When did you last run a computer virus scan—or even think about it?
In recent years, the data security profession has flourished, and some common vulnerabilities have been automated away. Unfortunately, newer, more insidious viruses and other malware are emerging just as companies are facing pandemic-related shortages of cybersecurity experts and as more employees are operating under less secure, work-from-home conditions.
Many of the worst incidents of the past year have been ransomware attacks, in which hackers take control of a company’s network, lock the users and administrators out, and demand ransom payments in bitcoin—often amounting to millions of dollars, as in the May 2021 shutdown of the Colonial Pipeline, a vital fuel conduit for the eastern United States. But ransomware is only one type of malicious software.
Malware is an umbrella term for a range of malicious software designed to invade digital devices or networks. The intent generally is to disrupt business, destroy or steal data, steal money from online accounts, hijack systems to execute illicit functions such as mass-distributing spam email, or extort money from the owner of the infected system.
A virus (software designed to spread from computer to computer, often through email, messaging, or social media) is only one type of malware. Other broad classes include:
Worms: Malicious code that proliferates by burrowing into address books, contact lists, and other files containing email addresses. It then sends copies of itself to the found email addresses, generally spoofing recipients by using one of the contact names it finds in the account’s From field.
Trojan horses: Malware that hides inside seemingly legitimate programs (a key reason your IT department insists that you avoid downloading “freeware” utilities like file-conversion tools from websites). “Trojans” generally are designed to enable the hacker to get past systems that protect computers or networks from intrusion.
Rootkits: Malware designed to give a remote hacker control over your device.
Spyware: Malware designed to track your online activity (or even keystrokes), steal data from your system, or redirect your browser to rogue websites. Adware is a type of spyware designed to harvest data used to target ads to you.
Rogue software: An old-school hack is to install software on your device that throws up messages to convince you that your system is virus-infected, directing you to buy a bogus product to remove the virus.
Fileless malware: Not all malware installs malicious files on your device. Fileless attacks alter files that are part of your operating system, files that are then seen as legitimate by the rest of your OS.
Bots: Programs that can be triggered remotely to perform some programmed task. The technique has legitimate uses, but hackers can infect thousands of devices with bots that swarm together into a botnet, a network of infected computers that execute mass exploits that can cause large-scale service interruptions or enslave computers to serve ads or mine bitcoin.
Unless the goal is to shut you out of the system, as in the case of ransomware, hackers try to make it hard for you to know you have been infected. Signs of malware intrusion tend to be performance-related: Your system will behave sluggishly. Software may be slow to load, act strangely, or crash frequently. You may see unfamiliar pop-up messages (typically disguised to look legitimate). Or colleagues may ask you about suspicious emails coming from your account.
Among the many classes of malware, viruses are among the oldest and most diverse. They are distinctive in their ability to infect other programs with their code.
Viruses date back to 1982, when the first was coded to infect the Apple II. Since then, many virus types have evolved:
Boot sector virus: One of the earliest types, boot sector viruses were commonly transmitted via floppy disks, but they can be delivered by newer media such as flash drives, via the hard disk’s master boot record. They then hide in the partition table of the hard disk. The objective generally is to destroy data by destroying the drive.
Direct action virus: A virus that infects and corrupts all files that are in folders in the autoexec.bat path, a component of Linux, DOS, and older Windows systems. After infecting its targets, it erases itself. This type of virus is fading out as enterprises move on from these older operating systems.
Multipartite virus: A virus that attacks both the boot sector and executable files in multiple nonconcurrent processes. It is hard to detect and hard to eradicate. It typically destroys files and consumes huge amounts of memory.
Polymorphic virus: A virus that evades detection and removal by constantly evolving, changing its form, algorithm, and encryption each time it executes.
Web scripting virus: Usually spread via ads on websites, these viruses insert malicious code into webpages.
The COVID-19 pandemic has driven the global adoption of remote work as a new, potentially transformative norm. But remote work also represents a golden opportunity for cybercriminals, who have found employees working from home, under loose supervision, to be soft targets for hacking. Hackers are using increasingly novel, sophisticated tools. But more mundane exploits, including old–school malware and social–engineering methods such as phishing and vishing, are seeing a resurgence as remote employees or contractors—preoccupied with work (and other distractions) and inexpert in cybersecurity—prove vulnerable.
Mid-level employees have difficulty thinking of themselves as targets for industrial spies or state-sponsored cyberspies. Construction firms have also been targeted by hacks and ransomware attacks. The manufacturing industry, long considered lax in its cybersecurity standards in comparison to other industries, had by 2020 become the second-most targeted industry for ransomware and data-theft exploits, after financial services.
Unfortunately, the American Architecture Association warns, malware has become a particular problem for architecture firms, where the internal perception is often that these companies don’t harbor data that would be of interest to data thieves. But, of course, any professional services firm is likely to have or transmit clients’ sensitive data, and any firm can become a vector for email- or messaging-driven malware. Companies have been attacked indirectly through vulnerabilities hackers discovered among the suppliers, consultants, technology service providers, and other actors in the targeted company’s supply chain. The liability risk alone justifies investment in data security tooling and staffing, as well as in building and sustaining a cybersecurity culture across the organization.
The professional service firm Deloitte recommends keeping up with developments in cybersecurity technology by employing tactics such as host checking (verifying the security posture of an endpoint device before authorizing access to corporate information systems). Data security increasingly incorporates machine learning and artificial intelligence, borrowing from the toolbox of technology firms focused on detecting financial crime, fraud, and money laundering. Technology investments are often attractive during periods when human expertise is hard to come by. But equally important are effective governance, policies, and training. Here are eight ways for both employers and employees to fend off malware attacks before they happen.
1. Start with awareness and training. Build cybersecurity awareness across your organization, focused on sending/receiving email and other communications (with or without attachments) and heading off social-engineering exploits such as phishing. Conduct regular, mandatory security training for employees, including periodic updates as new exploits and malware are discovered.
2. Make a plan. Develop and maintain an incident response plan focused on serious attacks and focus specific training on compliance with that plan. Many companies now require that their vendors and professional service providers have such plans in place and document their cybersecurity practices; it’s not unusual to insist on auditing suppliers’ cybersecurity practices.
3. Test your vulnerability. Truly proactive enterprises conduct regular vulnerability tests to find weak points in their IT infrastructures and crisis-simulation exercises for their employees. This type of testing often is performed by contractors with specific expertise in finding such weaknesses.
4. Strengthen your physical security. When implementing a cyber security program, consider how secure your office space is as well. Bad actors could follow employees into the building to steal printed documents, or even to install malware onto unattended laptops. Consider implementing badge access to your building’s entry points and train employees on how to handle visitors to the office.
5. Consider insurance. Many companies have invested in cyber insurance. “First-party coverage” insures against the consequences of direct cyberattack; “third-party coverage” protects against liability claims in the event that a cybersecurity incident is traced to a breach of your company’s systems.
6. Use a strong password. Each account you have should have a unique password, avoiding common phrases or strings of numbers. Don’t use personal information that can easily be found online, such as your birthday or the name of your pet. If you use the same password across multiple accounts, and it is discovered, you can be hacked quickly.
7. Take personal responsibility. If you’re working from home, especially if you’re using your own devices, understand your enhanced responsibility to protect the company’s data and IT infrastructure. Install antivirus and anti-malware software, and keep it up to date. Your employer’s IT team may want to audit your data-protection practices; understand their concerns, and give them the time and access this requires.
8. Secure your home network. Protect your home network by changing the default password to something strong (using the recommended lowercase, uppercase, numbers, and symbols). This goes not only for your router, computer, and wireless devices but also for connected devices such as smart speakers, appliances, and even toys that access the internet through your wireless router. Encrypt your data; WPA or WPA2 encryption is most effective among common encryption protocols.
9. Avoid unprotected Wi-Fi. If you work in coffee shops or airports, never use unprotected public Wi-Fi. Set up a virtual private network (VPN) for Wi-Fi access, ideally a high-end VPN system supplied by your employer. Think you’re careful about what you click on and what personal information you reveal in emails or messaging apps? Be even more cautious on social media, a major vector for malicious code.
10. Scan and back up frequently. Set up your antivirus software to run regular scans and back up your files frequently. If your employer offers automated backup to the cloud, use it. If you absolutely must download a file, make sure your antivirus software scans it before you open it.
Antivirus software works by scanning the files on your system, looking for characteristics of known viruses; the vendor maintains a library of hundreds of thousands of malicious code types, from which it draws these digital earmarks. It is critically important to update antivirus software regularly, to maintain access to the most current library, as variants and new malware types appear regularly.
If the antivirus tool recognizes an infected file, or the virus itself, and if there is a straightforward way to remove the malicious code, it will do so. Or it will sequester the infected file in a quarantine folder. Not all viruses can be easily or cleanly removed. Some will require expert assistance. And no antivirus software is perfect or entirely up to date. Some newer viruses can evade detection. So if your system is behaving erratically or if you have suffered a data loss or system damage, it’s best to engage an expert consultant to diagnose the problem, remove the malware, and restore functionality.
The fundamental issue with viruses and other malware is this: Cybersecurity experts and IT departments are always playing defense. Sometimes an exploit, when deconstructed, will lead investigators to develop a general approach effective against a whole class of malware. But generally, the hackers have the initiative.
Vigilance is essential but expensive. Many organizations have trusted frequent data backups and insurance, basically accepting a cyberattack as inevitable. Software and system vulnerabilities can be addressed, but the process requires a commitment, both from the top down (effective governance, technology, and policy adoption) and the bottom up (best-practice adoption by employees). Today’s remote, relatively unsupervised workforces make that bottom-up commitment increasingly essential.
This article has been updated. It originally published in April 2014.
Peter Dorfman is a freelance writer, blogger, and consultant based in Bloomington, IN.
POV
AECO
Emerging Tech
