CryptoLocker Case Study

The following account describes a real-life malware attack on a New England manufacturing firm. The company has chosen to share its story anonymously to help other businesses avoid a similar fate.

The unsuspecting sales rep reacted exactly as anyone would expect. He received an email with a voicemail attachment that appeared to come from the company CEO. When the CEO calls, reps jump to attention, and this firm's phone system delivers voicemails as email attachments, so the sales rep had no reason to suspect anything was wrong.

As it turns out, something was very wrong.

Click the link below to read the full article.

Bryley — CryptoLocker Remediation — 2013

5 Facts About Malware

One of our staff compiled this brief list of malware facts:

  • Vulnerabilities in Java are the most commonly exploited vulnerabilities.  (Java is a popular programming language; its browser plug-in, which runs Java code embedded in web pages, is the usual target.)
  • One of the main causes of infection is the “drive-by download”: simply browsing a compromised website, or clicking a search-engine result (Google, Yahoo, Bing, etc.) that leads to one, downloads the infection with no further action on your part.
  • Sales, R&D, HR, and other multi-user mailboxes are targeted by malware distributors because these recipients are the most customer-facing employees; they have busy mailboxes, are accustomed to receiving and opening a lot of email, and routinely download attachments (resumes, PDFs, etc.) as part of their jobs.
  • 88% of attacks are on non-government (private) entities.
  • Small businesses with fewer than 250 users are the most-targeted group.

Are you curious about how to avoid these common threats?  A member of our staff would be more than happy to discuss the steps you can take to secure your data.

Beware CryptoLocker

We have seen a rise in CryptoLocker attacks; they can cripple the data files on your computer and across your computer network.

CryptoLocker is destructive ransomware (a trojan that arrives disguised as something harmless, rather than a self-spreading virus); once run, it locates and encrypts data files, rendering them inaccessible.  CryptoLocker does not announce its presence until the data files it can reach (Microsoft Office documents, PDF files, etc.) are encrypted; it then demands payment (a ransom) to decrypt them.  (This type of ransomware is called “cryptoviral extortion”.)

The usual delivery method is email: a legitimate-looking message with an attachment.  Once the attachment is opened, the malware starts encrypting and continues until every data file it can reach is encrypted or the computer is powered down.

You will not be able to decrypt these files without the attackers' key.  There is no cure.  There is no fix.

If the infected computer is connected to a network, data files on mapped network drives, on other computers, and/or on the server(s) may also be encrypted and made unusable.

Although payment is demanded to decrypt the files, it should not be sent: there is no guarantee the criminals will deliver a working key, and any response marks your network as a paying target for future attacks.  The only recommended recovery method is to restore the encrypted data files from the latest backup.

Please visit http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information for more information on CryptoLocker.

Mike Morel, Engineer at Bryley Systems, suggests these practices to reduce the risk of triggering CryptoLocker on your computer:

  • Do not open email attachments from sources that look legitimate but are unexpected; confirm with the sender by phone or a separate message first.
  • If you are expecting an attachment, save it first (without opening it) and scan it with your anti-malware scanner before opening it.
  • Back up all data files regularly, and keep at least one copy offline or otherwise disconnected: a backup drive that is mapped on an infected computer can be encrypted along with everything else.
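One way to put the second practice into action, as an added example that is not part of the original newsletter or Bryley's own tooling: a PowerShell script that inspects attachments saved (unopened) to a folder and flags an executable hiding behind a document name, the disguise CryptoLocker's emails relied on.  It assumes the attachments are already saved to a folder; the three sample files it creates are constructed for the demonstration, and a bare PE header is not malware.

```powershell
# Added example, not code from the original newsletter or from Bryley Systems.
# Flags the two tricks a CryptoLocker-style lure depends on: an executable
# extension that Windows hides by default ("Voicemail.wav.exe" is shown as
# "Voicemail.wav"), and executable bytes behind a document file name.

function Get-FileSignature {
    param([string]$Path)
    # Read only the first four bytes: enough to recognise the formats below.
    $buf = New-Object byte[] 4
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $n = $fs.Read($buf, 0, 4) }
    finally { $fs.Close() }
    if ($n -ge 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { return 'exe' }   # "MZ": Windows executable
    if ($n -ge 4 -and [System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -eq '%PDF') { return 'pdf' }
    if ($n -ge 2 -and $buf[0] -eq 0x50 -and $buf[1] -eq 0x4B) { return 'zip' }   # "PK": zip, also .docx/.xlsx
    return 'unknown'
}

function Test-Attachment {
    param([string]$Path)
    $name    = [System.IO.Path]::GetFileName($Path)
    $ext     = [System.IO.Path]::GetExtension($Path).ToLower()
    $sig     = Get-FileSignature $Path
    $reasons = @()
    $execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js')

    # 1. Executable extension, whatever icon the sender gave the file.
    if ($execExt -contains $ext) { $reasons += "executable extension $ext" }

    # 2. Document extension but executable bytes: the name lies, the content does not.
    if ($sig -eq 'exe' -and -not ($execExt -contains $ext)) {
        $reasons += 'executable content behind a non-executable name'
    }

    # 3. Double extension such as "Invoice.pdf.exe".
    if ($name -match '\.(pdf|doc|docx|xls|xlsx|txt|jpg|wav|mp3)\.[a-z0-9]{2,4}$') {
        $reasons += 'double extension'
    }

    New-Object PSObject -Property @{
        Name       = $name
        Signature  = $sig
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample "attachments" in a temp folder; none is a real file from a mailbox.
$dir = Join-Path $env:TEMP 'attachment-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$peHeader  = [byte[]](0x4D, 0x5A, 0x90, 0x00)
$pdfHeader = [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4')
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Voicemail.wav.exe'), $peHeader)   # lure like the case study's voicemail
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Invoice.pdf'),       $peHeader)   # named as a PDF, actually a PE
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Quote.pdf'),         $pdfHeader)  # genuine PDF header

Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-Attachment $_.FullName } |
    Format-Table Name, Signature, Suspicious, Reasons -AutoSize
```

Treat any flagged file as hostile and do not open it.  The check complements, and does not replace, an anti-malware scan: a zipped attachment has to be extracted to a folder (not opened) before its contents can be examined this way, and Windows' default "Hide extensions for known file types" setting is what lets the first trick work at all.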

If you discover this malware, immediately disconnect the affected computer from the network (unplug the network cable or turn off Wi-Fi) and power it down; if it is connected to a server, shut down the computer network.  Then call Bryley Systems at 978.562.6077 and select option one for technical support.

For additional information, see our lead article “Cybercrime targets smaller organizations” from the September 2012 edition of Bryley Tips and Information at

https://www.bryley.com/news/newsletter/bryley-tips-and-information-september-2012/.

Why small businesses struggle with cyber security

In part two of the interview with The Cleaning Crew, Bryley Systems President, Gavin Livingstone, explains why cyber security is sometimes overlooked within small businesses.

Why is cyber security important?

In a recent interview with The Cleaning Crew, Bryley Systems President, Gavin Livingstone, explained the importance of cyber security.  Watch the first part of the interview below.

Studies suggest cyber-security overconfidence in small/medium businesses

In a recent survey by Symantec and the National Cyber Security Alliance (NCSA), most of the 1,015 small and medium-sized businesses that participated felt they were safe from cyber threats, although just 17% had a formal cyber-security plan.  Other contradictory findings:

  • Although 77% recognized that strong cyber security was important for their brand, 59% had no plan on how to respond to a data breach.
  • Only 13% had a written Internet policy, but 62% believed that their employees knew the company’s Internet policy and practices.

Visit Small biz survey: No cybersecurity plans — no worries. What? for the full CNet article by Charles Cooper.

In a separate survey, conducted in the fall of 2011, research firm Opinion Matters polled 200 IT decision-makers at companies of five to 250 employees.  Although almost 88% had web-monitoring/filtering software, over 40% of respondents had suffered a security breach due to unsafe web browsing.

Visit 40% of SMB have had a security breach due to unsafe Web surfing for the full ConnectIT article by Mark Cox.

Both studies suggest that these businesses are not as secure as they think.

October is National Cyber Security Awareness Month (NCSAM)

According to the National Cyber Security Alliance (NCSA), October is the month to promote Cyber Security Awareness, which “…encourages people to do their part to make their online lives safe and secure.”

The NCSA’s philosophy is that online safety is a shared responsibility: “Everyone has a role in securing their part of cyber space, including the devices and networks they use.”  NCSAM provides a focal point for participants to educate others about safe and secure usage.  Its three-part mantra:

  • Stop – Understand the risks and learn how to spot potential problems
  • Think – Consider how your usage of the Internet could impact others
  • Connect – Proceed with confidence now that you know what to expect

The official presidential proclamation states that NCSAM is the time to “…recommit to ensuring that our information and infrastructure remain secure, reliable, and resilient”.

Business users may visit Keep My Business Safe for details on how to secure their businesses.  There are safety tips for individuals and some free security-checkup tools.

Protect your mobile device – Part 3: Enforcement, Tools, and First Steps

We have explored the importance of setting policies and of training users on mobile device security and management; now we wrap up with how to enforce those policies, recommended tools, and first steps toward mobile device security.

Enforcement

Enforcement is usually assisted by a Mobile Device Management (MDM) tool: typically a software application that requires an agent to be installed on the mobile device.  Once installed, the agent connects back to a central console from which an administrator can monitor, manage, and secure the device and support its user.

MDM features typically include:

  • Enforce user security policy:

o   Require complex password with frequent changes

o   Permit remote access only via SSL or VPN

o   Lock-down browser settings

o   Enable encryption

  • Recover lost or stolen devices:

o   Activate alarm (set off an audible alarm on the device)

o   Enable track and locate (track and locate the device via GPS)

o   Permit remote wipe (complete erasure of the device as a last resort)

  • Control mobile device applications:

o   Recognize and prevent installation of unauthorized applications

o   Permit whitelisting and blacklisting of applications

o   Restrict or block application stores

  • Remotely deploy and configure applications (email, etc.)
  • Audit the mobile device for installed software, configuration, and capacity

ComputerWorld has a comprehensive article on the challenges of MDM; see Mobile device management: Getting started.

To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool.  Other MDM providers include:

  • AirWatch
  • LabTech
  • MobileIron
  • Symantec
  • Zenprise

While MDM provides a comprehensive tool, it can be costly to procure and support.  Many companies use a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis, with pricing that ranges from $15 (in quantity) to $75 per device per month.

Non-MDM Tools

Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed per end-user or per end-device Client Access License (CAL).  The Exchange 2010 Standard CAL licenses:

  • Password security policies
  • Encryption required
  • Remote wipe

The Exchange 2010 Enterprise Add-On CAL licenses advanced features, including:

  • Allow/disallow Internet browser, consumer email, unsigned installation, etc.
  • Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
  • Allow/block specific applications
  • Per-user journaling
  • Integrated archive

Exchange Server 2010 Standard is $709; Standard CALs are $68 each, and the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).

Main difference between MDM and EAS: most MDM tools provide greater control over the mobile device throughout its lifecycle, and can control the device even before email is configured.  EAS policies, by contrast, reach a device only once its mailbox is set up, and only to the extent the device's ActiveSync client implements each setting.
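As an added example, not from the original newsletter or from Bryley Systems, the Exchange Management Shell commands below create an Exchange 2010 ActiveSync mailbox policy that enforces the complex-password definition from Part 2 (at least eight characters, three of four character types, changed regularly), requires encryption and a short auto-lock, adds the Enterprise Add-On controls listed above, assigns the policy to a mailbox, and wipes a lost device.  The policy name, mailbox, device name, and notification address are assumed placeholders.

```powershell
# Added example, not code from the original newsletter or from Bryley Systems.
# Run in the Exchange Management Shell on Exchange 2010.

# Standard CAL features: password policy, encryption, remote wipe.
$policy = @{
    Name                               = 'Mobile-Standard'   # assumed policy name
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false              # rejects 1234, 1111 and the like
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8                   # Part 2: at least eight characters
    MinDevicePasswordComplexCharacters = 3                   # Part 2: three of the four character types
    DevicePasswordExpiration           = '90.00:00:00'       # changed regularly: every 90 days
    DevicePasswordHistory              = 5                   # no reuse of the last five
    MaxInactivityTimeDeviceLock        = '00:05:00'          # low auto-lock time: five minutes
    MaxDevicePasswordFailedAttempts    = 10                  # device erases itself after ten failures
    RequireDeviceEncryption            = $true
    AllowNonProvisionableDevices       = $false              # refuse devices that cannot acknowledge the policy
}
New-ActiveSyncMailboxPolicy @policy

# Enterprise Add-On CAL features: browser, consumer e-mail, unsigned applications,
# removable storage, Wi-Fi and Internet sharing controls.
Set-ActiveSyncMailboxPolicy -Identity 'Mobile-Standard' `
    -AllowBrowser $false `
    -AllowConsumerEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowStorageCard $false `
    -AllowWiFi $true `
    -AllowInternetSharing $false

# Assign the policy to a mailbox; the device receives it at its next sync.
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy 'Mobile-Standard'   # assumed mailbox

# Audit: which devices the user has paired and when each last synced.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Format-Table DeviceFriendlyName, DeviceType, DeviceOS, LastSuccessSync -AutoSize

# Lost or stolen device: the wipe is carried out the next time it connects.
$lost = Get-ActiveSyncDevice -Mailbox 'jdoe' |
    Where-Object { $_.DeviceFriendlyName -eq 'Jane iPhone' }   # assumed device name
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses 'helpdesk@example.com' -Confirm:$false   # assumed address
```

Every setting is enforced by the device's ActiveSync client, not by the server.  AllowNonProvisionableDevices $false turns away devices that cannot acknowledge the policy at all, but a device may still silently ignore individual settings it does not implement (several of the Enterprise Add-On controls were originally Windows Mobile features), so verify the behaviour on each platform in use before relying on it.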

Other recommended tools include:

  • Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
  • Protect and find phone via key-case fob – Kensington Bungee Air at $79.99

First-step suggestions

These are our minimum first-step suggestions:

  • Deploy anti-malware software immediately and manage it continuously
  • Require a password to unlock the device, with a short auto-lock time
  • Keep mobile devices updated through vendor-approved patching
  • Enable on-board encryption if handling sensitive data


Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.

Protect your mobile device – Part 2: Training

Training is an important early step in any process; informing end-users of the need to secure their mobile devices is critical.  Recommended training topics:

● Why we need to authenticate and encrypt

● How to reduce the risk of loss or theft

● How to safely deploy new applications

● How to securely backup your data

Authenticate and encrypt

Authentication is the process of confirming that the end-user is authorized to use the mobile device in a prescribed manner.  It is typically handled through a username and a complex password that is changed regularly.  (A complex password is at least eight characters long and uses at least three of the four character types: capital letters, lower-case letters, numerals, and special characters.)

Increasingly, biometrics (fingerprint verification, eye-scans, etc.) are playing a role in authentication.

Sensitive data should be encrypted so that it is unreadable if the device is lost or stolen.  (Encryption scrambles the content, making it unreadable to anyone without the key needed to decrypt it.)  Authentication is required to decrypt and access the data.

Reduce the risk of loss or theft

Cell phones are easy targets for theft; they can be sold on the street and are (still) easily re-programmed for a new account on a cellular network.

To reduce the risk of theft:

● Be vigilant; know where your cell phone is at all times and keep it close to your body. (It doesn’t always help: One of our clients had his cellphone taken right from his hand by a man on a bike on a busy city street; the bicyclist also gave him a kick to discourage pursuit.)

● Install phone-tracking software

● Install a physical locking device

Safely deploy new applications

Mobile-device users download applications through app stores installed on the device.  App stores are increasingly targeted for malware distribution; only trusted and approved applications should be downloaded and installed.  (Most app stores have responded by requiring additional security precautions from their customers.)

For company-owned devices, end-users should have specific guidelines on which applications may or may not be installed; ideally, an enforcement mechanism on the device ensures these policies are followed.  For employee-owned devices, this policy may need to be recommended rather than required.

Securely backup your data

To prevent loss or inadvertent deletion, data stored on a mobile device (pictures, documents, contacts, etc.) should be backed up in encrypted form to a separate, secure location.

Backups should be required on devices owned by the organization and strongly recommended for individually owned devices.  Backups should be scheduled periodically and verified by test-restoring a sample of the data.

Online, consumer-oriented backup and file-storage applications (spritemobile, DropBox, Mozy, SugarSync) are somewhat restricted by the mobile-device operating system in what data they can back up; typically contacts, calendars, music, and photos.  Full backups are usually done through tethering (attaching the phone to a computer).

Visit Enterprise Security Policies for Mobile Device Backup and Restore at Dummies.com for an informative article on mobile-device backup.


Next month (part 3): We will discuss enforcement, review a few tools, and wrap-up with first-step suggestions.

DNS-changing malware in the news this week

A well-publicized DNS-changing malware, DNSChanger, was detected late last year, and the FBI temporarily thwarted it by replacing the criminals' rogue DNS servers with clean ones.  The FBI will shut down those temporary servers at midnight on Monday, July 9th, which could cause any remaining infected machines to lose their Internet connection.

Windows-based PCs managed by Bryley Systems under our Comprehensive Support Program are not at risk.  All other PCs may be at risk, although most owners of DNSChanger-infected machines had been notified previously.

To determine if your PC might have this malware, please visit www.DNS-OK.us, a US site created to check the DNS settings on your computer.  If you are infected, the banner on the site will be red and will alert you.  (A Canadian version of this same test is available at http://www.dns-ok.ca/ in both English and French.)


There are tools to remove this infection, but please feel free to contact us at 978.562.6077 if you require assistance.
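An added example, not from the original newsletter or from Bryley: a PowerShell script that performs the same test locally, comparing each network adapter's configured DNS servers with the rogue DNSChanger server ranges published in the FBI's DNSChanger notice.  The address ranges are reproduced from that notice and should be confirmed against it before the script is relied on; the two check values at the bottom are constructed, not read from a real machine.

```powershell
# Added example, not code from the original newsletter or from Bryley Systems.
# Rogue DNS server ranges (start, end, inclusive) as listed in the FBI's
# DNSChanger notice; confirm against that notice before use.
$RogueRanges = @(
    @('85.255.112.0', '85.255.127.255'),
    @('67.210.0.0',   '67.210.15.255'),
    @('93.188.160.0', '93.188.167.255'),
    @('77.67.83.0',   '77.67.83.255'),
    @('213.109.64.0', '213.109.79.255'),
    @('64.28.176.0',  '64.28.191.255')
)

function ConvertTo-IpNumber {
    param([string]$Ip)
    # Dotted quad to a 64-bit integer so that address ranges compare numerically
    # (arithmetic rather than shift operators keeps this working on PowerShell 2.0).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-RogueDnsServer {
    param([string]$Ip)
    $n = ConvertTo-IpNumber $Ip
    foreach ($range in $RogueRanges) {
        if ($n -ge (ConvertTo-IpNumber $range[0]) -and $n -le (ConvertTo-IpNumber $range[1])) {
            return $true
        }
    }
    return $false
}

function Test-LocalDnsSettings {
    # WMI works on XP, Vista and 7, the systems the FBI notice concerned;
    # Get-DnsClientServerAddress exists only from Windows 8 onward.
    $rogueFound = $false
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        foreach ($dns in @($adapter.DNSServerSearchOrder)) {
            if (-not $dns) { continue }      # adapter with no DNS servers configured
            $rogue  = Test-RogueDnsServer $dns
            if ($rogue) { $rogueFound = $true }
            $status = if ($rogue) { 'ROGUE (DNSChanger range)' } else { 'ok' }
            '{0,-45} DNS {1,-15} {2}' -f $adapter.Description, $dns, $status
        }
    }
    if ($rogueFound) {
        Write-Warning 'A configured DNS server falls in a DNSChanger range: treat this PC as infected.'
    }
}

# Constructed check values, not read from a real machine: one address inside the
# first rogue range and one public resolver outside all of them.
Test-RogueDnsServer '85.255.112.10'
Test-RogueDnsServer '8.8.8.8'

# Live check of this PC's adapters.
Test-LocalDnsSettings
```

Because it reads the adapter configuration directly, the check also works on a PC that can no longer reach the web.  It does not inspect the home or office router, whose DNS settings DNSChanger also altered in some cases, so check the router separately.  After an infected PC has been cleaned, calling the adapter's WMI method SetDNSServerSearchOrder() with no arguments returns it to DHCP-assigned DNS servers.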

See DNS-Changer Malware for additional information.