In this fourth blog in the series, we look at Malware Prevention, following the guidance from the UK National Cyber Security Centre (NCSC). We explore how schools can ensure that the appropriate technical and organisational measures are in place in order to stop the installation or reduce the impact malware has on school users and the network. With each blog, we are building upon each stage of the NCSC’s 10 Steps to Cyber Security, and in turn, providing our independent recommendations, examples and guidance.
In our previous post, User Awareness - How To Help Your Users Protect Themselves & The School Network! we discussed how structured and regular training, alongside clear policies and procedures, can go a long way to stop some attacks in their tracks before they hit the network. This blog goes hand-in-hand with the above and provides schools with a greater understanding of how malware is introduced, the types of malware, and what else should be done to add another layer in a multi-layered approach to defence.
By following these recommended steps, you will be able to evidence that you are putting the appropriate mechanisms in place to reduce the possible introduction of malware onto your school’s network and have the policies and procedures in place to limit the impact should malware be unintentionally introduced. Keeping your anti-malware defences up to date and understanding how to best combat the various types of malware will demonstrate that the school is proactively working to eliminate or reduce the impact of a cyber attack.
What is Malware?
Malware (malicious software) comes in a variety of shapes and sizes. Understanding the various forms, and how they can be presented to your users, can help you reduce the likelihood of installation or the impact of a successful installation.
The type of malware that used to be frequently mentioned in the news and talked about between IT techies was the virus. However, the virus now makes up only a small percentage of malware in circulation and has been surpassed by ransomware and other malwares that can provide the attacker with a foothold on your network. There are some positives in this reduction as viruses are the only type of malware that infects a file, which can often lead to file corruption and the need for that file to be quarantined. On a good day you would get your file back and your anti-virus product would be able to clean or repair the file. More often than not, the quarantined file will need to be deleted.
As mentioned above, replacing the virus as the most commonly talked about malware is ransomware. We are hearing more and more in the general news, or through technical feeds, of data being held ransom by this malware type. These ransomware programs are often spread through social engineering, coming in the form of phishing emails with malicious attachments, or unofficial websites offering subscription/purchasable software or apps for free. Most of these free apps or software have a form of malware installed alongside the legitimate app. Once installed, in the case of ransomware, the program will seek out and encrypt users’ files. Then in most cases the user will receive a notification explaining that their files are locked and in order to unlock them a fee must be paid. Statistics show that this form of attack is on the rise with 25% of victims paying the bitcoins to release the files. The sad fact is that a percentage of users who pay still do not get their files back.
Worms & Trojans
Worms are less prolific on their own these days. However, what makes the worm so devastating is that they often arrive through an email and require no end user interaction to start propagating around the network. The worms are self-replicating and historically have spread rapidly once a system has been infected. The worm causes havoc by overloading users with messages, consuming system resources like memory and CPU, and ultimately causing e-mail servers, computer networks, and stand-alone personal computers to crash.
Whereas the worm often arrives and initially propagates whilst the user is blissfully unaware, the trojan tries a different technique. The trojan lies in plain sight and often presents itself as a legitimate program. It relies on the end user activating it; once activated, like most malware, it aims to inject or initiate the malicious code. The trojan is a common delivery mechanism for attackers who aim to infect your computer/network with ransomware, or install a malicious agent to allow a more sophisticated attack such as remote access. We have seen an increase in attacks on fee paying schools - most of these have started with a spear-phishing email with a malicious attachment that installed code allowing the attacker remote access to the network.
Adware and Malvertising
Most of us will be familiar with adware. Adware is software that redirects users to different websites, search engines or product pages. Other than being an inconvenience, adware programs are usually relatively easy to remove and cause no long term damage to files or operating systems. In some cases the adware is legitimate and installed as part of a genuine download. For example, application providers might provide a free app or piece of software with the idea of generating revenue from the advertising space they sell within their app. Whilst many of the ads that we see are legitimate, some are malicious and attackers have been known to buy advertising space on popular websites. These malicious sites, “malvertising sites,” look legitimate and may use the same tracking technologies to provide you with appropriate product advertising based on your search history. However, they lead to malicious downloads or links that ultimately are trying to get the user to unknowingly install malware. Usually these downloads will take the form of ransomware, cryptomining scripts, or banking trojans.
Are schools being targeted?
It is rare that a cyber attack on a school would make the news. However, with increased public interest in and awareness of data protection, a few such stories have come to the media's attention. The below are not isolated cases but provide an example of how a successful cyber attack can impact a school.
BBC report on how GCSE coursework lost in cyber attack
BBC report on how a school was targeted in fees phishing scam
At 9ine we have seen an increase in requests for support and guidance following cyber attacks which involve department-targeted spear-phishing, credential theft and even sextortion.
What are schools doing to prevent malware installation or propagation?
1. User awareness
Users are becoming more and more aware of the perils of clicking or downloading attachments in emails. However, regular training, infographics and school orchestrated phishing campaigns are a useful way of keeping this fresh in people's minds. Users should also be reminded that there are websites masquerading as legitimate entities or download sites that offer something that is often too good to be true - such as a free software download that should be purchased from an official vendor site. Users should be reminded to ask themselves:
- Would the sender of this email normally ask you to click a link or download a file?
- Are you expecting the email, attachment or link?
- Is the software you are downloading on the school's approved list?
- Should you be downloading the software? (or should you be logging a call with IT)
- Is the website the official vendor's site, or an unofficial download site?
- Are you downloading or clicking on a link from an unsolicited pop-up message?
2. Maintained and managed anti-malware
In the unfortunate event that a user has unintentionally installed or clicked on a suspicious link or file, you need to be confident that ALL your devices have up to date anti-virus (malware) definitions and security patches. Most malwares exploit known vulnerabilities in firmware, software and hardware. Keeping your systems and services patched is crucial to your school's defence.
When we conduct systems and security assessments on school sites, on average we find 2-5% of the school's devices are lacking the latest definitions or security patches. Sometimes it's a collection of laptops that have not been connected to the network for long enough, or there is an unresolved issue that is stopping updates or patches from applying. Other times it's a computer-aided design (CAD) machine or piece of hardware that's supporting an old technology that is running an unsupported operating system. Either way, it's these small security holes that allow the attacker, or the unintentionally downloaded malware, to compromise your network.
The NCSC strongly recommends that you do not continue to use unsupported operating systems or devices. You should upgrade to an operating system that receives regular security updates from the vendor, and regularly check on vendors’ support sites to understand how long a product will be supported for (review EoL - end of life notifications). During replacement or decommissioning the device(s) should have compensating security controls put in place, such as network segregation and enhanced logging and alerting.
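One way to find the devices described above is to audit an inventory export and separate the three causes: devices off the network, updates failing on connected devices, and unsupported operating systems. The following is an added example, not code from 9ine or the NCSC; the CSV column names, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; hostnames, dates and column names are made up.
SAMPLE_INVENTORY = """hostname,os,last_seen,definitions_updated,last_patched
OFFICE-PC-01,Windows 11,2024-05-20,2024-05-20,2024-05-15
LAPTOP-TROLLEY-07,Windows 11,2024-03-02,2024-03-02,2024-02-14
DT-CAD-02,Windows 7,2024-05-20,2024-05-19,2020-01-14
LIBRARY-PC-03,Windows 10,2024-05-20,2024-04-28,2024-05-15
STAFF-LAPTOP-12,Windows 11,2024-05-19,2024-05-19,2024-05-14
"""

# Assumed thresholds and lifecycle list; take real values from your own
# policy and from vendor end-of-life notices.
MAX_DEFINITION_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 35
MAX_OFFLINE_DAYS = 30
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows 8.1"}


def audit_inventory(csv_text, today):
    """Return ({hostname: [reasons]}, percent of devices flagged)."""
    findings, total = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        age = {col: (today - date.fromisoformat(row[col])).days
               for col in ("last_seen", "definitions_updated", "last_patched")}
        unsupported = row["os"] in UNSUPPORTED_OS
        reasons = []
        if unsupported:
            reasons.append("unsupported operating system")
        if age["last_seen"] > MAX_OFFLINE_DAYS:
            # Off the network: updates cannot have applied, so report the cause.
            reasons.append("not connected for %d days" % age["last_seen"])
        else:
            # Online but stale points to an unresolved update problem.
            if age["definitions_updated"] > MAX_DEFINITION_AGE_DAYS:
                reasons.append("definitions stale while online")
            if age["last_patched"] > MAX_PATCH_AGE_DAYS and not unsupported:
                reasons.append("patches stale while online")
        if reasons:
            findings[row["hostname"]] = reasons
    percent = round(100.0 * len(findings) / total, 1) if total else 0.0
    return findings, percent


if __name__ == "__main__":
    flagged, percent = audit_inventory(SAMPLE_INVENTORY, date(2024, 5, 21))
    for host, reasons in flagged.items():
        print(host, "->", "; ".join(reasons))
    print("%.1f%% of devices need attention" % percent)
```

Devices flagged as unsupported are the ones that need the compensating controls described above until they are replaced.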
3. Backup your systems and services
If one of your users downloads malware onto a device where the antivirus solution is not up to date and your files become corrupted, or in a worst-case scenario fall foul of ransomware, you will be reliant on your backups.
Some of the best advice is to follow the 3-2-1 rule when looking at successful backup solutions. Three copies of your data, over two mediums and one of these should be off-site. You need resilience within your backup solution itself and should not be reliant on a single backup to tape, NAS or another medium. You should ensure that you are confident that all your mission critical services and files are being backed up and that your disaster recovery plan is aligned to your school’s business continuity plan.
Successful, resilient backup is out of the scope of this blog - if you require advice, please contact us.
4. Defined policies, processes and procedures
Whether you have a single infected PC or a whole network that is in the midst of a ransomware attack, you need to have a robust set of policies and procedures in place. As outlined in the previous blog, this starts with the end user; do they know what they should do if presented with a ransomware demand? Do they know what to do if they suspect that they have downloaded a malicious file or entered their school credentials into a dummy site? Assuming that the end user has raised the alarms quickly enough to the incident response manager (IRM) / IT Team - what next?
Do you have the following?
- School Incident Management Policy, Process and Procedure
- School Breach Management Policy, Process and Procedure
5. Regular testing of all of the above!
Your users’ awareness and understanding, your anti-malware updates and distribution, your backups and resilience, and your policies and processes should be tested end-to-end regularly. This ensures knowledge and awareness is at the forefront of people's minds and that the school’s policies, processes and procedures are effective and regularly updated to be in line with the latest technical and organisational changes.
How can 9ine help?
9ine's Cyber Vulnerability Assessments, when paired with our Security & Systems Essentials subscription service, will provide your school with a comprehensive infrastructure and systems audit, the output of which will inform and shape your remediation, resource and investment plans.
Completing the Cyber Vulnerability Assessment, the annual cyber posture evaluation and the vulnerability scans, will provide your school users, governors/board with the confidence that you have the technical and operational measures in place to minimise the possibility or impact of a cyber attack.
Our evaluation is based on the NCSC 10 Steps to Cyber Security and the NCSC Cyber Essentials + accreditation. It also utilises the security standards from other recognised security frameworks and methodologies such as NIST and ISO27001, taking the most appropriate/best of breed recommendations from each. The organisational and technical assessment will highlight areas that are directly influenced by your users and will lead to supporting policy, process and procedure changes as well as security improvements of technical implementations.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.