.

So why would two allies, leaders of countries that have both been victims of terrorism, be on opposite sides of such an important security issue?

Encryption scrambles data so that it can’t be read by anyone who doesn’t have the proper “keys” to decrypt it.

Strong end-to-end encryption would prevent cyber criminals from reading the sensitive communications, information and files of businesses and individuals and help alleviate the financial and emotional toll hackers exact. This is President Obama’s concern.

It also, however, makes it much more difficult for intelligence and law enforcement to read the communications of cyber criminals, hackers and terrorists. This is Prime Minister Cameron’s concern (President Obama also acknowledged this risk in an interview with RE/Code).

Therein lies the issue — preventing information from falling into the wrong hands while not allowing law enforcement and intelligence agencies to abuse their access, as has happened since the Patriot Act was enacted in response to 9-11.

There is no easy answer for this and I’m not prepared to weigh in one way or another, though I lean toward preventing official agencies from accessing information without reasonable cause rather than the blanket, dragnet access we’ve seen some agencies abuse.

The Malvertising Scourge

February 4, 2015

In their zeal to monetize their online content, publications increasingly have turned to online ad networks that aggregate ads from a multitude of advertisers and deliver them to publishers’ pages through code that each page loads from the ad network’s servers.

This provides advantages for both publishers and advertisers — publishers can more easily manage who they sell to and advertisers can more easily manage who they buy from through these ad networks, as opposed to weeding through all of the potential publishers and advertisers themselves.

Unfortunately, in their desire to get their ads noticed by online readers, advertisers, publishers and ad agencies resort to intrusive ads that pop up over the content and jump, hop, wiggle and fly across the screen.

Those ads almost always rely on Adobe Flash for the animations, and as we all should know by now, Flash has inherent security flaws, as evidenced by the three — count ’em, 3 — zero-day vulnerabilities Adobe had to patch in the past two weeks.

This provides a convenient path for hackers to distribute their malware. The problem is serious enough that it even has its own category of infections — “malvertising”.

Hackers love malvertising because it allows them to infect the millions of visitors to popular web sites without breaking into all of those web sites, and the infections often occur automatically without any action on the part of the visitor.

In September 2014, the ad network Doubleclick (a subsidiary of Google) and Zedo, another popular online ad agency, served up the Zemot malware to millions of unsuspecting computer users.

Earlier that month, malvertising hit visitors to 74 different domains, including Amazon, YouTube and Yahoo. It attempted to infect Windows PCs and Macs with spyware, adware and browser hijackers. In the past, malvertising on third-party ad networks has hit the New York Times, Fox News, the London Stock Exchange, Spotify and The Onion, to name just a few.

Anecdotally, when we clean up infected computers, users invariably tell us the infection occurred while on a news or other ad-laden web site.

That’s bad for business for publishers, as it appears that the publishers’ web sites themselves are infected, when in reality the infections come from a third-party ad server.
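A publisher who wants to know how exposed a page is can start by listing which outside servers it lets run code. The script below is an added example, not code from the original post or from any ad network, that walks a page’s HTML and reports every script, iframe, Flash object or embed loaded from a host that is neither the page’s own nor on an allowlist, marking the Flash ones. The hostnames in the sample page and the allowlist are made up for the example.

```python
"""List the third-party origins a page lets execute code, and flag Flash content."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that hand control to the referenced resource, and the attribute that holds its URL.
ACTIVE_CONTENT = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
FLASH_MIME = "application/x-shockwave-flash"


class ThirdPartyAuditor(HTMLParser):
    """Collects active content whose origin is not the page's host and not allowlisted."""

    def __init__(self, page_host, allowed_hosts=()):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_CONTENT:
            return
        attrs = dict(attrs)
        url = attrs.get(ACTIVE_CONTENT[tag])
        if not url:
            return
        # Relative URLs have no host (first-party); "//host/..." scheme-relative ones do.
        host = urlparse(url).hostname or self.page_host
        mime = (attrs.get("type") or "").lower()
        is_flash = url.lower().endswith(".swf") or mime == FLASH_MIME
        if host == self.page_host or host in self.allowed:
            return
        self.findings.append({"tag": tag, "host": host, "url": url, "flash": is_flash})


def audit_page(html, page_host, allowed_hosts=()):
    """Return the page's third-party active content as a list of dicts, in document order."""
    auditor = ThirdPartyAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; every hostname here is made up for the example.
SAMPLE_PAGE = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-news.test/lib/jquery.js"></script>
<script src="//ads.example-network.test/tag.js"></script>
</head><body>
<h1>Local news</h1>
<iframe src="https://ads.example-network.test/slot?id=42"></iframe>
<object type="application/x-shockwave-flash" data="https://creative.example-ads.test/banner.swf"></object>
<embed src="https://creative.example-ads.test/skyscraper.swf">
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "www.example-news.test", allowed_hosts=["cdn.example-news.test"])
    for f in report:
        print(("FLASH " if f["flash"] else "      ") + f["tag"].ljust(7), f["host"], f["url"])
```

This only sees what is in the page’s own HTML. An ad tag routinely loads further scripts and iframes from other networks at run time, so the list is the first hop of a chain, not the whole chain; repeating the audit on the content each reported URL returns shows the next hop.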

The problem can be alleviated by running an ad blocker, like the ad blocker in Sophos Cloud that’s included in our FlexIT End-User Protection program.

Ironically, it might also improve your experience on sites that need you to keep coming back to justify their offerings to advertisers.

PCI DSS Security Standard Compliance Makes Sense for Small Businesses

August 25, 2014

Since 2006, the major credit card issuers have required that businesses that process credit card payments implement the Payment Card Industry Data Security Standard (PCI DSS).

Unfortunately, many small business owners still don’t understand the growing threats they face from hackers preying on small companies that lack the security that larger companies can afford (by some industry estimates, more than 70% of attacks are against small businesses).

A direct response to breaches of hundreds of millions of computer records including credit card information, PCI DSS requires that merchants who process credit card payments, no matter how small, implement certain security measures on their internal networks.

From a business standpoint, compliance with PCI DSS makes sense, as you can tout your compliance to your customers to give them more confidence that their payments to you will be secure.

On the other hand, the financial downside of not complying could invite not only losses from credit card fraud, but could seriously impact or even put you out of business through:
  • Negative publicity
  • Lost customers
  • Lost vendors
  • Lost sales
  • Cost of reissuing new payment cards
  • Lawsuits
  • Insurance claims
  • Fines from credit card issuers
  • Government fines
  • Higher costs of subsequent compliance
  • Termination of ability to accept payment cards
Remember the Target breach? Target’s profits dropped nearly 50% in the quarter after the breach and the CEO resigned, all because of security lapses that began when an HVAC vendor’s login credentials for Target’s vendor portal were stolen and used to get onto Target’s network, from which the attackers worked their way to the point-of-sale systems.

Don’t be a Target.

More information on PCI for the smaller sized businesses we have on Delmarva is available at the PCI Security Standards Council’s web site for smaller businesses.

If you need help with the technical aspects of complying, call us at 302-537-4198.

Choosing the Right Applications

June 9, 2014

One of the most important decisions you will make is choosing the software that runs your business. More specifically, I’m talking about the main applications used for the daily operation of your company.

Known by various acronyms (ERP, LOB, CRM), these applications are not purchased from a store.

Instead, these applications are just about always purchased direct from the developer. Written specifically for your type of business, they are often offered in modules that integrate seamlessly with each other, such as:

  • Customer Relationship Management
  • Marketing and Sales
  • Accounting including Receivables and Payables
  • Human Resources
  • Parts & Service
  • Inventory

Written by programmers targeting industry verticals or even businesspeople in your industry who couldn’t find a suitable off-the-shelf product to run their business, these applications generally work like you do rather than making you work within the confines of an off-the-shelf program that needs heavy customization and third-party utilities.

So, while the software will encompass some or all of the functions of general businesses, it will focus on specific industries. In this area, I most often see such applications for boat dealers, retailers, restaurants, hotels, auto dealers, real estate, and construction.

These programs reduce or eliminate duplicate data entry so data is available to all members who need access to it without re-typing it. The best ones include Dashboards and reporting to give you the Big Picture of your company’s performance and operations, or the ability to integrate with third-party programs that provide that functionality.

A word of caution:

It’s easy to get locked into a specific application and expensive to get out if it doesn’t live up to expectations. The cost alone (we’re talking thousands of dollars here) should cause you to perform your due diligence, but if that doesn’t faze you, perform your due diligence anyway to answer these questions:

  • What happens if the software developer goes out of business? Will you be stuck providing your own technical support? Are there peer support groups you could get help from? Could you move to a new application fairly easily, or will you face a steep learning curve and expensive data conversion costs?
  • Does the application integrate with retail products like Office and Quickbooks if needed?
  • Will the application require major changes in your network security to function properly (for example, do users need to be administrators on their computers, which increases the risk and the impact of a security breach)?
  • How much do technical support and application upgrades cost, especially in subsequent years when those costs aren’t rolled into the initial purchase price any longer?
  • Does technical support work roughly the same hours you do, or will you have to wait a couple of hours for support from a different time zone?
  • What are their typical tech support response times? They should have statistics and possibly guarantees on this
  • If there is a Cloud-based version and it doesn’t offer all of the functionality of the on-premise version (as is sometimes the case), can you live with the reduced feature set?
  • Is a mobile version offered and what are its limitations?
  • How is their Cloud version backed up?
  • What happens to your data if the Cloud version is no longer offered?
  • Can you set up a demo for your staff or even better, run a trial version for 30 days to give all employees a chance to use it and make comments?
  • Will the system requirements require you to buy a new server and/or workstations or upgrade existing network hardware to run the application efficiently?

You should also get to know the executives of the software company and learn about:

  • Their history
  • How long they’ve been in business
  • The owners’ succession plan
  • What upgrades they plan to roll out in the next few years

One other consideration here: if you have very specific needs that can’t be met by one of these applications, you may need to go with a custom-designed program written by a programmer. In that case, all of the above still applies, but you have to be even more diligent about tech support issues and costs.

As you can see, choosing these applications is a major, company-wide decision. Look at several applications in your price range, not just one, and consider whether they operate similarly enough that a change to another application would be reasonably smooth if that becomes necessary.

If you’ve decided you’ve outgrown the limitations of Quickbooks and Microsoft Office and would like help with performing your due diligence, give Eric Magill a call at 302-537-4198.

Protecting the Availability of Your Data

May 20, 2014

In this four-part blog series, we’ve written about the Confidentiality, Integrity and Availability of your company’s data as the three linchpins of corporate IT security.

We’ve already blogged about Confidentiality and Integrity, and in this final installment will address the Availability aspect of network security.

Availability addresses two IT security concerns:

  • That data be available when you and your employees need it;
  • and that the network resources to access and manipulate that data are available when you need them

Availability of Your Data:

As you and your employees go about your business throughout the day, you’ll touch on a wide variety of data types.

In the typical small business, you will need access to your company’s Line of Business application, word processing documents and spreadsheets, email, Internet-based applications, and perhaps accounting, image editing, and other highly specialized data generated by applications specific to your industry.

The inability to access any of those data sources could disrupt your business for at least as long as the data remains unavailable.

Imagine that the important quotes you’re working on are in documents on the server and the server goes down.

How disruptive would it be if you couldn’t send or receive important emails to customers or vendors or access important web sites for research because of bandwidth bottlenecks or the loss of the Internet entirely?

What happens when the Line of Business application’s database becomes corrupted, or is encrypted by ransomware like CryptoLocker, which encrypts your files and demands a ransom for the decryption key?

How can you prevent or minimize those incidents from becoming disasters?

Availability of Network Resources:

If you can’t access network resources like your server or the Internet because of a failed server hard drive, or a failed router, modem or firewall, the Availability of your data suffers.

What would happen if a natural disaster or a fire destroyed a significant part or all of your business?

What can the typical Sussex County small business do to mitigate the risks and the damage associated with such events?

  • Consider a backup Internet source, such as another ISP or wireless services such as your cell phone provider, for access to Internet-based data, especially email, during on-premise Internet outages
  • If your business relies on the Internet for email, web-based research or Cloud-based applications, ensure that you have enough bandwidth to perform those tasks efficiently
  • Have plans in place to operate while the network resource is down, such as hand-written notes and receipts that can be entered into the system when the network resource becomes available
  • Backups taken often enough, and tested by actually restoring from them, so that you can recover the most recent version of your data
  • For the most extreme disasters involving a long-term (more than a couple of days) loss of availability, have a Backup and Disaster Recovery Plan in place to get the business back up and running ASAP rather than trying to plan the recovery after the fact.
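A backup that has never been restored is a hope, not a plan. The script below is an added example, not code from the original post, that makes a backup of a folder and then proves it restores: it writes a tar.gz plus a manifest of SHA-256 hashes, extracts the archive into a scratch directory, hashes every restored file against the manifest, and reports whether the newest backup is within the recovery point objective (the “at most a day’s worth of data” target). The one-day RPO, the sample document folder and the file names are assumptions constructed for the example.

```python
"""Make a backup, then verify that it restores intact and is recent enough."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 24 * 3600   # assumption for this example: tolerate losing at most one day of work


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path = None):
    """Archive `source` as tar.gz and write a manifest; returns (archive_path, manifest_path)."""
    dest_dir = dest_dir or Path(tempfile.mkdtemp(prefix="backups-"))
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = dest_dir / ("backup-" + stamp + ".tar.gz")
    manifest_path = dest_dir / ("backup-" + stamp + ".manifest.json")
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path, scratch: Path = None) -> dict:
    """Restore into a scratch directory and check every file's hash against the manifest."""
    scratch = scratch or Path(tempfile.mkdtemp(prefix="restore-"))
    with tarfile.open(archive) as tar:
        # Newer Pythons accept a filter that refuses path traversal inside the archive;
        # fall back quietly on versions that predate it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch, **kwargs)
    restored = scratch / "data"
    manifest = json.loads(manifest_path.read_text())
    mismatched = [name for name, digest in manifest.items()
                  if not (restored / name).is_file() or sha256_of(restored / name) != digest]
    age = time.time() - archive.stat().st_mtime
    return {"files": len(manifest), "mismatched": mismatched,
            "age_hours": round(age / 3600, 2), "within_rpo": age <= RPO_SECONDS}


def build_sample_source() -> Path:
    """Constructed stand-in for a small firm's document folder."""
    root = Path(tempfile.mkdtemp(prefix="docs-"))
    (root / "quotes").mkdir()
    (root / "quotes" / "q-1042.txt").write_text("Quote 1042: roof repair, $4,800\n")
    (root / "ledger.csv").write_text("date,account,amount\n2014-05-19,receivables,1200\n")
    return root


if __name__ == "__main__":
    src = build_sample_source()
    archive, manifest = make_backup(src)
    print(verify_restore(archive, manifest))
```

Run the verification on a schedule against the newest archive and treat a non-empty `mismatched` list, or `within_rpo` being false, as an incident to act on that day, not a statistic to review at month end. Keep the manifest somewhere the ransomware cannot reach, because a manifest it can rewrite proves nothing.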

We’ve discussed a number of potential risks and mitigation strategies in this four-part series over the past several months.

In our inter-connected world, in which your business relies on that inter-connectivity to access data critical to your operations, the data stored on your firm’s network is more at risk than ever from a wide variety of threats.

More than anything, I hope you’ve gained an understanding of the risks to your data, and your company, and the steps needed to mitigate those risks, that you may not have appreciated before.
