Why Do Hackers Write Viruses?

It’s All About the Money

Everyone hates viruses.  They are annoying, slow your computer down, and don’t seem like they’re doing much.  So why do hackers write viruses?  Is it just to be annoying little punks who want to feel powerful?  There is probably some percentage of viruses that get released that way.  But most often, it’s all about money.

First: Steal the Data

The first thing virus writers think about is what data they want to steal.  This can be social security numbers, health records, email credentials, active email addresses to spam (i.e. your address book), or any other type of data.  Sometimes it’s not even data they’re stealing, it’s resources.  They can use your computer’s CPU and internet connection to mine bitcoins, launch attacks on the people they’re really after, send spam, etc.  And it doesn’t matter if you don’t have these things on your computer.  They’re usually not targeting you specifically; they just release the virus on the public and hope it lands on valuable computers.

Next: Bundle the Data

If someone steals your credit card, you will cancel it.  One stolen credit card number isn’t worth very much.  But thousands of credit card numbers are worth something, because some fraction of those people won’t know their cards are stolen, and the numbers will still be good.  The same goes for email accounts, health records, spam lists, and most other easily-stolen data.

Last: Sell it to Hackers & Criminals

That’s right: Hackers are stealing your data to sell it back to other hackers.  If someone can buy a thousand social security numbers and health records for $500 per bundle, 10 of those might be good and they can create fake identities, selling them for $1000 apiece.  (I’m making up the numbers, but you get the idea.)

Or: Sell it to Users

In the case of ransomware, they aren’t selling the data to other hackers.  They steal (encrypt) your data and then sell it back to you.  If you are new to ransomware, check out our article on CryptoLocker for a description of how it works.

Recap: Why do Hackers Write Viruses?

Because they can make money.  Good spammers can make six figures per year, but they need lists of real email addresses.  CryptoLocker was thought to have made $30 million, but they need access to computers so they can encrypt users’ data.  Viruses are how they get this data.

What can you do about it?

  1. Get a good firewall and spam filtering service
  2. Get good antivirus and anti-malware software on your computer and update/scan regularly
  3. Keep your computer and all programs up to date
  4. Back up your data often

If you are worried about your security and how well protected you are against viruses, contact Strive for an evaluation.  We can help keep you safe, secure, and always running smoothly.

HIPAA Compliance Self-Assessment

HIPAA compliance is scary and difficult, and for small practices it can seem unreasonably burdensome.  For those businesses, we offer one of the most comprehensive HIPAA Compliance services in the industry.  Find out more about it here.

For those still in the research phase, we would like to offer you this HIPAA Compliance Self-Assessment.  This is by no means comprehensive, but it will point you in the right direction in your research. Read on to learn what you can do to become HIPAA compliant.

Security Policies and Procedures

Establish policies in order to handle and manage all security violations.

  • Are your employees aware of the penalties that ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Have you hired someone to track all security logs, reports, and records?
  • Do you have a security official in charge of a password and smart security policy?
  • Have you ever undertaken a risk analysis?

Documentation

In the event of an audit, you will need to prove your compliance.

  • Have you written down your security policies and procedures for your records?
  • Do you have documentation proving you’ve trained all your employees?
  • Do you have documentation proving you performed security risk assessments (SRAs)?
  • Where the SRA shows shortcomings, do you have a remediation plan written down?
  • Do you have copies of all Business Associate Agreements (BAAs)?
  • Do you have an incident management plan to show the auditors?
  • Is all of your documentation updated regularly and do you keep old versions to show progress?

Access Management

Restrict access to ePHI to those who have permission to access it.

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

Establish a security awareness training program for all staff.

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

Implement a plan for the protection and use of ePHI in the event of an emergency or disaster.

  • Are there tested and revised plans in place for an emergency?
  • Have you analyzed the applications and data needed for these emergency plans?
  • In the event of a disaster (I.T.E.O.A.D.), can you make or retrieve copies of ePHI?
  • I.T.E.O.A.D… Can you restore or recover all ePHI?
  • I.T.E.O.A.D… Will your ePHI be protected?
  • I.T.E.O.A.D… Can critical ePHI related business functions be completed?

 

I would like to thank Harrison Depner for this HIPAA Compliance Self-Assessment, first published at Kaseya’s blog.