Cyber 101 for Small to Medium Businesses

Did you know?

30% of Cyber Attacks are aimed at Small Business - Symantec Internet Security Report ... 

and

>50% of small to medium sized businesses had experienced at least one data breach -- Trend Micro / Ponemon Institute

 

What Are They After?

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Credit Card Numbers and/or Financial Information
  • Intellectual property – copyrights, trademarks & patents
  • Trade secrets - business plans, customer lists, etc.

 

Yet?

  • 86% of businesses 250 employees or fewer said they are "satisfied" with the level of security they have in place to defend customer or employee data
  • 87% of respondents have not written a formal security policy for employees
  • 83% lack any security blueprint at all
  • 59% have no plan in place to respond to a security incident

 -- National Cyber Security Alliance (NCSA) and Symantec “National Small Business” survey

 

So why are you not protecting your company given all the breaches of 2014 we heard about in the news? 

  • Target (retail). In January, Target announced an additional 70 million individuals’ contact information was taken during the December 2013 breach, in which 40 million customer’s credit and debit card information was stolen.
  • Neiman Marcus (retail). Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack. Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees for months.
  • Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to their systems.
  • Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked in January, although the specific number of accounts affected was not released.
  • Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
  • AT&T (communications). For two weeks AT&T was hacked from the inside by personnel who accessed user information, including social security information.
  • eBay (retail). Cyber-attacks in late February and early March led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers.  eBay issued a statement asking all users to change their passwords.
  • Five Chinese hackers indicted. Five Chinese nationals were indicted for computer hacking and economic espionage of U.S. companies between 2006 and 2014. The targeted companies included Westinghouse Electric (energy and utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel (industrial), Allegheny Technologies (technology), United Steel Workers Union (services), and Alcoa (industrial).
  • Unnamed public works (energy and utilities). According to the Department of Homeland Security, an unnamed public utility’s control systems were accessed by hackers through a brute-force attack on employee’s log-in passwords.
  • Feedly (communications). Feedly’s 15 million users were temporarily affected by three distributed denial-of-service attacks.
  • Evernote (technology). In the same week as the Feedly cyber-attack, Evernote and its 100 million users faced a similar denial-of-service attack.
  • P.F. Chang’s China Bistro (restaurant). Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.
  • U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August, which led to the theft of employee personnel information. Although no specific origin of attack was reported, the company believes the attack was state-sponsored.
  • Community Health Services (health care). At Community Health Service (CHS), the personal data for 4.5 million patients were compromised between April and June. CHS warns that any patient who visited any of its 206 hospital locations over the past five years may have had his or her data compromised. The sophisticated malware used in the attack reportedly originated in China. The FBI warns that other health care firms may also have been attacked.
  • UPS (services). Between January and August, customer information from more than 60 UPS stores was compromised, including financial data, reportedly as a result of the Backoff malware attacks.
  • Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted for hacking defense companies such as Boeing. Between 2009 and 2013, Bin reportedly worked with two other hackers in an attempt to steal manufacturing plans for defense programs, such as the F-35 and F-22 fighter jets.
  • Home Depot (retail). Cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.
  • Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised. About 100,000 were released on a Russian forum site.
  • Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple user’s online data storage, leading to the subsequent posting of celebrities’ private photos online.  It is uncertain whether users or Apple were at fault for the attack.
  • Goodwill Industries International (retail). Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores. Malware infected the chain store through infected third-party vendors.
  • SuperValu (retail). SuperValu was attacked between June and July, and suffered another malware attack between late August and September. The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data.
  • Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen between February and May.
  • U.S. Transportation Command contractors (transportation). A Senate report revealed that networks of the U.S. Transportation Command’s contractors were successfully breached 50 times between June 2012 and May 2013. At least 20 of the breaches were attributed to attacks originating from China.
  • J.P. Morgan Chase (financial). An attack in June was not noticed until August. The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government.
  • Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware.
  • Snapsave (communications). Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app.

And the list goes on… you can keep up with some of the major attacks at this link:

http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

This link really gives you an idea of how bad this problem is for business:

https://www.privacyrights.org/data-breach    

 

What is a breach going to cost you?


Ponemon did a great study on all the costs here.  They found that the cost in the US is on average about $188 per record lost...

 

How are you going to get attacked?

Bad Actors Sniffing Clear Text Passwords

Many old legacy sites unfortunately still use clear-text passwords. Here is a great article that lists a few. Several large sites also still offer HTTP Basic authentication, where "username:password" is merely Base64-encoded. Since it is encoded rather than encrypted, it is considered "cleartext" and can be decoded trivially by anyone who captures the traffic!

If you connect to a free web service over Basic authentication and a bad actor captures that network traffic, they may be able to use the same username and password to log on to your banking website (if you reuse that username and password there).

You should educate users either to use "throw away" passwords for these open websites or to connect to websites only via HTTPS where it is available.
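To make the point concrete, here is an added example (not code from the original article) that reads one constructed plaintext HTTP request, as an eavesdropper on the same network would see it, and recovers the username and password from the Basic authentication header with nothing more than a Base64 decode. The host name and credentials are made up; the decoder also handles a password that itself contains a colon and rejects malformed tokens.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample capture: one HTTP (not HTTPS) login request exactly as a
# passive observer on the same network would see it. The host name and the
# credentials ("alice" / "s3cret!") are made up for this example.
CAPTURED_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: legacy.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0IQ==\r\n"
    "User-Agent: curl/7.64.1\r\n"
    "\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Return the request headers as a dict keyed by lowercase header name."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line itself
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: no key is needed to reverse it.
    Returns None for other auth schemes or for malformed tokens.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617 format is user-id ":" password; only the first colon separates
    # them, so a password that itself contains ':' is kept intact.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def recover_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """What an eavesdropper learns from one captured plaintext HTTP request."""
    return decode_basic(parse_headers(raw_request).get("authorization", ""))


if __name__ == "__main__":
    print(recover_credentials(CAPTURED_REQUEST))   # ('alice', 's3cret!')
```

Over HTTPS the same header is inside the TLS session, so a capture yields only ciphertext and this recovery is not possible; that is the whole reason the advice above is "HTTPS where available".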

Pharming

You or one of your employees may be pointed to a malicious, illegitimate website when a legitimate URL is redirected. Even if the URL is entered correctly, it can still be redirected to a fake website.

What it can do:

  • Convince you that the site is real and legitimate by looking almost identical to the actual site down to the smallest details. You may even enter your personal information and unknowingly give it to someone with malicious intent.
  • Convince you to download malware.

Phishing

You or one of your employees may receive a fake email or text message with a website created to look like it’s from an authentic company.

What it does: 

  • Trick you into giving them information by asking you to update, validate or confirm your account. It is often presented in a manner that seems official and intimidating, to pressure you into taking action.
  • Provide cyber criminals with your usernames and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.
  • Convince you to download malware.

Cross Site Scripting (XSS)

You or one of your employees opens a website that has hidden scripts embedded in its content to steal information such as cookies and the data within them (e.g. passwords, billing info).

Denial of Service (DoS)

A bad actor will attempt to make one of your network resources unavailable to its intended users by saturating the target with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.

SQL Injection

A bad actor may try to get valuable information from your website by exploiting vulnerabilities in the site's database layer.

Dictionary Attack

A brute-force attempt to guess your network assets' passwords by trying common words and letter combinations, such as "Password" or "abc123".
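A dictionary attack leaves a very recognisable trail: a burst of failed logins from one source cycling through common account names. The following added example (not from the original article) runs a simple sliding-window detector over a constructed sshd-style auth log; host names, user names and addresses are made up, and the threshold and window are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an sshd-style auth log. The host, users and addresses
# are made up for this example; 203.0.113.9 plays the dictionary attacker.
SAMPLE_LOG = """\
Jan 14 02:15:01 fileserver sshd[4120]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 14 02:15:03 fileserver sshd[4120]: Failed password for admin from 203.0.113.9 port 51023 ssh2
Jan 14 02:15:04 fileserver sshd[4120]: Failed password for invalid user test from 203.0.113.9 port 51024 ssh2
Jan 14 02:15:06 fileserver sshd[4120]: Failed password for invalid user oracle from 203.0.113.9 port 51025 ssh2
Jan 14 02:15:08 fileserver sshd[4120]: Failed password for root from 203.0.113.9 port 51026 ssh2
Jan 14 02:15:09 fileserver sshd[4120]: Failed password for admin from 203.0.113.9 port 51027 ssh2
Jan 14 02:40:11 fileserver sshd[4201]: Failed password for jsmith from 192.0.2.25 port 60010 ssh2
Jan 14 02:40:20 fileserver sshd[4201]: Accepted password for jsmith from 192.0.2.25 port 60011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None if not a login line.
    syslog timestamps carry no year, so one is assumed (constructed sample)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_dictionary_attacks(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP that produced >= threshold failed logins inside any
    sliding window to the sorted list of account names it tried.
    A lone typo from a real user (192.0.2.25 above) never reaches the threshold."""
    failures = defaultdict(list)                  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            failures[ip].append((ts, user))
    suspects = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window
                start += 1
            if end - start + 1 >= threshold:
                suspects[ip] = sorted({user for _, user in events})
                break
    return suspects


if __name__ == "__main__":
    for ip, users in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} account names tried -> {users}")
```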

Botnets

A collection of software robots, or 'bots', that creates an army of infected computers (known as ‘zombies') that are remotely controlled by the originator. Yours may be one of them and you may not even know it.

What they can do: 

  • Send emails on your behalf.
  • Spread all types of malware.
  • Use your computer as part of a denial of service attack against other systems.

Scanning

Your hosts are being scanned daily by server farms all over the world looking for current vulnerabilities (example: Heartbleed) that you may not have patched yet…

What they can do: 

  • Take control of your company...

 

But I'm protected... NOT!

Myth 1

I'm a restaurant owner and outsource my Point of Sale (POS) network to a PCI (Payment Card Industry Data Security Standards) vendor.   They are responsible for our security...

NOT! 

Installing a PA-DSS validated payment processing application does NOT satisfy all of the PCI-DSS requirements. Although it is a very important part of PCI-DSS compliance, a PA-DSS validated payment application is only one element of it. The PCI-DSS contains more than 200 individual requirements, most of which have nothing to do with the POS product. For example, Requirement 11 of PCI-DSS, "Regularly Test Security Systems and Processes," in Section 11.4 mandates that an organization use and maintain network IDS, host-based IDS and intrusion-prevention systems in order to monitor network traffic and alert employees to potential breaches. Do you have one?

For more information on the PCI-DSS requirements, please visit the PCI Security Standards Council web site at: www.pcisecuritystandards.org

Even if your company is 100% PCI compliant and validated, a breach in cardholder data may still occur and cardholder breaches can result in the following losses for a merchant.

  • $50-$90 fine per cardholder data compromised
  • Suspension of credit card acceptance by a merchant’s credit card account provider
  • Loss of reputation with customers, suppliers, and partners
  • Possible civil litigation from breached customers
  • Loss of customer trust, which affects future sales

Just check out this example. You don't want to end up like them... and you don't want to be fighting $13,298,900 in fines like Genesco (here); imagine the legal bills...

 

Myth 2

I have virus detection software on all of our laptops so we are secure...

NOT!

There are many vulnerabilities that locally installed virus detection software cannot protect against. Have you ever heard of a Zero Day Vulnerability? That is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch. It is called a "zero-day" because the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a "zero-day exploit".

Dealing with malware is a race. Malware writers are continually looking for vulnerabilities and writing code to exploit them. Anti-virus software vendors are looking for ways to detect and eradicate new malware as it appears. Software vendors like Microsoft, Facebook, Oracle and others are continually fixing the security holes that the malware exploits. Last come the users, who hopefully keep their systems up to date with the latest patches to their anti-virus software as well as their operating systems and applications. As you can see, malware writers are always in the lead and users are last. Keeping up takes a solid process and a lot of updating.

Also, no anti-virus tool can protect you from yourself. For example, you open an email attachment or download a file that is infected (even though you were warned...) and install a virus before your anti-virus software has a chance to act.

Then what happens if you used the same password for your fantasy football site as you do for your e-banking, and a bad actor swipes it because the password was transferred over the internet in clear text? Anti-virus software can't help you there...

Myth 3

Everything we have is in the cloud and we have protection on all of those servers.

NOT!

Just because your line-of-business applications, email and document management are in the cloud doesn't mean you can't get malware on your laptop, Android phone (more here for a great article on Android malware) or even network printers (more here on that).

Myth 4

I'm an investment banker in a small office and use a FINRA certified email and document management system.  I'm fine.

NOT!

If your network assets are infected with malware and you lose customer data you are going to have big problems.

The Office of Compliance Inspection and Examinations (OCIE) recently published a sample cyber-security examination document request in connection with its recent risk alert to help firms evaluate their “level of preparedness.”    You can find the document (here).

The document addresses various cyber-security issues, including: 

  • Cyber-security governance (including, for example, written policies and procedures; periodic risk assessments of cyber-security threats and vulnerabilities; cyber-security insurance; and the allocation and communication of cyber-security responsibilities to firm personnel);
  • Protection of firm networks and information (including, for example, user access restrictions; system maintenance; data destruction policies; cyber-security incident response plans; security of removable and portable media; backup system testing; encryption; employee guidance and training; and periodic audits for compliance with information security policies);
  • Risks associated with customer on-line account access and email funds transfer requests (including, for example, customer authentication, detection of anomalous trade requests; and protection of stored personal identification numbers);
  • Risks associated with vendors and outsourcing (including, for example, how cyber-security risks are addressed in vendor contracts; vendor training; and cyber-security risk assessments of vendors);
  • Detection of unauthorized activity (including, for example, monitoring for potential cyber-security incidents; amassing and correlating data on cyber-security incidents; detecting malware and malicious code on networks and devices; detecting unauthorized users, devices, connections, and software on the firm’s network; and using data loss prevention software); and
  • Cyber-security breaches (including, for example, malware; denial-of-service attacks; unauthorized network access; fraudulent emails attempting to transfer customer funds or securities; software or hardware malfunctions that impair network or web resources; and theft, loss, or unauthorized use or access to customer information) and the firm’s responses thereto.

Both the SEC and FINRA are now engaged in active cyber-security "sweep" examinations of firms. Securities regulators have taken enforcement actions against firms based on cyber-security governance failures as well as failing to protect networks and non-public customer information with appropriate technology (including encryption, antivirus software and firewalls) and reasonable procedures.

Here are just a few examples:

  • A registered broker-dealer, investment adviser and transfer agent failed to implement enhanced security measures and procedures, despite experiencing a series of "hacking" incidents (more)
  • A registered broker-dealer failed to employ adequate safeguards to ensure that data breaches involving confidential customer information were reported to the Compliance Department and Privacy Officer, as required by the firm's procedures (more)
  • A registered broker-dealer failed to investigate a data breach and sent inaccurate notifications to customers and registered representatives concerning the data breach (more)
  • The CCO of a broker-dealer failed to enhance cyber-security policies and procedures, despite being aware of three stolen laptop computers (one of which contained confidential customer information) and a representative's misappropriated email access credentials (more)

Myth 5

I'm a small office of physicians and we use HIPAA certified systems. We have no issues.

NOT!

If you get malware on one of your local network assets and you lose customer personally identifiable information you will have a serious issue on your hands.

The Department of Health and Human Services (HHS) has done a great job of documenting how to comply with the Privacy Rule and the Security Rule outlined in the HIPAA standards. You can find that documentation (here).

The Department of Health and Human Services, Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.   The penalties can be steep at $100 to $50,000 or more per violation with a $1,500,000 calendar year cap. State and regional governments may also impose separate fines in addition to the federal ones.

Some example cases:

DECEMBER 10, 2014: Malware Infection Results in $150,000 HIPAA Fine

Malware on a personal computer is troubling enough, but when it comes to computers used by health care providers, the viruses can result in federal fines for patient privacy violations.

According to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), this was a lesson recently learned by Anchorage Community Mental Health Services (ACMHS), which was fined $150,000 for not preventing malware from infecting its computers. The malicious programming breached the protected electronic health information of 2,743 individuals in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR news release, ACMHS adopted HHS security rule policies in 2005 but never followed them. The introduction of the malware into the ACMHS system was "the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software," according to an HHS/OCR bulletin (.pdf). In addition to the $150,000 settlement amount, the resolution agreement (.pdf) between ACMHS and OCR includes a corrective action plan and requires ACMHS to report on the state of its compliance to OCR for a 2-year period.

NOVEMBER 12, 2014: Hackers swipe data of 60K in vendor HIPAA breach

'We are sorry for any inconvenience or concern that this may have caused you,' officials write four months later, November 12, 2014. A state insurance plan subcontractor is at the center of a serious security incident after hackers gained three months of unfettered access to its computer system, compromising thousands of members' health records. What's more, despite discovering the HIPAA breach in April, it took officials some four months to notify those affected. The Dallas-based Onsite Health Diagnostics, a medical testing and screening company which contracts with the state of Tennessee's wellness plan, notified 60,582 people that their protected health information was accessed and stored by an "unknown source." The breach affected members from Tennessee's State Insurance Plan, Local Government Insurance Plan and Local Education Insurance Plan.

To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the HHS Office for Civil Rights. 

You can have all the prevention tools (anti-virus, firewalls, automatic patching, backups, robust password protection, etc.) and still be vulnerable to the introduction of code onto your network that can sniff your traffic, copy your data or control your devices...

So how do you detect you have a problem? 

Subscribe to the Defensative NETWATCHER™ service and we will do it for you.

 
