A recent discussion on one of the many mailing lists I’m on brought to the fore an all to common and often misunderstood threat in social networking – malware.  Malware is the generic over arching term that describes programs that do things we wouldn’t otherwise want such as viruses, spyware, trojans, root kits, etc.  Malware is in a constant state of evolution driven by a profit motive and its focus on social networking has been a consistent one.  Social networking sites have been a common way to deliver malware and “toolkits” have been available to help even the most novice of “hackers’ create havoc on the Internet.  Trojan.Generic.3576478 (AKA Facebook Hackers Kit) is a recent example in a long slew of annoying & pernicious malware delivered via social networking.  My general recommendations for the average user are:

• Patch your machine and all associated applications (i.e. 3rd party applications).
• Get an anti-malware suite from any of the major vendors like Trendmicro, BidDefender, Kaspersky, Symantec, etc.
• Switch to the Firefox browser and read my article in CSO Magazine on making it even more secure.  Specifically NoScript.
• Shut off all email notification from any of the social networking sites of network invites, updates, etc.  In this way you know that any email you receive from them is fake.  Remember when you login to these sites you will still see those nifty notices of friend invites or emails.

None of these are a panacea but can help reduce your risks to some degree.

Oh, and if your a security geek like me you may enjoy the Social Media Security Podcast.

Potential for Operator Error
The average computer user isn’t as good at assessing the safety of their computing experience.  At no fault of their own they often fall prey to malware delivered via casual surfing, spam, emails, or even simple instant messages.  Configuring a system to allow for any average user to have Administrative rights in Windows (or root in Unix/Linux) makes it so much easier for your business and its infrastructure to fall prey to criminally minded hackers.  It allows all of the machines involved to execute any code they are give with those very same privileges.  This effectively makes it much easier for you machines to be infected by malware and potentially experience data loss/downtime.

Potential for Criminal Behavior – Insider Threat
When everything is allowed by default – expect the worst.  As odd as it sounds the risks to your company are very often greatest from your own employees.  Startlingly, according to a 2005 computer crime survey by the FBI, 44 percent of organizations reported insider attacks.  These came from often trusted employees who few expected would be a risk to their organizations.  This is why it is important to give users the LEAST privilege (to information/computing resources) they need in order to perform their job function.

Potential for Violations of Industry Regulations
If you do not explicitly forbid changes to your systems/networks configuration you will most certainly eventually fall out of compliance with associated regulation.  It can be assumed that is only a matter of time…

Least Privilege Makes Sense
In the most simplistic sense giving your employee Administrative privileges is like giving everyone in the office the keys to the safe and endless blank checks.  It just isn’t prudent and in the end will come back to haunt you in the form of real quantifiable costs.  Users should be regular domain users or local limited/restricted regular user account NOT administrators.  Utilizing the notion of least privilege will be a good step forward (among many) in mitigating many potential security problems.  This among a unified approach to computer security will save your organization time, money and head-aches.

Google/Stop Badware
Google, (in coordination with partners PayPal, Mozilla, Lenovo, AOL, VeriSign, Trend Micro and Consumer Reports WebWatch) are attempting to address this ever evolving problem with the Stop Badware project.  The project brings together industry, academia and volunteers who are dedicated to making the Internet a safer place.  With the involvement in this project Google is able to flag sites that might contain malware in your search results.

Validating or Reporting a Malware Site to Google
Thankfully, Google has a way to report a malware sites and have them removed from search engine results.

http://www.google.com/safebrowsing/report_badware/

Yahoo SearchScan
Yahoo is also currently in Beta testing of  McAfee SiteAdvisor to protect its search results from malware inclusion.  Just as in the case of Google you will see a warning that a site could potentially contain malware on the SERP (Search Engine Results Page.)
http://tools.search.yahoo.com/newsearch/searchscan

Validating or Reporting a Malware Site to Yahoo
To validate or report a site you can visit SiteAdvisor directly.  One can even join the SiteAdvisor community and make the web a safer place by reporting sites that propagate malware.  See http://user.siteadvisor.com/forums/register.php?do=register&agree=1

Reporting a Malware Site Elsewhere

If you find a malware site and want to take further action you have several options for reporting it.  If the site is inside the United States you can report it to the FTC or if the site is international you can report it to eConsumer.
FTC
https://www.ftccomplaintassistant.gov/

eConsumer
http://www.econsumer.gov/

Conclusion – Do your part
It is important to recognize that we face a never ending uphill battle with malware’s inclusion in the search engines. Criminals make billions from all of these crimeware activities and they are likely to evolve around any effort to thwart them.  As these sites are shut down millions more pop up elsewhere so it’s a never ending battle. No single search engine is immune to indexing these threats.  The good news is that we as upstanding members of the Internet community can report them have their sites shut down.  So I encourage you to take an active role by getting involved with these projects or report any suspicious sites you may find.  We all have a role in making our Internet a better place.

Disaster Recovery is no joke but for many firms it’s not taken seriously.  Organizations without a plan and calculated investment can suffer dire consequences.  Businesses risk serious financial and regulatory costs as well as the potential for insolvency.   Still skeptical?    Here are a few examples:

• Of companies that had a major loss of computerized records, 43% never reopen, 51% close within two years, and only 6% will survive long-term. (Cummings, Haag & McCubbrey 2005.)
• In the 1993 World Trade Center bombing, 150 businesses out of 350 affected failed to survive the event. Conversely, the firms affected by the Sept 11 attacks with well-developed and tested BCP manuals were back in business within days. (Howe School of Technology Management 2004.)
• In the case of fires, 44% of businesses fail to reopen and 33% of these failed to survive beyond 3 years. (IWS 2004.)

In the small business space it seems there are all to many I encounter which have NO plan. More painful still is that many don’t even backup critical business data. Why? Many are unaware of the true risk, are unaware of the potential costs or think it’s to expensive to implement a real DR (Disaster Recovery) effort.

One thing is clear from my 15 years in IT, DR is vital to the very survival of any businesses. A proper DR effort will bear fruits in many other places such as legal/regulatory compliance, cost reduction, increased security.

DR is not a destination or a static plan but a continual process. In my practice I endeavor to ameliorate this situation one client at at time.

In this series I detail how to build a customized next gen firewall solution that might cost you thousands more on a simple Intel box.  =)  So check it out!

IPCop – The Perfect Linux Firewall – Part 1

IPCop – The Perfect Linux Firewall – Part 2