Malware is a broad term short for "malicious software." It includes anything designed to harm your computer or steal your information. Some of the more common infections that are classed as malware are viruses, spyware, worms and trojan horses. We’ve all heard these terms from time to time and probably many of us have experienced the headache of dealing with one of them.
Often though, there is much confusion about exactly what each type of infection actually means. Without a complete understanding, we can fool ourselves into a false sense of security and unwittingly allow ourselves or our employer’s computer network to be compromised. Before we can prevent or remove a malware infection, we need to comprehend exactly what we are dealing with. Please read "What’s the Difference Between Viruses, Trojans, Worms and Other Malware?"
The summary is:
- Viruses: Surreptitiously infect a computer by replicating themselves; the only user action required is connecting an infected device. Their goal is to cause as much damage and havoc as possible.
- Spyware: Hides its presence (doesn’t kill your PC) in order to monitor and steal personal & financial information.
- Scareware: Masquerades as an antivirus program with constant phony warnings. Renders the computer inoperable until the user buys the fake "full version" antivirus.
- Trojan Horses: Also try to keep their presence secret in order to provide remote access to your computer for nefarious purposes. Must be installed unwittingly by the user – do not self-replicate.
- Worms: Self-replicate and infect computers across network connections, requiring no user intervention. Often have a less malevolent intent than viruses and are more nuisance-like.
Each of these threats requires different measures to counteract. For example, an antivirus program may protect against viruses, but often does not include spyware protection. Or a malware removal tool might be great at removing viruses, but is impotent to prevent a worm infection. Here are some expert guidelines you can use at work or at home.
1 – Remove the junk on your computer
- Download Squad has a 4 step process guaranteed to cleanse your computer of all malware evils. It is titled: Save Your Friends & Family From Malware!
- Lifehacker.com has a similarly titled "How to Fix Your Relatives Terrible Computer" that includes instructions on issues other than malware, but about the middle of the article it discusses "Clogged with Crapware."
2 – Implement some protective strategies
- 99% of infections come from Internet use – so some simple Internet improvements can make a big difference. For instance, stop using Internet Explorer! Switch to a more secure browser like Mozilla Firefox or Google Chrome.
- Switch to a web-based email provider that includes attachment virus scanning and prevents automated actions (like Gmail) to provide an added security filter.
- Stop installing pirated software – it is often ripped by people who add trojans to allow them access to your computer.
- Even with these protections, some websites exploit known software vulnerabilities to automatically download something to your computer without your knowledge.
To "harden" your computer against these attacks, follow the suggestions in "Protect Yourself From Drive-By Malware Attacks."
Password: The Key to Digital Valuables
A well-known proverb advises: "A chain is only as strong as its weakest link." For many modern security systems, the user password is the weak link. No matter how advanced the security measures, a weak password will render them all useless. Most of us have a few passwords we use over and over, and any extra unique ones are written down on paper or stored in our email. This system allows our brain to manage the never-ending password list, but leaves gaping security holes open. Before we go any further, test your passwords using the Password Meter to see how your current passwords hold up.
Ideally, every website should have its own password. Realistically, our brain would melt under the strain of memorizing all these unrelated random strings. However, there is a simple way to generate a unique password every time it is needed. This method is described in slightly different forms by How to Create a Good Password That You Will Not Forget, and Geek to Live: Choose (& Remember) Great Passwords. Basically the method goes as follows:
- Choose a memorable "base" password at least 8 characters long that isn’t a word found in a dictionary. For example I can use part of my name "Tyler Mc" as a base password.
- Replace letters with symbols and upper/lower case in a memorable but uncommon way (ie: don’t change a to @ - it’s been done before). In my case "Tyler Mc" becomes "7y!er%M
- Test your password with the Password Meter to ensure it is complex.
- Come up with a simple way to incorporate each site into your password. For example, append the domain name or url with some simple substitutions. My password for gmail would become: "7y!er%M
- If you don’t feel safe with "easy to remember" secure passwords, use 5 Free Password Generators For Nearly Unhackable Passwords.
The idea is to come up with a long list of unique passwords that we can remember without writing them down. Of course there are times when specific sites have requirements that conflict with our system. In these cases we do need to find a way to track these outliers. And using "Remember Password" is completely unacceptable. Find out why by reading Your Passwords Aren’t As Secure As You Think; Here’s How to Fix That. That article explains that the only truly secure solution for password storage is a password manager. If you choose to use one, here are the Five Best Password Managers.
Physical Security
The Internet is only one way that our data can be compromised. It is also susceptible to failure or theft of the physical device on which it is stored. Data losses for these reasons continue to occur at even the largest organizations. Regularly we hear reports of laptops stolen from government agencies and corporations containing the personal information of thousands of people. As employees we need to be capable of protecting any virtual assets our employer places in our care, and those of our personal life as well.
Theft:
Protecting against theft can take a number of different forms. The first line of defense available is a lock and key. Laptop-specific designs are widely and cheaply available. The second stage of defense involves using a laptop alarm or security camera. This software is installed on your computer and will draw immediate attention during an attempt to steal it, or alternatively lock it down so it becomes useless to the thief. If these deterrents fail, there is still hope of tracking your computer down via free retrieval & tracking software. Finally, if all else fails, a good encryption system will prevent your data from falling into the wrong hands even if your computer does. Read the step-by-step guide to setting up each of these preventive measures on your own laptop security system.
Side note: sometimes information can be given away without theft even being involved. One study found that over 40% of hard drives for sale on eBay contained easily recoverable personal data. As responsible business students, we should understand that simply deleting data doesn’t erase it or prevent others from reading it afterwards. Whenever discarding a hard drive with sensitive information, make sure to Properly Erase Your Physical Media.
Hard Drive Failure:
When a hard drive fails, our information doesn’t fall into the wrong hands, but it can still cause great damage. Consider the example of JournalSpace, whose entire business was wiped out in 2009 due to inadequate backups. Backup is something that most of us know we should do, but few take the time to implement. It doesn’t necessarily need to be a complex undertaking. Instead of explaining it all here, we are going to send you to the tried and tested Lifehacker.com to "Set Up a Foolproof and Fireproof Automatic Backup Plan." Read it! Even if you don’t implement the exact steps it walks us through, it will demonstrate the method to develop a backup plan of our own.
Phishing and Other Scams
The most recent attacks on our digital assets, passwords and data come by way of social engineering. Criminals have found it is often easier to fool a person into giving their confidential details (passwords, logins, etc.) away than to hack them technologically. The most widespread use of this technique currently is an approach called phishing.
Phishing traditionally involves an email from someone misrepresenting themselves as a representative of the organization they want to steal our information from. There can be an endless number of reasons given for why, but the end request is always for our login and password information. We are directed to a site that looks identical to the real one, but is actually set up by the hoaxer, and when we enter our details he captures them for his own use.
For example, you receive in your inbox an email from TD Canada Trust that informs you they have had a breach of security and your account security may have been compromised. They ask you to please log in and change your password to prevent unauthorized access. At the bottom of the email there is a helpful link provided: TD Canada Trust Login Page.
Go and take a look at the page pointed to in the link. You will find it looks identical to the real TD Canada Trust Login Page, but the URL shows that it is actually hosted on a private blog. I set the fake page up in less than 10 minutes to show you how easy it is to copy the look of a real website! If a phisher had set up the fake page, whenever you logged in, he would have immediate access to your real accounts.
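The check you just did by eye (compare what the link says with where it really goes) can also be automated. The following Python sketch is an added example, not part of the original lesson; the hosts bank.example and someblog.example, the sample email and all function names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed placeholders, not real bank or phishing hosts.
TRUSTED_HOSTS = {"bank.example"}       # assumption: the bank's genuine domain
BRAND_WORDS = ("td canada trust",)     # brand named in the lesson's example

SAMPLE_EMAIL = """
<p>We have had a breach of security. Please log in and change your password.</p>
<p><a href="http://someblog.example/td-login">TD Canada Trust Login Page</a></p>
<p><a href="https://www.bank.example/help">TD Canada Trust Help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_is_trusted(host):
    # Exact or subdomain match only, so a trusted name used as a prefix
    # (bank.example.someblog.example) does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def suspicious_links(html):
    """Return (link text, real host) where the text names the brand but the
    href points somewhere other than a trusted host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname
        if any(w in text.lower() for w in BRAND_WORDS) and not host_is_trusted(host):
            findings.append((text, host))
    return findings

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_EMAIL):
        print(f"'{text}' actually goes to {host}")
```

Only the first link in the sample is reported: its text names the bank, but its address is on an unrelated host.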
An even more insidious scheme called tabjacking cuts the email out of the picture and is harder to identify. Learn what it is and see a proof of concept by Aza Raskin.
So how can we protect ourselves? Knowledge is by far the best weapon in this arena. Phishers prey on the unwary. So let’s educate ourselves. First, study and save for your reference the Phishing Flow Chart to understand what signs identify questionable emails. Second, test out the flow chart and your knowledge by taking the SonicWall Phishing & Spam IQ Test. You will need your results for this week’s learning activity.
Assignment
Implement 3 suggestions from Lesson 10 above. In a paragraph, tell us what you did, why you chose those suggestions to implement and any problems you had in doing so. In a second paragraph, post your Phishing IQ Score and explain what fooled you in the quiz.