Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim
One of the unpleasant developments of the last decade has been the speed with which IT security threats, once aimed mainly at large enterprises, have spread to SMBs – small and medium businesses.
Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.
SMBs account for a large chunk of all IT spending – 40 per cent according to Gartner – with modest-sized biz splashing more on security than ever before. Some two-thirds reported doing this in a new survey of US SMBs by Osterman Research. Yet this money doesn’t seem to be having a noticeable effect on the anxiety executives express about their ability to fend off miscreants. They still feel vulnerable to attack.
Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.
As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?
Here's a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.
Targeted extortion, email weakness
The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data, internal systems, or paid off hackers from launching crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.
Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook's bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.
This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emailsin the first half of 2018, a rise of 55 per cent on the previous half year.
The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email service gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t confirm to standards such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.
All backed up
An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.
Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.
Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office's protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as Powershell, VBScript and Jscript scripting need care and attention. If it’s not needed, chuck it.
Backdoor RDP and authentication
Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.
The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.
But let’s not forget firewalls – they’re no longer a magic shield but are great friends such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information, and more.
Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.
IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigationsanalysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.
While rogue insiders are a legit security threat IT managers should be on the look out for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.
You shouldn't read too much from CVE-labeled bug totals – more flaws found may well mean we're getting better at finding and fixing them – although it does mean there's more patching to do before exploits are developed and used in the wild.
SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.
The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It's too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but as with authentication finding a system built for SMB use can be a challenge.
Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.
Watch the cloud
SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.
The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.
Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.
Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.
Industry: Cyber Security News
- IAM Consultant- One Identity Manager- UK Wide
- Upto £75,000 plus excellent benefits
One Identity IAM consultant is needed for this expanding UK based business, you will be responsible for: Developing and Supporting the Identity and Access management system based-on One Identity products Active Roles Server and Identity Manager. Further develop One Identity Manager’s integration with Service Now to provide automated JML processes and application access requests and fulfilment. Work across the business ensuring that the IAM solutions integrates into both the technology and business systems and processes, ideally automating as mush as possible. Work with the Governance Risk & Compliance (GRC) team to provide application access attestations and toxic combination alerting and reporting. Work on a mixture of IAM related projects to help to integrate new ideas and technology into the business to ensure the business stays fully compliant Assist in ensuring that all IAM capabilities are mapped to internal processes, policies, and standards. Develop metrics to measure and improve and also compile reports around the solution If you are interested in this opportunity we are looking for someone who is skilled within Identity Acess management, you will need to have worked with the One Identity product, ideally both Active Roles Server and Identity Manager Experience in managing and integrating with Microsoft systems (on-premise and cloud), such as Active Directory, Exchange, Office, SharePoint, etc.
- SailPoint Integration Consultant
- Upto £75000 plus benefits
SailPoint Integration Consultant. SailPoint Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced SailPoint Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of Sailpoint domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex Sailpoint deployments.
- CyberArk Integration Consultant
- Greater London
- upto 75,000 plus benefits
CyberArk Integration Consultant. CyberArk Integration Consultant is needed for this expanding service business to help them with complex deployment with their FTSE focused customer base. They are looking for experienced CyberArk Integration Consultants who have: • Strong solution designing experience with in depth understanding of IAM concepts and thorough understanding of CyberArk domain. • Thorough understanding of Identity and Access Governance concepts • Leading and creating Identity & Access Management (IAM) technical architecture • Secure by Design principles in Identify Access management, Privilege Access management • Familiar with cloud architectures, data management and source control from a security perspective. This is a great opportunity to join a business that is growing and looking for individuals who want to grow and develop and work on some of the most complex CyberArk deployments.
- Penetration Tester, UK based. Ability to achieve SC clearance
- United Kingdom
Experienced Penetration tester- UK based with the ability to achieve SC clearance. On-going training and development and paid certifications / renewals. Interested to hear from all areas of penetration testing, web app, infrastructure, mobile, etc. MUST have current hands on experience delivering penetration testing. Ideally from a consultancy background with experience working with multiple clients. OSCP / CREST / CHECK / Tigerscheme penetration testing experience / certifications desirable. Apply today for more details. All information kept in the strictest of confidence.