We’ve all heard security is an illusion. In a similar vein, Helen Keller said, “Security is mostly a superstition.” Although these quotes are antiques, their truth has never been felt more than in today’s internet culture. Home users believe in their protected bubble. They have their antivirus and operating system tools that alert them to issues on their computer. As long as they keep paying for the subscription, they feel they are safe. This has unfortunately never been true.
Running a Mac and think you cannot be hacked? Think again. For many years people said Macs couldn’t be hacked. They gave many reasons to support this position, but in reality more malicious code was being written for Windows-based systems because Microsoft had claimed the lion’s share of the market. Hackers didn’t want to waste time writing code that would fizzle out as soon as it spread to a couple of machines, since there weren’t enough Macs around to propagate it. Today the Mac has gained more market share, and there are more vulnerabilities than ever in the Mac world.
A few short years ago, the motive for hacking was fame: the race to affect the world in the most malicious way. Hackers were driven to become famous, though not under their real names, of course. They longed for their 15 minutes of fame.
The world is a different place now. Hacking has become monetized. Criminals around the world have figured out that hacking can reap huge profits. The latest exploits are called ransomware. This is where malicious code gets on your machine and encrypts all your files, then asks you to pay money to have them decrypted. For a home user with 10 years of family photos or a bank with information vital to its operation, paying can be a compelling fix to the problem, and many of them pay. Kaspersky Lab reported 128,132 ransomware infections in 2014. Only one year later, in 2015, the number was 337,205. And these are only the infections counted by one antivirus vendor. Estimates are as high as 625,000 (PCWorld), and it is only getting worse. And because big money is involved, the bad guys are staying one step ahead of the antivirus companies. Always one step ahead.
Much like organized crime developed in the early 20th century in Chicago and New York, the black hats (hackers involved in malicious computer activity) have figured out that it is easier and more profitable during this gold rush to sell pickaxes. Rather than hacking themselves, they are building websites that allow someone to easily purchase a virus or exploit. Sure, there have always been dark sites where you can download some code and put together your own virus, but that is for savvy computer geeks. The new evolution sells the hack as a managed service. You can actually go to a website and pay organized crime to exploit hundreds of thousands of computers for you, reaping millions of dollars in ransom fees, for a small monthly fee.
Yes, you read that right. Computer knowledge is no longer necessary for criminals to hack! They just have to outsource the crime to another organization that will do it for them. These malicious groups take your monthly fee, infect thousands of machines with ransomware, collect the ransom and pay you the spoils. This is REALLY scary to IT people. Anyone with a few bucks (ok, it is more expensive than that but stay with me) armed with malicious intent and a lack of conscience can inflict a firestorm on unsuspecting companies throughout the world and hold their data hostage.
Here is the really scary part of the story. Most industrial control systems, running everything from manufacturing to power plants to water filtering equipment, are outdated and unmanaged, yet connected to the Internet. It’s a slight nuisance when you cannot check the latest sports scores on your favorite news site, but it hits home a little bit more when we lose our power or run out of clean drinking water. Many hospitals have already reported infections that negatively affected their systems and prevented them from providing services last year. In February 2016, a Los Angeles hospital was hit with CryptoWall ransomware, and it shut down the computer system within the hospital until a 3.7-million-dollar ransom was paid.
This is why security is an illusion. Firewalls and security measures like antivirus only keep out the honest thieves, and today’s organized internet crime organizations are anything but honest. So what do we do about it? How do we prevent this attack? How can we be prepared for such a cunning and ingenious electronic onslaught? The answer is we cannot. Security is simply an illusion companies give you to get you to buy their products. But it doesn’t mean we are without hope. There are several steps you can take to protect yourself, your data and your company’s files. The best plan for security takes a multi-layered approach. You have to cover every angle, or you will let something slip by.
Hire an expert. Small businesses are the most vulnerable because they typically have the worst IT and limited funds to invest in enterprise tools. That is just the reality. However, SMB is not without hope. Hiring a good consultant or IMO (Infrastructure Management Organization) will be a great first step. These guys are experts and have seen it all. More important, they know what is working and what isn’t. They will help you put together a plan. And trust me, you don’t want to wait to call these guys once you get infected because it may be too late.
Educate your people. Almost 100% of the ransomware infections today are due to employees clicking on links they should not click on. Educate them so they know what to look for in those emails that might tip them off that a message is not legitimate. There are services that will even send you fake viruses to see which users click on them and then let you know, so you can enforce training for the employees who are fooled. Knowledge is your best defense.
Backup, and restore. Many small businesses don’t think about backup seriously because server disasters due to hardware failure are rare these days. Hardware has become more reliable. But with the latest ransomware infecting hundreds of thousands of machines and companies each year, you may have to restore from backup sooner than you might think. And don’t forget to test your backups to ensure you can restore from them. You should test at least once a year and preferably once per quarter. If you don’t have someone looking at your backups every day, you are playing with fire.
Get multiple layers of protection. You can no longer depend on just antivirus. You need the firewall sniffing out the bad stuff, antivirus, anti-malware, monitors to alert you when they see malicious activity, and an overall plan to ensure these products are monitored, managed and kept up to date. This is essential since the bad guys are releasing new exploits and attacks each day. Sometimes it is only an hour between the time a new exploit starts blazing a trail across the internet and the time the vendors update their software to catch it. If you are not getting regular updates, you may miss it. Typically it is not the old viruses you have to worry about; it’s the one that was written this morning.
Think comprehensively. A chain is only as strong as its weakest link. If your network has 50 machines and 49 of them are protected, you are vulnerable. It only takes one unprotected machine to launch an attack on your network or to run a malicious script that deletes all your data from the servers. You cannot afford to be lax about your security policies. You need established processes for putting machines on the network and taking them off. Little Johnny should not come home from school each day and plug in his laptop to your work network. That is bad news and a disaster waiting to happen.
For years IT people have heard speeches and presentations from vendors selling security software about how the world is coming to an end due to hacking and that everyone is at risk. We used to shrug it off, knowing that they were using hyperbole. Things are changing: not only are the IT people listening now, we are a bit frightened by what’s happening. Do yourself a favor and don’t ignore security, or you may be the next victim. Do your research and get a layered security plan deployed in your organization, or better yet, call an expert and ask them to help you do it.