
Protection from Ransomware

December 11, 2014

© 2014 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from Christian Computing Magazine

Malware has taken a new direction recently that, if you’re not protected, could cost you all of your data and a bit of money. And it doesn’t matter if you’re on a Windows or Mac computer. How can you protect your data and your organization’s?

The new category of malware is called ransomware because it holds your files for ransom. Some ransomware encrypts files, and some only locks files. In either case, you can’t get to your data unless you pay a fee, which may or may not work. Protecting against such malware, and having a plan in case an infection gets through to your data, is essential.

We recommend a multilayered protection plan that runs on your email system, at your firewall, on your servers, and on your computers. Specifically:

  • Protection for Your Email. Most malware is distributed via email. Believe it or not, about 85% of all email is SPAM, and a lot of SPAM has a goal of infecting your computer. A lot of SPAM also tries to phish for information to steal your identity… serious stuff! This is worth paying attention to!

    Most consumer-oriented email services (like Gmail) filter out a lot of the SPAM that comes into their system. But corporations that have their own email servers (like Exchange) need to have a good SPAM filtering solution in place to protect their system’s users. There are many solutions available, but in my firm’s research we concluded that Barracuda offers the best SPAM filtering solution. We strongly recommend that you check to be certain your email is being filtered to remove obvious SPAM.

  • Protection at Your Firewall. The second most popular malware distribution method is via infected websites. If a webhost hasn’t done their due diligence to protect those visiting the websites it hosts, then malware can be injected into otherwise legitimate websites and infect those visiting them!

    It is important, then, to have a firewall that monitors all incoming web traffic to stop malware from infected websites, in addition to stopping other threats like hackers and bots, etc. Once again, there are many solutions available to help in this area. For churches and ministries, the best balance of features and price is found in Dell SonicWALL firewalls. You can certainly spend more, but the additional features in more expensive solutions are rarely, if ever, used by churches and ministries.

    One of the features we really like in SonicWALL firewalls, by the way, is easy-to-configure web content filtering to keep inappropriate websites from being accessed through your Internet connections.

  • Protection for Your Computers. All desktop and notebook computers are at risk if something gets through those first two lines of defense. Notebooks are especially vulnerable because of their mobile nature, since they connect to the Internet when off-site and not under the protection of your firewall. Tablets are also more vulnerable if they have data storage ability (probably not iOS devices since their filing system is inaccessible).

    The solution we recommend for desktop and notebook computers is Sophos; it is capable and does not slow your computers down with burdensome routines. We recommend installing it on every Windows and Mac computer.

  • Protection for Your Servers. If something gets through your SPAM filter or firewall, your servers need to be protected. Every file that gets written to their hard drives should be scanned to ensure malware protection at that level. The solution we like most in that role is also Sophos.

Really? Macs too?
Yes! We see Sophos catch a number of pieces of malware on Macs every year! It is true that most malware is not able to exploit Macs (some can, but they’re a small percentage), but the Macs can become ‘carriers’ which can pass issues on to servers, etc.

Don’t Forget Backups!
One of the most important functions in IT is the protection of data and systems. If there’s a problem, there needs to be a way to get completely back up and running as quickly as possible. Backups are an essential piece of disaster recovery and business continuity strategies.

A client recently asked why we spec the backup solutions we do. It was a great question! Here’s my response, which you may find helpful:

First, let me say that anytime you get ten network engineers in a room and ask for the best way to do something, you’ll likely get at least ten different answers. That doesn’t mean they’re all wrong, just that based on each one’s experience a particular strategy has become their preference.

MBS’ Recommended Backup Strategies
We did some fairly heavy research not too long ago on the subject of backup systems. There are lots of possibilities, but we found that tape was still preferred by most of corporate America that had small-to-medium-sized networks, and even some very large systems like digital media archives. Here’s what we learned:

  • Large networks rely on SAN devices (Storage Area Networks) in larger onsite and offsite datacenters, and their replication capabilities make backups unnecessary. Those devices typically cost a minimum of $25-$30 thousand each, and larger units cost six figures. (Some people try to accomplish SANs on the cheap using Drobo and Buffalo drives, but they’re unreliable; in our opinion they’re not enterprise grade.) For our largest clients we recommend using SAN devices.
  • Online backup is good for restoring single files or folders, but is inadequate for restoring entire servers in a disaster. And disaster recovery is something that must be planned for. We recommend this strategy only for our friends’ home computers.
  • External hard drives seem like a good idea except that they have many moving parts that, when transported offsite (which should happen often as part of the disaster recovery plan), can, and often do, fail. The manufacturers will replace them under warranty, but without any data on them; not good if that happens during a disaster recovery scenario. We never recommend this strategy.
  • Tape technology continues to move forward in development. Our clients typically only need LTO5 or LTO6 (Linear Tape-Open) specs (1.5 TB and 2.5 TB native capacities), but LTO7 – LTO10 are slated for release. I’ll be surprised if they ever are, however, because an organization with that much data will usually be at the size where they’re investing in SANs.

MBS’ Datacenter
In our datacenter we use SANs that send their backups to another enterprise-grade device called a NAS (for Network Attached Storage) that has large capacity. We use that strategy in the datacenter because we’re not there to change tapes on a daily basis.

I hope you found this helpful and, best of all, that you’re in a safe place! If you have more vulnerability than you’d like, though, the fixes are reasonable in cost and fairly quick to implement.
