There’s a lot of concern at the moment about the threat from GOZeus and Cryptolocker – the first of which is a piece of malware which steals banking details, whilst the second encrypts your data, after which you are held to ransom for its recovery.
The two threats appear to operate together, and have been scaring lots of people this month. They appear to be confined to Windows systems, which is no great consolation if that’s what you have, and there’s no guarantee that even paying the ransom will result in your data being recovered, so it’s a pretty bleak picture, if your system becomes infected.
Tips for individuals
- Backup your data
Just as well you can restore from your backups, then. You do have recent backups, don’t you? Oh, dear. Pity. Better kiss your system goodbye, then, until someone works out the decryption, if it’s possible.
It’s a good time to emphasise the importance of a good backup procedure for your data. Don’t worry about applications, you can re-install them from the installation media, but get a good backup procedure in place.
You might have to wipe and re-build the whole system. There are several ways to go about it – full, incremental, differential, mirroring – and you need to find which suits you best, but a good first step is to copy all of your data to a removable medium that you can keep separated from your system. That gives you a bit of breathing space, and you can then just back up what changes day-to-day, until you get a proper system in place. But start it copying right now.
- Look at passwords
It’s also a good time to look at passwords – the sort of target that GOZeus has in its sights. Do you let Windows, or your browser, remember passwords for you? That’s right – bad idea. Do you keep them, unencrypted, anywhere on your system? Another hostage to fortune.
Consider using a service like LastPass, which gives you access from anywhere to your passwords, which are stored in encrypted form on their server and in a “vault” on your machine. It will also provide hard-to-crack passwords, and remember them for you. Other, similar services are available.
- Make sure your system is patched and updated
Now, with some holes in the dam patched, temporarily, what can we do to avoid these nasties? If your system is connected to the network, you’re a target. Even if you’re not running Windows, there are other “exploits”, though not nearly as many in number, because Windows’ popularity makes it the most lucrative target.
So, first make sure you have your system patched and updated – that can be done automatically by Windows Update, or there are system update tools for Linux. If you’re still running Windows XP, you’re a hopeless optimist.
Keep the antis-virus and anti-malware programs updated. If you don’t have them, there are good free versions readily available, and Windows own Defender and Security Essentials come with the OS.
- Don’t open email attachments, unless you’re sure they’re safe
Don’t open email attachments, unless you’re absolutely sure that you know the source, and you’re expecting the attachment, and you can confirm that the source sent it.
That’s probably the main way these bad things get spread, but apply the same principles to hyperlinks in emails, even if it means you miss out on those millions of dollars waiting for you to look after them, or the promised revealing photos.
And speaking of revealing photos, web sites with “flesh-coloured images” (thanks to Bruce Royan for that term) aren’t the sort of thing you should be consulting at work, but are a really good source of more nasties.
Excuse me – I think my backup’s finished <ahem!>
Tips for organisations
Now, I’m not concerned about the machine I use at work because Robert Gordon University is a fairly big university with a wonderful IT Services department and infrastructure in place.
Lots of organisations aren’t that fortunate, and if you’re in the information profession, you might well be the most knowledgeable person around.
Maybe there’s a technician for the hardware, maybe even an applications supervisor for looking after the software, but it could be that you’re the “go to” person for anything more “information-y”, which is flattering, but comes with a burden of responsibility. Might be that paragraph in the job description that you airily glossed over at the interview?
Ad hoc advice is great, and will raise your profile as an all-round helpful type, but if you really want to be effective, and not to have to repeat yourself endlessly, and to work in a better environment, where the network isn’t at the mercy of the next cyber-hooligan, it’s time to think about policies.
- Create a policy
Policies are good, because they’re explicit, in the knowledge management sense – they’re the captured wisdom, the tablets of stone, the things you can point to and say, “That’s how it’s done” which is immediately more impressive than “Well, what I do is …” Policies can be encoded, made part of induction programs, produced as evidence of good practice – they tick another box, if you will, but you’ll rarely be criticised for having too many.
So, what goes on the shopping list? A backup policy would be good – either take responsibility for your data, or save it to as shared drive, which can be backed up centrally. Patches and updates, antivirus – it depends on your systems what will work best, but to write the policy, you have to think about that, which is what counts.
How else can our systems get infected by malware? What about a BYOD (Bring Your Own Device) policy? If people can connect their phones, tablets and Google glasses to the network, or bring in USB sticks, that’s another vector of infection, to adopt the medical metaphor which viruses so neatly match.
I’m not telling you what your policy should be, but those are at least some of the areas you should address.
- Educate people about email
Email behaviour is more a matter for education: “did you hear what happened to so-and-so? Clicked on a link in an email and … I’d be so embarrassed if that happened to me.”
And you may be dealing with customers, colleagues, your customers may be colleagues – there will be lots of possibilities to exercise your skills in user education. However, if you can be the unseen hero(ine) who saves the system from a fate worse than usual, well, it’s just another day as an information professional.
So, think about what you know, and about how you can best apply it to your organisational context. Critically evaluate the situation regarding this aspect of information security in your organisation. Think about your role as an individual or a department, and how that can be influential in shaping policy.
It’s not unlike a scenario exercise from an Information course, but it’s real, and you don’t have a long time until the submission date. Good luck.
Are you responsible for information security at your organisation?
Share your tips in the comments below.