A rootkit is a hacking program, or collection of programs, that gives a threat actor remote access to and control over a computing device. While there have been legitimate uses for this type of software, such as providing remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software: viruses, ransomware, keylogger programs, or other types of malware used to mount attacks from the system. Rootkits can often hide from antivirus software because they control the underlying hardware, sometimes making them invisible to the operating system environment in which the antivirus runs.
Rootkits can be installed in a number of ways, including phishing attacks or social engineering that trick users into granting hackers permission to install malware on the victim system, often giving cybercriminals remote administrative access to the infected system.
Once installed, a rootkit gives the hacker access to and control over almost every aspect of the operating system (OS). Older antivirus programs often struggled to detect rootkits. Today, some, but not all, antimalware programs can scan for and remove rootkits hiding within a system. If you suspect a problem with your system, it is best to have it checked by a cybersecurity professional. Be aware that some rootkits infect the system BIOS of your computer; in the worst cases, there may be no way to remove the rootkit.
What does this mean for an SMB?
Rootkits are designed to be difficult to detect and remove; their developers strive to hide the malware from users and administrators, as well as from many types of security products. Once a rootkit compromises a system, the potential for malicious activity is very high. Typically, rootkit detection requires specific add-ons to antimalware packages, special-purpose 'anti-rootkit' scanning software, or booting from separate trusted media to analyze the root partition of the hard disk drive for malware.
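As an added example (not code from the original article), the following script illustrates the offline-analysis idea above as a cross-view comparison: a file inventory taken from inside the running, possibly subverted OS is compared with one taken from the same disk mounted under a clean rescue boot, so files the live system cannot see or reads differently stand out. The paths and hash values in the sample inventories are constructed for illustration.

```python
# Cross-view comparison for rootkit detection. A rootkit running below the OS
# can hide files or alter what tools inside that OS read, so the article's
# advice of booting from trusted media and inspecting the root partition gives a
# second, independent view of the same disk. Comparing the two views exposes
# the hiding. Added example; sample inventories below are constructed.
import hashlib
import os


def inventory(root: str) -> dict:
    """Hash every regular file under root; run once live, once from rescue media."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    result["/" + os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result


def cross_view_diff(live: dict, offline: dict) -> dict:
    """Both inventories map path -> SHA-256 hex digest of the file's contents."""
    report = {"hidden_from_live": [], "content_mismatch": [], "only_in_live": []}
    for path in sorted(set(live) | set(offline)):
        if path not in live:
            report["hidden_from_live"].append(path)   # on disk, invisible from inside the OS
        elif path not in offline:
            report["only_in_live"].append(path)       # live OS reports a file the disk lacks
        elif live[path].lower() != offline[path].lower():
            report["content_mismatch"].append(path)   # live reads differ from on-disk bytes
    return report


def is_suspicious(report: dict) -> bool:
    return bool(report["hidden_from_live"] or report["content_mismatch"])


# Constructed inventories; hash values are placeholders, not real binaries.
LIVE_VIEW = {"/boot/vmlinuz": "aa11" * 16, "/usr/bin/ls": "bb22" * 16, "/usr/bin/ps": "cc33" * 16}
OFFLINE_VIEW = {
    "/boot/vmlinuz": "aa11" * 16,
    "/usr/bin/ls": "bb22" * 16,
    "/usr/bin/ps": "dd44" * 16,                      # on-disk copy differs from what the live OS serves
    "/lib/modules/extra/unlisted.ko": "ee55" * 16,   # present on disk, absent from the live listing
}

if __name__ == "__main__":
    print(cross_view_diff(LIVE_VIEW, OFFLINE_VIEW))
```

A mismatch is a lead for investigation, not proof: legitimate updates between the two snapshots also produce differences, so both inventories must be taken against the same disk state.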
While anti-malware solutions are valuable, the best way to keep your business secure is to prevent an infection from happening in the first place. SMBs can improve their chances of preventing rootkit infections and other malware through employee awareness programs and by governing employees with prescriptive policies. Below are CyberHoot's ten steps every SMB should take to protect themselves from cyber attacks:
- Train employees on cybersecurity best practices.
- Phish test employees to keep them vigilant in their inboxes.
- Govern staff with policies to guide behaviors and independent decision-making.
- Adopt a password manager for all employees.
- Enable two-factor authentication on all critical Internet-enabled services.
- Regularly back up all your critical data using the 3-2-1 approach.
- Implement the Principle of Least Privilege: remove administrator rights from employees' local Microsoft Windows workstations.
- Build a robust, properly segmented network at your firm. Network segmentation is to computer networks what watertight compartments are to submarines: they allow damaged sections of a company or a submarine to be completely isolated so that the whole network, or the whole vessel, does not sink.
- Implement email security, including third-party spam protection and DNS security for mail exchange records (DMARC, DKIM, and SPF), combined with external-email banners to give employees a fighting chance.
- Finally, if and when a breach does occur, carry enough cyber insurance to cover your recovery from a catastrophic breach event.