While data-wiping malicious software – malware – is not new, the FBI was moved in December 2014 to issue a flash alert to US businesses, writes Peter Wenham. This alert highlighted the new malware that not only deletes files on an infected PC, but also overwrites the MBR sector of the PC’s hard drive, making it impossible for the PC to boot. Recovery is time-consuming and costly, either requiring the disinfection of the MBR followed by a re-imaging of the drive; or installing a new hard drive and re-imagining. For the smaller company the likely case would be re-building a PC’s hard drive from scratch. Note that, in all cases, any data on a PC’s hard drive at the time of infection would be lost.
Mitigation strategies are twofold – prevention, and recovery should the worst happen. The recovery strategy is the easier, requiring that all PCs are regularly backed up (monthly, with weekly deltas being recommended, and daily deltas if you have the resources); and that all company data is backed up (weekly, with daily deltas) – preferably with a copy held on an off-line resource, (old-fashioned tape drives come to mind, or DVDs/Blurays for the smaller business).
The key is being able to recover company data that is no older than one or two days from a clean resource.
The prevention strategy is a bit more complex. Training staff is an obvious first step – and do not forget management and directors – plus regularly reminding people not to open files from unknown sources or files received unexpectedly. A more difficult concept is to get people to the point where they look and think about a website address: Does it look right? Why I might I want to go to that site? And so on.
A second part of the strategy is not giving people local administrator access to their PC. Make sure staff access profiles on the company network are set for minimum privilege – the cleaner does not need Power User – and that the files that can be accessed are appropriate for a persons function. Nobody – and that includes senior managers and directors – should be given access to all company files except backup mechanisms and system administrators. System administrators should have two network IDs, a standard user account for day-to-day use and a system administrator account for system maintenance.
Finally, there is the technical aspects of the prevention strategy. Operating systems and application software should be up-to-date and maintained, as should antivirus software and backup mechanisms for servers and PCs. Maintained infrastructure includes firewalls and antispam and antivirus mechanisms on the companies email – there are a number of companies offering these services, either for in-house use or via the internet. Logging should be in place and preferably to a dedicated servers that requires a unique “auditor” account to access.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.