Breaches of well-known corporations and organizations are becoming more frequent as criminal hackers’ technological abilities outpace companies’ ability to keep up, the most recent example being the breach of the retail giant Target and the theft of information on 40 million of its customers’ credit cards. Those card numbers are now flooding the underground black markets and are fetching from $20 to $100 per card. If you’re a small to medium-sized company you may be congratulating yourself and thinking, “Thank goodness I’m not a target for cyber criminals.”
Not so fast there. Verizon’s 2013 Annual Breach Report showed that there were approximately 621 confirmed data breaches reported in the United States, and more than 47,000 reported security incidents. This doesn’t take into account the fact that most companies don’t even report cyber incidents to the authorities.
According to the Verizon study, 62% of all breaches that occurred last year impacted small-to-medium-sized organizations, most of which employ 100 or fewer people. This is significant because most organizations in the SMB market believe they will not be the target of a cyber breach. They believe that they don’t have anything of interest to cyber criminals, but the data below suggests something quite different.
During the last quarter of 2013, a leading cyber investigation and security firm, Cyber Investigation Services, worked two unreported breaches in which a hacker was able to worm his way into an attorney’s office and intercept a real estate transaction, redirecting a wire transfer worth over $150,000 to his own bank account. In another incident, the hacker entered a broker’s account and posed as a client selling shares of a stock portfolio; the cyber criminal arranged for over $300,000 to be wired to an overseas account.
We interviewed Bruce Anderson, cyber security expert and former law enforcement officer with Cyber Investigation Services. He explained the most popular types of attacks on small-to-medium-sized organizations, as well as the security measures that these businesses need to take to protect themselves.
- Spear Phishing Attacks: Spear phishing targets a specific organization and/or person within the organization via e-mail in order to seek unauthorized access to confidential data. Spear phishing attacks account for 71% of all breaches perpetrated on small corporations last year. These attacks are not randomly initiated; they are more likely to be targeted, conducted by perpetrators looking for financial gain, trade secrets or information they can leverage to bribe the owners of the organization. What makes a spear phishing attempt difficult to spot is that they are created in a way that makes them seem to come from within the targeted organization. This is called “spoofing”. Typically the hacker will spoof being a person of authority within the company or a trusted vendor source. Studies show that a spear phishing campaign run twice against an organization results in an 80% probability of success. Security Measures: For most organizations some very simple steps can stop 99% of spear phishing attempts. The first step is to block malicious materials from getting into your corporate email at the gateway by analyzing content in real time and setting up controls that screen out suspicious URLs, IP addresses and documents. The second step is to implement company-wide training regarding the dangers of spear phishing attacks, including how they work and how to handle potentially suspicious emails. While this may sound obvious, a surprising number of companies do not take these steps.
- Spyware/Keyloggers: Spyware has become the tool of choice for attacks against the SMB market. This is because spyware is easy to deliver via a spear phishing campaign, it can steal all of a user’s important data, it can download additional malware, and it can log every keystroke, website, and email that an employee makes and send that information back to the attacker. All of this is accomplished without being detected by the company’s anti-virus software. Though many small business owners think they don’t have anything worth stealing, cyber criminals understand that they can utilize company and personal information such as bank account numbers, compromising photographs and private emails, confidential documents, business plans and the like to blackmail you, your company, your vendors, and your key customers. Security Measures: Guarding against keyloggers/spyware requires many of the same steps used to fend off spear phishing attacks, plus additional monitoring of outgoing TCP/UDP traffic from your network, together with computer and system event logs. This outbound monitoring is required because all spyware programs “phone back” to a command-and-control (C2) server, and that traffic can therefore be detected. Monitoring suspicious traffic on the network, combined with monitoring changes in the registry and event logs, can generally detect this type of activity.
- Abuse of Employee Privileges: Organizations expend significant amounts of time and resources on hiring personnel, looking for staff that are trustworthy, skilled and who work well with others. They provide key personnel with access to confidential financial information and critical data that is owned by the company, then find themselves vulnerable when an employee decides to maliciously or inappropriately use those privileges for personal gain or revenge. Security Measures: Misuse of company privilege typically comes in the form of stealing vendor lists, client lists, specialty formulas, intellectual property and other proprietary information that would be useful to a competitor. Every company should include the immediate disabling of all privileged access as part of their termination process. Consideration should be given to modifying computer policies in order to block the download of company information to external drives, and logs of all data critical to the organization should be regularly monitored to determine when and by whom it is accessed.
- Compromised Assets: Point-of-sale terminals and controllers, web applications and database servers are the most abused assets in the SMB market. The data they hold can quickly be sold on the black market, making them the preferred targets of financially motivated criminal groups looking for a quick score of payment cards from smaller franchises, or access to the large amounts of data stored in database servers. Security Measures: While technical terms like SQL injection, cross-site scripting (XSS) or cross-site request forgery (CSRF) are familiar to cyber security specialists, they are generally not on the minds of business owners. Yet these flaws provide a highly vulnerable attack surface on the SMB market’s Internet-facing servers and websites. Most websites have been designed either by internal staff members or by web companies whose primary goals were functionality and customer appeal, leaving the backend code vulnerable to skilled hackers who know how to abuse that code and compromise servers and point-of-sale systems. Hiring a skilled penetration tester to test your systems for vulnerabilities and close any security holes is the best step to take.
- Time from Initial Compromise to Discovery: It’s no secret that nearly any organization can be compromised by a professional cyber criminal, nor is it a surprise that the cyber security industry is focused on preventive measures and protective hardware systems. Because no barrier is impenetrable, more focus needs to be placed on monitoring for and detecting a cyber breach rather than simply trying to prevent the breach altogether. Surprisingly, approximately 70% of all breaches are discovered by external parties: not security firms, law enforcement or card brands, but an outsider whose role has nothing to do with detecting a breach. Even more surprising is the fact that most breaches are not found until several months after they occur. Security Measures: A well-designed security architecture plan can go a long way towards protecting your organization against most cyber attacks. The plan should account for information critical to the organization, methods of isolating that information from the outside world, customized intrusion prevention systems and alerts, and event log and registry change monitoring, all done in conjunction with employee training and awareness programs about cyber security. Whether you implement this plan via your internal IT staff or utilize highly trained security professionals, it is an important step towards protecting your organization from the financial and reputational cost of a cyber security breach.
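The spear-phishing item above recommends screening mail at the gateway for spoofed senders, suspicious URLs and risky documents. The following is an added example (not code from the article or from Cyber Investigation Services) of what such a gateway-style check looks like over a single constructed message: the company domain `example.com`, the trusted link hosts, the risky-extension list and the sample message are all assumptions made for the illustration.

```python
"""Screen an inbound message for common spear-phishing tells.

Added example, not from the article: the company domain, trusted hosts,
extension list and the sample message are assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                          # assumption: the protected organisation
TRUSTED_URL_HOSTS = {"example.com", "www.example.com"}  # assumption: link hosts allowed through
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the display name impersonates the CEO, the real sender
# is a lookalike domain, Reply-To points elsewhere, the link host merely
# embeds the company name, and the attachment has a double extension.
SAMPLE_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@mail-relay.invalid>
To: accounts@example.com
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please process the attached wire today via
http://example.com.secure-docs.invalid/wire before close of business.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address, lower-cased ('' if absent)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def screen_message(raw: str) -> list[str]:
    """Return a list of findings; an empty list means no tell was triggered."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that is almost, but not quite, our own.
    from_domain = domain_of(msg.get("From", ""))
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {from_domain}")

    # 2. Replies silently routed to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 3. Links whose host is not on the allowlist, or that embed our name in a foreign host.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_URL_HOSTS:
            continue
        if COMPANY_DOMAIN in host:
            findings.append(f"company name embedded in foreign host: {host}")
        else:
            findings.append(f"link to untrusted host: {host}")

    # 4. Attachments with executable or macro-bearing extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")

    return findings


if __name__ == "__main__":
    for finding in screen_message(SAMPLE_MESSAGE):
        print("QUARANTINE:", finding)
```

In a real gateway each of these checks would feed a scoring or quarantine rule rather than a plain list, and the allowlist and lookalike threshold would be tuned to the organisation's own domains; the point of the example is that none of the four tells requires signature updates, only knowledge of what the company's own mail looks like.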
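The spyware/keylogger item says outbound traffic should be monitored because implants “phone back” to a command-and-control server on a schedule. As an added example (not from the article or the firm interviewed), the script below reads a constructed firewall-style export of outbound connections and flags flows whose connection gaps are too regular to be a human browsing; the log format, addresses, port and thresholds are assumptions for the illustration.

```python
"""Spot periodic outbound "phone back" traffic in a connection log.

Added example, not from the article: the log format, addresses and the
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy export: timestamp src dst dst_port bytes_out.
# 10.0.0.21 talks to 203.0.113.77 every five minutes with near-identical sizes;
# the other lines are ordinary, irregular user traffic.
SAMPLE_LOG = """\
2013-11-04T09:00:03 10.0.0.21 203.0.113.77 443 612
2013-11-04T09:00:41 10.0.0.21 198.51.100.10 443 15233
2013-11-04T09:05:04 10.0.0.21 203.0.113.77 443 598
2013-11-04T09:10:03 10.0.0.21 203.0.113.77 443 620
2013-11-04T09:12:17 10.0.0.35 198.51.100.10 80 3301
2013-11-04T09:15:05 10.0.0.21 203.0.113.77 443 605
2013-11-04T09:20:02 10.0.0.21 203.0.113.77 443 611
2013-11-04T09:25:04 10.0.0.21 203.0.113.77 443 599
2013-11-04T09:33:48 10.0.0.35 198.51.100.10 443 8820
2013-11-04T09:30:03 10.0.0.21 203.0.113.77 443 614
"""


def parse_log(text: str) -> dict:
    """Group (time, bytes_out) pairs by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        flows[(src, dst, int(port))].append((datetime.fromisoformat(ts), int(size)))
    return flows


def find_beacons(text: str, min_connections: int = 5, max_jitter: float = 0.1) -> list[dict]:
    """Return flows whose inter-connection gaps are suspiciously regular.

    jitter = standard deviation of the gaps divided by their mean. People browse
    in bursts (high jitter); an implant checking in on a timer has low jitter.
    """
    hits = []
    for (src, dst, port), events in parse_log(text).items():
        if len(events) < min_connections:
            continue
        events.sort()
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({
                "src": src, "dst": dst, "port": port, "connections": len(events),
                "period_s": round(period, 1), "jitter": round(jitter, 3),
                "avg_bytes_out": round(mean(e[1] for e in events)),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible beacon:", hit)
```

Real implants add random sleep to their timer, so `max_jitter` has to be set from your own baseline rather than copied; the near-constant `avg_bytes_out` is a second signal worth alerting on, since a check-in that carries no new data tends to be the same size every time.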
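The employee-privilege item calls for disabling access as part of termination and for regularly reviewing who accessed critical data and when. The following added example (not from the article) turns both into checks over a constructed data-access log: it flags any activity from an account after its HR termination time, and any account that touches an unusually large number of distinct records within a short window. The log format, account names, termination times and thresholds are assumptions for the illustration.

```python
"""Flag post-termination and bulk access in a data-access log.

Added example, not from the article: the log format, account names,
termination times and thresholds are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed: HR-supplied termination times; the account should have been
# disabled at that moment, so anything later is a control failure.
TERMINATIONS = {"jsmith": datetime(2013, 12, 2, 17, 0)}

# Constructed access log: timestamp user action resource
SAMPLE_LOG = """\
2013-12-02T16:40:12 jsmith read crm/client/1042
2013-12-02T16:44:30 jsmith read crm/client/1043
2013-12-02T18:05:00 jsmith read crm/client/2001
2013-12-02T18:06:10 jsmith export crm/client/2001
2013-12-03T09:12:00 mlee read crm/client/1042
2013-12-03T09:30:00 rkhan read crm/client/3001
2013-12-03T09:30:40 rkhan read crm/client/3002
2013-12-03T09:31:15 rkhan read crm/client/3003
2013-12-03T09:31:50 rkhan read crm/client/3004
2013-12-03T09:32:30 rkhan read crm/client/3005
2013-12-03T09:33:05 rkhan read crm/client/3006
2013-12-03T10:40:00 rkhan read crm/client/3007
"""


def parse_events(text: str) -> list[tuple]:
    """Parse log lines into (time, user, action, resource), sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, resource = line.split()
            events.append((datetime.fromisoformat(ts), user, action, resource))
    return sorted(events)


def audit_access(text: str, terminations: dict,
                 window: timedelta = timedelta(minutes=10),
                 bulk_threshold: int = 5) -> list[dict]:
    """Return findings of two kinds: post_termination and bulk_access."""
    findings = []
    events = parse_events(text)

    # 1. Any activity from an account after its owner was terminated.
    for ts, user, action, resource in events:
        ended = terminations.get(user)
        if ended is not None and ts > ended:
            findings.append({"type": "post_termination", "user": user,
                             "when": ts.isoformat(), "detail": f"{action} {resource}"})

    # 2. Many distinct records touched by one account inside a short window
    #    (the shape of a list being copied out rather than normal casework).
    by_user: dict[str, list] = {}
    for ts, user, _action, resource in events:
        by_user.setdefault(user, []).append((ts, resource))
    for user, items in by_user.items():
        for i in range(len(items)):
            start = items[i][0]
            seen = set()
            for ts, resource in items[i:]:
                if ts - start > window:
                    break
                seen.add(resource)
            if len(seen) >= bulk_threshold:
                findings.append({"type": "bulk_access", "user": user,
                                 "when": start.isoformat(),
                                 "detail": f"{len(seen)} distinct records within {window}"})
                break  # one finding per user is enough to trigger a review
    return findings


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_LOG, TERMINATIONS):
        print(finding)
```

The post-termination check is only as good as the HR feed that drives it, which is the practical reason the article's advice to disable access as a termination step matters: the log review catches the failure after the fact, the process prevents it.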
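The compromised-assets item names SQL injection and cross-site scripting as the web-application flaws that expose SMB servers. As an added example (not code from the article), the block below shows each flaw in the form a web developer typically writes it, beside the fix a penetration tester would ask for: a parameterised query instead of string-built SQL, and output escaping instead of raw reflection. The in-memory SQLite table and the customer rows are constructed for the illustration.

```python
"""SQL injection and XSS: the vulnerable pattern beside its fix.

Added example, not from the article: an in-memory SQLite table stands in for
a customer database behind a small web form; names and rows are constructed.
"""
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed customer table holding the last four card digits per customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Builds the query by string formatting, so the input becomes SQL text.

    Input such as  ' OR '1'='1  turns the WHERE clause into a tautology and
    the lookup returns every row in the table instead of one customer.
    """
    sql = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Parameterised query: the driver sends the value separately from the SQL,
    so whatever the user types is only ever compared as data."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input into HTML unescaped (cross-site scripting)."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Escapes the input so the browser shows it as text rather than markup."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every customer's row
    print("safe:      ", lookup_safe(db, probe))        # no customer has that literal name
    print(render_greeting_vulnerable("<b>Carol</b>"))   # markup reaches the browser
    print(render_greeting_safe("<b>Carol</b>"))         # markup shown as text
```

The two safe functions are not clever; they are the default way every modern database driver and template engine wants to be used. That is the practical upshot of the article's advice to have a penetration tester review backend code: most findings are places where the developer stepped around these defaults.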