Last week we defined ransomware. and explained what you should do if you accidently download it. This week we are going over how to go about avoiding ransomware in the first place.
The first step to avoiding ransomware is to purchase and install a quality Firewall on your network. There is a perception amongst many small business owners that’s if their business is small enough they won’t be targeted by hackers and don’t need to invest in this sort of security hardware, but they are absolutely wrong. Many cyberattacks are sent out en masse and quite indiscriminately. A firewall is a great defense against this sort of carpet bombing approach because it looks at all of your network traffic and monitors it for security issues, filtering them out when it comes across them.
Believe it or not, ransomware and viruses can be spread by something as benign as an email attachment. It is imperative that business owners and their employees both know not to click on attachments from unknown senders; if downloaded, they may very well contain malicious software that can impact the entire network. Along the same line, it is important not to download software or software updates unless you are certain that you are actually on the website of the company that produces that software. Various types of malicious software often masquerade as software updates. For example, you might find a video online that you are interested in watching. You click the link but it redirects you to a website where you are informed that there is, “A new version of Adobe Flash Player that you must download in order to watch this video.” When you click to download the supposed update, you have unwittingly infected your computer with ransomware, or some other sort of computer virus.
Another very sinister and subversive technique used by cyber criminals to infiltrate the computers and networks of various organizations is to drop USB thumb drives or CDs loaded with malware in public places, near the target of their attack. Once they have been inserted into a computer connected to a business’s network, the software on them is able to perform the malicious tasks their creator programed them to perform. Once this has happened, the entire network may well have been compromised.
A number of security companies and researchers have performed tests where they drop a certain number of USB thumb drives on the premises of a business. These drives have software on them that report back to the company or individual who placed them that someone has inserted them into a computer that is connected to the network of the business near the location in which they were dropped. They determine the number of drives that have been picked up and then find the percentage of those that were inserted into network connected devices. As you might imagine, the results of these studies indicate that people have a hard time resisting the urge to see what might be stored on a device which they believe has been accidentally dropped. This is particularly true whenever they are labeled as, “Payroll Data,” or, “Performance Reports.” It isn’t difficult to understand how this sneaky method can be very effective for directly distributing malicious software onto computers and the networks they connect to.
In order to have a complete picture of the means by which hackers may infiltrate a network and infect it with ransomware or some other sort of virus, it is important to understand the concept of “phishing” and “social engineering.” Phishing is a technique used by cybercriminals to obtain personal information using a variety of methods, from website forms to emails where they misrepresent their identity and true intentions. Social engineering involves taking the information gained through phishing attacks or other means and using it to systematically infiltrate an individual or organization’s online identity.
Let’s say that you are at work and while performing research that is job-related you come across a contest wherein the winner receives a free iPad. Without thinking, you fill out a form with your name, address and birthday and click submit. Then you are informed that the last step is to create an account by providing an email account which will act as your username and creating a password. Like many people, you have one password that you use for almost all of your online accounts and memberships. If that contest is simply a guise created by a hacker for the purpose of mining information which they can use to infiltrate your online accounts, you have just provided them with just about all of the information they need to do so. This is how phishing works.
Using the information gathered through the phishing attack, the hacker can then begin social engineering. Those handy links on the login pages for Amazon, Gmail, Facebook and every other online service that allow you to reset your password by sending a link to your email address can be used by hackers to access your accounts once they have access to your recovery email account. Imagine a hacker uses information gathered via a phishing attack to gain access to your Apple ID and password. For the sake of this example, let’s say that you are an iPhone user who syncs notes to iCloud (which most people do unwittingly) and are one of the countless individual that keeps all of their usernames and passwords recorded in the notes application on their iPhone – you would have provided the hacker with literally ever bit of login information that you have. If you have a computer, your admin password would probably be a part of this list, in which case the hacker would be able to easily control your computer remotely. Once they have access to your computer, infecting it or the entire network that it is connected to with a virus or ransomware is child’s play – though they may choose instead to quietly infiltrate your banking and financial accounts and drain them.
The best way to protect against phishing attacks is to be extremely careful when releasing personal information online. A good rule of thumb is to give out personal information as infrequently as possible and to never provide any personal information online unless you are absolutely certain that it is being provided to a legitimate organization. You can protect against nefarious character infiltrating your online accounts by using different passwords as well as choosing complex passwords that are difficult to guess. Another defense against this sort of attack would be to make use of two factor authentication when it is available; this way cybercriminals would need to guess two passwords rather than one, have access to a particular email account of yours or access to your computer or mobile device as the case may be.