What Malware Is: Malware Protection 2019
Few things that can happen to a PC are worse than becoming infected with malware. Your PC might fail to start, you might lose your connection to the Internet, or a hardware component in the PC might fail, but all of this pales into insignificance when compared to the threat of infection. In this blog, we explain what malware is and how to remove malware from a PC.
Why is this? While troubleshooting problems on PCs commonly leads us to discover that the problem is isolated to just the machine in question, a malware infection immediately threatens not just every other PC on your network but also your servers, storage (both local and cloud), clients, partners, employees, and much more besides.
With the introduction of ransomware in the last few years, the threat is worse than ever before. Businesses might suddenly find all their documents and files encrypted and a demand for payment of a large ransom for the decryption key.
It’s not all doom and gloom though, as removing any type of malware from a PC, even unpleasant ransomware, is simpler than you might believe. Protecting your PCs from malware is even simpler still.
The rise of bots and ransomware took malware infection to a new level. A bot would infect thousands, sometimes even millions, of computers and then sit silently waiting for instructions.
Control of the infected PCs would then be sold on the dark web to the highest bidder, who could record keystrokes (such as usernames and passwords) on the PCs, gain backdoor access to them, or launch distributed denial-of-service (DDoS) attacks that would flood Internet services and specific companies’ web servers with so much traffic, over such a prolonged period, that the servers would fail.
Ransomware, which encrypts the files and documents of individuals and companies, is widely reported to be raking in millions of dollars for its creators every year, as universities, hospitals, major corporations, and even governments secretly pay costly ransoms for unlocking keys.
Today, malware exists on every computing platform and operating system. The popularity of Google’s Android OS makes it a very tempting target, and even the advanced security of Apple’s iOS and OS X systems offers no guarantee of protection, because, as I’ll explain shortly, it’s the user and not the software that’s commonly attacked.
Internet of Things (IoT) devices are a new route of attack into your network or home, as they often come with very lax, or even zero, security. Once connected to your network and your router, they can be used as gateways through which other devices can also be accessed.
Often, physical access to the IoT device will be required to infect the device, though it’s not unheard of for viruses to be pushed through firmware updating.
If you use IoT devices, it’s always wise to change the default administrator username and password and to check that the manufacturer has taken security seriously when designing the firmware.
For the purposes of this blog, however, I’ll be focusing on Windows 10 PCs and networks, which include servers, desktops, laptops, ultrabooks, and tablets, primarily running on Intel processors. ARM-based Windows 10 systems, such as smartphones and low-power devices, are less susceptible, because they are based on a more modern, and more secure, architecture of the Windows OS and don’t include the “legacy” code and features that are often the focus of malware attacks.
They are, however, not completely immune, and, as such, the same techniques I’ll teach you in this blog for removing malware from Intel-based systems will also apply to infections on ARM-based PCs.
The Psychology of Malware Infection
There was a time before the Internet when every single PC was a stand-alone, individual machine and, as such, the security they had in place was often poor, or even nonexistent.
Even when the Internet became widespread in the late 1990s, it took companies such as Microsoft many years to become fully aware of the threat poor security posed to their users and their reputations.
The problem with viruses arose because malware exploited security vulnerabilities in operating systems that allowed it to run automatically, unhindered, and silently when it arrived on a PC via an e-mail, an infected file from a disk, or across a network.
Therefore, operating systems such as UNIX and Mac OS, which is a UNIX derivative, were often hailed as being far more secure than their Windows counterparts, because the user of the PC did not have the administrative rights needed to allow malware to run.
These days, however, our Windows PCs are far more secure. Features such as User Account Control (UAC), first seen in Windows Vista, and Secure Boot, introduced with Windows 8, offer valuable first-line protection against infection. For this reason, the criminals (now more often criminal gangs) behind malware began to look to psychology to propagate their code.
How could end users be tricked into installing their malware? The answer was to disguise the malware as something innocuous, useful, or even fun, such as a codec required to play video on a website, or an app, OS update, or driver that you might normally download directly from the official provider but that has been modified with an added payload and then made available on file-sharing or popular download sites.
The first line of defense against malware these days must be education and training of PC users, be they at home or in the workplace.
People might find a “funny cat” video that won’t play without a codec being installed, or a game that one of their colleagues has been playing, or they might be tired or rushed and click through a security notice without first reading it or paying attention to what it might mean.
Any granting of administrative rights to malware allows that malware to install and operate freely on the PC. Even if something looks like a legitimate or fun game, it could have an unpleasant payload in the background, operating silently against you.
In the business space, and especially with ransomware, the problem is exacerbated. It takes only one employee, overworked and up against a tight deadline, clicking a UAC security prompt so that she can open a file a colleague or friend has sent her, to give malware free rein to access any resource available to that user on the network.
Criminals take advantage of the fact that the average PC user is not a technically minded person who understands, or even has to understand, how an operating system and software work and what a malware infection is capable of doing. It’s the same issue people face with their personal and banking details.
Only when someone’s credit card details are stolen might he begin to reevaluate covering his hand when he types his PIN at an ATM or in a shop or creating a more secure password for himself.
The two main defenses against malware infection, therefore, have to be preventing users from being able to run code or install software and, where it is difficult or simply impossible to achieve this, educating PC users on the threat of malware, how it propagates, and what it is, and definitely is not, acceptable for them to click.
Different Types of Malware
You might have noticed so far in this blog that I’ve been using the terms malware, worm, and virus almost interchangeably. This is because there are many different types of malware (an umbrella term) that can affect PCs.
Viruses and Worms
Viruses and worms are the best-known types of malware, and they’re named not for the actions they perform but for the way they propagate. A virus, for example, spreads from one machine to another through a medium comparable to the way you might catch a virus in your own body, such as physical contact or sharing.
A worm, however, will burrow from one machine to another via a network. Viruses and worms may perform one or more of the actions described in the rest of this section.
Privacy is one of the buzzwords of modern computing, as social networks and major corporations collect data and information about our activities online, where we go (both physically and online), what we look at, what we buy, who our friends are, and what they like, etc.
Spyware is malware that performs these tasks independently of any connection to a specific social network or website. Spyware gathers information about what you do offline and online on your PC and sends it back to its creators; this can include using a keylogger to record the keystrokes you type when you sign in to websites, online shops, and banks.
Adware is the most innocuous type of malware, being something that is intended to display ads to you on your PC. These will commonly come in the form of pop-up windows, in a browser or separately. There is no real threat from adware unless it also carries an additional payload, such as a keylogger.
A Trojan, also known as a Trojan horse, is a package that is intended to appear completely innocuous and harmless but contains a hidden payload.
It is named for the wooden horse the Greeks gave as a gift to the citizens of the city of Troy about the 12th century B.C. that contained soldiers who opened the city gates at night, allowing an invading Greek army to overpower the local inhabitants.
So, technically, it was a Greek horse, and not a Trojan horse, but we’ll skip lightly over that bit.
Trojans will typically appear as audio or video codecs (plug-ins required to play a music or video file or view a video online), a web browser plug-in, a game or something otherwise amusing or useful, or a pirated app, an ISO disk image installer for an operating system, or a document.
Bots are usually for sale. If you hunt around a little on the dark web (which I don’t really recommend), then among the drugs, weapons, and other illegal goods that are sold there, you’ll probably find something called a “botnet.” Botnets are networks of machines that are infected by bots.
Typically, a bot will use the Internet connection of the infected machine to launch a prolonged DDoS attack on a company or website. All the end user will notice is a slowdown in his/her Internet speed, but with thousands, perhaps tens or hundreds of thousands, of bots available and online at any one time, botnets can be an effective way for criminals to extort money from companies, or for political groups (and occasionally even governments) to attack a country’s infrastructure.
Rarely, however, will bots be used merely for this single task. They will almost always include keyloggers and control software that offers backdoors into the PCs they have infected.
You’ll occasionally hear about companies such as Microsoft taking down a botnet, usually with the help of a security company (or more), and always with the help of local law enforcement officials in the relevant territories.
When a network such as this is taken offline, a common criminal activity, usually the sending of spam, can temporarily fall by up to a third on a worldwide basis, such is the prevalence of bots across the globe.
Such takedowns are possible because companies such as Microsoft, Apple, and Google, which provide the base OS, are well-placed, through the anonymous reporting they receive from their operating systems, to identify botnets, and, by using network traffic data and by reverse-engineering the bots from infected machines, they can trace the IP addresses, and the individuals, controlling them.
This is all done without compromising users’ privacy and always within the law.
When Microsoft launched the Windows 8.1 operating system, it mandated that all new PCs sold with the OS on board have the modern UEFI firmware on the motherboard, with Intel’s Secure Boot system enabled.
Secure Boot is intended to prevent rootkits and boot sector viruses from infecting PCs. These malware types embed themselves deep into the boot partition(s) on a PC.
The rootkit will then start the OS in a hypervisor-type environment, which will give it complete control of the OS, while at the same time hiding and shielding itself from any security software you have installed and any security features in the OS itself.
A rootkit will commonly exploit OS features, such as the ability to install extensions into an app, or hook into or patch an application programming interface (API) that contains an exploitable vulnerability.
Once compromised, the rootkit can gain control of the application’s execution flow and use its permissions and privileges to attack the PC’s security and boot systems.
It is partially because of rootkit infections that store apps in all operating systems, and Win32 apps installed either from the Windows Store or on an ARM-based PC, run in their own protected areas of memory.
Rootkits and boot sector viruses can be extremely difficult to remove, given that they reside in hidden and protected partitions on the disk, and extremely difficult to detect.
You might think that if you have Secure Boot enabled on a PC that you’d be immune from rootkit attacks. Sadly, this isn’t the case, as some vulnerabilities do exist within the Secure Boot system that can still allow rootkits to install.
Additionally, some operating systems, such as Linux and Windows 7, will not start if Secure Boot is enabled, as they do not support the signed security that Secure Boot looks for at startup, which authenticates the OS as being genuine.
All of this means that PCs running unsigned operating systems, in either a single or dual-boot scenario, must have Secure Boot disabled.
I’ve already alluded to backdoors several times in this section, as they are commonly part of the payload of a bot or other malware type. Backdoors permit remote access to, and sometimes remote control of, an infected PC.
This will give criminals (and sometimes security agencies and governments) file, folder, and document access to a PC and any file shares and other PCs and servers on the network(s) to which it is connected.
By far the most unpleasant malware is ransomware. This malware will encrypt your files and documents (sometimes even more than these) and demand that you pay a ransom, usually in the online currency Bitcoin, for the decryption key.
As we store more and more files on network shares and in the cloud, and our PCs have access to these storage areas, and other network-connected PCs, ransomware is not only able to encrypt file backups but can also spread to other machines on the network and employ the user access permissions on those PCs to access yet more storage areas and more PCs.
Some ransomware will even encrypt an entire disk in a PC or the master file table (MFT) on the disk that contains the directory of what files are to be found where on the disk.
It is well known that hundreds of universities, hospitals, companies, and even governments around the world pay ransoms every year, so as to avoid the costly downtime required to rebuild the infected systems and the loss of critical files and data.
These companies and organizations, however, will almost never publicize what has happened, because of the negative effect it can have on their reputation and the uproar from people whose private information has been compromised.
It is also well known that the decryption key, should you pay the ransom, will itself contain an additional malware payload. The criminals behind ransomware, however, are clever enough not to price their ransoms too high, as an individual, business, or organization that cannot afford the ransom brings in no revenue to the criminals.
This, sadly, then creates an incentive for people to pay the ransom when they become infected.
Spam and Phishing E-mails
Spam (unsolicited) and phishing e-mails (e.g., purporting to be from your bank or a shopping site), aren’t malware, but I’m including them here, as they can commonly lead to a malware download. Spam is named after the processed meat (pork shoulder meat and ham) that was a common foodstuff in the United States and the United Kingdom during and after the Second World War when food rationing was in place.
It was widely disliked and derided (perhaps most famously in the Spam song by Monty Python) and was, therefore, a good choice of name for unwanted e-mails that began to appear in people’s inboxes.
How to Remove Malware
I stated in the previous blog that there are two main things that you can do, as an IT professional, to defend your systems against malware. One is to make it as difficult as possible for users to install malware on your systems or to transfer malware-infected files onto your storage servers.
This is achieved by using a combination of technologies, processes, and strategies that together can make malware infection difficult.
The other is to train staff in the different types of malware threat, how they are spread, how to spot them, and what it is and isn’t safe to click and permit. This is called security awareness, and it should be a staple of all training for employees in any business or organization.
It’s not always possible, however, to block users from performing actions such as installing software, and it certainly isn’t possible to prevent users from moving files around, saving them from e-mails and copying them from and to USB flash drives.
This is where configuring good preventative measures on your PCs becomes essential, as the PC itself then becomes the first line of defense against any malware.
Microsoft Windows comes with a multitude of tools for defending against malware, though the features on offer do vary from one version of Windows to another, with, as you might guess, the best suite of security tools available in the most modern version of the OS.
I want to look at each of these tools in turn, but first I’ll detail just what you can find in each different OS version.
Before I jump into detailing the security tools and features of the Windows OS itself, it’s important to discuss malware prevention on an organizational level.
This includes the strategic plan for how all aspects of a business or organization handle security. The considerations that have to be made include the operational, tactical, and strategic security activities that will affect every PC, server, network system, and mobile device in the organization, as well as how bring your own device (BYOD) and guest devices are treated.
Additionally, these security strategies cover the rules governing how data is guarded and transferred across and outside the company network. You may, for example, have a policy that no company files should be transferable to a removable storage device, such as a USB flash drive, DVD, or guest laptop.
Staff security awareness training is also an essential component in an organizational security strategy, as the people using the computers in any business or workplace are always the weak link where security is concerned.
Having an organization-wide security strategy can assist considerably in the prevention of malware, because, let’s not forget, in the age of the Internet, there really is no such thing as a stand-alone PC or isolated network anymore.
Core Microsoft Security Features
The security features in different Windows versions fall into different categories, depending on the type of support and security they offer. At the forefront of this are core features that exist across all supported versions of the OS.
Microsoft’s security website contains up-to-date information on threats, prevention, and defense, as well as information on subjects such as legal compliance, transparency, and privacy.
Security Center/Security and Maintenance
The Security Center, called Security and Maintenance in Windows 10, is most prominent in Windows versions 7 and 8.1, where it sits in the system tray behind a little white flag (the irony of which has never been lost on me).
It’s the Security Center that will automatically, and periodically, check for problems with Windows Update and the network, firewall, and troubleshooting settings, and report to you if a problem is found.
It is designed as a central location for getting information about the status of the security on your PC.
There are collapsible panels for Security and Maintenance, and alerts are highlighted with traffic light colors, including green when everything is fine, amber if you should be aware of something that isn’t urgent, and red for a critical alert, such as Windows Update or your antivirus updates being out of date.
User Account Control
User Account Control (UAC) is a security subsystem that acts as the first line of defense against any malicious software installations and unwanted OS system changes.
It is accessed through the Security Center or by searching for “UAC” in the Start menu. Any user wanting to change UAC settings will first have to have administrative permissions on the PC.
The feature displays an alert dialog in the secure Windows environment that’s also used to display the sign-in dialog. In this special environment, nothing can be done with the OS except interact with the single dialog that’s displayed, and only the user can do that, as all background processes are suspended. This means that malware cannot hijack the screen and click through the prompt itself.
There are four separate settings for UAC that begin at Never notify, which will turn UAC off completely, through to Always notify, which I like to call “Annoying Mode.”
The default setting for UAC will notify you when changes are being made to the PC that will affect all or other users on the machine (whether there are additional user accounts or not), which include disabling features, installing an app, and accessing a core system folder, but not changes that would only affect your own account, such as modifying your language settings or setting the correct time.
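The four slider positions described above map onto a pair of registry values. The following PowerShell, an added example rather than code from the original post, reads those values and reports which position the PC is in and whether it is weaker than the default; it assumes Windows 8.1 or 10 and needs no elevation to read the key.

```powershell
# Added example: decode the UAC slider position from the registry values
# that the Control Panel slider actually sets (assumes Windows 8.1/10).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

$enableLua = [int]$p.EnableLUA                   # 1 = UAC on, 0 = UAC disabled outright
$consent   = [int]$p.ConsentPromptBehaviorAdmin  # how administrators are prompted to elevate
$secure    = [int]$p.PromptOnSecureDesktop       # 1 = prompt shown on the dimmed Secure Desktop

# Map the value pair back to the four positions of the UAC slider.
$level = switch ("$consent,$secure") {
    '2,1'   { 'Always notify ("Annoying Mode"): prompts for every app and every Windows setting change' }
    '5,1'   { 'Default: prompts only when an app tries to make changes, shown on the Secure Desktop' }
    '5,0'   { 'Notify without dimming: prompt is on the normal desktop, so other software can reach it' }
    '0,0'   { 'Never notify: silent elevation, UAC effectively off' }
    default { "Non-standard pair (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure), probably set by policy" }
}

[pscustomobject]@{
    EnableLUA             = $enableLua
    ConsentPromptBehavior = $consent
    SecureDesktop         = $secure
    SliderPosition        = $level
    # Anything below the default removes the Secure Desktop protection described above.
    WeakerThanDefault     = ($enableLua -ne 1) -or ($consent -eq 0) -or ($secure -ne 1)
}
```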
Windows Firewall/Advanced Firewall
Windows comes with two different firewall interfaces: the default firewall and the advanced firewall.
The advanced firewall offers IT pros and advanced users the ability to control the firewall on a port, app, or service level, ensuring that users can gain access to critical business systems, such as network shares, while maintaining high levels of security.
Many companies and organizations still choose to replace the default Windows firewall with a third-party solution. This is because third-party products can be more flexible, powerful, and more frequently updated than the Microsoft-provided solution.
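As an added example of the port- and profile-level control the advanced firewall gives you (not code from the original post), the PowerShell below audits the three firewall profiles, finds enabled inbound rules that open SMB (TCP 445) to any remote address, and scopes them to the local subnet. It assumes Windows 8.1 or 10 with the NetSecurity module and an elevated session for the final Set-NetFirewallRule call.

```powershell
# Added example: audit firewall profiles and tighten SMB (TCP 445) inbound rules.
Import-Module NetSecurity

# 1. Every profile should be enabled with inbound traffic blocked by default.
Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{
        Profile              = $_.Name
        Enabled              = $_.Enabled
        DefaultInboundAction = $_.DefaultInboundAction
        Healthy              = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -eq 'Block')
    }
} | Format-Table -AutoSize

# 2. Enabled inbound Allow rules that expose TCP 445 (file sharing) to any address.
$wideOpen = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP') -and
        ($port.LocalPort -contains '445') -and
        ($addr.RemoteAddress -contains 'Any')
    }
$wideOpen | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

# 3. Restrict those rules so the share is reachable only from the local subnet.
#    Requires elevation; add -WhatIf to preview before changing anything.
$wideOpen | Set-NetFirewallRule -RemoteAddress LocalSubnet
```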
Malicious Software Removal Tool
The Malicious Software Removal Tool is delivered monthly as part of Windows Update, but you can also download it manually from http://pcs.tv/2c7CUXn if you suspect you have malware on your PC.
You can think of this tool as an extra, offline antivirus package that will check your PC for the current major malware threats and assist in removing them if any exist. I list this as being optional for Windows 7 and Windows 8.1 because it’s only with Windows 10 that security and stability updates are mandatory in Windows Update and cannot be disabled.
Windows Startup Security
I discussed the dangers of rootkit infections on PCs and how an Intel-developed technology is mandatory on all PCs sold with Windows 8.1 or later versions. There is, in fact, a series of technologies available in Windows 8.1 and Windows 10 (not Windows 7) that helps guard against boot sector malware.
It’s worth beginning this section by noting that encrypting the hard disk(s) on a PC through use of a security feature such as BitLocker, which is provided with every Pro and Enterprise edition of Windows, can help secure a PC from attack.
This is because encrypted drives are kept locked and secure until the user password is entered at the sign-in screen.
A BitLocker-encrypted PC in which the user is signed out is much more secure from malware, rootkits, and theft than one that is not encrypted.
Another feature exclusive to Windows 8.1 and Windows 10, Trusted Boot takes over once the OS begins to load.
This system checks the OS kernel and all other OS components, such as drivers, start-up files, Early Launch Anti-Malware (more on that in a minute), and all other Windows components, to see if any has been modified.
If it finds that a component has been modified, it will refuse to load that component. Windows has an automatic feature that will then run in the background and attempt to repair the damaged or modified component.
Early Launch Anti-Malware
One of the problems with security in legacy versions of Windows was that malware could often load before users’ antivirus software, and, thus, it could interfere with that software and prevent detection or removal of itself.
Early Launch Anti-Malware (ELAM) prevents this and also prevents a rootkit from disguising itself as an antivirus driver and loading. ELAM will launch a verified antivirus driver before all other drivers in what Microsoft calls a “chain of trust.”
It does this by examining all drivers that start with the OS and determining if they are signed and on a list of trusted drivers. If they’re not on the list, they won’t be loaded. All major antivirus packages support ELAM, which is only available in Windows 8.1 and Windows 10.
It should be noted, however, that the main antivirus software will load later in the boot process, meaning that while ELAM is a helpful defense, it’s not the full antivirus package.
That makes a helpful segue into the subject of the specific anti-malware features in the Windows OS. As with the other features I’ve already listed, they do tend to vary from one OS version to another, with Windows 7 being the least supported.
Windows SmartScreen is an online feature of many Microsoft products, including Windows 7 (where it’s called the Phishing Filter), Windows 8.1, Windows 10, and some online services as well. Because the service runs online, it is always kept up to date.
It checks incoming e-mails and downloads against white- and blacklists of known phishing sites and malware payloads, and if it finds something that’s known to be malicious, it blocks it.
There are a few problems with SmartScreen as it currently stands, however (it is hoped that Microsoft will address these over time). It will occasionally find a download that it’s not sure about.
The dialog that SmartScreen displays for you advises strongly against executing the download, but the interface is crafted in such a way as to make it difficult to open or run the downloaded file, should you wish to.
The other problem is bigger, as both Internet Explorer 11 (IE11), in all supported versions of Windows, and the Edge browser, along with the Settings app in Windows 8.1 and Windows 10, include a simple switch to turn the feature off.
None of these has any proper description of what SmartScreen is or why it’s important, and no UAC prompt is required to be clicked to deactivate the feature. Given that all three methods are easy for end users to find and click, I hope this is something Microsoft will address in future builds of Windows 10.
Windows Defender/Security Essentials
Windows Defender is the free/included antivirus package for Windows. It’s built into Windows 8.1 and Windows 10 and is activated by default.
Additionally, in Windows 7, it’s called Microsoft Security Essentials, which differentiates it from a separate anti-spyware package in that OS, also called Windows Defender, which looks and operates in a manner extremely similar to Security Essentials (and indeed the later Windows Defender) but does a completely different job. I just wanted to make that clear.
I’m not going to make any comments about the effectiveness of Windows Defender as an antivirus package, as the effectiveness of security suites varies from year to year.
As a basic package, however, it’s effective enough, and it has the added bonus of being incredibly lightweight, with almost no negative effect on performance or boot time. Most businesses or organizations, however, and, indeed, the author of this blog, will install a third-party anti-virus product.
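The startup security, SmartScreen, and Windows Defender features from the preceding sections can all be checked from one script. The following is an added example, not code from the original post; it assumes Windows 8.1 or 10 on UEFI firmware, an elevated PowerShell session, and that the BitLocker and Defender modules are present (they are absent on some editions, so each check is wrapped in a try block).

```powershell
# Added example: report the startup and anti-malware protections on the local PC.
$results = [ordered]@{}

# Secure Boot: the cmdlet throws on legacy BIOS machines or when not elevated.
try   { $results['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $results['SecureBoot'] = "Not available: $($_.Exception.Message)" }

# BitLocker on the OS drive keeps the boot partition locked until sign-in.
$os = $null
try   { $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $results['BitLockerOSDrive'] = "$($os.ProtectionStatus) ($($os.VolumeStatus))" }
catch { $results['BitLockerOSDrive'] = 'BitLocker module not available on this edition' }

# Windows Defender: real-time protection on and signatures reasonably fresh.
$mp = $null
try   { $mp = Get-MpComputerStatus
        $results['DefenderRealTime']  = $mp.RealTimeProtectionEnabled
        $results['DefenderService']   = $mp.AMServiceEnabled
        $results['SignatureAgeDays']  = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days }
catch { $results['DefenderRealTime'] = 'Defender status unavailable (third-party AV installed?)' }

# SmartScreen for apps and files: the single registry switch the text warns about.
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -ErrorAction SilentlyContinue).SmartScreenEnabled
$results['SmartScreen'] = if ($ss) { $ss } else { 'Not set (defaults to on)' }

# Summarise anything that weakens the protections described above.
$concerns = @()
if ($results['SecureBoot'] -ne $true)      { $concerns += 'Secure Boot is off or unavailable' }
if ($os -and $os.ProtectionStatus -ne 'On') { $concerns += 'BitLocker is not protecting the OS drive' }
if ($mp -and -not $mp.RealTimeProtectionEnabled) { $concerns += 'Defender real-time protection is off' }
if ($mp -and $results['SignatureAgeDays'] -gt 3) { $concerns += 'Defender signatures are stale' }
if ($ss -eq 'Off')                          { $concerns += 'SmartScreen has been switched off' }

[pscustomobject]$results
if ($concerns) { Write-Warning ("Concerns: " + ($concerns -join '; ')) }
```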
Other Security Features
The core security, startup security, and anti-malware features of Windows aren’t by any means all of the security features built into the OS. The final one comes with the unassuming name The Windows Store.
When you install a Win32 traditional desktop program on your PC, it installs into the \Program Files folder from which, with administrative privileges, it can see and access every other file and folder on the machine, including critical Windows operating system files.
Then along came app stores, and with them came containers. Containers are protected areas of storage and memory. Think of them as little virtual machines, each with its own segregated area of memory and storage.
Permissions are assigned to store apps, each of which must be approved by a user. If the user doesn’t want the app to be able to access her documents folders, her geolocation or another feature, such as her webcam, the OS will simply block the app from using it.
The Windows Store contains a great many apps that are useful in the workplace, such as the mobile editions of Word, Excel, PowerPoint, and OneNote. Microsoft has included a developer feature, however, that also allows Win32 apps to be containerized and placed in the store.
This includes the full desktop editions of the Microsoft Office apps, and it additionally gives those apps access to store-only features, such as sharing tools.
Tip Running store apps instead of full Win32 desktop apps can boost the battery life of a laptop, ultrabook, or tablet, as these apps are suspended by the OS when they’re not in focus.
This prevents them from using processor time when you’re busy doing something else. Additionally, running an app (any app) full-screen will also boost your battery life, as the graphics processor has fewer things to render.
It’s worth noting, too, that if you’re using Windows 10 on a low-power ARM-based PC, laptop, ultrabook, tablet, or smartphone, and you’re able to install and use Win32 desktop software, this will all be containerized, due to the re-architected nature of the ARM editions of the Windows 10 OS. These apps will also, typically, but not always, come from the Windows Store.
Why is this significant, you ask? While not every software house will place its products in the Windows Store, containerizing any app makes it significantly more resilient against malware infection and prevents it from being able to interact with the underlying OS in a way that could prove malicious.
32-Bit (x86) and 64-Bit (x64) PCs
It’s actually very difficult to find a new PC on sale these days that contains a 32-bit processor (CPU), unless you’re buying a budget tablet or laptop. If you’re using Windows 7 in a business environment, however, you may still be using and supporting them.
32-bit desktop CPUs, which began with the Intel 386 series in 1985 and ran through to the Pentium 4 chips of 2004, don’t support virtualization. This means that, even though Windows 10 comes in a 32-bit variant, older processors and motherboards won’t support technologies such as app containers.
At http://pcs.tv/2cXeWeh, you can check if your Intel processor supports virtualization. At http://pcs.tv/2cE9aAs, AMD provides information on virtualization in its processors.
Also, some older 64-bit processors and motherboards don’t support hardware virtualization, which means that they won’t support all the virtualization features of Windows, which can include app containers.
It’s always wise to check the documentation that came with your processor and motherboard when deciding whether to migrate the PC to Windows 10 or if it might be best to retire the unit and purchase a replacement.
While 64-bit installations of Windows are more secure than their 32-bit counterparts, this has more to do with the security features the 64-bit architecture supports and is no guarantee that a system will be secure by default.
One of the advantages of 64-bit Windows systems, however, is that hardware and software drivers, which are a common method for a malware attack, must be digitally signed by the manufacturer and Microsoft, in order to be supported and loaded at startup.
Note Microsoft is no longer supporting the latest Intel processors for new installations of Windows 7 and Windows 8.1, and one can assume this also extends to AMD processors as well.
This means that there is no driver support available for some processors, and the OS will fail to install. You can check if your PC is compatible with Windows 7 and Windows 8.1 at http://pcs.tv/2cEciMV.
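The checks described above (64-bit OS, hardware virtualization for app containers, and signed drivers), as an added readiness script that is not part of the original post; it reads the standard Win32_Processor, Win32_OperatingSystem and Win32_PnPSignedDriver classes and assumes nothing about your hardware:

```powershell
# Added example (not from the original post): a readiness check for the points made
# above, run from PowerShell on the machine being assessed. It reports whether the OS
# is 64-bit, whether the CPU exposes hardware virtualization (needed for app containers
# and similar isolation features), and which loaded drivers are not digitally signed.
function Test-PlatformReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Win32_Processor exposes the same virtualization flags the vendor pages report:
    # VMMonitorModeExtensions = VT-x/AMD-V present, VirtualizationFirmwareEnabled =
    # switched on in firmware, SecondLevelAddressTranslationExtensions = EPT/RVI.
    $virt = [pscustomobject]@{
        Supported     = [bool]$cpu.VMMonitorModeExtensions
        EnabledInBios = [bool]$cpu.VirtualizationFirmwareEnabled
        SLAT          = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }

    # Drivers load at startup with kernel privilege, so an unsigned one is the
    # first thing to question on a machine that is being migrated or cleaned.
    $unsigned = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion

    if ($cpu.AddressWidth -eq 64 -and $virt.Supported -and $virt.EnabledInBios) {
        $verdict = 'Ready for Windows 10 isolation features'
    } elseif ($virt.Supported) {
        $verdict = 'Enable virtualization in firmware first'
    } else {
        $verdict = 'No hardware virtualization: consider replacing the unit'
    }

    [pscustomobject]@{
        OSArchitecture  = $os.OSArchitecture     # e.g. '64-bit'
        CpuAddressWidth = $cpu.AddressWidth      # 32 or 64
        Virtualization  = $virt
        UnsignedDrivers = @($unsigned)
        Verdict         = $verdict
    }
}

$report = Test-PlatformReadiness
$report | Format-List
$report.UnsignedDrivers | Format-Table -AutoSize
```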
Restricting Access to Files
Several times in this blog, I’ve mentioned ransomware and detailed just how disastrous it can be if you find all of your files, or indeed an entire hard disk, encrypted and inaccessible.
The tools I’ve detailed throughout this blog focus on protecting the core OS and your apps from malware. Protecting your files, however, requires a bit of thought and perhaps some careful planning.
When you look at the way we manage, store, and back up our files, you’ll commonly find that the moment you click Save, the file (or a backup copy of it) is automatically saved to a server store, or a cloud service, such as Office 365, OneDrive, Dropbox, Amazon S3, or Google Drive.
This is brilliant in general use, as it means our files are backed up seamlessly and silently, without us having to do anything about it. We can even use a feature such as File History in Windows 8.1 or Windows 10 to create multiple “versions” of files, which can be restored at a later date, should a change be made to a file accidentally.
Ransomware, however, takes full advantage of our desire to have everything backed up immediately and silently. The moment a file on your hard disk is encrypted, that registers as a file change, and your backup software, be it File History, a cloud sync package, or a third-party backup app—and not being very clever—will automatically back up the new encrypted version of the file.
You may be lucky, in that you’ll have version control, meaning that you can take your file storage offline in the event of a ransomware attack, and after cleaning the malware from the PC, restore the earlier version of the file.
This, however, relies on your having at least double the amount of backup storage for your files as you use to store the files themselves, and many people and businesses not only won’t have this, they won’t think of it either.
The solution is to limit ransomware’s access to your backups, and there’s really only one safe and secure way to do this, even though it’s far from foolproof.
This is to have a completely separate backup of your files that runs on a periodic schedule, perhaps every week or every two weeks. This means that if ransomware hits, you will know that you have a backup you can return to that will not have been affected by the encryption.
I say this isn’t foolproof because, in this circumstance, it’s highly likely (Murphy’s law being what it is) that the ransomware will strike only a day, or perhaps even less, before your next backup is scheduled to begin.
The problems presented by ransomware mean that we all have to think very carefully about the way we store and back up our files and documents. We must make sure that we all have ample space for file versioning and enough redundancy in the system to ensure that we can recover a copy of our files, even if we lose a week or two’s worth of work, so that we can continue working.
This is, I’m sure, something that backup, cloud, and security vendors will address in the coming years, but it does need to be something you, and your business, plan for today.
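The separate, scheduled backup described above, as an added example script that is not part of the original post. It assumes the files live in D:\Work and the backup drive is E:\Snapshots (attached only for the job); both paths, the retention count and the script path in the scheduling comment are placeholders.

```powershell
# Added example (not from the original post): a separate, scheduled backup that
# never overwrites an earlier copy, so an encrypted file cannot replace a good one.
# Assumed paths: D:\Work (files to protect) and E:\Snapshots (a backup drive that is
# only attached for the job). Adjust both before use.
param(
    [string]$Source     = 'D:\Work',
    [string]$BackupRoot = 'E:\Snapshots',
    [int]$Keep          = 6          # number of full snapshots to retain
)

# Refuse to run if the backup drive is not present: keeping the drive offline the rest
# of the time is the whole point, and writing somewhere else would defeat it.
if (-not (Test-Path -LiteralPath $BackupRoot)) {
    Write-Error "Backup drive not attached: $BackupRoot"
    exit 1
}

# Every run goes to a NEW dated folder. Never use robocopy /MIR here: mirroring
# would copy freshly encrypted files over the previous good snapshot.
$stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target = Join-Path $BackupRoot $stamp
$log    = Join-Path $BackupRoot "$stamp.log"

# /E copy subfolders including empty ones; /COPY:DAT data, attributes, timestamps;
# /R:2 /W:5 retry twice, 5 s apart, so a locked file does not stall the job;
# /NP no per-file progress in the log; /XJ skip junctions (avoids copy loops).
& robocopy.exe $Source $target /E /COPY:DAT /R:2 /W:5 /NP /XJ /LOG:$log
# robocopy exit codes below 8 mean "copied / nothing to copy"; 8 and above are failures.
if ($LASTEXITCODE -ge 8) {
    Write-Error "Snapshot $stamp had copy failures; see $log"
    exit $LASTEXITCODE
}

# Retention: keep the newest $Keep snapshots, so the drive needs roughly
# ($Keep x size of $Source) free space, which is the headroom the post calls for.
Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Sort-Object Name -Descending |
    Select-Object -Skip $Keep |
    ForEach-Object {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
        Remove-Item -LiteralPath "$($_.FullName).log" -ErrorAction SilentlyContinue
    }

# One-time registration of the weekly job (run once, elevated). Script path is assumed.
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#            -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Snapshot-Backup.ps1'
# $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am
# Register-ScheduledTask -TaskName 'Weekly offline snapshot' -Action $action -Trigger $trigger
```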
Malware Defense in Depth
If a software exploit for one of your installed applications is discovered before the vendor can fix the issue and release a patch, your system could easily be hacked.
Although any method of keeping the bad guys out is thought of as being better than none, we recommend that you use multiple layers of protection.
This is known as defense in depth and is the practice of layering defenses to provide greater protection. In this blog, I will discuss some protection mechanisms that you should consider when using Windows.
All modern versions of Windows include a very competent software-based firewall. Firewalls can be software, running as part of an operating system, or can run on an appliance such as a router, modem, or a dedicated firewall device.
Firewalls examine network traffic that is attempting to make its way across a network interface and onto your computer. Depending on the settings employed, the firewall software can block or allow the traffic and log the successful transmissions and failed attempts.
An incorrectly configured firewall, or a computer without a personal firewall, is vulnerable to remote connections being made directly to the local system’s services.
Only allowed network traffic should gain access to the internal resources classed as being inside your firewall, such as your PC. When a firewall is operational, network packets attempting to gain access to your computer will believe that your computer does not exist, as the firewall does not respond, and the hacker will in all likelihood move to the next computer and attempt to gain access there.
A common statement I hear is that “I won’t get hacked/attacked; we are too small to be of interest to a hacker.” This sounds plausible, especially when you consider that there are billions of devices connected to the Internet; however, it is not entirely true in practice. The hacker will direct his or her efforts based on the following criteria:
1. Ease of access
2. Likely return (typically financial)
3. Risk of being caught
If you have little protection, you fall into the first category, and this determination is generally fully exploited by the automated use of an investigative bot (short for robot). Bots are able to analyze tens of thousands of computers that are connected to the Internet every minute.
Because Windows computers will generally try to respond to other computers (that is how they communicate), if your computer acknowledges its own presence in response to a Ping request or other query from a bot, it will immediately be escalated to the next level of interest for the hacker/malware software to investigate.
We regularly see reports of laptops being hacked when using public Wi-Fi in areas such as cafés, fast food restaurants, and airports. Although the majority of popular social media sites now require HTTPS connections, which are secured using the Secure Sockets Layer (SSL), these high-level protection mechanisms can be bypassed easily if the firewall has been disabled or if file and printer sharing has been enabled for public networks.
By default, if you are running Windows Vista or later versions, your PC is protected from other computers seeing your PC on the network. However, if these settings have been modified within the Network and Sharing Center, to allow network discovery and file and printer sharing on shared or public networks, your PC could be easily compromised.
Understanding that it is essential that you have some barrier against attack is paramount in keeping safe, and the firewall is often the easiest protection to enable.
Within an organization, a dedicated hardware firewall is generally used to inspect the network traffic coming in from the Internet. This is useful to protect the company-owned public facing IP addresses that may be used for services such as FTP, Intranet, SharePoint, and websites.
With a hardware appliance, you simply plug the device into your network topology, and you’re ready to configure firewall rules that restrict, allow, or redirect network traffic, based on your requirements.
In this blog, I can’t recommend specific manufacturers of hardware-based firewalls, although some of the well-known brands include Barracuda, Cisco, SonicWALL, and WatchGuard.
In nearly all scenarios, firewall appliances are more expensive than software-based firewalls. The cost of the appliance generally increases with the capacity and features. When choosing, you should ensure the device is well-suited to your needs, by considering the following factors:
Brand awareness and reputation
Capacity: The device has to manage the load, speed, and the number of network nodes being actively managed.
Failover capability: If the device fails, or becomes swamped during an attack, how does it respond? Will it failover to another appliance, allow or block all connections?
Technical support: Because the device is a crucial component of your network, you must ensure that help is on hand when you need it. Ideally, there should be solid support-forum technical help available.
Budget: Most buying decisions often boil down to price. Ensure that you purchase a device that will perform as required, then look for budget alignment.
Blacklists and Whitelists
To reduce the likelihood of self-harm from internal users, many organizations monitor and restrict access by staff to specific external locations.
If the threat of attack or risk to the business is sufficiently high, the firewall can be used to actively block outbound traffic to known malware sites or known access points, such as peer-to-peer file sharing sites or Dark Web gateway portals.
Note The Dark Web, or DarkNet, is a special part of the Internet that is encrypted and allows users to anonymize their actions. It has, therefore, become a network on which black market illegal activities take place.
You could also employ techniques, such as blocking IP addresses, using blacklists. These lists contain domains and IP addresses of known and potential malicious attack sources.
It is possible to automate the regular updating of firewall blacklists by using tools such as Fail2ban, which automatically maintains your blacklists, based on malicious behavior.
By using a blacklist, your firewall can be highly effective at restricting outbound traffic, and a modern firewall will have a negligible impact on the appliance performance, even with blacklists containing tens of thousands of entries.
Firewalls can monitor inbound activity and automatically block or ignore any IP traffic if it is exhibiting potential malicious behavior, such as probing or “door rattling.” For specific scenarios, such as on the research and development network, a firewall can even be configured to block all ingress.
Consider a potential customer who accesses your website often, perhaps because you have a discounted sale in place: you may see many page views from the same external source.
To prevent inadvertently blocking potential customers from your customer-facing websites, when short-term excessive activity occurs, it can be more appropriate to temporarily block access to suspicious IP addresses, as this often is a sufficient deterrent. You have to carefully set the threshold metric for when you trigger these blocks. This could be initially set at 100 attempts and then reviewed.
Remember that most firewall attacks are bot-generated, and, generally, when a bot finds a firewall that is not vulnerable, it will move to target the next IP address in its line of attack.
Where a bot finds a firewall or ports that are expressly open, the “finder” bot will flag these IPs as “live” for another bot to perform deeper penetration testing. These scan results are often available to purchase on the Dark Web.
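The threshold-based temporary blocking described above (the Fail2ban idea applied to Windows Firewall), as an added example that is not part of the original post. It reads DROP entries from the firewall’s own pfirewall.log; the log lines here are constructed sample data, the threshold of 100 is the starting point the post suggests, and the allow list and ban duration are assumptions.

```powershell
# Added example (not from the original post): Fail2ban-style temporary blocking for
# Windows Firewall, driven by the DROP entries in its own log. Run elevated.
param(
    [string]$LogFile     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [int]$Threshold      = 100,                # review after an initial period, as the post says
    [int]$BanMinutes     = 60,                 # temporary, not permanent
    [string[]]$AllowList = @('192.0.2.10')     # never block these (e.g. your office IP; assumed)
)
$RulePrefix = 'AutoBlock-'

# pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
function Get-DropCounts([string[]]$Lines) {
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'DROP') { continue }
        if ($counts.ContainsKey($f[4])) { $counts[$f[4]]++ } else { $counts[$f[4]] = 1 }
    }
    return $counts
}

# Block offenders above the threshold; the expiry time is stored in the rule description
# so Remove-ExpiredBlocks can lift the block later. Allow-listed addresses are skipped so
# a busy legitimate customer is not locked out.
function Add-TemporaryBlocks([hashtable]$Counts) {
    $expires = (Get-Date).AddMinutes($BanMinutes).ToString('o')
    foreach ($ip in $Counts.Keys) {
        if ($Counts[$ip] -lt $Threshold -or $AllowList -contains $ip) { continue }
        $name = "$RulePrefix$ip"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $ip -Profile Any -Description "expires=$expires" | Out-Null
        Write-Output "Blocked $ip ($($Counts[$ip]) dropped packets) until $expires"
    }
}

function Remove-ExpiredBlocks {
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Where-Object { $_.Description -match '^expires=(.+)$' -and
                       [datetime]::Parse($Matches[1]) -lt (Get-Date) } |
        Remove-NetFirewallRule
}

# Constructed sample lines stand in for the real log (real use: Get-Content $LogFile,
# ideally only the lines written since the previous run).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags',
    '2019-03-01 10:00:01 DROP TCP 203.0.113.7 192.168.1.10 51234 445 52 S',
    '2019-03-01 10:00:02 ALLOW TCP 192.0.2.10 192.168.1.10 51235 443 52 S'
)
# 120 drops from one source in a short window: the "door rattling" pattern.
$sample += 1..120 | ForEach-Object {
    '2019-03-01 10:01:{0:D2} DROP TCP 198.51.100.9 192.168.1.10 {1} 3389 52 S' -f ($_ % 60), (40000 + $_)
}

$counts = Get-DropCounts -Lines $sample
Remove-ExpiredBlocks
Add-TemporaryBlocks -Counts $counts    # only 198.51.100.9 (120 drops) exceeds the threshold
```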
The Rise of the Internet of Things
We are currently at the dawn of a new era in computing—the rise of the Internet of Things (IoT). You can currently buy Internet-connected TVs, alarm clocks, radios, and even refrigerators that can reorder groceries automatically when they run low.
With IoT, devices located within your home can communicate directly to servers on the Internet. This is made possible by using your home Wi-Fi network, which creates an IPv6 bridge between the interface that serves the IoT device and your Internet service provider.
In this way, for example, your Internet-connected popcorn maker can be turned on just as you leave the office so that you have piping hot popcorn for the evening movie.
Interface-, port-, and application-level IP forwarding allow your single public IP address provided by your ISP to allow access to multiple devices behind your firewall, often without your knowledge.
You should certainly be vigilant and aware of the potential risks with IoT, especially as they are an emerging technology for which standardized security procedures and precautions have not yet been formalized.
Consider the implications if, after installing a new IoT-based security CCTV camera system onto your home or business network, hackers were able to access the data feed.
The Windows Advanced Firewall
Windows comes with two different firewall interfaces: the default Windows Firewall and the Windows Firewall with Advanced Security.
Many users will never step beyond the functionality offered by the Windows Firewall. The original Windows Firewall was unidirectional and would not stop outbound connections to the Internet, and it would not filter IPv6 traffic.
If the user used an administrator account (as many users did with XP), viruses could easily disable the firewall, and this further weakened the reputation of the built-in protection.
Thankfully, Microsoft upgraded the firewall quickly and enabled Automatic Updates and the Windows Security Center, which addressed many of the earlier failings.
Users with administrative rights who need to configure advanced settings, such as fine-tuning a VPN connection or monitoring firewall logs, must click the Advanced Settings link, or type “wf.msc” into the Run or Search command.
The Windows Firewall with Advanced Security management console was introduced with Windows Vista and provides access to many advanced options and enables remote administration.
From the console, you can configure the following:
Inbound Rules: Traditional firewall capability to prevent network ingress
Outbound Rules: Blocks outbound traffic, such as preventing malware that attempts to “phone home”
Connection Security Rules: Used to set up advanced VPN and tunneling configuration settings
Monitoring: Used to log inbound and outbound traffic through the firewall
Windows Firewall with Advanced Security allows a great deal of low-level packet filtering and refining of network traffic, such as the ability to filter source and destination IP addresses, port ranges, and protocols, such as UDP or TCP.
To create a new inbound rule, launch the Windows Firewall with Advanced Security management console and click New Rule in the Action pane on the right-hand side.
Follow the New Inbound Rule Wizard to create your rule, and once complete, the new rule will appear in the list of Inbound Rules in the center pane. If the rule is active, it will be marked with a green checkbox in the Name column, and if disabled, it will have a gray checkbox.
You can review any rule and inspect its settings by right-clicking the rule and selecting Properties.
In the Properties window, the selected rule settings are displayed in a tabbed format.
You can edit the rule and change any of the available parameters.
If you scroll through the inbound and outbound rules, you will see that there are many rules built into Windows.
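The same console settings applied from PowerShell, as an added example that is not part of the original post: it puts the Wi-Fi adapter on the Public profile, hardens that profile, disables discovery and sharing rules scoped to public networks, and adds one outbound and one inbound rule. The interface alias ‘Wi-Fi’, the updater.exe path and the 192.0.2.0/24 management subnet are placeholders; run from an elevated prompt.

```powershell
# Added example (not from the original post): the settings the Windows Firewall
# with Advanced Security console exposes, applied from an elevated PowerShell prompt.
# 'Wi-Fi', the updater.exe path and 192.0.2.0/24 are assumptions; adjust before use.

# 1. Treat the current Wi-Fi network as Public so the strictest profile applies.
Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public

# 2. Public profile: firewall on, block unsolicited inbound, log blocked packets
#    (this log is what the console's Monitoring node reads).
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Make sure discovery and sharing are not answered on public networks, the setting
#    the post warns about. Windows ships these rules per profile, so only the
#    Public-scoped ones are touched; Domain and Private rules stay as they are.
foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Profile -match 'Public' } |
        Disable-NetFirewallRule
}

# 4. Outbound rule: stop a program from "phoning home" on every profile.
New-NetFirewallRule -DisplayName 'Block updater phone-home' -Direction Outbound `
    -Program 'C:\Program Files\Example\updater.exe' -Action Block -Profile Any

# 5. Inbound rule scoped to one source: allow RDP only from the management subnet
#    and only on Domain/Private networks, never on Public.
New-NetFirewallRule -DisplayName 'RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '192.0.2.0/24' `
    -Action Allow -Profile Domain, Private

# 6. Review: enabled inbound allow rules with their ports, the equivalent of
#    opening each rule's Properties window in the console.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-45} {1,-5} {2}' -f $_.DisplayName, $port.Protocol, $port.LocalPort
    }
```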
Connection security rules allow you to implement very secure traffic between endpoints, such as between remote computers or between specific IP addresses across the network or Internet.
As an example, you may require that only encrypted network traffic is permitted for all communications to a secure payment gateway server on your internal network.
This could be achieved by creating a connection security rule within the Windows Firewall with Advanced Security, using the server-to-server rule type and allowing connections only if they are authenticated with IPsec security certificates.
IPsec is often used to secure server-to-server traffic within high-security environments. Hacking into the network stream and decrypting the packet contents protected by IPsec is not possible unless the certificates or pre-shared keys (PSK) have already been compromised.
Note Following the recent disclosures by Edward Snowden relating to network attacks, it is recommended that all routers have their firmware upgraded to the latest version and to maintain strong pre-shared keys or use certificates.
Connection security rules are often used in corporate environments and are set by the network administrator. You should take care if you configure them to ensure that you do not inadvertently lock yourself out of a network or prevent connections when you enable a new rule.
In addition to the GUI tools within the Control Panel, you can also configure firewall settings via the command prompt, PowerShell, and by using Group Policy.
The firewall settings within Group Policy can be found with the following node: Computer Configuration ➤ Windows Settings ➤ Security Settings ➤ Windows Firewall with Advanced Security.
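The payment-gateway scenario above, built as a connection security rule from PowerShell; this is an added example, not part of the original post. The gateway address 192.0.2.50, the client subnet 10.0.0.0/24 and the CA subject name are placeholders, and the rule is created disabled so it can be reviewed before the lock-out risk the post mentions becomes real.

```powershell
# Added example (not from the original post): a server-to-server connection security
# rule that allows traffic to the payment gateway only when both ends authenticate with
# machine certificates from the organization's CA. Gateway address, client subnet and
# CA name are placeholders. Run elevated on the client side.
$Gateway = '192.0.2.50'
$Clients = '10.0.0.0/24'
$CaName  = 'CN=Example Corp Issuing CA, O=Example Corp, C=US'

# Phase 1 authentication: a machine certificate chained to our CA, not a pre-shared key.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaName -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Payment gateway cert auth' -Proposal $proposal

# The rule itself. Require on both directions means unauthenticated packets to and from
# the gateway are dropped. Scoping it to one address and port keeps the blast radius
# small if the certificates are not yet deployed everywhere.
New-NetIPsecRule -DisplayName 'Require IPsec to payment gateway' `
    -Mode Transport -Protocol TCP -RemotePort 443 `
    -LocalAddress $Clients -RemoteAddress $Gateway `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Profile Domain -Enabled False | Out-Null

# Review the stored rule, then enable it. After enabling, Get-NetIPsecMainModeSA shows
# whether the certificate negotiation with the gateway actually succeeded.
Get-NetIPsecRule -DisplayName 'Require IPsec to payment gateway' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Enabled
Enable-NetIPsecRule -DisplayName 'Require IPsec to payment gateway'
```

The gateway needs a matching rule with the same certificate requirement, or the negotiation fails and the connection is dropped rather than falling back to clear text.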
A DMZ (demilitarized zone) refers to a network zone that you control that is used to separate the untrusted Internet from your internal (trusted) network.
To harden the perimeter and the DMZ itself, each firewall appliance can be restricted to allow only the specific protocols required by the organization.
It is recommended that unnecessary or end-user protocols, such as NetBIOS, which could be used to navigate within the DMZ and locate vulnerabilities inside it, be disabled.
Although the primary role of the DMZ is to prevent further ingress of malicious activity within the internal network, you should still ensure that the DMZ itself is at the highest level of defense and alert. If an attacker can penetrate the DMZ, he could compromise other DMZ routers and gain access directly through to internal systems.
It is common practice for a business to locate web portals, gateways, and extranet websites in the DMZ. If a web server in the DMZ is compromised, the attacker could
Delete, copy, or modify web applications and data
Deface external company websites and extranets
Deface internal company intranet sites
Gain access to internal resources, including databases, backups, and source code
In addition to restricting the ports and protocols that are allowed within the DMZ, the network or security manager must ensure that the DMZ is kept under continuous monitoring. Effectively, the DMZ is the moat that surrounds your castle, and you must ensure that nothing crosses that boundary.
Often, the hacker (or penetration expert) will try to probe your DMZ management systems rather than the main Internet-facing resources. Because these systems are used only infrequently, consider requiring a higher level of protection, such as enabling encryption, authentication, and detailed transaction logging, as well as disabling all access when not in use.
Some useful best practices that can be deployed in relation to the DMZ include the following:
Use an intrusion prevention system (IPS).
Implement and deploy a robust security policy.
Implement a thorough auditing policy.
Use signatures to detect and block well-known attacks.
Keep anti-malware signatures up to date.
Power off maintenance equipment when not in use.
On a regular basis, for example, every six months, and especially if your career and business rely on maintaining a robust and secure DMZ, you should consider hiring the services of a penetration expert.
Under a strict set of rules and boundaries agreed to by you and management, the expert will attempt to hack your system from the outside.
The results of the exercise will often show where improvements can be made, and they should be safeguarded, as they document the deficiencies in your current approach. You should implement countermeasures and remove some or all of the vulnerabilities highlighted, at your earliest opportunity.