This the first in a four-part series on Internet security, how to monitor and prevent threats to the computers and networks of a small business, and how to combat breaches when they occur.
“The criminals have gotten much more sophisticated over the last few years,” says Sam Masiello, director of messaging security research at McAfee Inc., which protects computer systems and networks.
“Their intention is to infect your computer so that you don’t even know you’ve been infected.”
Hardly reassuring words for computer users or business owners. Cybercrime continues to flourish for one simple reason: it’s profitable.
Hackers use two broad approaches: Either they sneakily install malicious software on your computer to control it or steal your information, or they trick you into giving up your information voluntarily.
The malicious software can enter your system when you visit a shady website, or open an e-mail attachment carrying a virus. If it infects your machine, it might hand control of your computer over to networks that will rent it out to spammers, who will use it as a junk-mail-sending machine.
Or worse, it might install “key-logger” software that takes careful note of every word you type – usernames, passwords and all – and sends it back to hackers, who can co-opt your online accounts, take your money, and even represent themselves as you to your friends.
None of these things bode well for small businesses, which are often focused on the job at hand more than they are on information security. But there are new responses to these threats. In increasingly perilous seas, how do you stay on course without giving in to paranoia?
Here are some suggestions:
1. Don’t open unexpected attachments, even if they come from friends.
E-mail attachments are a great source of malware. But nowadays, they don’t just come from dodgy strangers, they can come from your best friends.
When certain malware infects computers, it will scan e-mail address books and send malicious messages to every contact, making it appear that the message comes from a friend. Oftentimes, they’ll contain messages such as “Here’s the PDF I said I’d send,” but they’re getting more clever and more subtle all the time.
If someone you know sends you an e-mail with attached files that you weren’t expecting, or that seem strangely generic (“Hey, check out these pictures!”), make contact with the sender first to make sure it’s genuine.
“If it sounds unbelievable, it totally is,” says David Mirza Ahmad, a cyber-security veteran and one of the founders of Subgraph, a Montreal-based security start-up. “Look for cues in the e-mail: Is the e-mail worded a little differently? Is it normal to receive random files from this person? If there’s a file, there should be context.”
In fact, any unexpected behaviour from friends on social networks should be taken with a grain of salt. Social networks are the latest frontier for hackers because they engender so much trust. If a Facebook friend starts posting items they wouldn’t normally post, be careful: their account might have been compromised, and the items might be a trap.
2. Update, update, update.
Even if you never opened another attachment in your life, you can still let viruses in, even by doing something as simple as visiting the wrong website at the wrong time.
The software that runs modern computers is enormous and labyrinthine, and hackers are always finding new holes that they can use to sneak malicious software onto computers – usually by injecting. And software makers such as Microsoft, Apple, and anti-virus makers, are constantly rushing to patch those holes. It’s a never-ending game of cat-and-mouse.
This is why it’s essential to keep your software up-to-date, and up to the minute. You need to update three things: First, your operating system (such as Windows or Mac OS), which receive updates to plug security holes as they’re found. By default, these will install automatic updates – it’s important to let them. Second, your web browser (Internet Explorer, Firefox, Chrome) needs to be up-to-date for the same reason. New versions are free to download. This goes expecially for users of Internet Explorer 6, an older version of the popular browser that was well-known as a security nightmare.
Finally, your virus-checking software needs constant updates to know which malware to look for today.
3. Be very careful about following login links from e-mails.
The next trick is to keep from getting tricked. Increasingly, scammers will try to convince you to give away your login and password for a phony web page that’s set up to look like a real one.
It’s called “phishing” – as in, going fishing for victims. You’ve probably already received some that use banks as bait: An e-mail arrives, prompting you to visit your bank’s website to “verify your login information.” It will direct you to a page that looks like your bank’s website, but it is really a false front that passes your login information on to hackers.
So far, these have been fairly easy to spot. But scammers are getting smarter: they’re now sending e-mails that look like new-friend or message-waiting notices from social networks such as Facebook or LinkedIn.
Always be cautious. Watch out for vague-seeming notifications. Pay careful attention to the URL at the top of the web page. If there’s any doubt, don’t follow the link from the e-mail, but visit the social network’s page directly and log in there.
4. Use different passwords.
Password safety isn’t the be-all and end-all of security, but it’s an important rudiment. You’ve probably been regularly warned not to use simple or easy-to-guess passwords. But it’s probably even more important (and, yes, more annoying) not to use the same password for every online service you use.
The reason is simple: If, by installing a key-logger, or tricking you with a phishing trick, a hacker gets the username and password for one site, you can bet he’ll turn around and try it on every other service you’re signed up with. You could wind up being locked out of everything at once.
If remembering a dozen different passwords is unwieldy (and it is), consider using at least two groups of passwords – one for not-so-important sites, and different ones for the really sensitive logins. Or, Mr. Mizra suggests using desktop software that uses one master password to access all the individual passwords - software such as the Mac OS Keychain or PasswordSafe for Windows.
5. Don’t think you’re smarter than the criminals.
So you know the ropes on the Internet. You know a malicious e-mail when you see one. Still, sometimes curiosity gets the best of you, and you click, thinking that you’re not going to divulge any personal information or download any suspicious files. Surprise: the bad guys have anticipated that, too.
“People believe that the operating system will protect them from everything they want to do; that by clicking on this link they’re smarter than the criminal,” Mr. Masiello says. “The criminals have got smart to this kind of thing.”
Tricks such as interstitial pages, pop-ups, and unpatched browser exploits can infect a computer before the user has clicked a single button or typed a word on a malicious web page.
And if you’re reading this on a Mac – don’t get too smug. For all of Apple’s marketing, Macs aren’t actually more secure, they’re just targeted less because fewer people own them. Malware comes for everyone, and – unfortunately - the only real solution is diligence.
Special to The Globe and Mail