Now, you could say that small organizations aren't really big targets because they don't have anything that the bad guys would want. After all, they are small and/or not particularly technical. Well, that's not always the case.
I recently did work for a couple of collections companies. Both were small (with fewer than 50 employees) but each maintained a database with millions of records containing personal information (can you say identity theft?) and even credit card and bank account information. Another customer with fewer than 50 employees stored significant amounts of sensitive information about pharmaceuticals. Still another sub-50 person company manages over $3 billion in assets. If you were a bad guy hacker, would these targets be interesting to you?
I can wonder and suppose all day long but this is all theory, right? WRONG! A recent article on the Dark Reading site (http://www.darkreading.com/smb-security/security/management/showArticle.jhtml?articleID=225701975&cid=RSSfeed) told the story of a demolition firm in California that suffered a computer breach that resulted in hackers transferring almost half a million dollars from the firm's accounts to various accounts worldwide. This happened because an employee clicked on a link in an email that directed them to a malicious web site. The site leveraged a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. From there the attackers collected information about the company and its finances. This allowed the hackers to conduct 27 transactions involving $447,000.
This example is news for the simple fact that it involved actual theft. The only reason the crime was detected was that funds were transferred. If the attackers were after credit card numbers, personal information or even a place to store contraband child pornography, they might never have been discovered. This should make us wonder: how many SMBs have already been hacked and just don't know about it? Of equal importance, what can small to medium-sized businesses do to promote security if they have a limited staff, limited resources and limited expertise? Oddly enough, I think for most businesses, the answer is simple. Following a few basic steps, organizations of virtually any size can create an environment that is resistant to attack.
- Step 1: Patch your technology. This means patching not only Microsoft operating systems but also non-Microsoft operating systems, Microsoft applications, non-Microsoft applications (e.g. Adobe, etc.) and network devices.
- Step 2: Baseline your environment. Understanding what your environment looks like when it is running normally is critical if you are going to identify abnormal or malicious activity.
- Step 3: Run anti-virus software and keep it updated. AV is not a silver bullet but it can help. Running AV won't stop all threats but stopping 60% of the malware is better than falling victim to all of it.
- Step 4: Regularly test your environment using a network vulnerability scanner such as Nessus. This allows you to identify problems before the bad guys can. Vulnerability scanning should be run, at a minimum, weekly and scans should be "credentialled" if possible. Any vulnerabilities that are discovered should be addressed in a timely manner.
- Step 5: Use mail and web filtering technologies. As shown in the story about the demolition company, hackers today target end users via their mail clients and web browsers. Leveraging a product or service that scans incoming and outgoing email and web traffic for harmful content reduces the size of these attack vectors and should be considered a mandatory part of any security program.
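
To make Step 2 concrete, here is an added example (not part of the original post) that compares a later snapshot of a host's listening services against a saved baseline and reports new, missing and changed listeners. The one-line-per-listener snapshot format, the function names and the sample data are all assumptions constructed for illustration.

```python
# Added example: diff a current snapshot of listening services against a baseline.
# The "proto address:port process" format and all sample data are constructed.

def parse_snapshot(text):
    """Return {(proto, address, port): process} from 'proto addr:port process' lines."""
    listeners = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, endpoint, process = line.split(None, 2)
        address, _, port = endpoint.rpartition(":")  # rpartition keeps IPv6 colons intact
        listeners[(proto.lower(), address, int(port))] = process
    return listeners

def diff_baseline(baseline, current):
    """Classify every deviation of `current` from `baseline`."""
    return {
        "new": {k: current[k] for k in current.keys() - baseline.keys()},
        "missing": {k: baseline[k] for k in baseline.keys() - current.keys()},
        "changed": {k: (baseline[k], current[k])
                    for k in baseline.keys() & current.keys()
                    if baseline[k] != current[k]},
    }

BASELINE = """
# constructed: taken while the host was known to be clean
tcp 0.0.0.0:445 System
tcp 0.0.0.0:3389 svchost.exe
tcp 127.0.0.1:1433 sqlservr.exe
udp 0.0.0.0:123 svchost.exe
"""

CURRENT = """
# constructed: taken on a later day
tcp 0.0.0.0:445 System
tcp 0.0.0.0:3389 unknown.exe
tcp 127.0.0.1:1433 sqlservr.exe
tcp 0.0.0.0:8081 updater.exe
"""

if __name__ == "__main__":
    result = diff_baseline(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for kind in ("new", "missing", "changed"):
        for (proto, addr, port), detail in sorted(result[kind].items()):
            print(f"{kind.upper():8} {proto} {addr}:{port} {detail}")
```

A listener whose owning process changed is reported separately from a brand-new port, since a familiar port served by an unfamiliar program is easy to miss when only port numbers are compared.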
Remember, from a hacker's perspective, size does not matter. Smaller organizations represent juicy targets because the rewards can be great and the risk of discovery is small. Change the game and take steps to make your environment more secure. Take control.