Antivirus software has improved but malware continues to evolve, using techniques like hiding, disguising itself, or waiting for commands to activate. Reading antivirus logs weekly can provide insight into attacks, even if the computer seems fine. While antivirus helps, relying only on it is risky; a layered security approach including firewalls, intrusion prevention, and endpoint protection fits all budgets. Ransomware infects computers in phases, initially tricking users then encrypting files until payment is made; ignoring early warning signs like slow performance increases risk. Businesses must educate employees to promptly report anomalies to prevent data encryption across the entire network.
3101 N. Central Avenue | Suite 300 | Phoenix, AZ 85012
602.264.6835
www.cbiz.com | www.mhmcpa.com
CBIZ & MAYER HOFFMAN MCCANN P.C. – YOUR LEADING BUSINESS SERVICES PARTNER
Antivirus Complacency could Cost More than You Think!
In recent years, business and home PC users have enjoyed a period of relative calm with low-impact virus outbreaks, or so it would seem. Yes, it’s true that antivirus programs like Symantec 360, McAfee and Sophos have all improved to the point that we forget there is a war taking place over our data just on the other side of our keyboards. The categories of malware targeting our business and home PCs have changed to avoid detection. For example, some malware gets on your system and waits, listening for remote commands to become active and deliver its payload. Other malware uses stealth to hide, and others put on a disguise to look like operating system files. Have you looked at your antivirus application’s log files lately? Most of us haven’t. Symantec 360, for example, will display a history of intrusion prevention, identity protection events and firewall reports; the one I pay attention to the most is the recent history report, which displays all of the preceding reports and much more.
Reading your PC’s antivirus software history report on a weekly basis can give you a better understanding of the attacks that are taking place on your PC, even when you’re not using it. Did you leave your PC on last night? I believe that we as computer users grow complacent because we have transferred the job of protecting our businesses and PCs from hackers and malware coders to the big antivirus companies. We have forgotten that we are in a war, and “know your enemy” applies just as much today as it did 2,500 years ago when Sun Tzu wrote those words.
Here’s What You Need to Know
Most antivirus manufacturers do a good job of protecting your PC from malware and its subcategories such as viruses and spam. While it’s true that our best offense is a great defense, today’s business systems require a greater depth of security controls that are detective, preventative, deterrent, compensating and technical. Most businesses are willing to invest in network equipment of some kind; that’s a technical control. To make the purchase truly effective, your network security equipment needs to provide a layered security strategy, also known as ‘defense in depth’, that includes security controls from each category. Simply put, don’t place all of your eggs in one basket and rely on the antivirus manufacturer to keep your critical business data safe! Taking a layered approach to security includes having properly configured firewalls that block unwanted traffic both coming in and going out of your network. Depending on the size of your company, your defense in depth strategy may require you to deploy a Unified Threat Manager (UTM) or Intrusion Prevention System (IPS) to work alongside your firewall. Your PCs also need protection everywhere they go, not just on the business network. Defense in depth on a PC should include at least three layers: antivirus protection, the operating system firewall, and some type of endpoint protection in the form of an internet proxy filter. Today, these defensive tools come in the form of hardware appliances and software applications to fit just about any budget.
Data Security is a Full Contact Sport
When it comes to data security, I like to quote Warren Buffett: “It takes 20 years to build a reputation and five minutes to ruin it.” When applying this to protecting your business data, the compliance requirements and legal implications that come from just one data breach should help us to become better guardians of our data. You may have the best antivirus money can buy, but if you are relying on antivirus alone it’s just a matter of time before your PC gets compromised. PC end-user awareness and malware education should be at the top of your business defense in depth strategy, and it’s the focus of the rest of this article. Knowing your enemy isn’t enough these days; you need to know your PC. We spend more time with our PCs today than we do with our friends and family. We know when things are off with our PCs; we see and feel the warning signs, but choose to ignore them, and that is what the malware coders are counting on. If you are the PC user that leaves your computer running all night because rebooting takes too long, then you could find yourself waking up to a ransomware infection that has locked up your data. I’m not just talking about your PC hard drive either. If you are logged into the network, ransomware will go to work on the server drives that are mapped to your PC. Beginning with drive F: and working to drive Z:, every file that the infected PC has access to will get encrypted.
Phases of Ransomware Infection
Let’s look at the phases of a ransomware infection and some of the symptoms that you may be ignoring.
Phase One, you took the bait. It showed up in the form of a phishing email, or you downloaded what looked like a .PDF and ignored the warning that the PDF file needed to run a script. You thought nothing of it because nothing appeared to change on your PC. So you moved past the incident and forgot that it happened. Phases Two and Three, the Trojan is now activated on your PC and it begins writing to the Windows registry. The next time you boot up your PC, the ransomware encryption engine starts. You may have the latest antivirus update installed to stop it, but then again your PC may be under attack from a newer version of Trojan/Win32.crilok.new.* and the antivirus company hasn’t identified it yet. This is where user awareness comes in. You say to yourself, “It’s taking longer to open that email, application or webpage than it did last week.” But you shrug it off and move on. Stop and rewind. If your car, dishwasher, or TV suddenly started running slow, would you just ignore it? Now is the time to call your IT support professional to help you by checking your PC’s antivirus, firewall and proxy logs for new issues. Phase Four, you become complacent and leave your PC on all night, allowing Trojan/Win32.crilok.* to have its way with your PC. Once Trojan/Win32.crilok.* establishes a connection to the command and control server, it’s now too late! Remember what I said about blocking traffic leaving your network; this is why. If Trojan/Win32.crilok.* or any of its new variations is able to establish a connection to the command and control server, the encryption begins and the key exchange takes place
allowing them to make good on the threat of holding your data hostage until the ransom is paid and they send you the decryption key to unlock your PC. It’s during Phase Four that it all begins to become clear as to what just happened to your PC. That’s when people call me and say, “The other day I opened this email and…”, or “I was on a website and this download did something and now I can’t get to my files.”
For a business owner with a computer network, one infected PC that is attached to the network undetected during Phases 1, 2, or 3 will move into Phase 4 and encrypt the file server’s mapped network drives as well. Beginning with drive F:, the network drives will be encrypted, moving as far down the server drive mappings as the compromised user has access to. To combat ransomware and many other malware threats we need to stop being complacent PC users. Please reach out to your IT professional as soon as you notice any strange activity. The earlier we can detect and prevent, the safer our computers and data will be.
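One way to turn the early-warning advice above into a check an IT professional could run against a mapped drive is the following Python script. It is an added example, not part of the original article: it walks a share, counts files modified within a recent window, and flags files whose extension should hold readable text but whose contents have the near-random byte entropy that encryption leaves behind. The constructed sample share, the list of plaintext extensions and the 7.2 bits-per-byte entropy threshold are assumptions made for the example.

```python
import math
import os
import tempfile
import time
from pathlib import Path

# Extensions that normally hold low-entropy, readable content. Formats that are already
# compressed (zip, jpg, pdf, docx) are deliberately left out to avoid false positives.
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".sql"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted or random data approaches 8.0, English text sits near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_share(root: str, recent_seconds: int = 900, entropy_threshold: float = 7.2) -> dict:
    """Walk a mapped drive (for example F:\\) and return two ransomware indicators:
    how many files changed within recent_seconds, and which 'text' files now look encrypted."""
    now = time.time()
    recently_modified = 0
    high_entropy = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime < recent_seconds:
            recently_modified += 1
        if path.suffix.lower() in PLAINTEXT_EXTS:
            head = path.read_bytes()[:4096]  # the first 4 KiB is enough to judge entropy
            if len(head) >= 256 and shannon_entropy(head) > entropy_threshold:
                high_entropy.append(path.name)
    return {"recently_modified": recently_modified, "high_entropy": sorted(high_entropy)}


def build_sample_share() -> str:
    """Constructed sample share: three untouched reports plus two CSV files
    overwritten with random bytes to stand in for freshly encrypted data."""
    root = tempfile.mkdtemp(prefix="share_f_")
    for i in range(3):
        Path(root, f"report{i}.txt").write_text("Quarterly figures, line of plain text\n" * 40)
    for i in range(2):
        Path(root, f"ledger{i}.csv").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    result = scan_share(build_sample_share())
    print(f"{result['recently_modified']} files touched recently; "
          f"encrypted-looking text files: {result['high_entropy']}")
```

A spike in recently modified files combined with text files that suddenly read as random bytes is the kind of early sign the article asks users to report rather than ignore.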