Sunday, December 13, 2009

Fundamentals of a security plan for small business.

ChoicePoint, Bank of America, LexisNexis, RBS WorldPay and other large corporations have reported data breaches of their information systems. These companies all had elaborate information security measures in place, and budgets for developing and maintaining those systems that would likely exceed the total revenue of some small businesses. So how can you, a small business owner with a limited budget, protect your IT investments, prevent loss of productivity or, worse yet, avoid the negative image of having been the victim of a security incident? Well, it’s really not all that hard and, better yet, many times you can do a really good job on a tight budget.


Regardless of your business model, if you have even a single laptop that is used to support your business then you could be the victim of a cyber threat. Many times small business owners fail to realize just how vulnerable they are until they have a problem. This article will outline many of the more common threats and offer advice on how to avoid problems. However, I would advise any small business owner to seek out a qualified professional to assist with the development of an information security program. An information security specialist will be able to discuss options with you and should be able to help you better understand the various threats and how they could impact you.


That being said, let’s get started.


Malware (Malicious Software)


Malware is a fancy word for any code that was written with the intention of performing malicious actions. The term virus has become synonymous with pretty much any malicious code, but not all software threats are viruses. Viruses, along with the self-replicating kind known as a worm, are very common and can be painful to deal with once your computer is infected. Typically viruses inject themselves into existing documents or files as a means of infecting other computers. Worms, on the other hand, are self-replicating; they do things like forwarding themselves via email to everyone in your address book, most times without your knowledge. How happy will your client be when they receive an email from you that contains a virus or worm that brings their network down? The good news is that standard anti-virus applications will deal with the problem. For some common sense advice on preventing viruses, read my previous article found here.


Beyond the common virus, things get a bit more complicated. Trojan Horses get their name from Homer’s Iliad. Just as the Greeks infiltrated the Trojans' defenses with the statue of a large horse, today’s Trojan Horses disguise themselves as something desirable yet mask something more sinister. A few years ago there was a Trojan Horse hidden in a video of the Saddam Hussein hanging. Unsuspecting viewers watched the video without knowing it contained a keylogger that later captured the keystrokes used to log into email accounts, perform banking transactions and enter other sensitive information, which was then sent to the bad guys. Some Trojan Horses create backdoors into your computer; other times they can turn your computer into a zombie that is then used to attack other computers. The best practice for preventing these attacks is to prevent users from installing software on their computers. Establish a list of “approved” applications for each PC and use policies and user rights to prevent the downloading and installation of additional software. Most anti-virus programs will also detect and remove Trojan Horses.


Spyware is a generic term for keyloggers and other applications used to gather information about your computer habits and report this information to a third party. These applications can do anything from sending your internet surfing habits to capturing personal and sensitive information. Spyware is many times the payload of a Trojan Horse, and affected users usually find out they have a problem after it is too late. There is also the more benign code known as adware. Adware is most often seen in the form of popups or new browser pages that appear without your request, advertising some service or product. They are annoying and affect productivity but usually do no direct harm. Notice I said usually; there are exceptions.


Social Engineering


Social engineering can take many forms. The most common, and the one you have probably heard about recently, is known as phishing. Typically phishing comes in the form of an email, but it can sometimes be a website or a popup while browsing the web. Phishing attacks will most often try to convince you to provide sensitive information to what you believe is a legitimate website or individual. You may be told that you must update your login information or provide some other updates to your account. The email or website will even be kind enough to provide you with a link to make it easier for you. The problem is that this link is not legitimate. Even though the page you followed the link to may look exactly like the website of your bank, credit card company or credit union, it is really a fake, and now a bad guy has your user id and password for your bank account. Always contact your bank to verify any email or website asking you to update your account information to be sure it is legit. And if you EVER follow such a link and enter your information during a momentary loss of sanity, CALL YOUR BANK IMMEDIATELY and let them know.


Other forms of social engineering can come as phone calls, surveys, cold sales calls and so on. You have to realize that many times a social engineering attack takes the form of many small steps, and you may be the target of only a small piece of the complete attack. These steps could be used to gain insight into your business, identify your clients and even obtain trade secrets or proprietary information. In some cases social engineering has even been used to convince you that you need the product a company is offering to combat the very problem created by the social engineering attack.


The best countermeasure for social attacks is to be educated and to educate your employees. Be sure to include guidelines in your security policies or procedures that limit the opportunity for social attacks to be carried out, such as restricting employees from participating in surveys, defining procedures for resetting the passwords used to access data, or limiting what information can be sent via email.


Protect against "Crackers"


“Crackers” is the correct term for individuals that attempt to gain unauthorized access to your systems or data. Hackers have been incorrectly labeled as the bad guys for years, mainly thanks to Hollywood, but I digress. Attacks by individuals can come in many forms, really many more than can be addressed here, so I will focus on the more obvious attacks and methods for dealing with them.


Password attacks are at the top of the list. There are programs available on the internet that can launch various password attacks against a website, router or server. There are dictionary attacks that use a file containing thousands of words to attempt to log into a system. There are brute force attacks that will try thousands or even millions of random character combinations to try and force their way into a system. The best protection against these attacks is a password policy that requires passwords to be changed frequently, at least every 90 days; I prefer 60 or less. Also require users to use complex passwords. Complex passwords consist of alpha-numeric strings with a requirement for both upper and lowercase letters and special characters. It is not as difficult as it sounds either. You can use words that you use every day but substitute numbers or symbols for certain letters. Let me give you an example. Take the words “Happy hour”: you can turn this into a complex password by changing some letters to symbols and numbers, making a password that is relatively easy to remember, such as “#aPPy#0ur” or perhaps “H@ppYh0ur”. Depending on the number of characters allowed, you could also use what is known as a passphrase. This is just a string of words, preferably unrelated. One example would be: chairscupcakespuppyradio. Whatever makes the password easy to remember yet complicated to guess. There are much better methods for authentication, such as tokens, one time passwords and others, but to keep this discussion focused on small and micro businesses I want to keep the solutions simple and low cost.
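As an added example (not code from the post), here is a small policy checker that applies the rules above to the post's own candidates: a password passes either as a "complex" string with all four character classes or as a long passphrase, and is rejected if it appears in a word list of the kind a dictionary attack uses. The length thresholds and the word list are assumed values, not a standard; the keyspace figure shows why a long all-lowercase passphrase still beats a short complex one against brute force.

```python
import string

# Constructed policy thresholds modelled on the post's advice (assumed, not a standard):
# accept either a complex password (all four character classes) or a long passphrase.
MIN_COMPLEX_LENGTH = 8
MIN_PASSPHRASE_LENGTH = 20
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}

# Short constructed word list standing in for the file a dictionary attack would use.
COMMON_WORDS = {"password", "happyhour", "welcome", "letmein", "qwerty"}


def character_classes(pw: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def keyspace(pw: str) -> int:
    """Candidates a brute-force attacker must cover for this length and set of classes."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return alphabet ** len(pw)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    # Compare without spaces or case so "Happy hour" is caught by the "happyhour" entry.
    if pw.replace(" ", "").lower() in COMMON_WORDS:
        problems.append("appears in the common-word list (dictionary attack)")
    classes = character_classes(pw)
    is_passphrase = len(pw) >= MIN_PASSPHRASE_LENGTH
    is_complex = len(pw) >= MIN_COMPLEX_LENGTH and len(classes) == 4
    if not (is_passphrase or is_complex):
        missing = sorted(set(CLASS_SIZES) - classes)
        problems.append(f"needs {MIN_COMPLEX_LENGTH}+ chars with all four classes "
                        f"(missing: {missing}) or a passphrase of {MIN_PASSPHRASE_LENGTH}+ chars")
    return problems


if __name__ == "__main__":
    for candidate in ["Happy hour", "#aPPy#0ur", "H@ppYh0ur", "chairscupcakespuppyradio"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}  keyspace ~ {keyspace(candidate):.1e}")
```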


Denial of Service attacks and exploits are also the result of an attack by an individual. These are attacks that focus on a particular weakness in a system. Their purposes can range from simply denying the owner the services of the affected system to compromising the system with the intent of using it to attack other systems. Preventing these attacks requires more elaborate countermeasures, I am afraid. It is up to you, the owner, to decide what your threshold for pain is and weigh that against the cost of the countermeasures needed to satisfy your level of tolerance. Firewalls, intrusion detection systems, network monitoring, and log collection and analysis are some of the countermeasures designed to prevent these types of attacks. One cheap and easy method for preventing many of these attacks does exist, however: patch your systems! Most modern operating systems provide mechanisms to notify you when updates are available to protect your systems once a vulnerability has been identified. Just don’t forget about all the additional software that is installed on your systems. Often these applications, not the operating system, are the source of an open vulnerability.


Physical loss


Physical loss can take many forms. In some cases physical loss can be the result of any of the attacks we have covered so far. So you downloaded a virus, were the target of a cracker or other malicious activity, and now you have data loss or the loss of a system that your business depends on to service your clients. What do you do? Well, here is where recovery comes into play. Backups, software repositories and business continuity plans all deal with how to correct a problem when it occurs. (Notice I did not say IF but when.) These mechanisms can be created to fit your business model and your budget. I would recommend that you consult with a professional to help you identify the best course of action to support your business model, because there are so many factors to consider. There are also formulas that can help you identify how much you stand to lose if a specific system is compromised, and this knowledge can help identify a solution that minimizes your risk at a cost that makes sense. In other words, spending $10,000 to protect a $4000 investment does not make much sense. Just be careful when calculating costs not to forget things like your reputation or any regulatory obligations you may have. These can be a bit tougher to assign a dollar value to.
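The cost comparison above, worked through with annualized loss expectancy (ALE), one standard formula of the kind the post refers to. This is an added example, not from the post; the exposure factor, the rate of occurrence, the residual rate after the countermeasure and the $20,000 intangible loss are assumed figures used to show how reputation or regulatory costs can flip the decision.

```python
# Added example: ALE = SLE x ARO, used to judge a countermeasure against the loss it prevents.
# All dollar figures and rates in the demo are constructed for illustration.


def single_loss_expectancy(asset_value: float, exposure_factor: float,
                           intangible_loss: float = 0.0) -> float:
    """Cost of one incident: the fraction of the asset lost, plus hard-to-price costs
    (reputation, regulatory penalties) that the post warns not to leave out."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be between 0 and 1")
    return asset_value * exposure_factor + intangible_loss


def annualized_loss_expectancy(sle: float, annual_rate_of_occurrence: float) -> float:
    """Expected loss per year: cost of one incident times incidents expected per year."""
    return sle * annual_rate_of_occurrence


def countermeasure_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a countermeasure; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


def worth_buying(asset_value: float, exposure_factor: float, aro: float,
                 annual_cost: float, residual_aro: float,
                 intangible_loss: float = 0.0) -> bool:
    """Decide whether a countermeasure with the given annual cost pays for itself."""
    sle = single_loss_expectancy(asset_value, exposure_factor, intangible_loss)
    before = annualized_loss_expectancy(sle, aro)
    after = annualized_loss_expectancy(sle, residual_aro)
    return countermeasure_benefit(before, after, annual_cost) > 0


if __name__ == "__main__":
    # The post's comparison: $10,000 to protect a $4,000 asset. Even if the asset were
    # lost completely once a year and the countermeasure stopped every incident,
    # the spend never pays back.
    print(worth_buying(4000, 1.0, 1.0, annual_cost=10000, residual_aro=0.0))  # False
    # Add a constructed $20,000 regulatory/reputation cost per incident and the same
    # $10,000 countermeasure now makes sense.
    print(worth_buying(4000, 1.0, 1.0, annual_cost=10000, residual_aro=0.0,
                       intangible_loss=20000))  # True
```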


One common and useful countermeasure that all small businesses should deploy is data backups. These can take many forms, ranging from traditional media such as magnetic tape or optical devices such as CDs and DVDs to internet based backup services or data replication to a secondary site. The most important factor to consider when looking at a backup strategy is to only back up what is needed in the event of a problem. Typically this would be data that has been created to support your business, such as customer data, accounting information, payroll or employee information, and don’t forget about proprietary information or intellectual property. I plan to devote a future post to various backup and recovery methods, so if this is an area that interests you, stay tuned. It should be completed in a week or so.


Lastly, do not forget about mobile users and devices. Laptops, PDAs and even cell phones nowadays carry a lot of data that could be disastrous if lost or stolen. These devices must be protected and given additional consideration when planning your security plan. This is because these items are many times used in environments that are out of your control or that are not protected by the physical measures you have in place at the office. Password protection should be a minimal requirement to secure these devices; many times biometrics are built into laptops and other devices that can be substituted for passwords and even provide a greater measure of authentication for a user. You may also want to consider additional requirements for users that are issued mobile devices, such as additional training on how to protect and secure these devices. Of course the best means of protecting these mobile devices is to use encryption of the storage media within these systems. Once encrypted, if a device is lost or stolen then at the very least your data, or perhaps your customers' data, is safe and unlikely to be compromised. There are even free solutions available to provide encryption for many of these devices. You can’t get much more cost effective than that.


Finally, even small business owners should create a documented Business Continuity Plan, or BCP, and a Disaster Recovery Plan, or DR plan. These do not need to be huge complicated documents, especially for small businesses, but should at least provide a documented course of action should a problem occur. I often find that many people think BCP and DR plan are interchangeable terms. This is not the case, and really both are needed for any business. Let me try to explain.


Let’s say you are in a car accident, nothing serious, just a normal fender bender. Still, your vehicle has been damaged and may not be legal to drive until it has been repaired. Now if your damaged car represents your business, then a viable BCP would be to obtain a rental car that would provide you with a means of getting from place to place while your damaged car is repaired. On the other hand, the DR plan for this scenario would be to identify a repair shop, call a wrecker service to transport your car to the chosen repair shop, work with the insurance company to have your car repaired and then pick up your car once the repair has been completed.

You see, the BCP just defines how you will continue operating your business while you are performing the necessary tasks (the DR plan) to return your business to "normal" operations.


You should also know that, depending on the services your small business provides to your clients and their dependency on those services, your clients may REQUIRE you to have a documented BCP or DR plan. Perhaps they will require both.


In closing


Despite the length of this article, I have really only scratched the surface of many of these topics, and there are others that I have not even mentioned. I have jotted down a few notes for some other areas that are just begging for a dedicated article, such as physical security, a deeper dive into backup and recovery, and others, so those will be coming soon. In the meantime I hope the information here is helpful to you and at least provides you with a basic understanding of core information security concepts. Again, I would advise any small business owner to consult with a professional to assist them in developing a comprehensive security plan, one that protects your investments while staying within your budget.


Regards,


Steve
