
Did you click that Malware? It might not even matter

the danger of zero-click exploits

Barrett Dilger

Zero Click

We all know not to open emails from sketchy senders and not to click links sent via SMS from an unknown number. At least I hope we all know that. Doing so usually leads to some nasty results, with malware being installed. At worst, your data is stolen and even more criminal activity is targeted against you; at best, your device doesn’t work very well any longer.

So just don’t click those bad sources.

While that is sound advice and it keeps you safe from a plethora of threats being sent out in droves daily, it doesn’t keep you completely safe. Not every threat needs a click to be let loose.

These are aptly named Zero-Click Exploits.

They might also be referred to as Zero-Click Attacks or Zero-Click Malware. It’s all the same thing. You’ll note the common descriptor there is “Zero-Click,” which clearly means you don’t have to click anything. Zero-Click Malware doesn’t need you to click it to unleash its infection. That’s why it’s a major issue.

Zero-Click Malware is not new.

Zero-Click Malware has been around for a while. What sets it apart is that most attacks today use social engineering, invoking a false sense of security to get the targeted person to take some action. Zero-Click attacks usually target apps instead, exploiting vulnerabilities in their code. Messaging and calling apps are popular targets because they are designed to receive and interpret data from outside sources. It’s that outside data that injects malware into the app and compromises both the app and the device it is installed on.

Some prominent examples: Apple iMessage was exploited and used to spread spyware in 2021. WhatsApp had its security breached when spyware was injected into a missed call communication. Famously, Jeff Bezos’ iPhone was compromised by a WhatsApp attack, and his information and conversations were monitored and leaked for months.

This brings up one of the major dangers of Zero-Click exploits. They are really hard to detect, and you probably won’t know that you are infected for months or more. That’s why the dangers tend to be long-running rather than immediate: things like data theft, spyware, cryptocurrency mining, and using your device to launch attacks against others. Those are on top of the usual set of threats like hijacking your accounts and ransomware.

How to protect against Zero-Click Malware.

To protect yourself from zero-click exploits you need to put some thought into your security. Part of this will require constant awareness and part of this will also require a multi-layered security approach.

The good news is that a lot of this is standard when it comes to security, so it doesn’t only protect you from this one kind of threat, but multitudes of them. It’s also likely you are doing some of these already.

Stay Up to Date

You should always keep your devices up to date. Your PC, your phone, your home router…everything. This includes software, operating system, and firmware updates. If you always have the most up-to-date version, you will have every security patch that has been issued. A lot of this can be scheduled as automatic updates, but some devices will only prompt you and require you to manually start the update, and others won’t prompt you at all and require you to actively go out, find updates, and apply them. This is part of maintenance. If you don’t have a maintenance plan for your business, you should get in touch. This is part of what we do and we can advise you on the best practices, or take it over for you if you wish.

Ditch unused apps

Have you ever looked through your PC’s app list, or scrolled through your phone’s installed apps? You probably have more than a handful you don’t use any longer. Some you might not even recognize or know where you got them from. Yeah, that’s a sure sign to ditch them. Any app you don’t actively use should go. They are just potential back doors into your device – and for no good reason if you aren’t using them.

Enable Phone Security

You’ve got your phone’s security turned on, right? You know, a PIN, fingerprint, or facial recognition. It’s very prevalent and convenient these days, so most people do. Some don’t want that hassle though. That’s a bad idea for so many reasons – this is one of them. That’s like not locking your front door because it’s a hassle to get your keys out.

Use MFA

You’re also using Multi-Factor Authentication (MFA), right? You thought you were clear on that last one, but most people don’t use MFA. I’m not sure why. You should be using MFA on every account, and utilizing an authenticator app when you can (because compromising your email or SMS messages is trivial for hackers). This is a scenario where implementing MFA increases your security astronomically over not having it. Is the argument not to because it’s a hassle? Let me point you back to the last analogy of not locking your front door.

Use Strong Passwords

Tell me the truth, is your password on a sticky note on your monitor? It’s okay. I mean, it really isn’t okay, but I understand and you aren’t the only one. So here’s the deal, get yourself a password manager. No, not your browser offering to remember your credentials – that’s not secure at all. But that convenience? Yeah, a password manager gives you that convenience. It remembers all of your passwords for you, and even generates (virtually) uncrackable passwords for you so you can be secure in every single account you have. You only need to remember one password in order to access your password manager. That’s it, it’s easy. And it keeps you ultra-safe. Added bonus, it can act as your MFA authenticator as well, so kill two birds with one stone. Well, I actually like birds, let’s not kill them. But you get the idea.

Back Up Your Systems

Your data should be backed up at all times. It protects you from accidental loss, criminal attacks, disgruntled employees, and natural disasters. Depending on your data and your business, you should back up at least daily. Use the 3-2-1 approach. Back up your data in 3 places, using 2 types of media storage, with 1 copy stored off-site.

This is a big topic, so I suggest you read our business guide to backing up your data (it’s free). If you have questions then we can discuss your options and the best plan for your business.

Segment Your Network

Interconnectivity isn’t always good. Sure, your team needs to all be on the same network to access your server and share resources. But your phones don’t. Your smart devices don’t. You should have separate virtual networks set up for those, which prevents what is called lateral movement. Lateral movement is where a breach enters your network and then moves to other areas and devices.

As far as your phone is concerned, this one is a bit extreme, but you might want to consider it. Use one phone for work and a separate one for personal use. This acts as segmenting for anything you do on your mobile device. I know, carrying two devices is annoying. That’s why most people don’t do this. I’m just throwing it out there as a consideration that might work for you.

Invest in Endpoint Protection

To simplify that statement, endpoints are the devices on your network (all points where the network ends). What I’m saying is to get security to protect devices on your network. In the old days, that was antivirus. Antivirus is still needed today, but it’s only 1 part of a bigger solution. You need modern, advanced protection for your network. It actively monitors your network and devices to prevent, detect, and respond to threats like zero-click malware. These solutions are very robust and use a litany of tools, including artificial intelligence, to detect attacks.

Educate Your Team

This last one is often overlooked. Most SMBs do not educate their employees. Guess what? Human error is one of the most significant sources of data breaches, and it is why threats are targeted towards people. Your team is your front line. Why not strengthen and empower them for the threats they see every day? There are training programs available that do just this and keep them knowledgeable and up to date on what to look out for and how to avoid the traps set by bad actors. And don’t think it’s boring. It gets gamified so people have some fun and retain the information given to them.

Have a Trusted Pro

In all of this, you should have a trusted professional to advise and assess your threat profile. They should be the ones to spearhead all of these points for you to ensure that you are protected. If you don’t have an internal or outside partner, we’d be glad to help. Just get in touch.