Wednesday, May 11, 2016

Malware prevention

We continue to be locked in an arms race against bad actors seeking to intrude, for nefarious purposes, into the PCs we use and administer. Viruses and other malware keep innovating; anti-malware software has to scramble to keep up, requiring updates both to the 'engine' and to the 'definitions' or patterns the security software checks for. These updates must be applied automatically, and users should in general not turn off this updating.

Why release malware?

In the past the biggest draws were either
  • adding a compromised PC to a vast 'bot net' useful for sending out spam from thousands of distinct sources (making it harder to block source by source), or
  • logging user keystrokes in a quest to collect bank passwords and the like.

Lately, the bad guys have zeroed in on a new way to make a lot of money exploiting security holes in other people's computers: ransomware. This involves injecting malware that runs with the user's privileges and encrypts as many of their files as it can find, including on network shares, then alerts the user with a demand for online payment (typically in untraceable Bitcoins) to unlock the data.

This type of intrusion is increasingly aimed at institutional users, including hospitals, where the responsibility to keep data accessible for immediate use may pressure data managers to give in to these demands. The same could easily apply to research and teaching related data on UofT PCs.

Backups - the best insurance

The easy way to avoid the pressure to pay in such an event is to have current, secure backups. The backups must be located offline - otherwise the ransomware may just encrypt your backups while it is encrypting your live data. The backups must also be working properly and be readily accessible when the intrusion is detected. Doing a trial restore from your backups and verifying that it brings back what you expected is the only way to be really confident the backup system is working as intended.

Ideally we would always keep every PC so secure that no malware ever gets executed, so anti-malware software is needed. Where can we get this? Microsoft encourages all users to run their Security Essentials on any personal PC or laptop; under the MS Campus Agreement, we're entitled to run Forefront Endpoint Protection on every UofT PC. That's a good start, and we should ensure it is activated and getting updates. But is FEP sufficient? Many feel it may not be. Here's one post discussing that question:

Many third party software publishers offer subscription-based anti-malware programs for Windows. The site I prefer for seeing which of these is rated the most effective is where they regularly re-test all listed products.

On their listing are a few products that offer free installation for academic use. The one I'm evaluating for this presently is 'Avast for Education' which you access through their site. It offers a free login account for you as site administrator, then lets you deploy their endpoint protection tool on as many clients as you like. Your 'dashboard' on their website lets you monitor all linked endpoints via the cloud. 

Defense in Depth

Most commenters on ransomware observe that there is no 'magic bullet' to turn away this threat once and for all. They encourage 'defense in depth', where we aim to eliminate part of the risk at each of multiple points along the way:

  • maintaining regular backups, including a means to isolate backups from the desktop
    • don't leave the backups writable by the user, so ransomware can't encrypt your backups while it is encrypting your live data
  • using a firewall with frequently updated policies to block malware network activity
  • keeping endpoint (desktop and laptop) anti-malware software installed and updated
    • choose a product that covers anti-virus and internet security to block malware
  • keeping browsers locked down:
    • set up secure browsing settings
    • fewer plug-ins, remove any out of support
      • remove QuickTime
      • remove Silverlight
      • remove Flash Player
    • regularly update any required plug-ins that malware frequently targets
      • Java 8-(
  • keeping users educated about social engineering tricks used in malware emails and websites
    • "Log in here to recover access to your... " {bank, email account, etc.}
    • "Please pay the attached invoice promptly" {apparent PDF, but virus inside}
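The trial restore recommended under "Backups" and the read-only backup point in the list above, as an added example (not code from the original post): the script records a SHA-256 manifest of the live files, restores the backup into a scratch directory and compares every file against the manifest, so a backup that was left writable and had a file overwritten in place is caught before you need it. The file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    # Record what we expect the backup to bring back: relative path -> SHA-256.
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def trial_restore(backup_dir: Path, manifest: dict) -> list:
    # Restore into a scratch directory and compare each file to the manifest.
    # A missing file, or one whose contents no longer match (for instance because
    # the backup was writable and got encrypted alongside the live data), is reported.
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_dir, restored)
        for rel, expected in manifest.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(target) != expected:
                problems.append(f"altered: {rel}")
    return problems

def run_demo() -> tuple:
    # Constructed sample data: a small 'live' tree and a backup copy of it.
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "thesis.txt").write_text("chapter one\n")
        (live / "grades.csv").write_text("student,mark\n")
        manifest = build_manifest(live)
        shutil.copytree(live, backup)
        before = trial_restore(backup, manifest)      # clean backup: no problems
        # The backup was left writable, so one file gets overwritten in place
        # (standing in for an encrypted copy); the next trial restore catches it.
        (backup / "docs" / "thesis.txt").write_bytes(b"\x8f\x02\xd1\x77" * 8)
        after = trial_restore(backup, manifest)
        return before, after
```

Run `run_demo()` to see the clean result followed by the detected alteration; in practice the manifest should be stored with the offline backup and the trial restore scheduled regularly.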
