In the past week or so we've had a number of customers express concern over the newly identified 'Gameover Zeus' malware. Many of those customers are asking if they are protected against this kind of online threat, but it's not a black and white answer. No business will ever be secure from every threat that comes their way, but every business can do their best to be as well protected as possible.
To help us answer those concerns, we have developed this 10 point security plan which lists the key things you can do to ensure your business is safe from the majority of online threats. These are the criteria we use to assess a given customers vulnerability to any malware of virus, not just those newsworthy ones.
Desktop Operating Systems and Applications
#1 – Desktop Operating Systems
It is important that your desktops and laptops are running a currently supported version of Microsoft Windows. At time of writing this includes Windows Vista, Windows 7 and Windows 8. If you are running Windows XP or any earlier version of Windows then your business is at risk because Microsoft are no longer releasing updates to legacy systems such as Windows XP.
On Desktop and Laptop Computers we currently recommend Windows 7 Professional
#2 – Operating System Updates
Assuming you have a currently supported version of Microsoft Windows on your computer (see point # 1 above), you’ll also need to ensure that all of the recommended updates to that operating system have been installed. Given that updates are released at least once per month (and sometimes more frequently when malware risk levels are high) you’ll need to verify how up to date your computers are on a frequent basis.
If you are unable to check if your own desktop operating systems are up to date, you need our desktop monitoring service - available from £5 per month.
#3 - Applications & Updates
Internet facing applications like web browsers and email clients must also be maintained and updated in the same way as the operating system. For example, older applications such as Office 2003 are no longer supported. Where you have currently supported products such as Office 2007, Office 2010 or Office 2013, these applications still need to be updated to the latest available versions to improve security. While many Microsoft applications are easy to update, other programs require more work because update methods can be different.
If you are unable to check if your desktop applications are up to date, you need our vulnerability scanning and patch management services - available from £5 per month.
#4 – Removal of Admin Rights
Most small businesses have their computers configured so their users have full and unrestricted access to their own computer. In the business, we call this having ‘Admin Rights’. This is very convenient for most businesses because it means any user can install any software they want or install necessary updates to their computer without having to call their network administrator (usually, that’s us!). The great drawback of this approach is that, if a malicious program gets past your security and tries to install on your system, it will usually be successful. Only by removing admin rights from all users will you be able to halt installation of this kind of malware on your network.
We recommend removing admin rights from all users, but you’d need to have a responsive IT support and maintenance plan in place in order to alleviate the knock effects of removing admin rights from users.
Firewall and Malware Protection
#5 – Premium Security Suites
If you want to give your business the best protection against online threats, don’t rely on basic security protection. Paid-for security suites such as AVG Internet Security offer you permanent protection against online threats. We’ve seen first-hand how customers that rely on free of charge security products have suffered hundreds of pounds worth of data damage and permanent data loss – but those customers that bought premium products have had the same threats intercepted automatically. For businesses, a centrally managed suite such as AVG Internet Security Business Edition enables centralised management, monitoring and policy enforcement which is essential to helping secure your network. Of course these suite must be kept up to date and malware scans should be run frequently.
We currently recommend AVG Internet Security 2014 or AVG Internet Security Business Edition 2013.
#6 – Supplementary Malware Protection
Not all security suites are able to detect or remove 100% of threats 100% of the time, and so in some circumstances, malware can ‘get past’ an installed and ‘always-on’ product. In these situations it is useful to have a secondary malware detection and removal tool which is always up to date and can be run on-demand. It’s like having a second opinion available at all times. Note that it is not appropriate to have two ‘real time’ security suites running at the same time on a given computer so users should run this supplementary malware protection on demand, or it can be run as part of a maintenance service.
We currently recommend Malwarebytes AntiMalware Free Edition.
Most small businesses concentrate their security efforts on protecting their ‘endpoints’ – that’s the desktops and servers where internet traffic arrives (in the form of web sites or emails). While this is essential, an extra layer of security can be had by implementing security on this traffic before it reaches your computer endpoints.
#7 – Perimeter Email Scanning
One of the best ways to improve security at the perimeter of your network is by having a robust email server which scans inbound email for malware and spam. Such servers will form a first line of defence and can eliminate many attachment based viruses before they reach your mailbox and will reduce the number of spam emails that could include links to websites that are hosting malicious code.
We currently recommend cloud hosted Microsoft Exchange based email servers.
#8 – Perimeter Traffic Scanning
A proxy server will scan the content of a web site or a download before it touches your users computers. It takes decisions about whether a web site is safe or not out of the hands of your users and into the hands of (in the case of GFI WebMonitor) multiple security engines, three antivirus engines, several anti-phishing feeds, multiple malware protection layers and web reputation protection. Note that a proxy server requires an elevated amount of administration in addition to the initial software installation and setup costs and such software or hardware require an on-going investment and support commitment.
We currently recommend GFI WebMonitor software proxy, or a FortiGate security appliance hardware proxy.
Assuming that you have some or all of these bases covered, there is still an important human factor to consider. Users should adhere to an IT policy that outlines what is and is not acceptable in terms of email usage and internet usage at your business. The IT policy should be backed by regular training and include guidance on:
#9 – Email Attachment and Link Policy
Where users receive unsolicited emails with attachments or links to websites they should be very cautious. An email attachment could include a malicious program that presents a security hole in your network. A single, compromised computer could render a whole computer network unusable. While security suites get stronger at combatting these types of attachment based threats, users are instead diverted via links in emails to malicious websites that will try and install malicious programs on your system. These are harder to detect because a simple link to a website in itself may not be considered malicious – only when a person clicks that link can it become a problem.
We recommend forming an IT policy which includes guidelines on ‘acceptable use’ and also training users to be suspicious of unsolicited inbound emails containing attachments and links.
#10 – Passwords
Once a computer is compromised, malicious software can scan a computer (or indeed any servers it is attached to) for such things as usernames, passwords and bank details. If any of your users are saving this kind of information in an unencrypted format then you should consider changing the way passwords are stored.
We recommend using a password manager such as LastPass, or saving passwords in Outlook 'Notes' only where you are using a Hosted Exchange email solution.
So, that's our 10 point plan. No business will be completely secure against all online threats, but if you can tick off as many boxes as possible you'll be well on the way to a network that is more secure than most.