Malware is nothing new, yet infections are on the rise. Why aren't the defences we have been putting in place for the past 20 years effective? Let's look at why.
Buy the software, point, click and you have your own custom malware. You can hide it in a PDF, a Microsoft Word document or a ZIP file.
The only real challenge is mastering enough English to persuade your target to open it. With a bit of time and research, it is straightforward to put together a realistic-looking email, from a realistic-looking domain, with a realistic chance of somebody opening it.
Because of the huge increase in malware variants, anti-malware suppliers are struggling to keep up.
Much as their marketing teams may beg to differ, it is a matter of numbers. They simply do not have the resources to respond to each and every virus. By the time an antidote is developed, another mutation is in the wild.
Pharmaceutical companies have the same challenge with viruses, and make a fortune in the process. Needless to say, security suppliers do too.
Malware can be created that will avoid detection by all those expensive, colourful bits of kit in your server rack. It is a done deal. Do not pin your hopes on blocking malware at the perimeter. Assume it has somehow found its way onto a user's device, whether by a spoof email, a rogue USB stick or an act of God; it will get there.
It is common knowledge that malware will happily evade detection and analysis, because that is exactly what criminals are paying expert software developers to do. So what should we be doing about it?
Beware BYOD and the two-click rule
It seems some companies have already hit the self-destruct button by permitting users to access company resources from their own devices, with limited protection in place.
While all your machines in the office might have the latest and greatest malware protection available, Mrs Trellis from her holiday home in north Wales is unlikely to even know what this is.
Users should not be able to double-click and open an untrusted file, meaning anything that arrived from the internet, as an email attachment or on removable media. They should be prompted with a warning message before being allowed to open it.
This is a basic Cyber Essentials control that most small companies fail when I go in and assess them, yet it is remarkably simple and effective once in place. Do it. No excuses.
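As an added example (not code from the original article), here is how the two-click rule maps onto a Windows 10/11 endpoint running Office 2016/2019/365 (registry branch 16.0): keep the Mark-of-the-Web zone tag on files saved from the internet so Explorer and SmartScreen warn before they open, keep Office Protected View switched on for internet files and attachments, and block macros in tagged documents. The registry paths are the documented Group Policy locations; the Test-MarkOfTheWeb helper, the sweep of the Downloads folder and the sample file are my own additions. Run it in the user's context, or push the same values through GPO or Intune so users cannot turn them back off.

```powershell
# Added example, not from the article: enforce the "two-click rule" for untrusted files.
# Assumes Windows 10/11 and Office 16.0 (2016/2019/365). Run as the target user, or deploy
# the same HKCU values through Group Policy / Intune so they are not user-changeable.

# 1. Attachment Manager: keep Mark-of-the-Web (the Zone.Identifier stream) on downloads.
$attach = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
New-Item -Path $attach -Force | Out-Null
Set-ItemProperty -Path $attach -Name SaveZoneInformation      -Type DWord -Value 2  # 2 = preserve zone info ("Do not preserve" policy Disabled)
Set-ItemProperty -Path $attach -Name HideZoneInfoOnProperties -Type DWord -Value 1  # 1 = hide the Unblock button in file Properties
Set-ItemProperty -Path $attach -Name ScanWithAntiVirus        -Type DWord -Value 3  # 3 = notify the registered AV when an attachment is opened

# 2. Office: Protected View stays on, and macros in internet-sourced documents are blocked outright.
foreach ($app in 'word', 'excel', 'powerpoint') {
    $pv = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security\protectedview"
    New-Item -Path $pv -Force | Out-Null   # -Force also creates the parent ...\security key
    foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
        Set-ItemProperty -Path $pv -Name $name -Type DWord -Value 0   # 0 = do NOT disable Protected View
    }
    Set-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security" `
        -Name blockcontentexecutionfrominternet -Type DWord -Value 1   # 1 = block macros in files carrying the mark
}

# 3. Audit helper (my addition): does a file actually carry the mark? Files unpacked by some
#    third-party archivers, or copied by tools that drop alternate data streams, arrive without
#    it and open with a single click no matter what the policy above says.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $false   # no Zone.Identifier stream at all
    }
    # ZoneId 3 = Internet, 4 = Restricted sites. Zones 0-2 are trusted and do not trigger the warning.
    return [bool]($zone | Where-Object { $_ -match '^ZoneId=(3|4)\s*$' })
}

# Self-check on a constructed file: tag it as downloaded, then strip the tag as a user might.
$sample = Join-Path $env:TEMP 'invoice-test.docx'
Set-Content -LiteralPath $sample -Value 'constructed sample, not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-MarkOfTheWeb $sample      # tagged: Explorer and Office will warn before opening
Unblock-File -LiteralPath $sample
Test-MarkOfTheWeb $sample      # tag removed: the file now opens with one click
Remove-Item -LiteralPath $sample

# Sweep the user's Downloads folder for files that have lost (or never had) the mark.
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    Where-Object { -not (Test-MarkOfTheWeb $_.FullName) } |
    Select-Object Name, LastWriteTime
```

The sweep at the end is the check worth keeping: the policy only bites on files that carry the tag, and a ZIP extracted with a tool that does not propagate Zone.Identifier, or a file arriving over SMB or on a USB stick, will sail past it.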
Block executables and install antivirus
Building on the two-click rule, it is a good idea to stop users executing anything at all. In a trusted environment that has been carefully thought out and planned, users will have no need to run anything that was not deployed for them. Do not let users install anything or run executables. That way, they cannot execute malware.
If a user cannot execute anything untrusted, then antivirus does not really give you much benefit.
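One way to do this on Windows is AppLocker. The policy below is an added example, not the author's or Microsoft's own ruleset: standard users may only run executables from Program Files and the Windows folder (which by default only administrators can write to), and administrators may run anything. The rule GUIDs are arbitrary; %WINDIR%, %SYSTEM32% and %PROGRAMFILES% are AppLocker's own path variables. It assumes a Windows edition that enforces AppLocker (Enterprise, Education or Server) and an elevated PowerShell session.

```powershell
# Added example, not from the article: an AppLocker Exe policy that stops standard users running
# anything outside admin-writable locations. Assumes Windows Enterprise/Education or Server
# and an elevated session. Rule GUIDs are arbitrary.
#
# The stock "allow %WINDIR%\*" rule has a hole: a handful of subfolders under Windows are
# writable by standard users by default, so without exceptions a user could drop an .exe there
# and run it. The four below are well-known examples, not an exhaustive list; audit your own
# build with icacls before trusting the rule.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="3b9d1e64-5a1f-4c3e-8f2a-1c0d7b6e9a11" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7f2c4a18-9b3d-4e60-a1c5-2d8e0f6b3c22" Name="Everyone: Windows folder minus user-writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        <FilePathCondition Path="%WINDIR%\Tracing\*" />
        <FilePathCondition Path="%SYSTEM32%\spool\drivers\color\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="c51e8d90-2a7b-4f13-b6e4-9d0c3a5f7e33" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyFile = Join-Path $env:TEMP 'applocker-exe.xml'
Set-Content -LiteralPath $policyFile -Value $policyXml -Encoding UTF8

# Dry run before touching the machine. Test-AppLockerPolicy needs real files, so copy a known
# binary to the places a user could stage malware and see what the policy would decide for
# "Everyone" versus an admin.
$staged = @("$env:USERPROFILE\Downloads\demo.exe", "$env:WINDIR\Tasks\demo.exe")
foreach ($p in $staged) { Copy-Item "$env:WINDIR\System32\notepad.exe" $p -Force }
$probe = $staged + "$env:WINDIR\System32\notepad.exe"
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Test-AppLockerPolicy -XmlPolicy $policyFile -User 'S-1-5-32-544' -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
foreach ($p in $staged) { Remove-Item $p -Force }

# Apply in audit mode: AppLocker does nothing without the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Event ID 8003 = "would have been blocked". Run in AuditOnly until this list contains only
# things you expect, then change EnforcementMode to "Enabled" and re-run Set-AppLockerPolicy.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20
```

An Exe-only collection is a start, not the end: add the Msi and Script collections the same way (and consider Dll), otherwise a .js attachment or a side-loaded DLL still gets through, and remember that anything a user can write to and that the policy allows is a place malware can be staged.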
Security suppliers have expanded their offerings to include host firewalls, host intrusion prevention, VPN capability, whitelisting, file integrity monitoring, event logging: the lot. While security bloatware might seem a happy compromise, you have to question the benefit. You should be looking to simplify security, not complicate it.
The concepts of least privilege and bare-minimum build standards go a long way. It is worth looking at the thin-terminal model and re-centralising control over user systems, as half the problem has been users being able to do whatever they want.
Ransomware is rising sharply. On one hand, it is very damaging for companies with no incident response capability or backups; on the other, it is raising awareness, and users are not so trusting anymore.
The last, and most important, piece of advice is to be in a position to respond when you do get hit by malware, and you will.
Be prepared to trash any one of your assets and restore it within a timeframe acceptable to the business. Malware should no longer be seen as a security threat; it is an inconvenience. Do not let it get on top of you. With careful preparation, you can get out of the mess that malware can cause.
Tim Holman is CEO at 2-sec security consultancy.