Malware and Viruses

Policy

Lullabot employees and contractors are expected to adhere to best practices for avoiding malware and viruses.

Scope

This policy applies to all Lullabot employees and contractors.

Compliance

Each employee or contractor will be responsible for their own equipment.

Explanation and Implementation

Protection against malware and viruses includes, but is not limited to:

  • Keep all software up to date with the latest security patches.
  • Avoid installing unlicensed or pirated software, music, or video, as these can be a vector for malware.
  • Protect devices from malware and viruses by enabling the firewall and using virus protection software.
  • Use an ad-blocker. The business model for ad networks is contrary to best security practices, making them easy targets for hackers.
  • Install ClamAV on servers and have it scan folders with user uploaded data.

macOS, iOS, and iPadOS Software Updates

Apple only provides complete security coverage for the latest major version of their operating systems. Employees or contractors will:

  1. Apply security updates to existing releases, such as 12.5, within one week of their release.
  2. Upgrade to the latest major release no later than when its first "bugfix" release is issued. Updating to the initial versions of major upgrades is still highly recommended unless there is a known compatibility issue.

For example, as of this writing the current releases and required versions of Apple system software are:

Operating System   Current Version   Lullabot Required Version
macOS              13.0.1            12.6.1 (13.0.1 preferred)
iOS                16.1.1            16.1.1
iPadOS             16.1.1            16.1.1

Note that Automatic Updates on macOS are easy to skip by mistake and do not always apply promptly. Watch for reminders from the Security Team to know when updates are available.

If your laptop, phone, or tablet does not support the required operating system version, then it is time to replace that device with something newer.

Ad-blocker configuration

uBlock Origin is the most commonly used "content blocker" for web browsers. Chrome and Firefox are officially supported, and there are ports for other web browsers too.

The out-of-the-box configuration of uBlock is very good. Feel free to customize settings, but it's not required. The toolbar button can be used to disable blocking on a per-site basis, which is useful when working on client sites or visiting sites that have committed to auditing and securing their ads.

For further security and control, consider using an extension like NoScript or Ghostery.

Safari

uBlock Origin does not work on Safari. However, other ad-blockers such as AdGuard are available.

Ransomware

Lullabot employees and contractors should watch for ransomware attacks, as companies are often targeted by such scams. Ransomware is a specialized variant of malware that encrypts documents and data using strong cryptography, then attempts to extort a fee from the business for a "recovery key". Ransomware is distributed through a variety of means, including compromised websites, advertising servers, and email. Most ransomware will attempt to encrypt all accessible documents, including those on network or external drives.

Lullabot has a general policy of not paying attackers to unlock files. Instead, we treat ransomware just like any other disk failure. If you are infected with ransomware, wipe your disks and recover your data from backups and from the cloud.

The following types of backups may be at risk from a ransomware infection.

  • Time Machine backup disks: Employees should have a second backup system (such as an off-site cloud backup) that protects their data if the Time Machine backup is unusable. This second backup should not be "mountable" as a normal file system, and should have its own server-side versioning to protect data.
  • Files synced to your computer from cloud services: This includes services such as Dropbox, iCloud, and Google Drive. We rely on Dropbox's restore features to protect these files.
  • Network drives: NAS appliances should have snapshots and off-site backups. For example, a Synology NAS with BTRFS protects against ransomware from a network mount by not exposing the snapshots to network users.

Source code is typically not vulnerable to ransomware as server-side version control (like Git) protects the code.
