A friend rang me today to discuss how she and her husband had become the victims of an apparent keylogger attack, resulting in large amounts of money being taken from their bank account. Thankfully, once they reported the suspicious activity to their bank, their funds were recovered and the bank are now investigating the case themselves.
My friend rang me to see what extra steps they should take to ensure that the criminals could not do any more damage to them. I talked her through how to monitor their credit rating for suspicious activity and whether or not they should get their credit cards reissued.
Once that was finished I turned the conversation to how the keylogger got onto the PC in the first place. I was trying to ascertain how much protection was on her home PC, whether or not the anti-virus software was up to date, whether the PC's software was patched, and so on. A few minutes into the conversation she asked me why I was so interested in her home PC. I said “because I want to ensure it is clean of any malware and that the criminals don’t access your online accounts again with their keylogger software”.
The focus of the conversation changed quickly when she told me “Oh we don’t use our home PC for anything serious like online banking, we use my husband’s work PC for that because we know his company’s IT department will make sure the anti-virus and other security software is kept up to date”. Knowing that her husband was very senior in quite a large company I quickly asked “Have you contacted your husband’s company IT department to alert them that one of their PCs could have keylogging software installed on it?” The answer was a no, “we never thought we should as it was only our own bank accounts we were worried about. We did not think that sensitive company information could be at risk”.
Of course we quickly ended the call so they could contact her husband’s company and let its incident response procedures kick in to deal with any potential exposure. But thinking about the phone call, there are some important lessons to learn:
- As an incident responder, never assume anything. I fell into that trap by assuming it was a normal home PC that had been compromised and not a corporate PC.
- Have you got policies and procedures in place outlining what staff can and cannot do with company PCs? Or indeed policies regarding staff working on company data on their own home PCs.
- Do your IT processes and procedures include supporting home workers in the event their systems become compromised?
- How robust are your incident response processes, procedures and tools to remotely deal with a potential security incident? Especially when the PC in question belongs to a member of senior management.
- How robust are your security systems in updating and securing PCs and laptops that may only connect to the corporate network from time to time?
- Have you got controls in place to ensure that only the data staff need to work on is on their PC? Remember, even if you have encrypted the hard drive on the PC, full-disk encryption only protects data while the machine is powered off or locked: once the user has logged on and decrypted the disk, they, and any keylogger or other malware running on that system, have access to all the data in clear text.
- Have you considered forcing staff to only access sensitive data via a secure VPN or thin clients?
- Most importantly, are your staff trained and aware enough to recognise potential threats to your company’s information assets when they notice suspicious activity on personal services, such as online banking, that they access from their work PC?