by Randy Johnston, Chairman – Network Management Group, Inc.
I have the pleasure of working with some really brilliant people, including technicians and accountants, in my NMGI and K2 businesses. Throughout this year, we have been warning people that virus attacks are more aggressive and invasive. These attacks are frequently delivered via email, social media such as Facebook and embedded in PDF files. The anti-virus companies are having more issues keeping their software ahead of the threats and the creators of viruses and malware are becoming smarter in their attacks. Even if your IT team or managed service provider is diligent in updating your firewalls and anti-virus signatures, your organization is still susceptible to attacks in the current environment.
Why are we so concerned about the attacks now? Haven’t viruses been around since the early 1980s? The first virus discovered in the wild was the Elk Cloner on the Apple II in 1981 and the first PC virus, Brain, was reported in 1986. Some key ideas about viruses are:
- Viruses exploit weaknesses in operating system controls and human patterns of system use/misuse.
- Destructive viruses are more likely to be eradicated.
- An innovative virus may have a larger initial window to propagate before it is discovered and the “average” anti-viral product is modified to detect or eradicate it.
More important, systems can be infected and unusable during the recovery period. Viruses attempt to hide and to re-infect the systems where they first gained entry. It may take 24, 48 or 72 hours to completely eradicate the viruses from your systems and to restore all of your files to a usable state. What will you have your team do while their computers are not working? How do you teach them to be careful in the first place?
We suggest that end users attend regularly scheduled, ongoing prevention training, and that this training be recorded in human resources records so that there is a permanent record of training, accountability and liability. Such training should include basic training customized for your firm, especially since firms have unique virus protection strategies. At the completion of training, each employee should sign an acknowledgment that the training has been received and understood, and that acknowledgment should be added to the employee’s permanent record. All team members of the firm should be required to attend, from the janitor to the CEO/Owners.
What to do?
One of the best strategies is to schedule security training at least annually for your organization. Stressing the importance of compliance with your firm’s policies, and making your best effort to ensure everyone has been exposed to the issues and has a chance to understand the threats, is a good use of time.
As a starting point, we are recommending teaching the following topics:
- Name the product being used: It is important for team members to know whether your firm has GFI Vipre Antivirus, Trend Micro, AVG, Sophos, etc. Next, train on the basics of that specific product so that end users are familiar with the protection their company has provided, such as:
- “Here is your icon for VIPRE Antivirus”: point it out in the Windows tray (VIPRE is just an example; a different product may be in use in your firm)
- Blue indicates that protection is on, active and up to date. Green indicates a scan in progress. Yellow means there is a problem with the program; contact your IT support team immediately. Red means contact your IT support team immediately.
- If you do not have an icon, contact your IT support team immediately.
- Explain how your AV protection works: Walk through what the firm has purchased and installed, for example:
- Email gateway Antivirus
- Exchange Antivirus
- Firewall based Antivirus
- Desktop Antivirus products to help protect our computer network from email threats.
- However, this protection only works if it is enabled, up to date and employees follow these basic principles:
- Don’t click links in emails without determining where they go first
- Don’t open attachments unless you know the source of document AND were expecting to receive it
- When popup windows appear while surfing websites, ALT-F4 is the proper way to close them
- Protect Outlook properly: Outlook has improved its virus protection and spam filtering with each version, but there are still fundamental features to consider and use:
- Turn off the reading pane for the Inbox
- Disable links for messages in the Junk Email Folder (Outlook). This should disable attachments too.
- Ensure AV is on and current on your desktop at all times: AV is only as good as its most current signature file. Vendors frequently release updated protection for known threats, and those threats change hourly worldwide. Often it can be several days or even weeks before some vendors have definitions (the file that allows identification of the viruses) to protect against the newest threats. Our team has submitted samples to Avert Labs, ThreatTrack and Symantec for items that we could easily recognize as viruses. It is not unusual for it to take several days, and on a couple of occasions several weeks, before the vendor releases specific definition protection for the new variant.
- Do not open emails that are not recognized, or any file with questionable business content, especially if the email has hyperlinks or attachments and you are not expecting this type of email from other sources. We frequently see spoofed emails from Intuit, Bank of America and Citibank, which I have personally seen recently as examples.
- These emails are very clever nowadays and often include spoofed senders (senders pretending to be someone they are not) and content that seems to come from valid business senders. My personal favorite at present is the email from a “spoofed” Intuit that contains a QuickBooks update that needs to be installed NOW to correct a program problem or improve performance. These emails have hyperlinks to an external virus payload and ZIP attachments that contain executable files, which are email worms or Trojans, that is, programs that hide and attach themselves to your systems and cause infections. These emails actually contain images from Intuit’s website and appear very legitimate. We need users to ask themselves: did I contact Intuit support and speak with someone about a specific problem that I needed an update for? Should I be receiving unsolicited email notices from Intuit about updates when that process is managed by my IT support team? Staff need to regularly communicate with their IT support team before opening questionable emails or files.
- Even more recently, we have seen emails sent from a spoofed Citibank containing valid images from Citibank’s website that linked to external virus code and included ZIP attachments containing executable files that appeared to be PDF (payroll) files but were actually executable files. The subject line was “Payroll processing received”, and the body contained instructions to open the attached PDF file to verify each employee’s payroll amounts. Needless to say, these emails were not sent to the Controller, nor were they actually requested by anyone. However, these worms were opened because staff thought they might actually get a peek at what others in the company are getting paid. If they had paused before opening the attachment or links and asked themselves, “did I contact Citibank for payroll information, or am I actually running payroll through Citibank?”, they would have recognized that they had received a new worm email variant that their antivirus was not protecting them from, and the worm would not have been unleashed.
- Explain your procedures for recovery: Hopefully, you never have to recover, but if you do:
- Outline your reporting and shutdown procedure
- Have everyone stay off of their systems until given the all clear
- Unplug infected machines from the network.
- Explain how you intend to estimate the recovery time
- Explain what systems are likely to be made available first
- Consider other topics related to security: You probably don’t get your team together frequently enough. Take this opportunity to discuss other important security related matters such as:
- Review the firm’s acceptable use and other computer policies
- Protection of portable computers and removable media
- Properly handling USB devices from home or clients
- Password strength and changes
- Social networking site safety
- Security of smartphones and tablets
- Instant Messengers – AOL, MSN, Google Chat, ICQ
- Weather Bug – should not be used
- Personal email access from Gmail, Yahoo or Outlook.com
- Transferring documents to and from clients via your portal or secure email
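As an added defender-side example (not from the original article), the following Python script inspects a ZIP attachment for the pattern described above in the spoofed Intuit and Citibank emails: an executable disguised with a PDF-looking name, or a file named .pdf whose content is really a Windows executable. The sample ZIP, its member names and the extension lists are constructed for illustration and are assumptions, not values from the article.

```python
import io
import zipfile
from typing import Dict, Optional

# Extensions Windows runs on double-click (assumption: representative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf"}
# Extensions that make a file name look like a harmless document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return why a ZIP member looks like a disguised executable, or None if it looks benign."""
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    ext = exts[-1] if exts else ""
    inner = exts[-2] if len(exts) >= 2 else ""
    if ext in EXECUTABLE_EXTS:
        return "executable disguised with a document extension" if inner in DOCUMENT_EXTS else "executable file type"
    if head.startswith(b"MZ"):  # PE/DOS header despite a non-executable name
        return "Windows executable header under a non-executable name"
    if ext == "pdf" and not head.startswith(b"%PDF"):
        return "named .pdf but content is not a PDF"
    return None


def inspect_zip_attachment(zip_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious member name to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reason = classify_member(info.filename, zf.read(info)[:4])
                if reason:
                    findings[info.filename] = reason
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE named like a payroll PDF, a fake PDF, and a real text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payroll_Processing.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("README.txt", b"Nothing to see here.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()).items():
        print(f"FLAG {member}: {reason}")
```

Such a check belongs at the email gateway or in the IT team's triage of reported attachments; it complements, rather than replaces, the user's pause-and-ask habit described above.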
Training is the best prevention
In summary, the best training is customized for each firm. Your staff should know how they are being protected and what the limitations of that protection are. Human Resources and IT should work together to deliver ongoing, regular training that is recorded in employee records. Between regular training sessions, IT should inform staff of high-risk known threats via alerts, whether through email, intranets or bulletin boards. Training should also be required as part of new employee onboarding, since the next regular training might be months away and an uneducated new employee could put the entire training program at risk. Please use these ideas to schedule and hold a training session with your team to minimize your risk of virus infection.