As you are likely aware, ransomware is the fastest growing breed of malware, and it is very profitable for the criminals who run these attacks. Rita the Designer, our fictional web designer and UX expert from the filesilo story, is running into ransomware trouble. But not of the obvious kind.
She had been working long hours to finish a project for a demanding client. Still a bit shaky from the filesilo incident, she was determined not to fall into any security traps. She was a great designer but not so great with contracts and liability, and she knew this. It hadn't been much on her mind before, but she was feeling more anxious lately.
Monday morning a messenger was at her door with a personal delivery: she was being accused of failing to secure the app she had made for the client, causing his users to become victims of ransomware scammers.
She contacted the client and asked what this was about. They met to discuss things, and she learned that the infections had happened via malicious ad banners served from the site. She had never placed any ad banners on the site. The client claimed she must have, because he had not touched the code.
Rita thought to herself: what if something was fishy with the filesilo templates she had downloaded? They closed the meeting and she promised to respond to the claims within the week.
As she stepped out she texted Johnny the Hunter to ask him out for coffee. Johnny met with her right away – after all he was single and she was attractive enough – and heard her out. He promised to help her look into it.
The impact of security issues can be hard to estimate. Here a developer is being sued after a client's end users got infected with malware. We don't know the end of the story, but we can think of some practices she could have changed to better protect her business.
- Never trust downloads. Particularly not from insecure sites like filesilo, with weak authentication and no integrity checks. If the vendor publishes a checksum or signature, verify the file against it before you build anything on top of it; if no such check exists, treat the download as untrusted code.
- Include liability clauses in your contracts, to define and limit your business' risk exposure.
- Always run security tests before deployment. Don't allow injection vulnerabilities to live, and review third-party templates for scripts and frames you did not put there: anything injected into a template is served to every visitor of the client's site.
- Prioritize client relationship management; don't let the first contact about trouble be a letter from your client's lawyer delivered with your breakfast.
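The first and third points above can be turned into a pre-deployment check. The following is an added example, not code from the original story or from any real template vendor: it verifies a downloaded template archive against a SHA-256 hash obtained out of band (for instance from the vendor's release notes) and then audits the template's HTML for script and iframe includes from hosts that are not on an allowlist, plus inline scripts using common obfuscation calls. The sample template, the allowlist and the hostnames in it are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Compare the hash of the downloaded bytes with a hash you obtained
    out of band. A hash published next to the download on the same
    insecure site proves nothing; it must come from a channel the
    attacker cannot tamper with along with the file."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


# <script src=...> and <iframe src=...> tags, with the src value captured.
INCLUDE_RE = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
# Bodies of inline <script> blocks.
INLINE_SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>',
                              re.IGNORECASE | re.DOTALL)
# Heuristic: calls typically used to hide an injected payload.
SUSPICIOUS_RE = re.compile(
    r'\b(eval|unescape|document\.write)\s*\(|fromCharCode', re.IGNORECASE)


def audit_template(html: str, allowed_hosts: set) -> dict:
    """Return external includes from hosts outside the allowlist and
    inline scripts that match the obfuscation heuristic.

    Relative src values (no host) are treated as local files shipped with
    the template; protocol-relative '//host/...' and absolute URLs are
    checked against the allowlist."""
    foreign = []
    for m in INCLUDE_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        host = urlparse(src).hostname  # None for relative paths
        if host is not None and host not in allowed_hosts:
            foreign.append((tag, src))

    suspicious = []
    for m in INLINE_SCRIPT_RE.finditer(html):
        body = m.group(1).strip()
        if body and SUSPICIOUS_RE.search(body):
            suspicious.append(body)

    return {"foreign_includes": foreign, "suspicious_inline": suspicious}


# Constructed sample: a template with one legitimate CDN include, one
# injected ad-banner script, one hidden ad iframe and one obfuscated
# inline script. The hostnames are made up for the example.
SAMPLE_TEMPLATE = """<!doctype html>
<html><head>
<script src="js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//ads-tracker.example/banner.js"></script>
</head><body>
<iframe src="https://banner-network.example/ad?id=1" width="1" height="1"></iframe>
<script>eval(unescape('%61%6c%65%72%74'))</script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example.com"}


if __name__ == "__main__":
    # Hash you would have copied from the vendor's release notes (assumed).
    archive = SAMPLE_TEMPLATE.encode()
    print("download verified:", verify_download(archive, sha256_hex(archive)))
    report = audit_template(SAMPLE_TEMPLATE, ALLOWED_HOSTS)
    for tag, src in report["foreign_includes"]:
        print(f"foreign {tag} include: {src}")
    for body in report["suspicious_inline"]:
        print(f"suspicious inline script: {body[:60]}")
```

Run the audit against every template before it goes into a build, and keep the allowlist short: each host on it is a party whose compromise becomes your client's compromise. The heuristic for inline scripts is deliberately simple; it catches the crude `eval(unescape(...))` loaders, not every obfuscation, so a hit is a reason to read the script, and a miss is not a clean bill of health.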