Thursday, May 19, 2016

Protect Yourself from Ransomware - Security Awareness Message for June 2016

Ransomware, Photo credit Carlos Amarillo / Shutterstock

In the past couple of months we have seen a growing number of ransomware campaigns targeting healthcare(1) and critical infrastructure(2). This month’s security awareness message aims to address questions staff may have about how to protect themselves at home and at work.  Feel free to use the following text to spread the message in your organization, and to create a culture of security:
“You may have heard about “ransomware” in the news, and how cyber-criminals are targeting commercial organizations by spreading malware.  Did you know that your home computer may also be at risk?  This malware, when it is installed, works by locking (or “encrypting”) all the files on the computer and any other files that it can find through shared folders, and then demands payment to unlock (or “decrypt”) these files.  The ransom money is used to fund organized crime, and further encourages the proliferation of these types of attacks.

Here are some suggestions for how you can protect yourself from ransomware both at home and at work:
  1. Always ensure that you have more than one copy of your important files.  That way if your hard drive is encrypted by ransomware you can wipe it clean and restore your files from backup.
  2. Keep your backups in a safe location, offline if possible.  Do not store backups on the same computer, or on a network drive that is always connected.
  3. Do not mount network shares or join a Windows Workgroup or Homegroup unless you absolutely need to.  Connect to the network share when needed, and disconnect when you no longer need access.
  4. Keep your operating system and application software up-to-date by checking for and installing patches.  Ensure that your antivirus software is up-to-date and running.
  5. Avoid logging in with administrator accounts.  Provision other users on your home computer with regular user access, not administrator access.
And, as always, your best defence is to never click on any link that you do not trust.
If you suspect that you have installed ransomware and your computer is being encrypted, then power off the computer immediately, disconnect the network cable, and call the helpdesk to report the incident and recover.”
Remember to include a link to your organization’s relevant policies for where and how to backup important company data on laptops and desktops, and reference the relevant sections
Here are some links to further reading:

Follow me on twitter @AM_Westgate  
Ann-Marie Westgate is a Sr. Information Security Consultant with Digital Logic Solutions Inc.  Please contact us for information on how we can make your security awareness program easy.

Security Training and Awareness - Creating a Culture of Security

What is the difference between IT Security Training and Security Awareness?

By planning for and providing for both Security Training and ongoing Security Awareness campaigns, your whole organization will benefit.

Flickr: Stfaiths Road safety training 009

Security Training

You already know that Information Technology (IT) security training is an essential part of an enterprise security program. It provides targeted instruction on your company’s security policies, procedures, and techniques and focuses on developing skills such as secure coding or using a security tool. Also, you can measure what your participants have learned. Was the training effective? Have the participants learned the material? Can they understand and apply the new ideas?
Conducted by knowledgeable instructors, effective training programs go beyond asking participants to read a document and attest to understanding and agreeing to comply. Some examples of security training include:
  • Annual Security Training for all employees, explaining the acceptable use policy and information security policy,
  • Data Protection Training to understand requirements for the protection of Personal Health Information (PHI) or credit card information,
  • Secure Development training for developers to learn secure coding practices, and
  • Contact Center Security training to prepare staff to detect and respond when they are a target of social engineering.

Security Awareness

Security awareness, on the other hand, is more about reinforcing general security principles, and drawing attention to a particular issue so that staff can respond accordingly. You can foster this culture of awareness through reminder messages that benefit the organization as a whole. Awareness campaigns complement training by reinforcing the company's policies, procedures, and practices covered in your targeted security training. Just as you remind young people to look both ways before crossing the street, these campaigns remind your colleagues to keep security threats front-of-mind, and to be aware of new and emerging threats.
In contrast to training programs, security awareness campaigns may be less formal in their delivery, and generally do not require you to collect evidence or evaluate the participants. According to NIST SP 800-50 “The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.”
Some examples of issues that you can highlight in your security awareness program are:
  • How to choose good passwords, and how to keep them secure
  • Piggy-backing (tailgating), and challenging those who do not use the door card readers
  • How to prevent computer viruses, and what to do if you are infected
  • Recognizing phishing emails, and remembering to click only trustworthy links
By combining Security Training with an ongoing Security Awareness program, you will help to create a culture of security and promote vigilance. In short, your organization will be better prepared to address the security of information and technology assets.
The protection of information and technology assets is as much a human issue as an IT issue. Take a moment to think about your own Security Training and Awareness programs. What formal training do you provide? Do you have a program of ongoing Security Awareness? What can you do better to create a culture of security?
If you enjoyed this article, please “follow me”. Stay tuned to my next segment where I will discuss some of the business drivers for Security Training and Security Awareness. Have anything else to add? Please post it in the comments below.
Ann-Marie Westgate is a Sr. Information Security Consultant with Digital Logic Solutions Inc. http://dlogic.ca
Further reading:
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf