OPINION / With Malware, everything old is new again

By Andy Hayter

If you look back through the history of malware, you can expect the bad guys to use special occasions such as holidays or major world events to trick unsuspecting end-users into doing something with dangerous consequences.

Take, for example, the CHRISTMA EXEC that was released on IBM-based VM CMS systems in 1987. It displayed a Christmas tree and message on “dumb” terminals. Following the instructions on the screen, those who received and ran the EXEC allowed it to send a copy of itself to all e-mail addresses it could find. In the 22 years since the infamous CHRISTMA EXEC, nearly every holiday, disaster or major world event has brought with it new malware.

The 2009 holiday season was no different. Sadly, exploiting end-users is as easy today as it was two decades ago.  

One change in the application of technology is the explosion of social media Web sites such as Facebook and Twitter that opened the world of online communications to many more people. Becoming a member of Facebook or signing up for a Twitter handle takes only a few minutes. The biggest shift is that the people signing up are audiences who never previously embraced technology in their lives, and therefore are lacking cyber-safety knowledge and education.

What may not be obvious when signing up for a social media site without reading the fine print is that it is the user’s responsibility to protect him or herself. These social media sites are a bit like the Wild West, where anything goes. Users should be skeptical about opening links and new applications. When in doubt, be wary of a Facebook application.

Twenty-two years ago when the CHRISTMA EXEC invaded corporate systems, they were relatively closed environments. Connectivity to the “outside” world did not exist like it does today with the Internet and the advent of social networking sites. Businesses face a dilemma that was not part of the enterprise-computing environment then. 

Allowing employees to access the Internet from their workplace computer also allows them to access social media Web sites from the office. While social media Web sites can be a valuable and professional tool, it is very important to establish policy on which social media sites employees are allowed to access, who is allowed to access them, and most importantly, to educate users on how to recognize potential cyber-threats.

While many employees access social media sites as part of their job, other employees may be accessing their favorite social media Web sites for personal reasons. If you allow unfettered access to the Internet (and I think it is a good thing), those charged with the company’s cyber-security programs and policies should run mandatory education programs to educate employees on cyber-security, cyber-ethics and cyber-safety. Show me a company that has an acceptable use policy limiting Internet access to business purposes only and I’d bet every single employee has at one time or another viewed a Web site that was not related to business. Perhaps it was simply to get the weather forecast.

What I don’t see happening when you sign up to participate in a social media Website is mandatory education on cyber-security, cyber-safety and cyber-ethics from the site itself. What the world needs now, besides “love, sweet love,” is to be educated in the responsible use of technology.

What can help users better protect themselves? You mean PC users can protect themselves?

Of course they can. But as we IT folks hear all the time: “Is it easy to do because I’m not a computer expert?” The answer: protecting your own computer is as easier than it has ever been. 

Here are some steps anyone can take. Hopefully your corporate IT staff has already taken care of this for you, but it is always better to be safe than sorry:

First, make sure that you have the option to receive and install automatic operating system updates enabled. This includes Mac users. Many of the threats that befall end-users can be prevented by simply keeping your operating system and key applications such as your browser “patched.”   Take the case of a recent virus called “Conficker.” This virus is preventable when the correct patch is applied to the operating system as is the case with the majority of other PC infections.

The second step is just as easy. Install an anti-virus product on your PC. A good practice is for companies to offer their employees a copy of the same product they use in the office for ALL their home computers.