SMB Security - The Forgotten Target

I've performed security assessments for organizations that have thousands or employees and for organizations that could fit every member of the company on a city bus. Some of these assessments were done for very "high-tech" organizations while others barely use computers. Logic would dictate that high-tech large, enterprise-class organizations make the biggest targets and that is probably true but it is not the entire picture. Big organizations make big targets but they also can bring to bear big resources. Even having a single person with the correct skill set focused on security can make a huge difference in the effectiveness of an organization's security program. Small or mid-sized businesses (SMB), on the other hand, are often under-staffed with respect to IT in general and have no security expertise whatsoever. This creates a big problem because while they may know how to deploy a firewall, they don't fully understand the threats and thus have minimal or even non-existent security programs.

Now, you could say that small organizations aren't really big targets because they don't have anything that the bad guys would want. After all, they are small and/or not particularly technical. Well, that's not always the case.

I recently did work for a couple of collections companies. Both were small (with less than 50 employees) but each maintained a database with millions of records containing personal information (can you say identity theft) and even credit card and bank account information. Another customer with less than 50 employees stored significant amounts of sensitive information about pharmaceuticals. Still another sub-50 person company manages over $3 billion in assets. If you were a bad guy hacker, would these targets be interesting to you?

I can wonder and suppose all day long but this is all theory, right? WRONG! A recent article on the Dark Reading site (http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975&cid=RSSfeed) told the story of a Demolition firm in California that suffered a computer breach that resulted in hackers transferring almost a half a million dollars from the firm's accounts to various accounts worldwide. This happened because an employee clicked on a link in an email that directed them to a malicious web site. The site leverages a vulnerability in Internet Explorer to load a Trojan horse on the employees system. From there the attackers collected information about the company and its finances. This allowed the hackers to conduct 27 transactions involving $447,000.

This example is news for the simple fact that it involved actual theft. The only reason the crime was detected was that funds were transferred. If the attackers were after credit card numbers, personal information or even a place to store contraband child pornography, they might never have been discovered. This should make us wonder.....how many SMBs have already been hacked and just don't know about it? Of equal importance, what can small to medium-sized businesses do to promote security if they have a limited staff, limited resources and limited expertise. Oddly enough, I think for most businesses, the answer is simple. Following a few basic steps, organizations of virtually any size can create an environment that is resistant to attack.

• Step 1: Patch your technology. This means patching not only Microsoft Operating systems but non-Microsoft operating systems, Microsoft applications, non-Microsoft applications (e.g. Adobe, etc.) and network devices.
• Step 2: Baseline your environment. Understanding what your environment looks like when it is running normally is critical if you are going to identify abnormal or malicious activity.
• Step 3: Run anti-virus software and keep it updated. AV is not a silver bullet but it can help. Running AV won't stop all threats but stopping 60% of the malware is better than falling victim to all of it.
• Step 4: Regularly test your environment using a network vulnerability scanner such as Nessus. This allows you to identify problems before the bad guys can. Vulnerability scanning should be run, at a minimum, weekly and scans should be "credentialled" if possible. Any vulnerabilities that are discovered should be addressed in a timely manner.
• Step 5: Use mail and web filtering technologies. As shown in the story about the demolitions company, hackers today target end users via their mail clients and web browsers. Leveraging a product or service that scans incoming and outgoing email and web traffic for harmful content reduces the size of these attack vectors and should be considered a mandatory part of any security program.

These steps won't make organizations 100% secure. These steps shouldn't be considered a total security solution. They should be considered to be a good start. They will make any environment more resistant to attack and will allow organizations to more easily identify problems and thus are a decent starting point. The best part - taking these steps can generally be done with a very limited IT staff, minimal security expertise and in a way where the costs can scale to fit virtually any environment.

Remember, from a hackers perspective size does not matter. Smaller organizations represent juicy targets because the rewards can be great and the risk of discovery is small. Change the game and take steps to make your environment more secure. Take control.