7-Step Rapid Response Plan: Mitigate the Dyre Malware Risk in Salesforce

Even though salesforce.com takes great care to protect your data, recent news about the Dyre malware shows that Salesforce administrators need to do more for data protection, and they need to do it NOW. Dyre infects your users’ computers and steals the credentials they type into the browser, including their Salesforce username and password. Anyone holding those credentials looks like a legitimate user, so they can be used to read, modify, and even delete your data in ways that are very hard to tell apart from normal activity.

Don’t worry: we’re going to show you ways to minimize the risks posed by Dyre, and how to recover from this or any other potential data loss.

What You Need to Know

On Saturday, September 6, salesforce.com sent an email alert to all Salesforce administrators about a potential threat posed by malware that may have infected their users’ computers. Although Dyre is not a vulnerability within Salesforce itself, it does pose a real risk to the security of Salesforce data, as described above. As salesforce.com notes, it is every admin’s responsibility to help protect their organization’s Salesforce data and metadata. The difficulty is that an infection like Dyre produces few visible symptoms inside Salesforce, so it is usually noticed only after data has already been accessed or changed.

What You Need to Do Now

In the email alert, salesforce.com said, “As a first step, we recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware.” In addition to planning for prevention, you’ll want to prepare for the worst-case scenario in case your prevention efforts aren’t successful, and that means evaluating your backup plan. In other words, if you have not had regular meetings with your IT team on data security in Salesforce, now is the time to start.

7-Step Plan to Dyre Malware Risk Mitigation for Salesforce Admins

First, make sure you’ve completed the four-step recommendation from salesforce.com’s email. We’ve added handy “how-to” links. Keep in mind what these controls do and do not cover: they make stolen credentials far less useful to an attacker logging in from their own infrastructure, but they cannot stop malware that acts from inside a user’s already-authenticated browser session on an infected corporate PC. That is why the backup and restore steps further down matter just as much.

  1. “Activate IP Range Restrictions to allow users to access salesforce.com only from your corporate network or VPN.” Here’s how to do it.
  2. “Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source.” Learn how here.
  3. “Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.” What’s Salesforce#? Learn more here.
  4. “Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.” Here’s what SAML means, and how you can get this done.
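IP Range Restrictions stop logins from outside your network going forward, but they say nothing about logins that already happened. The check a practitioner wants alongside step 1 is a review of the Login History export for any use of a corporate account from an address outside the corporate ranges, including failed attempts, because a failed login from an unknown address with a valid username is exactly the trace a credential thief leaves. The script below is an added example written for this post, not code from salesforce.com or from the original article; it goes a step beyond the list above by turning the IP-range policy into a detection check. The corporate CIDR ranges and the Login History rows are constructed for illustration (documentation address space), and the column names are those of a Setup > Login History CSV export.

```python
"""
Flag Salesforce logins whose source IP falls outside the corporate ranges.

Added example for this post, not code from salesforce.com. It assumes a
Login History CSV export with the columns shown in SAMPLE_LOGIN_HISTORY;
the ranges and the rows below are constructed, not real data.
"""
import csv
import io
import ipaddress

# Hypothetical corporate egress ranges: office NAT and the VPN pool.
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress
    ipaddress.ip_network("198.51.100.0/25"),  # VPN address pool
]

# Constructed sample of a Login History export (Setup > Login History > CSV).
SAMPLE_LOGIN_HISTORY = """\
Username,Login Time,Source IP,Login Type,Status,Browser,Application
alice@example.com,2014-09-05 08:02:11,203.0.113.45,Application,Success,Chrome 37,Browser
alice@example.com,2014-09-06 02:17:40,192.0.2.77,Application,Success,Chrome 37,Browser
bob@example.com,2014-09-06 09:30:05,198.51.100.19,Application,Success,Firefox 32,Browser
bob@example.com,2014-09-06 11:41:52,192.0.2.77,Application,Invalid Password,Firefox 32,Browser
carol@example.com,2014-09-06 12:00:00,203.0.113.200,Application,Success,IE 11,Browser
"""


def outside_corporate(ip_text, ranges=CORPORATE_RANGES):
    """True when the address is in none of the allowed ranges.

    A blank or malformed Source IP is treated as outside: the row cannot be
    vouched for, so it belongs in the review list rather than being skipped.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return True
    return not any(ip in net for net in ranges)


def find_suspicious_logins(csv_text, ranges=CORPORATE_RANGES):
    """Return every Login History row whose Source IP is outside the ranges.

    Failed attempts are kept on purpose; do not filter on Status == Success.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row for row in rows if outside_corporate(row["Source IP"], ranges)]


def summarize_by_user(suspicious):
    """Group suspicious rows per user as {username: [(time, ip, status), ...]}."""
    by_user = {}
    for row in suspicious:
        by_user.setdefault(row["Username"], []).append(
            (row["Login Time"], row["Source IP"], row["Status"]))
    return by_user


if __name__ == "__main__":
    hits = find_suspicious_logins(SAMPLE_LOGIN_HISTORY)
    for user, events in summarize_by_user(hits).items():
        print(user)
        for when, ip, status in events:
            print(f"  {when}  {ip:<16} {status}")
```

Run it against a real export after replacing CORPORATE_RANGES with your own egress and VPN ranges. Any user that appears in the output should have their password reset and their sessions revoked, and the affected workstation checked for infection, before the IP restriction is switched on; otherwise the restriction only locks the door after the attacker has left with a copy of the key.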

And here are three more steps to complete in partnership with your IT team:

  1. Inform IT of the Dyre malware warning from salesforce.com. Share the email from salesforce with your IT team, and ask them how they would like to work with you to keep your organization’s Salesforce data secure.
  2. Assess your Salesforce backup and recovery process. Most admins we’ve met are either doing nothing specific to protect their data, or they rely on the Weekly Export alone. Now’s the perfect time to determine whether more frequent, automatic backups (daily, not weekly) are needed to ensure business continuity in case the worst does happen. Even salesforce.com recommends that admins use partner backup solutions from the AppExchange.
  3. Review your data restoration process. Business continuity, and in many cases compliance, require that you can restore from your backup quickly. Restoring from a Weekly Export means re-importing CSV files with a tool such as Data Loader, and record relationships have to be rebuilt in the right order. Your IT team will need to understand how long that takes in practice, and may want to work with you to evaluate solutions that deliver faster restores and meet your company’s defined RTOs (recovery time objectives).
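A backup only protects you if you can tell what was lost or altered and put it back. The script below is an added example written for this post, not code from salesforce.com, the original article, or any AppExchange product; it compares two snapshots of one object export, taken a day apart, to list records that were deleted, added, or modified, raises an alarm when the deletion rate looks like bulk destruction rather than routine clean-up, and assembles the rows a restore would have to re-insert and the prior field values it would have to re-apply. It assumes the per-object CSV layout of the Data Export (Weekly Export) with an Id column; both snapshots are constructed sample data, and the alarm threshold is an assumed policy value.

```python
"""
Diff two Salesforce object exports and build a restore plan.

Added example for this post, not salesforce.com or vendor code. It assumes
Data Export style CSV files (one per object, "Id" column present). The two
Account.csv snapshots below are constructed, not real data.
"""
import csv
import io

# Constructed snapshot of Account.csv from the day-1 backup.
BACKUP_DAY1 = """\
Id,Name,Phone,AnnualRevenue,LastModifiedDate
001000000000001,Acme Corp,555-0100,1200000,2014-09-01T10:00:00.000Z
001000000000002,Globex Inc,555-0101,800000,2014-08-28T09:30:00.000Z
001000000000003,Initech,555-0102,450000,2014-09-03T16:45:00.000Z
001000000000004,Umbrella Ltd,555-0103,2300000,2014-09-04T11:20:00.000Z
"""

# Constructed snapshot from the day-2 backup: two accounts are gone, one was
# edited overnight, and one new account appeared.
BACKUP_DAY2 = """\
Id,Name,Phone,AnnualRevenue,LastModifiedDate
001000000000001,Acme Corp,555-0100,1200000,2014-09-01T10:00:00.000Z
001000000000002,Globex Inc,555-0199,800000,2014-09-06T03:12:41.000Z
001000000000005,Hooli,555-0104,99000,2014-09-05T14:00:00.000Z
"""


def load_by_id(csv_text):
    """Parse an export into {Id: row-dict}."""
    return {row["Id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def diff_backups(old_text, new_text):
    """Return deleted Ids, added Ids, and per-record field changes.

    modified maps Id -> {field: (old_value, new_value)} for every field
    whose value differs between the two snapshots.
    """
    old, new = load_by_id(old_text), load_by_id(new_text)
    deleted = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    modified = {}
    for rid in set(old) & set(new):
        changed = {field: (old[rid][field], new[rid].get(field))
                   for field in old[rid]
                   if old[rid][field] != new[rid].get(field)}
        if changed:
            modified[rid] = changed
    return {"deleted": deleted, "added": added, "modified": modified}


def deletion_alarm(diff, previous_count, max_fraction=0.25):
    """True when more than max_fraction of the previous snapshot vanished.

    max_fraction is an assumed policy value; tune it to your org's normal
    churn. Routine clean-up removes a few records, not a quarter of them.
    """
    if previous_count == 0:
        return False
    return len(diff["deleted"]) / previous_count > max_fraction


def restore_plan(old_text, diff):
    """Rows to re-insert for deleted records, and prior values to re-apply
    for modified ones, both taken from the older (trusted) snapshot."""
    old = load_by_id(old_text)
    reinsert = [old[rid] for rid in diff["deleted"]]
    revert = {rid: {field: values[0] for field, values in fields.items()}
              for rid, fields in diff["modified"].items()}
    return reinsert, revert


if __name__ == "__main__":
    diff = diff_backups(BACKUP_DAY1, BACKUP_DAY2)
    previous = len(load_by_id(BACKUP_DAY1))
    print("deleted:", diff["deleted"])
    print("added:", diff["added"])
    for rid, fields in diff["modified"].items():
        for field, (before, after) in fields.items():
            print(f"modified {rid} {field}: {before!r} -> {after!r}")
    print("bulk-deletion alarm:", deletion_alarm(diff, previous))
    reinsert, revert = restore_plan(BACKUP_DAY1, diff)
    print("rows to re-insert:", [r["Name"] for r in reinsert])
    print("fields to revert:", revert)
```

Note what the weekly cadence costs you here: with daily snapshots the modified and deleted sets are a day’s worth of changes and the revert values are at most a day old; with a Weekly Export the same diff covers seven days of legitimate edits mixed in with the damage, and the restored values may themselves be a week stale. Re-inserted records also receive new Ids when loaded back through the API, so any child records that pointed at the deleted Ids have to be re-linked as part of the same restore.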

This is likely just the beginning for the Dyre malware threat. Salesforce.com linked to an article that provides more information about Dyre. It features security researcher Peter Kruse, who wrote, “Since data is being posted back unencrypted, I believe this malware is only in its infancy, and we should expect more refinements from the malware author.”

Whether you have no defined backup and restore process or are using the Weekly Export to protect your organization’s Salesforce data, it’s clear: now is the time to partner with IT and step up your Salesforce data protection game.