Protecting your business against virus threats
Ed Gibson, IT security chief at Microsoft, on the latest threats to watch out for
You’ve read about the government’s GetSafeOnline campaign. You’ve seen the news articles about loss or theft of data from the largest of companies and government agencies. But, hey, you’ve not been affected. Why do anything, it only happens to the other person?
I say to you, “Not so fast Mr It Ain’t Gonna Happen To Me”. That ‘other person’ is going to be you and your business if you don’t take a few moments to make sure you’re safe and secure. Cyber criminals and organised crime do not take holidays. But, neither do the thousands of people across the planet working 24/7 to help make the internet safer.
What’s in store for this year?
2008 will be all about the Social Engineer – internet miscreants getting you to do something we would not otherwise do online had we been given all the facts, such as clicking on a link in an email from someone we don’t know, giving out personal details that we wouldn’t give to our next door neighbour, wire transferring money in reply to a ‘get rich quick’ scheme and many other variations.
More importantly, 2008 will be about recognising the social engineered email, text or link. Many people have developed at least a basic awareness of internet security, and businesses have done well to educate their employees in the past. New scams come and go, but social engineering crimes that hinge on tricking people into clicking on attachments or links to activate the scam are, as we identified in 2007, increasingly used to underpin all these scams. Television programmes such as The Real Hustle demonstrate how this process has infiltrated both the on and offline worlds and cyber criminals are using social engineering to create ever more advanced methods of infecting computers or stealing data.
The list of malicious, social engineered tactics is almost as limitless as the imaginations of those that perpetrate the attacks, but there are a few that need highlighting in particular, either for their expected prevalence or prominence in 2008.
Most of us have experience of receiving phishing emails at some point and this type of attack accounted for more than one in three infected emails in the first half of 2007.
However cyber criminals are increasingly employing “spear-phishing” whereby an event topical to an audience, perhaps around the time when tax refunds are expected, or when your company’s HR department alerts you to yearly bonuses, is used to lure victims in with the promise of relevant news.
The Christmas and New Year’s holiday may be over for another year but don’t think that e-greeting card scams will disappear. Data suggests that URLs emailed through these scams will actually increase in 2008. These online cards typically have a general subject line such as “You’ve received a greeting from a family member” that, when clicked, installs malicious software to the person’s computer that can log information, remove data or use it as a distribution device forfurther attacks. We all like to think that we’re too clued-up to fall for such scams, but with the vast variety of tools with which content can be shared online these days, it’s all too easy to fall into a ‘click first, ask questions later’ approach.
Hardly a day goes by without some media outlet reporting a form of fraud related to a financial institution. I’m afraid to say that social engineering attacks where people receive an email directing them to verify their credit card or tax refunds through a phone number will continue as long as scammers find them profitable. Trade associations such as APACS do a fine job educating people to question the validity of such requests, but individuals whether at work or in the office need to take a step back and apply some common sense, or it might not just be your money going missing, but that of the company too.
When businesses seek to protect themselves from security breaches, it’s vigilance that provides the first and last line of defence. Some of the examples I’ve listed demonstrate that there are a multitude of ways into your system and those are just through age-old delivery methods such as email. So what else have you got to look out for?
Your business doesn’t operate in isolation. Whether you like it or not, consumer technology gets into the workplace, but you shouldn’t necessarily view that as a bad sign. Back in November we conducted research that showed that 33% of UK workers now use some form of social networking tool while at work. Unmonitored or unapproved tools such as these can provide a back door into your business if your employees aren’t aware of the risks and the measures they need to take.
A third of users admitted to opening or replying to messages from unknown contacts and one in 10 users admitted to having already caused their IT system problems by downloading unknown applications. Now I know you’re probably already scribbling a reminder to ban these tools at the first opportunity, but read on and you’ll see how this is a shining example of security as the liberator of businesses.
One in 10 people who use social media such as Facebook, MySpace, Bebo or Linked-in at work claim that these tools have given them greater confidence when using computers or other technology. And 8% claim that these tools have allowed them to meet new business contacts. These applications are usually free, so aren’t you saving money on training or networking if your employees gain these benefits from using them?
Educate your employees; follow my tips and hey presto! You’re on your way to confident, happy employees seeing real business benefits, while you can rest safe in the knowledge that valuable company information and your vital IT network is protected. Not! No, it’s not quite that easy, but you see where I’m going.
So a picture is developing of a world where ‘out of sight’ doesn’t mean ‘out of harm’s way’. Many businesses are driving towards flexible or mobile working, and there are numerous business benefits that can be experienced as a result. But security in the mobile world isn’t just about making sure you don’t leave your laptop on the train. Many mobile devices have email applications built in and even one of these in the right hands can be used to access your company’s system if you don’t consider the necessity of an all-round defence. Mobile phones, PDAs, laptops, even MP3 players… if you and your employees can use them so too can criminals.
Security awareness isn’t about preventing the apocalypse; it’s about increasing the value the internet can bring your business. IT security is about people, process and technology. Educate your employees; get the right technology, and use it in the correct manner.
People often ask me at what point can they be satisfied that they’ve done all they need to do. I always advise that ‘being secure’ is a work in progress. Just as the criminal element continually evolves so must being secure. And if something does go wrong, you can always send me an email; I would love to hear from you.
Ed Gibson is a former FBI agent and now IT security chief at Microsoft.