We’ve been involved with multiple organizations in the past three weeks that have responded to a serious security incident that was exacerbated by a lack of up-to-date antivirus. Each case took a very different turn:
one required significant effort by the company, their IT vendor and a forensic analysis by CDI;
the second is looking at probably $100,000 in lost business and professional remediation services;
a third instance cost a hospital about 80 hours of IT work, and countless hours of lost productivity;
and the fourth business is trying to figure out how to pay $30,000 in Bitcoin, and how to stay in business.
The Common Threads
In each of these three cases, the company had premium, traditional antivirus, all from reputable vendors. However, in each case, at least one system, and in some cases many, were not properly protected. During the investigation of these companies, some systems had no antivirus, and some had out of date antivirus. In one case, the licensing had expired and the company was not receiving updates.
In all four cases, antivirus did not protect the systems and did not detect the issue. In two of the cases, Security Incident and Event Monitoring (SIEM) solutions detected and alerted on the problem AS IT HAPPENED. In the other two cases, hours or even days went by before someone noticed the issue.
In almost every case, an email phishing attack was the culprit. This reinforces the cliché that you’re only as strong as your weakest link.
What you should do
Here’s a checklist you should perform right now, before it’s too late:
Verify that your antivirus is licensed and up to date
Check every computer, including especially your servers, to make sure that antivirus is enabled for real-time protection and is up to date
If you have more than 10 PCs or servers, you should have a centrally managed antivirus solution that lets you see whether everything is up to date and protected (Symantec, TrendMicro and Sophos Central are good options).
Always PAY for antivirus. Free antivirus isn’t good enough. Trust us, your business depends on it.
Run Windows Updates
Again, if you have more than 10 machines, you should be using Windows Server Update Services (WSUS) or a similar product to centrally manage Windows updates (it’s free with Windows, folks!)
Remind every employee of the importance of using caution with emails and potentially dangerous websites. Limit casual web browsing.
Check your backups! Test that you can restore data.
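The first four checklist items can be scripted so you get an answer per machine instead of walking to each one. The script below is an added example, not something from Cyber Defense or from any vendor; it assumes PowerShell Remoting is enabled on each target and that you run it with local admin rights, and the computer names are placeholders.

```powershell
# Added example: audit antivirus and patch state across Windows machines.
# Assumes WinRM/PowerShell Remoting is enabled and the caller is a local admin.
# Computer names below are constructed placeholders.
$Computers = @('WS01', 'WS02', 'FILESRV01')
$MaxSignatureAgeDays = 3

$audit = {
    $r = [ordered]@{ Computer = $env:COMPUTERNAME; Product = 'unknown'; RealTime = $false
                     SigAgeDays = $null; Pending = $null; Issues = @() }
    # Microsoft Defender (Windows 10/11, Server 2016+). A third-party product
    # usually disables it, so we fall back to Security Center below.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        if ($mp.AntivirusEnabled) {
            $r.Product    = 'Microsoft Defender'
            $r.RealTime   = [bool]$mp.RealTimeProtectionEnabled
            $r.SigAgeDays = [int]$mp.AntivirusSignatureAge
        }
    }
    # Third-party AV registers in Security Center (workstations only; server
    # SKUs lack root/SecurityCenter2, which is why this is wrapped in try).
    if ($r.Product -eq 'unknown') {
        try {
            $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction Stop |
                  Where-Object displayName -notmatch 'Defender' | Select-Object -First 1
            if ($av) {
                # productState is a bit field; the byte offsets used here are widely
                # documented but not an official contract (assumption of this example).
                $hex = '{0:X6}' -f $av.productState
                $r.Product    = $av.displayName
                $r.RealTime   = $hex.Substring(2,2) -in '10','11'
                $r.SigAgeDays = if ($hex.Substring(4,2) -eq '00') { 0 } else { 999 }
            }
        } catch { }
    }
    # Pending Windows updates via the Windows Update Agent COM API.
    try {
        $searcher  = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $r.Pending = $searcher.Search('IsInstalled=0 and Type=''Software''').Updates.Count
    } catch { $r.Pending = -1 }
    if ($r.Product -eq 'unknown') { $r.Issues += 'no antivirus detected' }
    elseif (-not $r.RealTime)    { $r.Issues += 'real-time protection off' }
    if ($r.SigAgeDays -gt $using:MaxSignatureAgeDays) { $r.Issues += "signatures $($r.SigAgeDays) days old" }
    if ($r.Pending -gt 0) { $r.Issues += "$($r.Pending) Windows updates pending" }
    [pscustomobject]$r
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $audit -ErrorAction Continue
$results | Select-Object Computer, Product, RealTime, SigAgeDays, Pending, @{n='Issues'; e={ $_.Issues -join '; ' }} |
    Format-Table -AutoSize
```

Any row with a non-empty Issues column is a machine that would have fallen into the same gap as the ones in these four incidents; a machine that fails to answer at all belongs on the same list until you have checked it by hand.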
Over the next few weeks you should:
Look into “Next Generation Anti-Malware” products. These provide additional coverage beyond what the “traditional” antivirus companies provide.
Malwarebytes, Sophos Intercept X, Carbon Black, etc. all fall into this category
Perform phishing exercises and security awareness training
Call Cyber Defense if you are interested in such a product/service
Review, update, and tabletop your incident response plan
Get a copy of your backups off site. Preferably 30 miles away or more.
Call Cyber Defense with any questions. We’re here to help prepare you for a big incident, but we can also get you started if something bad does happen.
More to come
Over the next few weeks we’ll detail the stories of each of these incidents, how they happened, and how each business recovered.