Securing your business from scams, ransomware and phishing attacks.
The problem.
We have seen a number of customers this year affected by ransomware and phishing attacks and the problem appears to be increasing. If your not sure what these terms mean then read on and I will try and explain them in real world examples.
As a small or medium sized business owner, you already have a lot to deal with, the loss of data or finances from cyber criminals is just another cause for concern. Within this blog article, I will try and explain the nature of these attacks, the implications to you and what you can do to reduce the risk.
The difference between traditional viruses, malware and ransomware are that ransomware is aimed at getting money from the victim whereas viruses and malware have the intention of causing damage.
Ransomware.
This is a threat that effectively removes access to your data by encrypting it. This encryption changes the way the data is written so that it can only be read if you have a special key to unlock the data. The only way to get the decryption key is to pay the money and hope that it works. There are time limits on how long you are given to respond and after that limit, the data is unrecoverable and must be restored.
When devices are infected with this ransomware we have seen large volumes of data encrypted in a short space of time, in one case 250,000 files in 20 minutes.
Examples of fake ransomware email.
Typically the end user receives an email with a link or a file with a link to a malicious site here are some examples of email subjects:
- Payment Overdue, Please respond.
- Symantec Endpoint Protection: Important system Update.
- New Voicemail message.
- Scan from Xerox Workcentre.
Phishing.
This is the attempt to obtain information such as usernames, passwords, credit card and banking details and ultimately your money. Typically the user is deceived into giving the security information through a fake website. The link to the website is often sent in an e-mail, but information may be obtained in many ways using social engineering techniques. This includes text messages and phone calls. A slight variant on this is the use of “spear phishing” where the e-mail or communication would contain personal information that you would only expect to be known by a trusted contact.
Examples of phishing emails.
Your tax refund is available.
Your account has been compromised.
These emails can be very realistic:
Recommendations.
We have put together a set of security recommendations condensed down into 5 layers to simplify the process of managing the problem. There needs to be a combination of solutions, known as security layers that are put in place.
- Good backups and data security. We are moving more towards online backups now as it gives us a greater level of protection, it can be automated and doesn't require user interaction. If the worst should happen and we need to recover from a disaster, we can restore whole systems to our office on to new or spare equipment for recovery. In many cases, we run this backup in parallel with existing systems if customers have them.
There are a number of other methods we can use to reduce the effects of ransomware, we can filter the types of files allowed on the servers, this can be done manually but ideally we would use a product such as Sophos Interceptx.
Restrict users only to the data they require access to, don’t be too generous with file and folder security permissions.
- Device and user security, anti-virus and ransomware protection. This is probably the area of greatest weakness for the small and medium sized business. We have found that we need to increase the level of protection that our customers have. We are primarily using two products, Sophos Cloud anti-virus, and Sophos Interceptx. The first product is a traditional anti-virus and is designed to stop the viruses and malware and the second product is specifically aimed at protecting against these threats labelled as "ransomware".
The need to train end users in good security practices and how to identify the potential threats, such as suspicious emails or unusual files is vital.
Company workstations and servers need to have the latest security updates.
It may be necessary to increase the strength of passwords and implement a password policy to ensure changes, you may decide to use two-factor authentication similar to the tokens banks issue.
- Mail filtering. We have started deploying a number of solutions from providers such as Symantec, LogicNow and Mimecast who are the market leaders in scanning and removing threats from e-mails as well as rejecting spam. This is best done before the e-mail is delivered to the end user. In many cases, we may have several layers of filtering, Office 365 provides several methods for filtering but there can still be significant improvements by adding a separate product in front of the Office 365 systems.
These systems can also scan and replace any links within the emails, we need to remember that in some cases these emails can be delivered from trusted contacts.
- Website Filtering. Many threats are delivered now by browsing to compromised sites where the virus or ransomware is hidden waiting to be downloaded. We recommend implementing a filtering system that scans employee access to the Internet and will block sites listed as being infected or suspicious.
This is a separate solution to the mail filtering although providers such as Symantec can do both mail and web filtering. In some companies, the reporting from these tools can also increase employee productivity if you have users that like to spend company time on e-Bay or Facebook.
- Firewall Updates. The firewall is designed to protect the network from external unauthorised access and should be updated on a regular basis and included in the cyber security process. Although not directly involved in securing the end user from these attacks some firewalls do perform additional functions such as mail scanning and website scanning.
Additional recommendations.
The phishing attacks can be very targeted and in several cases, we have seen members of the finance team sent emails from compromised accounts requesting payments. There are a number of steps we have implemented and seen at other small businesses including the following:
- Dual sign off on payments, have one employee setup payments and another sign them off. It's much harder to scam two people.
- If anything seems fishy it probably is, make a phone call, but use known numbers, not those given to you in the emails.
- Read any web links very carefully, scammers often redirect end user to sites that have very similar spellings. www.g00gle.com Email addresses may be spoofed (forged) and may often be setup with a very similar address.
- Look for changes in the way e-mail are written, this is when you know the end user and if something looks slightly different make that phone call.
