Unfortunately a day does not go by at this juncture without all of us hearing of a new major security breach. For example, in 2014 about half-a-billion customer records were hacked in the U.S., and a billion records worldwide were compromised. Companies such as Target, Neiman Marcus, eBay, P.F. Chang, UPS, Home Depot, JPMorgan Chase, KMart, Sony, Staples, Chick-Fil-A, and Anthem, to list just a few, were penetrated. The private information of a typical suburban customer may thus have been compromised several times, in over just one year. How does a Small and Medium Business (SMB) protect itself and the identity and records of its customers?
Know the attach arsenal
The first thing is to understand the mechanism used by hackers, who have turned into true criminals seeking to appropriate records and re-sell them on the black market. A short list includes the following:
- Malware. A software module that may easily end-up on the SMB’s computer that is designed to cause damage to a user’s computer, server, or network. Malware includes viruses, worms, and trojans.
- Virus. Malware that replicates itself from one systems to another. It may infect other files in the computer, to facilitate the execution of the malware code when these, perhaps more common files are accessed.
- Worm. Malware that spreads by autonomously propagating copies of itself through e-mail, instant messaging (IM), or peer-to-peer (P2P) applications.
- A self-contained program that takes malicious actions on the computer, possibly facilitating additional penetrations at a later time.
- Trojan Downloader/Dropper. A form of trojan that installs other malicious files to a computer of the SMB that it has infected, either by downloading these files from a remote computer or by extracting them directly from a copy contained in its own code.
- Exploit. Malicious code that takes advantage of operating system or application software vulnerabilities that were unwittingly created by developers (perhaps because of insufficient testing) to infect a computer or perform some harmful activity.
- Spyware. Software that may end-up on the SMB’s computer that surreptitiously collects information, such as the websites a user visits or other critical data. Installation typically occurs without the user’s knowledge.
- Keylogger. A program that surreptitiously sends keystrokes or screen shots to an attacker.
- Phishing. A popular method of credential theft (for example user IDs, passwords, PINs, credit card numbers and so on) that tricks users into revealing this information. Phishers utilize phony websites or deceptive e-mail messages that mimic some trusted business by the targeted user in order to appropriate the credentials and then make nefarious use. This may involve web links or attachments embedded in the deceiving e-mails.
- A program that displays advertisements. Adware may display advertisements without user’s consent and/or it can infect the SMB’s computer with malware, for example if rouge sites are visited.
- Social Engineering. A set of techniques that frustrate security mechanisms by exploiting human nature. For example, this may entail receiving a phone call from someone posing as a representative from one’s credit card company, or a vendor, or a government agency; or, it may entail e-mail messages that ask the recipient to click the attachment which in turn results in malware being installed on the SMB’s system. The goal of a social engineering attack is to get the targeted user to perform an action of the attacker’s choice.
- Monitoring tool. Software that monitors activity of the SMB’s computer user, typically by capturing keystrokes or screen images.
- Password Stealer. Malware that works in conjunction with a keylogger and is specifically designed to copy and transmit personal information, such as user names and passwords.
- Rogue Security Software. Software that is advertised to be a security free-ware but that may attempt to socially engineer the user into participating in a fraudulent transaction, or may, of its own, spawn other undesirable system-level activities.
- Spam. Unsolicited e-mail sent to a large distribution, often to upload malware, either by attaching the malware to e-mail messages or by sending a message containing a link to the malware.
- Finally, in this abridged list of infraction tools, SMBs need to be cognizant of Operating System, Browser and Application Vulnerabilities.
Indeed this is a formidable arsenal. Studies have shown that user activities (for example succumbing to social engineering flirtations) actually account for almost half (45%) of all malware propagation events. Another large portion of the propagation predicament (43%) is attributed to the autorun features of many “self-updatable programs”, particularly at the operating system level (e.g., Windows). 6% of infractions are initiated by hackers based on OS or application exploits, and the remaining 6% are based on password issues, such as weak passwords, also perhaps in conjunction with keyloggers and password stealer malware.
Targeted Attacks and Determined Adversaries are becoming fairly common these days. With targeted attacks, the attackers target individuals or organizations specifically because of who they are, in order to access and damage information or intellectual property assets that they possess (on the other hand, typical malware attacks are rather indiscriminate with the goal of proliferate malware widely among many firms.) Determined Adversaries are attackers that are not deterred by initial failures and they are bent on attacking the same target repeatedly, likely employing different penetration techniques, until they succeed.
Some of the more recent issues relate to the corporate use of cloud services, including private, public and hybrid services. The increased utilization of cloud storage services may, in some situations, pose larger risks to businesses. The Internet of Things (also called the Internet of Everything by some) deals with smart embedded sensing devices and/or actuators in homes, cars, industrial equipment, electric meters, and wearables, to list just a few items. Observers expect to see 50 billion or more IoT devices connected over the next 5 years. These devices usually and unfortunately have relatively weak security mechanism at this time; this is too bad because they typically generate a large amount of data that will be transmitted over the Internet, where, when compromised, they can be collected and misappropriated for malicious purposes. A tend towards the broad acceptance of Bring Your Own Device (BYOD) to support mobile computing also puts firms at risk. BYOD may inject low-quality marginal-security business applications inside the corporate IT perimeter.
How does a typical firm protect itself?
Best Practices recommend the utilization of multiple, overlapping security solutions. This design approach to layered security is known as Defense in Depth. Visualize concentric rings. At the innermost ring, typically there are mechanisms for data protection (for example, data encryption while stored); followed by an outer ring of application security (for example, application passwords); followed by a ring of host security (for example, operating system mechanisms); followed by internal network security (for example, segmentation with VLANs); followed by a ring of perimeter security (e.g., firewalls); next, physical security (keeping assets physically out of unintended hands), and finally, as the outermost ring of protection, policies, procedures, and awareness security mechanisms to be utilized by the employees of the firm. The layers of security present in a Defense in Depth enterprise security implementation aim at providing protection, resilience and redundancy, while enabling the use of a variety of defense tools for safeguarding various assets, elements, and aspects of an IT environment. The tools and techniques to address the inner layers tend to be somewhat technical. Companies such as DVI Communications can assist SMBs perform risk assessment (identifying problems an firm might face), vulnerability assessment (determining a firm’s weaknesses), and defense planning (installing protections, such as firewalls, intrusion detection/protection systems, and develop an overall strategy that improves confidentiality, integrity, and availability – the basic triad of policies for information security within a firm.)
Notice that one aspect of Defense in Depth, as a first-layer of defense, is end-user awareness. Some suggestions include (but are not limited to these):
Be familiar with IT policies and follow them. SMBs should develop these policies, if they do not already have them.
- Develop security awareness, and stay informed. Be aware of the threat landscape around you.
- Use strong passwords for your laptop, applications, and online accounts, and keep passwords and personal identification numbers (PINs) secret.
- Password reuse across multiple computers creates some of the greatest risk from folks that use rainbow tables to recover the user’s password, especially if it is less than eight-to-twelve characters and it does not include special characters;
- Do not click links or call phone numbers from e-mails received from financial institutions, but to instead call the numbers that you have on file. Financial institutions typically print customer service phone numbers on the backs of credit cards / bank statements, and it is these numbers that users should call.
- Always use the latest version of the browsers since these incorporate the latest security safeguards and employ the best protection protocol, for example Transport Layer Security Version 1.2.
- Malware can be transmitted through instant messages on both computers and mobile devices.
- (At home) Users (SMB employees) should install and use an e-mail client that actively blocks active content and the automatic opening of attachments.
- Users who think they may have been a victim of an attack, or who suspect something unusual on your network, should immediately contact the IT department for assistance.
- Be extremely careful of using Hotspots in airports, hotels, coffee shops, etc.
If we were to offer just gave one piece of advice what would it be? This:
The IT department, large or small, should make sure it constantly installs Operating System and application patches, but importantly, for employees: Do not open questionable e-mail attachments or web links — only open e-mail attachments that you are expecting to receive. When in doubt, users should contact the person who sent the file and confirm that the attachment was intentional and non-malicious. Opening of suspicious e-mails can help foster attacks and result in the unintentional activation of executable malware programs.
Daniel Minoli, Principal Consultant DVI Communications in New York City (www.dvicomm.com). DVI is a full-service IT, telecom, wireless, cloud, security, infrastructure, and Intellectual Property consultancy. Since its launch in 1978 right in the heart of Wall Street, DVI has supported hundreds of marquee firms in dozens of industries with the assessment and implementation of their IT, outsourcing, and security needs including: Planning, Analysis, Design, Engineering, Acquisition, Deployment Administration and System Management.