To the cybercriminal tapping away on his laptop in Kiev or Baton Rouge, the server your small retail shop, architectural firm, or medical office depends on is just as appealing a target as a box maintained by Wells Fargo, Twitter, or the U.S. Department of Defense.
In some ways, your server is more interesting to the guy. After all, you don’t have a full-time staff charged with guarding your network. You never bothered to change the default password or update your patches. Maybe your Facebook-addicted employee clicked on another “You’ve gotta see this!” link, allowing the crook to implant a little code on his or her machine. He’ll remember that place -- or rather, the code he banged out in 15 minutes will -- and he’ll be back later when it’s time to wake up the zombie farm to carry out a DoS attack. Worse yet, he might tunnel into your network and snatch sensitive customer or business data.
Organized criminals are using exploits and malware to generate revenue, and they value ROI as much as SMB owners do. Easy, repeatable attacks that skim off a little bit of money from a lot of places for very low effort are extremely appealing, says Erik Goldoff, a longtime IT security consultant. In this new age of cybersecurity threats, volume often trumps size.
“There are a handful of companies with millions of dollars, and millions of companies with a handful of dollars,” Goldoff says. “If I could get $10 from every company I can touch, I don’t care how big you are.”
In the current threat landscape, attackers simply jiggle a lot of cyber doorknobs, find out who’s left their “house” unlocked, and set about helping themselves to whatever they want: financial data, private emails, customer account information and other goodies.
Sure, plenty of small and midsized businesses are telling their staff not to write their passwords on sticky notes, not to click on links whose origins they don’t know, and not to give any email sender purporting to be Nigerian royalty even one thin dime. But, “while there is a lot more training going on, those gains have been offset by the sophistication of the adversary,” says Anup Ghosh, founder and CEO of Fairfax, Va.-based security supplier Invincea and professor of information security at George Mason University.
BAD GUYS KEEP GETTING SMARTER
Steve Surdu keeps tabs on those adversaries every single day, especially those working out of China or Eastern Europe. As vice president of professional services at Mandiant, an information security firm based in Alexandria, Va., Surdu says about one-fifth of his business is working with SMBs who want to bolster their defenses -- and more often than not are seeking to limit the damage already done by an attacker.
“There are state sponsored attackers going after little [defense contractors] of 200 people or fewer, because of the very specialized things they do” -- and the intellectual property relevant to that work, such as blueprints for emerging weapons systems. “The larger defense contractors know about the threat and have been working for years to protect themselves, but that’s caused the attackers to say, ‘Let’s take it down a notch.’”
Verizon’s 2011 Data Breach Investigations Report [DBIR], released earlier this year, supports Surdu’s observation. According to the DBIR, of the 761 data security breaches analyzed, SMBs with fewer than 1,000 employees sustained 556 of the attacks. Of those, 436 incidents targeted companies with 11 to 100 employees.
Half of the breaches examined in the DBIR utilized some form of hacking, and half incorporated malware (with both malware and hacking up about 10 percent over the previous year). Interestingly, 29 percent -- up from 14 percent in 2009 -- of the attacks had an element of physical attack, such as someone gaining access to a PC simply by walking into an office masquerading as an air conditioning repair person.
Some of the most effective attackers have built workflows as honed and efficient as anything taught in business school, says Chris Porter, a principal in Verizon’s risk management unit, which worked in tandem with the U.S. Secret Service and the Dutch National High Tech Crime Unit to gather and interpret the findings.
“They might write and issue, say, a tool looking for specific default credentials and specific point-of-sale devices” sitting unprotected on the Web, Porter says. As the devices are identified, “they log into each and create a list of attack targets for the next team, which does malware installation.”
After that’s been installed, data exfiltration begins: credit card information, email addresses or some other desirable asset, Porter says. The next group monetizes the information, perhaps by selling the addresses to another crime organization that will use them for a range of nefarious purposes. One popular tactic is the cybercriminal’s “canary in a coal mine”: tacking a small charge onto each account to see whether it gets processed. Those that go unchallenged might prove fertile ground for another, larger-dollar heist, perhaps executed by yet another group of “specialists.”
Cybercriminals’ ingenuity knows no bounds. “They have some really innovative attack processes,” Porter says.
What’s more, bad guys excel at getting more bang for the buck than ever before. Think back to the Epsilon attack in the spring, which was thought to have compromised tens of millions of email addresses belonging to customers of everything from CitiBank to LL Bean to Marriott. Chances are criminals have since used that email haul to compromise specific machines, set up spam relay points, initiate spear phishing attacks and much more.
SMBS ON THE DEFENSIVE
Even tech-savvy small business owners like Matt Wade, who runs an ISP in Washington D.C. with business partner and spouse Martha Huizenga, have had to tweak policies and procedures to combat phishing and other tactics that use an organization’s name and reputation with clients for criminal ends.
Wade recently contended with a phishing attack in which someone created an email purporting to come from his company, DC Access. The email asked customers to provide their password and other information in order to complete an “upgrade” to the system. Wade acted fast, reminding customers via email that DC Access would never request such data in such a manner.
Elizabeth Shea, CEO of a 17-person public relations firm, SpeakerBox Communications, was surprised and distressed in 2008, when her company’s website was hacked -- and stayed down for three weeks. The ordeal cost her company at least one client and forced Shea to replace the IT services firm she had retained.
Nervous that business proposals and other sensitive information were in danger of being compromised, Shea chose to outsource the company’s networking to a private cloud service provider for about $200 per month, about ten percent of what she used to spend on her former IT services provider.
SMBs must defend against both opportunistic attacks and targeted ones, experts say.
In targeted attacks, socially engineered methods – the creation of an email that appears to have come from a legitimate source, for example – make even a security-savvy recipient think they are opening a safe attachment. Or, consider a bogus LinkedIn profile filled with accurate company information that can later serve as a launching pad for other exploits.
“All [the bad guy has] to do is get users to click on a link,” says Invincea’s Ghosh, a former DARPA scientist. “If I can get you to do that, I can set up a back door and remotely log in. Later, I can move laterally within your network” -- to the payroll department, or the president’s PC, or a customer database.
Opportunistic attacks, Ghosh says, are simply the price of using the Internet in a work capacity. From SEO poisoning to malicious links, no one’s targeting your firm, per se, but they are “feeding off your employees’ [Web usage].”
INCREASED SECURITY AWARENESS
For an SMB, the exploitation of a physical, policy-oriented or network infrastructure weakness has potentially much greater impact than it might on a larger company.
“Sony and T.J. Maxx have had bad breaches in the past few years, but they’re big enough to be able to absorb costs” related to mitigating the attack, whether it’s paying for customer credit card monitoring services, or reimbursing bogus charges, notes Charles Kolodgy, research vice president for secure products at IDC and a former National Security Agency (NSA) analyst. “But if you’re a small grocery store and someone steals $300,000 from your bank account, that might be the difference between life and death for you.”
Regardless of the size of your organization, information security must be everyone’s responsibility, experts say. That awareness, plus strategic use of appropriate technology, will help combat the cyber baddies who have come to view a lot of little “takes” -- a few bucks from this SMB, a bunch of saleable emails from that one -- as a nice revenue stream.
There is no excuse for SMB owners to not understand, even at a rudimentary level, why they need to be proactive about managing cybersecurity, says SpeakerBox’s Shea. “You have to be informed about how systems become infected in the first place.”
“In companies with two people, you may not have a chief security officer per se, but there needs to be a basic understanding by both people about how to categorize the risk of data loss,” says Frank Kenney, vice president of global strategy and product management at Lexington, Mass.-based Ipswitch. “If credit card data or addresses or emails are lost or breached, all employees need to know what the impact to the business would be.”
Kenney sees a silver lining to all the media exposure of security breaches this year, in that “a better understanding of risk in general and information security in particular is permeating the layperson.”
Ultimately, the fewer SMBs operating under the illusion that obscurity is tantamount to security, the better.
“Do at least what everybody else is doing” to protect their networks and assets, says Mandiant’s Surdu. “The bad guys are looking for the weak link.”
Amy Rogers Nazarov is a freelance writer based in Washington D.C.