Posted on

Are Invoicing Companies Leaving Small Businesses Vulnerable?

For the last 2 years, my main focus as a cyber security consultant has been getting companies, mostly big companies, ready for GDPR. One pressing concern is the GDPR compliance of invoicing companies.

Maybe GDPR is a buzzword for some, but the logic behind it is great for both privacy and proper data security.

The privacy part is somewhat challenging because PII (personally identifiable information) and SPI (sensitive personal information) are well defined in GDPR, and the definition is very wide.

It COVERS EVERYONE.

From big companies to small companies, and even micro companies: you are obliged to do everything you can to protect PII and SPI.

Many companies have started the shift of changing their work methods and the way that B2C communication is done. For example, basic “client notifications” are now usually protected.

GDPR is first and foremost a methodology change, not a technological one. You change the way you work first and then which technological tools you use.

This change has already “hit” some industries, but other industries prefer to ignore it. For example, I am a client of one of the biggest online invoicing companies, along with many other small and medium business owners.

Invoices have PII and SPI in them – they have a lot of the info of my clients (their name & postcode), sometimes even the full address, proper identifiable information.

When I send an invoice to my clients I am sending PII and SPI.

Since the GDPR date, my colleagues and I have started to send invoices in a secure way. Is it more “work”? Yes. We are sending a PDF within an encrypted email, not a link, so that we can make sure that only the recipient gets it and not someone else.

As a client of one of the biggest online invoicing companies, I’m concerned about their GDPR compliance, and I have contacted them and asked very clearly,

“What are you going to do about GDPR? Which encryption method are you going to use and how are you going to guarantee that the PII and SPI that are being sent via your system is secure?”

And …

Nothing really.

I got some generic responses, some links to the privacy/GDPR policy, but no real answer.

Then after some more Q&A, I got a strange response,

“We are sending PII BY FUNCTION... so, nothing is really going to change.” So I responded with,

“So? GDPR has no ‘BY FUNCTION’ exclusion.” And, of course, since then, it’s been silence.

It seems, at least for that specific company, that they are ignoring or excusing not being GDPR compliant by saying that their CORE FUNCTION (and I quote, “BY FUNCTION”) is … NOT GDPR compliant. I know it sounds crazy, but that’s the reality.

So, let’s break it down a bit:

  1. I am using their online invoicing platform – they are my Data Processor.
  2. I am storing sensitive client information on their system and I expect them to be GDPR compliant. I trust their feedback that it is (regarding the way they store and access information).
  3. But… when I send the invoice to my clients via their system, I am extracting PII and SPI from their system and sending it into the world with no security mechanism at all?!
  4. This specific online invoicing company is sending a link (like many others) – not even a password-protected PDF is an option?

Bottom line, you as a user of the system have the option not to send a link, but download the PDF, secure it, and then send it yourself… but why isn’t the invoicing company doing it for you? Why are they putting YOU at risk?

Why? – I don’t know, I presume it’s because it’s easier to ignore the reality than to face it. It’s easier to put everything on your clients than to solve the core issue.

My professional recommendation to you is: until online invoicing companies’ GDPR compliance becomes clear, protect yourself! Don’t send PII and SPI in a non-secure way.

Eli Migdal.


Industries Prone to Email GDPR Breaches

Although emails are not specifically referenced within the clauses of the GDPR, the legislation does cover all data contained within emails and attachments. Anyone handling personal information related to citizens of the EU is bound by GDPR, and must make preparations to ensure that they are compliant from the date of adoption, if not sooner.

In this article, we’ll take a closer look at the industries that tend to be prone to data breaches involving emails, the reasons why, and strategies to avoid information becoming compromised.

Why Are Some Industries More Prone Than Others?

Theoretically, all industries have the potential to experience GDPR breaches. However, these are made more likely when organisations manage a disproportionately large amount of personally identifiable information, or PII. This is data that can be used on its own, or in combination with other known variables, to determine an individual’s identity.

Some examples of PII may include a full name (particularly if it is uncommon), date of birth, home address, telephone number, email address, passport, driving license, national insurance or social security number, credit card details, or vehicle registration. The more variables that are known, the easier it is to build an image of someone’s identity.

This kind of data is attractive to those who wish to exploit it, which can make some organisations vulnerable to hacking or phishing attacks. Human error can also cause data breaches; although this may be innocuous, the potential damage is just as severe.

It’s important, therefore, for these industries to take additional precautions in the gathering, storage, and processing of sensitive information.

Industries at Risk

Due to the nature of the data they hold, the following sectors have a high risk of experiencing GDPR breaches:

  • Financial
  • Legal
  • HR
  • Medical

The recruitment industry is also very susceptible, as organisations within it hold substantial amounts of personal information, which is passed frequently between internal and external recipients!

Small businesses, entrepreneurs, and virtual assistants can carry an elevated risk of experiencing GDPR breaches, particularly if they are starting out or otherwise unaware of correct data management procedures. 

Emails regarding invoices, bank details, and login information can be especially problematic. Training helps to mitigate this risk, prevent records being compromised, and protect the reputation of data custodians.

What Can Be Done to Minimise Risk?

Take a ‘prevention is better than cure’ approach. In the first instance, use anonymised data as far as possible because, if data is compromised, this makes it far more challenging for unauthorised parties to connect the dots and endanger the security of afflicted individuals.

When communicating via email, take extra precaution and encrypt your emails and attachments at the file level rather than on your computer because it’s much harder to crack and is very GDPR compliant. You can do this by installing software in your business which does this automatically, but if you don’t have the budget for a large-scale solution, you can try something like My Protected Mail which doesn’t involve installing anything and is quick and easy to deal with.

Although we have cited industries prone to email GDPR breaches, it’s best to be responsible no matter your industry. All custodians of sensitive data are responsible for its protection. If you are working within an industry with an elevated risk of email GDPR breaches, be sure you are prepared! Check out My Protected Mail here for more info and sign up for free to get the extra protection your sensitive emails or attachments need.


Why Your Emails Need to Be Compliant Under GDPR

Although emails are not specifically referenced in the GDPR, all data contained within them does come under its jurisdiction. To avoid the risk of a breach, as well as to conform to these regulations, it’s important to stay protected and send GDPR compliant emails. 

In this article, we’ll introduce you to points you should consider when sending GDPR compliant emails.

Safeguarding Personal Information

Personally identifiable information, or PII, is data that can be used—either on its own or in combination with other records—to determine an individual’s identity. It is best practice not to provide PII wherever possible, but to use anonymised data instead.

But, we know this isn’t always the case and sometimes you need to share data that could become identifiable, so it must be sent securely. Protected emails that contain PII should also not be allowed to be forwarded to unauthorised participants and you should ensure that any data you do send has been pre-authorised by the owner because consent is a key part of GDPR, which must be respected at all times.

Preventing Unauthorised Access to Data

A data breach places sensitive information at risk of exploitation by criminal activity or other unauthorised purposes. A data breach can be prevented by sending attachments securely, tracking the receipt of documentation, sending only essential information, and by double-checking that data recipients are authorised.

File level encryption is one of the best ways to do this (find out more about this in our previous article here) and there are simple ways to send protected emails without having to download special programs. Try using something like My Protected Mail for free and see how you can send and receive protected emails. 

If you do find that your organisation has experienced a data breach, you (or your company’s assigned data protection officer) are duty bound under GDPR to notify affected individuals within 72 hours of awareness of the breach. This provides the opportunity to take corrective measures and prevent further compromise of their information. Of course, your organisation has a responsibility to facilitate and support such action, whilst simultaneously commencing an investigation and completing internal and external reporting.

Protecting Your Brand’s Reputation

Personal data is important to every individual. When we entrust organisations with sensitive information, there is an expectation that this will be respected. Any breach or mismanagement of data reflects negatively on a brand.

That said, if a data-related incident does occur, it is best to be honest about the situation from the start. Not only does the GDPR explicitly require this, but taking swift action helps to protect your brand’s reputation. People understand that even highly secure structures can be compromised, and if your organisation responds quickly, this can help to mitigate the damage. Conversely, a delay or cover-up would be completely unacceptable.

Generating positive PR

If your organisation is shown to be consistently compliant with data protection laws—including GDPR—this gives a positive impression of your information safeguarding processes. It also demonstrates a wider sense of reliability and security and strengthens your brand’s reputation, encouraging potential customers and stakeholders to put their trust in you.

Consider getting help in becoming compliant by using My Protected Mail; it works with your existing systems and doesn’t require setup or installation! To find out more, visit www.MyProtectedMail.com


5 Ways Your Emails Could Breach GDPR

There’s a lot of confusion in the air currently for small businesses surrounding GDPR!

So let us set the record straight when it comes to sending emails.

If you are sending emails with personally identifiable information (PII) (here’s the ICO’s guide on what actually counts as personal data), you need to go to adequate lengths to protect it.

It’s that simple.

So let’s look at some of the ways your emails could be putting your business at risk when the GDPR regulations come into effect on the 25th May 2018. 

Edit: for the answers to commonly asked GDPR email questions scroll to the bottom of this article. 

*This post may contain affiliate links* 

1. Failing to use BCC (Blind Carbon Copy)

When sending to multiple recipients, unless emailing internally, you’ll need to use the BCC function.

This means that any given recipient will only see their own email address, the sender’s, and any recipients in the carbon copy (CC) section. All other recipients are anonymised. 

Failure to do this means that the name and email address (both PII) are shared with other recipients without their prior consent! This is a breach of GDPR regulations.

2. Sending Sensitive Data to the Wrong Recipient

So many people are getting in hot water for this one! Not only does the distribution of sensitive data to an unintended recipient contravene the consent element of the GDPR, it is also likely to have a detrimental effect on the trust held between two parties, which can devastate a working relationship.

And, the ICO aren’t allowing the human error defence!

Take the case of UK law firm WilmerHale unintentionally sending details of whistleblowing investigations at PepsiCo to a Wall Street Journal reporter. The information came from the US Securities and Exchange Commission, as well as internal investigators. This mishandled data had the potential to cause significant damage to PepsiCo’s reputation, and its leak certainly did no favours for Wilmer et al.

Be careful, therefore, to double-check both the data being sent and the email addresses of recipients, to ensure that sensitive information does not fall into the wrong hands, or you could be in a world of trouble. 

3. Unprotected/Unencrypted Attachments

It’s essential to encrypt critical information when sending it by email. This prevents interception, either by malicious or accidental means, and ensures that sensitive data is delivered securely.

This also includes making sure that you retain control over how the personal information is used once you have sent it too, by making sure the recipient can’t just copy, forward or blast out the sensitive information after you’ve sent it. You do this by encrypting the file rather than your computer or email system itself (we’ve written a handy guide on disk vs file encryption for small businesses here.)

My Protected Mail, for example, encrypts the file to make sure that it can’t be sent on to someone other than the intended recipient (you can’t even screen share the file via Skype, you just get a blank page!)



4. Preventing Opt-Outs/Automatic Opt-Ins

Under GDPR, people have the right to erasure, otherwise known as the right to be forgotten. If any recipient asks for their email address to be removed from a mailing list, you need to do it immediately. Also, if an individual requests that any data stored about them is deleted, you are legally bound to do so.

It’s also important to confirm active consent from the outset; you can no longer ask people to “opt out” with an automatic opt-in box checked. As well as requesting manual entry of an individual’s email address, provide information about how their data will be stored, and ask them to check a box to confirm they understand and acknowledge this.

5. Including PII Without Taking Precautions

This isn’t just about encrypting a single email: be careful with chains, “reply all” and forwarding emails that may pass the original PII on to those without permission. If you add additional recipients to a discussion, check the email content beforehand, and remove PII if it is present.

Taking the proper precautions beforehand ensures not only that your business is safe from fines but also that you are taking responsibility for your clients’ or customers’ data.


Common GDPR Email Questions Answered:

We’ve been contacted with many GDPR email related questions so we thought we would share for you the most common ones:

Is sharing an email address a breach of GDPR?

This depends on two things:

Firstly, is the email a personal one, like your personal Gmail? If not, does your company email address contain your full name, e.g. [email protected]? If you’ve answered no, then it’s not a GDPR breach. If yes, answer the next question.

Do they have permission or a reasonable reason to share your email? For example, to perform a service you’ve signed up to where sharing your email address is absolutely necessary? Have you given express consent and forgotten about it?

If someone has shared your email and is now marketing to you without your consent, it IS a GDPR breach and you can respond to them asking for an erasure request (request to get your data deleted).

When is my business allowed to share email addresses?

The short answer is that you’re not, unless you get express permission from the customer (not automatically opting them in). The only time you are allowed to share emails is when it is vital to the service you are providing, for example sending email addresses to a courier for confirmation of delivery.

But even then, you must ensure that any third parties do not market or contact those personal addresses outside of the business need they are providing! Or you could also be liable.

When forwarding emails what do I need to consider with GDPR?

You should always err on the side of caution when forwarding private or sensitive information, even internally. Ask yourself: does the recipient need to see this information, or should I remove sensitive PII from the email before I forward it? And don’t forget to remove personal email addresses in the replies if they are not needed.

Can I use BCC and be GDPR compliant?

Yes, if you’re sending a mass email, BCC makes sure no-one else sees each other’s emails and therefore reduces the risk of a breach. Of course, if this happens regularly there is more chance of human error being made so it’s always best to use a mailing program.

Are you being GDPR compliant in your marketing? Check out this article on that HERE.

My employer shared my personal email address in the company. Is this a GDPR breach?

It can be. But the likelihood is that it’s more of a privacy issue that you should first discuss with HR. Internal company communications, particularly if you’ve provided your private email to be contacted on, are a GDPR grey area, and if you’re uncomfortable with this information being shared, you should first contact your HR or legal department to discuss it.

I accidentally shared personal email addresses with our sporting group, is this a GDPR breach?

If your sporting (or any other social) group is classed as an organisation, rather than an informal group, then yes, it’s technically a GDPR breach. However, in practice everyone who is part of that team or group has consented to being contacted and knows the other members anyway.

If you’re concerned about your privacy, in that case, you should contact the head of the group and request them to use BCC in the future. If you were added to the list and didn’t give your permission, or know the group, then yes it’s a GDPR breach that you can report. But, again, this is a grey area.


Find Out Who Is Using BCC External Emails on Exchange Online 365

Who In Your Company Is Using BCC Emails on External Emails? (on Exchange Online 365)

There are cases, especially when dealing with a Data Leakage Prevention scenario, in which you need to know who is using BCC and to whom they are sending; usually the focus is on internal-to-external emails.

* Yes, you can block BCC availability if you wish (via GPO and other options).

 

Finding out who is using BCC seems like an easy task for your IT systems admin to check, but when using Exchange Online 365 or Exchange 2013 and onwards the task is a bit more complicated: there is no BCC log.

In order to enable this type of logging in Exchange Online 365 we need a small workaround:

  1. Recommended – create a dedicated mailbox.
  2. Create a new rule in the 365 Exchange Admin Center to Generate Report for every internal > external email. This is also a very useful tool as a journal (because Office 365 online won’t let you use an online mailbox as a journal).
  3. Make sure the “Custom Content” has BCC selected.
  4. The above rule will send reports on ALL internal > external emails being sent in your organization; now we need to filter them.
  5. Create an OUTLOOK rule (the rule will work at the server level but is created from OUTLOOK) to move any report to a specific folder.
  6. Now we need to separate emails that have a BCC in the report from “normal external emails”: create an OUTLOOK rule to separate the emails based on “BCC:” content. VERY IMPORTANT: make this rule run AFTER the previous rule.
  7. Now, if you want, you can create another rule to delete any report that does not have a BCC in it. I personally recommend having a dedicated mailbox which holds all reports as a type of journal – very useful for forensics and quicker than MESSAGE TRACE.
  8. For the advanced user – have a look at Microsoft Flow features that can convert emails to SQL; when the data is in SQL you can create alerts and combine the system with your DLP policy.
  9. The same logic is even more useful when you have RMS or AIP; then you can make the same reports run via classification, for example WHO is sending CLASSIFIED emails with BCC.
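The same workaround scripted with Exchange Online PowerShell, as an added example that is not from the article: the transport rule of steps 2–3 is created with New-TransportRule, and the “does this report carry a BCC?” test of steps 6–7 is done in a function instead of an Outlook rule. It assumes Connect-ExchangeOnline has already run, that the report mailbox address is a placeholder you replace, and that incident reports contain a `Bcc:` line (the sample reports below are constructed).

```powershell
# Added example, not the article's own code. Requires the ExchangeOnlineManagement
# module and an existing session (Connect-ExchangeOnline).

$ReportMailbox = 'bcc-reports@example.com'   # placeholder: the dedicated mailbox from step 1

# Steps 2 + 3: every internal -> external message generates an incident report that
# includes the Bcc recipients (the "Custom Content" the article refers to).
New-TransportRule -Name 'Report internal to external mail (with BCC)' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -GenerateIncidentReport $ReportMailbox `
    -IncidentReportContent Sender, Recipients, Subject, Cc, Bcc `
    -Comments 'Journal-style BCC visibility for DLP review' `
    -Mode Enforce

# Steps 6 + 7 without Outlook rules: classify a report body by whether it carries a
# Bcc line with at least one address. The "Header: value" layout is an assumption
# made for the constructed samples; adjust the pattern to what your tenant emits.
function Test-ReportHasBcc {
    param([Parameter(Mandatory)][string]$Body)
    # Multiline, case-insensitive: a line starting with "Bcc:" followed by an address.
    return [bool]($Body -match '(?im)^\s*Bcc:\s*\S+@\S+')
}

# Constructed sample reports so the function can be exercised stand-alone.
$samples = @(
    "Sender: alice@contoso.example`r`nRecipients: bob@partner.example`r`nSubject: Q3 figures`r`nBcc: carol@external.example",
    "Sender: alice@contoso.example`r`nRecipients: bob@partner.example`r`nSubject: Hello`r`nBcc:"
)
foreach ($s in $samples) {
    $subject = ($s -split "`r`n")[2]
    '{0} -> BCC present: {1}' -f $subject, (Test-ReportHasBcc -Body $s)
}
```

Reports for which Test-ReportHasBcc returns $false are the ones step 7 would delete; keeping them all in the dedicated mailbox preserves the journal the article recommends.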

No shortcuts – we always need to be one step ahead.

Written by Eli Migdal – TowerWatch Solutions – CEO

*This article originally appears on Linkedin here*

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!


How To Protect Your Email Password From Hackers

*This article originally appeared here on LinkedIn*

In my previous article I showed how easy it is for hackers to get your Outlook & 365 password.

The method I showed requires the hacker to be on the same network as you (Wi-Fi or local), but usually hackers will use a much easier way to obtain your password:

Spear phishing & social engineering are very effective and, from my experience, work in many cases – they wait for you to be off your guard for a second and then they will get your email password (you will give them the password …).

There are several very easy steps that from my professional experience reduce the risk significantly:

The basics:

  1. Don’t be cheap: use a business-grade email solution like Microsoft 365 or Google Apps – you are paying for added security, traceability and support. The worst hacks I have seen are always with “free” email accounts such as Yahoo, Gmail and such, where you don’t have a real “point of contact” when you need help.
  2. Use complex passwords ([email protected]!) – don’t use the same password you use for other services!

Use the advanced features that the business-grade solutions offer you – use two-factor authentication (for more information, visit our 2-Form Authentication post for an in-depth look at this).

Use two-factor authentication – it will require you to provide another authentication via SMS / app and will make it MUCH harder for the hacker to hack your email account.

Both Microsoft and Google offer two-factor authentication solutions,

Microsoft 2FA

Google 2FA

and both of them will require you to provide a one-time password via SMS / app when you log in.

Both of them also support “app passwords” that provide a one-time password for your app (such as Outlook). This is very useful to avoid the type of “Man in the Middle” attack I showed in the previous article.

Generally speaking, hackers usually search for the “weak link” in the chain – don’t let it be you. Do whatever you can to make it complex for them so they will move on to another person / company.

Never say it won’t happen to you… when it does, it hurts more and you will regret not taking the basic steps to protect yourself and protect your email password.

Written by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)


12 Warning Signs Of A Phishing Email

The importance of online security is bigger than ever and, with criminals coming up with new and inventive ways to catch you, we must remain vigilant. Previously we have discussed how to defend yourself against phishing, but with increasingly clever tactics we thought we would highlight the ways you can sniff out a potential threat and detect the signs of a phishing email.

As you probably already know, phishing is the act of misleading you into giving away your sensitive information; from login details to your credit card information, there’s a wealth of data you don’t want falling into the wrong hands. The most popular way of phishing is via email, so we will be looking solely at this, but remember that cyber thieves can masquerade in a variety of different ways, so keep an eye out.

Here are the 12 signs of a phishing email that should throw up an immediate red flag.

  1. Email Address

Why is PayPal emailing you from [email protected]*? The correct answer is that they are not, and if a reputable company is not using its own server email or a recognizable email, then it’s definitely not them. If you are genuinely concerned and are expecting a similar email, do not reply to this one; go to the company’s website and find an email address or contact number of someone you can speak to, and deal with the query directly. Also, contacting the real company helps to raise awareness that someone is using their name to steal data, which they can then act upon by contacting customers legitimately, and this avoids anyone else getting duped.

  2. Unsuspecting Urgency

If something was really happening with your account then chances are you would have heard something, rather than a strange email out of the blue claiming that you MUST ACT NOW. If you aren’t expecting an email, then chances are it’s false and, again, you can always contact the company and check. This also stands for unrealistic threats that are suddenly imposed in the email: stop and think about this company and what they are LEGALLY allowed to do; if the threat doesn’t line up, it’s because someone is trying to use fear and intimidation to get you to click.

  3. Poor Language

In many instances phishing emails will have poor grammar or language and this could be because they were thrown together quickly with minimal spellchecking, because an automatic translator was used to quickly send to a variety of different countries or alternatively because the writer was writing in their second language. Although businesses can make mistakes, professional business emails are usually written by someone from your own country or at least spell checked and proof-read so this can be a major giveaway.

  4. Asking For Money

Email marketing is strong for a lot of businesses or charities and although you may find you get newsletters and emails drawing your attention to the latest products or services, when was the last time a company asked you for a specific figure to immediately hand over? Even if they are sending you an invoice, most of the time this will be in the form of an attachment, with a legitimate invoice, reference number and contact details so you can always check it out. Asking for money is one of the telltale signs of a phishing email!

  5. Wrong Child Domains

A favourite trick is to create a child domain which involves having a domain underneath an original, meaning that the parent domain details are in the URL which is how they catch you out. For example, Information.Security.TowerWatchTech.com would be a child domain of our own website and this is clearly indicated if the parent domain is on the RIGHT-hand side due to the way DNS naming works. However, a spoof version of this would be TowerWatchTech.com.phishing.com but because the brand name is in the URL, you get confused into thinking it is legit. The best way to remember it is:

On the LEFT, I’m LOSING money

On the RIGHT, everything is all RIGHT

  6. It Asks You To Log In

Be wary of any email that asks you to log into an account direct from their email. Most companies will ask you to log in but will not provide you with a link, or will provide a generic link to their own website that you will recognise. Links are often disguised as a dummy website which records your login data! If you think it is from a reputable company the easiest thing to do is manually go to their website and log in the same way you usually do, the extra minute it will take you to do this is better than the hassle if you don’t.

  7. TGTBT

Too good to be true. At the end of the day, if someone randomly wants to send you a £million then it’s probably not your lucky day. Do you REALLY think that if you had come into that much money they would contact you via email? No, they would use several points of contact, (as unlikely as it is anyway) or official channels. If it sounds too good to be true, it probably is.

  8. Embedded Links

Linking content can be beneficial in an email, but it is also an excellent way to hide nefarious links! Many people don’t realize that embedded links can be checked by simply hovering over them (on a desktop computer) and seeing the actual link (rather than clicking on it!). Ask yourself if the link is reflective of the company you’re expecting; if it isn’t, then DO NOT CLICK ON IT, and definitely don’t click on it to “see what it does.”
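The child-domain rule from point 5 and the hover check from point 8 turned into a small defensive check, as an added example that is not from the article: it pulls every link target out of an HTML email body and flags any whose host does not end in the trusted parent domain, so TowerWatchTech.com.phishing.com is caught while Information.Security.TowerWatchTech.com passes. The trusted domain, the sample HTML and the function names are assumptions made for the example.

```powershell
# Added example, not the article's own code. Works on Windows PowerShell 5.1 and
# PowerShell 7; no modules required.

function Test-TrustedHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    $t = $TrustedDomain.TrimEnd('.').ToLowerInvariant()
    # "On the RIGHT, everything is all RIGHT": the trusted name must be the whole host
    # or sit at the end after a dot. The dot also rejects look-alikes such as
    # faketowerwatchtech.com, and towerwatchtech.com.phishing.com fails because the
    # trusted name is on the LEFT.
    return ($h -eq $t) -or $h.EndsWith('.' + $t)
}

function Get-SuspiciousLinks {
    param(
        [Parameter(Mandatory)][string]$Html,
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    $findings = @()
    # Simple anchor extraction: enough for the constructed sample, not a full HTML parser.
    $pattern = '(?is)<a\s[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $uri  = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += [pscustomobject]@{ Text = $text; Href = $href; Reason = 'unparseable link' }
            continue
        }
        if (-not (Test-TrustedHost -HostName $uri.Host -TrustedDomain $TrustedDomain)) {
            $findings += [pscustomobject]@{
                Text   = $text
                Href   = $href
                Reason = "host '$($uri.Host)' is not under $TrustedDomain"
            }
        }
    }
    return $findings
}

# Constructed sample email body: one genuine child domain, one look-alike that puts
# the brand on the left of a foreign parent domain.
$sampleHtml = @"
<p>Please <a href="https://Information.Security.TowerWatchTech.com/login">sign in</a>.</p>
<p>Or use <a href="http://TowerWatchTech.com.phishing.com/login">TowerWatchTech.com</a></p>
"@

Get-SuspiciousLinks -Html $sampleHtml -TrustedDomain 'TowerWatchTech.com' | Format-Table -AutoSize
```

Only the second link is reported; the Text column shows the brand name the reader would have seen, next to the Href they would actually have visited.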

  9. Lack of Personal Info

This doesn’t always work as some criminals are getting more sneaky but a lot of the time, legitimate brands or businesses with your email address will use at least your first name, if not your first and second. “Valued customer”, “friend” or “client” are all ways of saying “I don’t know your name but I am going to pretend to anyway” and should be avoided, particularly if they are asking you to share personal information.

  10. Naked Signature

A business, brand or professional will sign an email with more than just a name at the bottom; even if it is a generic email, it will still have “The Team” with contact information or website addresses underneath, because it’s a marketing tool. Giving out as much information as possible so that customers can contact you and potentially turn into a sale is good business practice, so be wary of any “business” that is not willing to share that information; a name-only signature is a good way of spotting this.

  11. Header Name

The header name can be typed in freely; the email address cannot be changed, so ignore the header name and go straight to checking the email address. Always click the little arrow to look at the address as a first point of contact. A lot of the time people don’t realise you can, and that is why few emails will actually cover this up, so you can save a lot of time and heartache by dealing with this first.

  12. Unexpected Attachments

Always double-check before you click on an attachment, particularly those that you aren’t expecting, have strange names or aren’t mentioned in the email itself. This tactic plays on curiosity to see what it is, and that is how they will get you! Normally, the sender will tell you what is attached, why, and how it is relevant to you so that you know what you are looking at. The first warning sign of a phishing email is when they don’t tell you, and the second is when they tell you it contains irrelevant information or info they could have just written in the email. If something sounds suspicious, don’t open it.

Find out what to do if you accidentally click in our “Defend Yourself Against Phishing” article, or check out our Information Security services to see how we can help you protect your business’s data.


Making sure You’re Protected From RANSOMWARE Attacks

All Disaster Recovery plans include ways of dealing with fires, floods or earthquakes, but do not mention RANSOMWARE attacks – why is that, and what should you do if you want to be protected?

This article includes:
1. Defining RANSOMWARE as a disaster
2. How to avoid getting infected by RANSOMWARE programs
3. How to deal with an infection after it has happened
4. Structure of backup and fast replication systems
5. Conclusion

It may come as a real surprise to most of us that many major organizations and companies have high-quality DR/BCP plans that do not include preparedness for RANSOMWARE attacks.
Disaster recovery planning usually gives a sufficient response to events caused by natural disasters (such as massive floods, fires etc.) or even to events caused by human error or malicious actions. At the same time, the possible damage from a RANSOMWARE attack is frequently left by the wayside, with IT departments not assuming full responsibility for the consequences of such events.
Is a RANSOMWARE attack a disaster event? In my professional opinion, it is, and very much so. The definition of a disaster event in the IT environment should be driven by the event’s business impact and by the level of downtime the organization experiences because of it.
I am convinced that RANSOMWARE attacks should be defined as disaster events, since they can frequently cause a total shutdown of the organization; there is therefore a need to plan for this kind of attack just as for any other significant disaster.
RANSOMWARE attacks have already caused widespread damage to various organizations, including major hospitals, causing financial damage as well as endangering human lives. This proves once again that RANSOMWARE attacks should be classified as disaster-level events and dealt with accordingly.
Having concluded that dealing with RANSOMWARE attacks should be part of your Disaster Recovery (DR/BC) plan, we need to know how to prepare for it.

How to prevent being infected by RANSOMWARE

This is a theme for an entire separate essay, but these are the main steps every organization should undertake on this issue:
1. Raising the awareness of personnel to the dangers of such an infection
2. Reducing the number of Admin authorizations to the absolute minimum, and making sure that those authorizations are given only to the employees that really need them
3. Control over software inside the office: you need to work on a strict WHITELISTING basis, so that only pre-authorized applications can run on your company’s IT network (mapping all the software inside the company may take time, but it is worth it)
4. Blocking applications from running in sensitive locations such as APPDATA
5. Blocking all scripts throughout the organization except the whitelisted ones
6. Using anti-virus software with features that provide protection against RANSOMWARE; anti-virus programs without those features cannot be considered worthy of the name

Nowadays there are more steps to be taken, of course; I will describe them at length in a separate, forthcoming article.

How to deal with RANSOMWARE infection

This chapter is the most relevant to the issue, as it is only a matter of time until your organization is hit by a RANSOMWARE attack. IT professionals have to be fully ready for the “day after” that follows such an event. The process of dealing with a RANSOMWARE attack should be part and parcel of your DR planning.
In my professional opinion, the best way to deal effectively with such an event is to ensure fast restoration of your data and servers, together with an immediate forensic investigation that will help locate the way your organization got infected in the first place.
The decision on whether to initiate restoration of a file, a folder/directory, a server or a whole server cluster has to be taken according to the level of infection and its influence on the company’s operations. There is a need for a clear Rule Book that defines when to step up from restoring a single file to restoring the whole server. In such situations there is usually not enough time to deliberate on the possible consequences for the company; the best way is to operate according to a clearly delineated Rule Book, compiled from calculations and projections made well before the emergency occurs.
My professional experience has exposed me to multiple cases in which organizations lost precious hours or even days trying to figure out in real time “what to do” instead of “doing it”.
This is when the proven Disaster Recovery Plan methodology should kick in and save the besieged organization: employees and managers work according to pre-approved, clearly defined and pre-tested process stages. All employees should know their roles in the process well, what to do and when; this will result in the company quickly returning to routine full-capacity operation.
Below you can find a concise template of a Disaster Recovery process for organizations dealing with RANSOMWARE attacks:

  1. RANSOMWARE identification: the identification can come from a server monitoring system, or from HELPDESK staff who get complaints from users about files or folders that “do not open/do not work”
  2. Absorbing the information about the infection and performing the initial analysis of the event: which files are affected, in which department and in which directories; this will help to identify the computer that was the source of the infection
  3. Isolating or detaching the affected sector of the company’s IT network so that further infection is prevented
  4. Making the decision on the crucial question of whether to restore only certain files/directories or the whole server/server cluster; this decision should be taken by the appropriate manager according to the indicators projected in the DR plan
    1. Usually the trigger indicators are defined as follows:
      1. If the infection is found in one separate department/unit and just a few files are infected there, only those files, or the folders containing them, need to be restored
      2. If there are indications that the server itself (its system files or databases) has been infected, then the whole server needs to be restored
    2. Every manager and employee of the affected department should understand clearly what his role is in the process, as defined by the DR plan
      1. All team members should undergo training and simulations for the DR process
  5. If the process of full server replication is initiated, good back-up and recovery tools such as VEEAM can provide very fast Instant Recovery capability, especially when it is possible to define a SNAPSHOT back-up procedure with hourly recurrence, so that you never lose more than the latest hour’s work
  6. You will be able to bring the affected server back to operational status while still accessing the infected version in a SANDBOX mode, so that you can manually extract some of the freshest data from it
  7. After the restoration process is complete, you need to evaluate the situation, making sure that:
    1. There are no more affected files
    2. The source of the infection has been identified and isolated
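Steps 1, 2 and 4 of the template above (spotting the infection, working out which files and departments are hit and who the likely source is, then applying the Rule Book triggers) can be turned into a repeatable triage script. The following is an added example written for this article, not code from the author or from any product he names. It runs over a constructed file-server listing; the share layout `\\fs01\<department>\...`, the "encrypted" suffixes, the ransom-note names and the threshold of 25 files are all assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed file-server listing: (UNC path, account that last wrote the file, last write time).
# The \\fs01\<department>\... layout is an assumption; no real incident data is used.
SAMPLE_LISTING = [
    ("\\\\fs01\\Finance\\Q3\\budget.xlsx.locked",        "alice", "2024-05-02T09:01:10"),
    ("\\\\fs01\\Finance\\Q3\\forecast.docx.locked",      "alice", "2024-05-02T09:01:12"),
    ("\\\\fs01\\Finance\\Q3\\readme_to_decrypt.txt",     "alice", "2024-05-02T09:01:15"),
    ("\\\\fs01\\Finance\\Invoices\\inv-1001.pdf.locked", "alice", "2024-05-02T09:02:40"),
    ("\\\\fs01\\Finance\\Invoices\\inv-1002.pdf",        "bob",   "2024-05-01T16:20:00"),
    ("\\\\fs01\\Finance\\Q3\\notes.txt",                 "bob",   "2024-05-02T08:30:00"),
    ("\\\\fs01\\HR\\Policies\\handbook.docx",            "carol", "2024-04-28T11:00:00"),
]

# Illustrative indicator lists (placeholders, not a threat-intelligence feed).
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.html"}
ENCRYPTED_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Shares that count as "the server itself" (system files, databases) in the Rule Book.
SERVER_LEVEL_SHARES = {"sysvol", "databases"}


@dataclass
class TriageReport:
    affected: List[str] = field(default_factory=list)
    by_department: Counter = field(default_factory=Counter)
    suspected_source: Optional[str] = None   # account whose writes produced most affected files
    first_seen: Optional[datetime] = None    # earliest write of an affected file
    server_level_hit: bool = False           # system files or databases touched


def split_unc(path: str):
    """Return (top-level share, lower-cased file name) for a \\\\server\\share\\... path."""
    parts = path.strip("\\").split("\\")
    return parts[1], parts[-1].lower()


def is_affected(filename: str) -> bool:
    """Step 1: a file is flagged if it is a ransom note or carries an encryption suffix."""
    return filename in RANSOM_NOTE_NAMES or filename.endswith(ENCRYPTED_SUFFIXES)


def triage(listing) -> TriageReport:
    """Step 2: group affected files by department and pick the most likely source account."""
    report, writers = TriageReport(), Counter()
    for path, writer, written_iso in listing:
        share, name = split_unc(path)
        if not is_affected(name):
            continue
        when = datetime.fromisoformat(written_iso)
        report.affected.append(path)
        report.by_department[share] += 1
        writers[writer] += 1
        if report.first_seen is None or when < report.first_seen:
            report.first_seen = when
        if share.lower() in SERVER_LEVEL_SHARES:
            report.server_level_hit = True
    if writers:
        # The account that wrote most of the encrypted files points at the workstation to isolate (step 3).
        report.suspected_source = writers.most_common(1)[0][0]
    return report


def rule_book(report: TriageReport, few_files: int = 25) -> str:
    """Step 4: the two trigger indicators from the article, plus one assumed escalation rule."""
    if not report.affected:
        return "no-action"
    if report.server_level_hit:                       # server system files or databases infected
        return "restore-server"
    if len(report.by_department) == 1 and len(report.affected) <= few_files:
        return "restore-files"                        # one unit, just a few files
    return "restore-server"                           # assumption: several units or many files escalate


if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print(len(r.affected), "affected files in", dict(r.by_department))
    print("suspected source:", r.suspected_source, "first seen:", r.first_seen)
    print("rule book decision:", rule_book(r))
```

The decision thresholds are deliberately parameters: the article's point is that the numbers are agreed and written down before the emergency, so that on the day the script (or the person running the Rule Book) only has to apply them.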


Structure of Back-up and Restoration System

As could be seen in the preceding chapter, protecting yourself from RANSOMWARE attacks is based mostly on thorough back-up and fast, effective restoration.
Every organization has to make sure that it has the following:

  1. Full back-up at hourly, daily, weekly, monthly and annual level
  2. Offline/Offsite back-up capability. Offsite back-up should include historical versions of your data; a separate back-up file created during each back-up session can be considered an Offline back-up. It can be done in several sites; my recommendation is to use Cloud services, which are perfect for the purpose
    1. No, there is no need to return to the era of back-up tapes
    2. It is also possible to ensure that there is no overlap of authorizations, so that the back-up system can read data from the Production system but not vice versa (so that RANSOMWARE would not be able to infect your back-up system)
    3. Nowadays we have numerous solutions for Offline/Offsite back-up; I would certainly recommend utilizing Cloud solutions such as AWS and Azure
  3. The organization should implement a high-quality Backup and Replication solution such as VEEAM; experience shows that this product can save IT networks from destruction or massive damage
    1. It allows for fast and efficient back-up
    2. It provides for back-up through separate PROXY servers; this increases the back-up speed and also adds to the level of system segregation
    3. Back-up at the level of Virtual Machine/Host greatly reduces the possibility of severe malware infection
    4. VEEAM uses an Always-On approach, which is essential in the current threat environment
    5. It is very important to keep VEEAM back-up copies at an Offsite location; there is no real DR without that
  4. There is a need to invest in a separate solution for Offline file back-up (below the threshold of server/server cluster) which backs up files with Unlimited Version History; there are solutions like CrashPlan that, while not enabling fast recovery, do allow an unlimited number of versions to be saved
  5. You will need to enable Volume Shadow Copy; in most cases it ensures quick recovery of affected files (otherwise RANSOMWARE will infect those as well)
  6. You need to make sure that the back-up structure is designed and implemented correctly for data integrity
    1. Back-up of SQL systems should be performed at the highest possible resolution (every 15 minutes) at the data level, and at an hourly rate on the VM level; this way you will be protected even in cases of deep and widespread infection
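Two of the points above are worth seeing as concrete arithmetic: the hourly/daily/weekly/monthly/annual tiers (item 1) and the difference between 15-minute SQL back-ups and hourly VM snapshots (item 6.1, and item 5 of the DR template earlier, which promises that you never lose more than the latest hour's work). The block below is an added example written for this article, not the author's code and not a VEEAM or CrashPlan feature. It builds a constructed timeline of restore points, picks the last clean point before the first sign of infection for each tier and reports the work lost, and prunes the timeline with a grandfather-father-son scheme; the retention counts (24 hourly, 30 daily, 12 weekly, 12 monthly, annual kept for ever) are assumptions, and the monthly horizon is approximated as 31-day months.

```python
from datetime import datetime, timedelta


def restore_points(start_iso, end_iso, minutes):
    """Constructed timeline: one restore point every `minutes` from start to end inclusive."""
    t, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    step, points = timedelta(minutes=minutes), []
    while t <= end:
        points.append(t)
        t += step
    return points


def last_clean_point(points, first_infection_iso):
    """Latest restore point taken strictly before the first sign of infection, or None."""
    limit = datetime.fromisoformat(first_infection_iso)
    clean = [p for p in points if p < limit]
    return max(clean) if clean else None


# Back-up tiers from the article: hourly VM snapshots and 15-minute SQL data-level back-ups.
TIERS = {"vm": 60, "sql": 15}


def restore_plan(first_infection_iso, start_iso, end_iso):
    """Per tier: the restore point to roll back to and the work lost since it, in minutes."""
    infection = datetime.fromisoformat(first_infection_iso)
    plan = {}
    for tier, minutes in TIERS.items():
        point = last_clean_point(restore_points(start_iso, end_iso, minutes), first_infection_iso)
        plan[tier] = {
            "restore_point": point.isoformat() if point else None,
            "data_loss_minutes": round((infection - point).total_seconds() / 60, 1) if point else None,
        }
    return plan


def gfs_retention(points, now, hourly_hours=24, daily_days=30, weekly_weeks=12, monthly_months=12):
    """Grandfather-father-son pruning over the article's hourly/daily/weekly/monthly/annual tiers.
    Returns the set of restore points that must be kept; anything else may be recycled."""
    keep = {p for p in points if now - p <= timedelta(hours=hourly_hours)}

    def newest_per_bucket(key, horizon):
        buckets = {}
        for p in points:
            if now - p <= horizon and (key(p) not in buckets or p > buckets[key(p)]):
                buckets[key(p)] = p
        return buckets.values()

    keep.update(newest_per_bucket(lambda p: p.date(), timedelta(days=daily_days)))
    keep.update(newest_per_bucket(lambda p: p.isocalendar()[:2], timedelta(weeks=weekly_weeks)))
    keep.update(newest_per_bucket(lambda p: (p.year, p.month), timedelta(days=31 * monthly_months)))
    keep.update(newest_per_bucket(lambda p: p.year, timedelta.max))   # annual copies are never pruned
    return keep


def retained_iso(points, now_iso):
    """Sorted ISO timestamps surviving the pruning pass, for easy inspection."""
    return sorted(p.isoformat() for p in gfs_retention(points, datetime.fromisoformat(now_iso)))


if __name__ == "__main__":
    # Constructed scenario: infection first seen at 09:31:10 on 2 May 2024.
    print(restore_plan("2024-05-02T09:31:10", "2024-05-01T00:00:00", "2024-05-03T12:00:00"))
    timeline = restore_points("2024-05-01T00:00:00", "2024-05-03T12:00:00", 60)
    print(len(timeline), "points,", len(retained_iso(timeline, "2024-05-03T12:00:00")), "retained")
```

Running the constructed scenario shows the point of the two tiers: the hourly VM snapshot rolls back to 09:00 and loses about 31 minutes of work, while the 15-minute SQL back-up rolls back to 09:30 and loses just over a minute. The pruning function is what the "historical versions" requirement in item 2 means in practice: the retained set is what the offsite copy must hold, and the one-way authorization in item 2.2 is what keeps that set from being encrypted along with Production.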

If your systems still run in a physical / non-virtual machine environment, this is the time to change that and advance to virtualization: when your system operates as a VM, there are many more possibilities for fast, assured back-up and Restoration!
Most organizations nowadays have no justification for not working with a virtual system; usually the reason for not advancing is the difficulty and complexity of replacing Legacy systems, which are especially susceptible to RANSOMWARE attacks and other major malfunctions.

Conclusions:

1. RANSOMWARE attacks should become an integral part of your DR plan
2. Your team has to be trained and ready to deal with those attacks
3. The foundation for an effective and fast solution to such attacks is a fast back-up and restoration system
4. It is much easier to protect a fully virtual environment; do not hesitate to start moving from a physical to a virtual environment

Prepared by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)

Visit our Information Security page for more information on our services.