By: Peter K Kardel
We discussed in our last article that ransomware has become a hugely lucrative business for hackers operating all over the globe. The river of money flowing into their coffers has fueled a cyber security arms race, good vs. criminal, that puts you in the crosshairs of this battle. In the past we worried about hackers as vandals and taggers in cyberspace. They were a nuisance to be sure, but the damage done was limited. Then the hacker trade matured, looking for your valuable data to steal, exploit and sell. This was a sinister evolution that brought intolerable risks to businesses. Not only were the thieves stealing trade secrets, siphoning off funds and disrupting business, they were also exposing firms to liability and loss of customers. Your job might even be at stake. Target’s CEO Gregg Steinhafel, a 35-year employee of the company, was forced out after a breach exposed 70 million customers’ credit card information. The company ended up agreeing to a $10 million settlement.
Many small business leaders felt growing unease, but were comforted by reasoning that they were too small to go after. “No one cares about our data” was a common refrain. That is so last year. A front has opened up in the cyber wars. The hackers don’t need to steal your data, they simply have to lock you out of it using industrial strength cryptography—holding it for ransom in a virtual data Azkaban.
As a 25-year IT veteran, this is what keeps me up at night.
Hardening the defenses is more urgent than ever. Take these 3 steps to put the cyber warrior armor on, helping to keep your business safe.
#1 Banish Adobe Flash
Flash is a technology for playing website multimedia content in your browser. Flash has long been despised by IT people. Not only do Flash-enabled sites positively chew through your smartphone battery, Flash itself is hopelessly promiscuous. Every few weeks another disastrous hole in Flash is discovered by security researchers. These holes are terrible. They are easily exploited to do terrible things to your computer. Typically, patches for the bugs lag days or weeks behind hackers who are already zealously attacking computers on the net. What is so insidious is that it just takes a snippet of evil code slipped into a compromised website to allow a hacker to take over your computer. So go ahead. Kill Flash with fire. You probably won’t miss it since newer, safer, better multimedia technologies are already built into your updated browsers. See our article on how to do this: https://www.cleverducks.com/2016/06/29/1277/
#2 Update and Patch Everything
Your data is precious. It is your work product you’ve expended part of your life developing or it is information about you or your customers that you are obliged to protect. You might say it is like your baby. It’s part of you. If your data is your baby, then your computer is like its crib. Using a computer with outdated, unpatched operating systems, applications and utilities is like placing your baby in a crib that has been recalled for harming babies like yours. You got the notice urging action in the mail, but you’re really busy and don’t want to spend the time or money to make the crib safe. You’ll get to it later. Of course, you’d never take that chance with your child! Don’t take needless risks with your data! Patch early and patch often. Here are some patching tips to keep in mind.
- Stay on supported versions. Technology providers can only keep a few generations of their products updated. It takes serious skills and resources to hunt down the bugs, fix the code, retest and release patches. Also the state of the security art is continually evolving. In some cases you will need to upgrade just to stay under the umbrella of support, even if the current functionality is acceptable. This can be vexing to business leaders. Not every system or program is likely to be exploited. Keep the big 4 listed below covered and you’ll be way ahead of most users.
- Operating Systems: Windows & Mac OS have easy to use, built-in, automated patching systems. Make sure they are in working order, that the patches are being applied and the system rebooted. Take action if an issue like free disk space or system conflict backlogs the updating process.
- Browse with the Best: Always use the latest, fully updated browser for your system. This is easy to do, usually handled by the patching of your OS, but you have to let go of the past and move on to the newer browser versions. There may be good reasons to delay moving to the newest version due to compatibility issues with browser based applications. Don’t get complacent though. As soon as you can upgrade, do it.
- Don’t forget the Apps & Servers: These are the main applications you use like MS Office, QuickBooks, CRM and other line-of-business systems. These are big, heavily used and common . . . making them likely targets of hackers. As an added benefit, you have a fighting chance of recovering when technical issues arise if you’re running supported versions. When access to your data is on the line, you never want to hear the guy on the support line say “whoa, that’s way before my time!”
- Don’t ignore the core – update your utilities: Ok, the obvious one is your end point security software (antivirus). Make sure you have an active subscription, the latest version with the latest virus definitions. Our longtime favorite end point security software is ESET: http://www.eset.com/us/ Other utilities to pay attention to are the Java Runtime and Adobe Acrobat. These are frequently exploited by hackers. Fortunately, the newest versions are much more secure than in the past. Be sure to uninstall the old versions though! Older versions of Java lurking on your system can be directly targeted.
#3 Implement Ad blocking
Website ads can be annoying, but you pretty much ignore them . . . no harm other than slower loading web pages and a little tax on your data plan, right? Enter malvertising. This would be really cool if it wasn’t so bad. Check how it works. Many websites are monetized by selling access to ad networks, passing them demographic information gleaned from your browser, cookies, IP address, advertising ID, etc. A site like, say, The New York Times will have hundreds of links to sites the Times has no control over. Any given page can have several ad networks woven in, all playing a part in building the web pages you see.
You probably are way ahead of me now . . . thinking what if hackers were to compromise one of those ad networks, inserting a well-hidden teeny-weeny bit of malicious code? Your browser dutifully processes it, loosing the crooks onto your system. The malvertising code relies on exploiting an unpatched weakness in one or more parts of your system. I hate to interfere with how sites pay the bills, but the risk has become unacceptable. Until the ad industry can resolve this concern on their own, or regulators force them to, it is time to shut the door on these risky connections. It is time to install an ad blocker on your browsers.
This one is a snap to get done. I have been using Adblock Plus with great success. It is a free, open source plug-in supporting every browser under the sun. Just head over to their website to check it out; there you’ll find all the links for installing it. You may find some sites like https://www.Forbes.com refusing to load since you are blocking ads. You can either whitelist the site, create a login to the site if they offer it, or skip the site altogether. The web is pretty big, you shouldn’t miss any content too much if you don’t want to play ball. Site administrators had their chance with our trust and have failed to keep us safe. Don’t feel bad about taking your safety into your own hands.
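To see the exposure described above for yourself, here is an added example (not part of the original article): a short Python script that lists the outside hosts a page asks your browser to load content from. The page URL and HTML are constructed samples, and `site_of` is a simplified same-site check assumed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that make the browser fetch and process remote content on page load.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data"}


def site_of(host):
    """Crude 'same site' key: the last two DNS labels (an assumption; real
    tools use the Public Suffix List to handle co.uk-style domains)."""
    return ".".join(host.lower().split(".")[-2:])


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlparse(page_url).hostname)
        self.hosts = {}  # third-party host -> set of tags that load from it

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Resolve relative and protocol-relative (//host/path) URLs.
        host = urlparse(urljoin(self.page_url, url)).hostname
        if host and site_of(host) != self.first_party:
            self.hosts.setdefault(host, set()).add(tag)


def third_party_hosts(page_url, html):
    audit = ThirdPartyAudit(page_url)
    audit.feed(html)
    return audit.hosts


# Constructed sample page (not a real site's markup).
SAMPLE_URL = "https://news.example.com/story"
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<img src="https://img.example.com/logo.png">
<script src="//cdn.adnet-one.example.net/tag.js"></script>
<iframe src="https://ads.adnet-two.example.org/slot?id=1"></iframe>
<img src="https://pixel.adnet-one.example.net/p.gif">
</body></html>"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items()):
        print(f"{host:35} loaded via {', '.join(sorted(tags))}")
```

Every host this prints is a party the site owner does not control; scripts and iframes matter most because the browser executes what they deliver.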
Now that you’ve taken these simple steps to protect your data from theft or ransom, don’t you feel better? I do! It’s like you just put your baby in the latest, safest car seat and settled in for a smooth trip. Next week we’ll look at how to make you and your users the safest drivers on the data superhighway. Many IT security professionals will admit that no matter how many security measures they put in place, the biggest IT security risk for most businesses is their end users. No shiny box is going to close this hole. You have to test, train, retest, and retrain your staff on these 21st century skills to navigate the sometimes dark waters of information security. Stay tuned for the good news . . . training your people to be the best defensive data drivers has never been easier!