(By Robert Siciliano)
Organized crime has always been known to be all about muscle … but even the bad guys have evolved. It seems organized crime syndicates have discovered that more money can be made in less time with less hassle simply by employing brains over brawn.
As technology and technology skills have evolved, it’s become painfully easy to employ hackers to break into small businesses’ networks and seek out sensitive data and personal information.
Meet the members of your friendly neighborhood crime ring:
Programmers: skilled technicians who write and code viruses that target a business’s network PCs.
Carders: specialists in distributing and selling stolen card data, and sometimes in transferring that data onto blank “white cards” and then embossing them with foil in order to create exact clones.
Hackers: black-hat intruders who look for and exploit vulnerabilities in networks.
Social engineers: scammers who may work with psychologists who dream up the different scams and then con victims via phone, phishing or in person.
Rogue systems providers: unethical businesses that provide servers for criminals.
Money mules: often drug addicts or naïve citizens who buy items at retailers with stolen credit cards. Some mules ship products, and others launder money. Mules may be from a foreign crime syndicate’s nation and travel to developed nations to gain employment within an organization and open bank accounts to store money until transfer.
Bosses: in charge of the entire operation. Bosses delegate, hire talent and make all the money.
Why Target Small Businesses?
Organized criminal hackers all over the world use sophisticated hacking tools to penetrate databases that house a small business’s client data. In general, they’re seeking:
Social Security numbers
Credit card numbers
Bank account information
Home and business addresses
Why do they do it? Simple—their primary motivation is to get paid. They accomplish this by opening new lines of credit or taking over existing accounts. Transactions include making charges to credit cards, initiating electronic fund transfers or using email addresses for large phishing or spear phishing campaigns.
How Hackers Hack
Hackers are the bad guys who use penetration-testing tools—both legal and illegal—that are available commercially or only available on the black market. Their tools come in different forms of hardware and software that seek out vulnerabilities within a small business’s network.
Vulnerabilities may be physical, as in facilities vulnerable to intrusion, or human, as in people who are vulnerable to social engineering. Virtual vulnerabilities exist in a business’s Internet connection (whether wired or wireless), an outdated browser or an outdated operating system—any of which may be exploitable if it is missing current security patches. The human vulnerabilities are exposed via social engineering: A criminal simply gets on the phone, sends an email or shows up in person and cons a target using any of a variety of methods.
Protecting Your Data
There are plenty of ways to get taken. But there are also plenty of ways not to. The fundamentals of protecting your business’s data include:
Maintaining updated operating systems, including critical security patches
Installing and running antivirus, anti-spyware and anti-phishing software and a firewall
Keeping browsers updated with the latest version
Updating all system software, including Java and Adobe
Locking down wireless Internet with encryption
Setting up administrative rights so that software, such as peer-to-peer file sharing, cannot be installed without them
Utilizing filtering that controls who has access to what kind of data
Utilizing Internet filters to block access to restricted sites that may allow employees or hackers to upload data to Cloud-based storage
Possibly disabling or removing USB ports to prevent the downloading of malicious data
Incorporating strict password policies
Encrypting files, folders and entire drives
These 11 steps are a good start. However, standard security measures are never enough. Depending on the size, scope, type of data requiring protection, compliance and regulatory environment, possible insider threats, and what “bring your own device” policies may be in place, risks and threats must be defined and prioritized. This often requires consulting a professional.
There are two considerations small businesses must take into account that go beyond a low-budget, “do it yourself” mentality:
1. Data loss prevention and risk assessment software. This type of software monitors an entire network’s activities and behaviors to seek out events that might lead to a breach and then stop them before data loss.
2. Penetration testers. These are white-hat hackers who use the same kinds of tools as black hats to seek out vulnerabilities and exploit them as far as they’re allowed by the client. They might use automated tools to seek out technical vulnerabilities, or employ virtual or physical social engineering. For instance, some penetration testers will test the physical security of a building during or after hours. Penetration testing involves real-world attacks that have been proven to work elsewhere, along with seeking out flaws in a business’s networks.
The worst thing any small business can do is nothing. Failure to test your networks and put layers of security in place will inevitably result in a breach. Forewarned is forearmed.
“Opinion pieces of this sort published on RISE Networks are those of the original authors and do not in any way represent the thoughts, beliefs and ideas of RISE Networks.”