Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim
One of the unpleasant developments of the last decade has been the speed with which IT security threats, once aimed mainly at large enterprises, have spread to SMBs – small and medium businesses.
Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.
SMBs account for a large chunk of all IT spending – 40 per cent according to Gartner – with modest-sized biz splashing more on security than ever before. Some two-thirds reported doing this in a new survey of US SMBs by Osterman Research. Yet this money doesn’t seem to be having a noticeable effect on the anxiety executives express about their ability to fend off miscreants. They still feel vulnerable to attack.
Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.
As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?
Here's a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.
Targeted extortion, email weakness
The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data, internal systems, or paid off hackers from launching crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.
Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook's bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.
This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emailsin the first half of 2018, a rise of 55 per cent on the previous half year.
The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email service gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t confirm to standards such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.
All backed up
An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.
Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.
Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office's protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as Powershell, VBScript and Jscript scripting need care and attention. If it’s not needed, chuck it.
Backdoor RDP and authentication
Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.
The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.
But let’s not forget firewalls – they’re no longer a magic shield but are great friends such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information, and more.
Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.
IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigationsanalysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.
While rogue insiders are a legit security threat IT managers should be on the look out for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.
You shouldn't read too much from CVE-labeled bug totals – more flaws found may well mean we're getting better at finding and fixing them – although it does mean there's more patching to do before exploits are developed and used in the wild.
SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.
The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It's too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but as with authentication finding a system built for SMB use can be a challenge.
Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.
Watch the cloud
SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.
The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.
Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.
Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.
Industry: Cyber Security News
- SPLUNK SOC Analyst level 3, London.
SPLUNK SOC Analyst level 3, Must be able to commute to the City of London. Onsite role. Security clearance needed. The SPLUNK SOC Analyst level 3 must have current experience working within a SOC environment with specific experience using a range of tools and techniques to investigate security incidents. Current experience with Splunk is essential. any additional experience Individuals with Elastic Security SIEM are highly desirable. Any of the following certifications are desirable Splunk Phantom certified admin, Splunk Core Certified Power User / Advanced, Splunk Certified Enterprise Security Admin, etc The role will include, but not be limited to working with sophisticated information security tools, investigating security incidents, incident management, technical escalation, process improvement, research into the latest threats, reporting etc The individual MUST currently be living in the UK and be able to achieve UK security clearance. (SC) This is a permanent role To arrange a call with Chris Holt https://calendly.com/chris-holt/arranged-call-with-chris-holt-elastic-siem-engineer-soc Chris.Holt@dclsearch.com
- ISO 27001 & Business Continuity Security Specialist, End User
- United Kingdom
CH7828 ISO 27001 & Business Continuity Security Specialist, End User, £70,000 United Kingdom ISO 27001 & Business Continuity Security Specialist needed to join a Cyber team within an end user. The ISO 27001 & Business Continuity Security Specialist will have end to end responsibility for the information security and Business Continuity management system. ISMS/BCMS. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. ISO 22301, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. Experience taking a company through accreditation is highly desirable Experience managing internal stakeholders, technical teams and external third parties essential Flexible working, very occasional travel to London office This is an exclusive role to DCL Search & Selection. Looking to interview immediately. https://calendly.com/chris-holt/iso-27001-business-continuity-security-specialis
- PCI- DSS Security Consultant, End User
PCI- DSS Security Consultant needed to join a Cyber team within an end user. The PCI- DSS Security Consultant will have end to end responsibility for PCI - DSS and its continuing certification. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. PCI objectives / 12 key requirements, OWASP top 10, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. PCI Cloud compliance, specifically someone with experience taking PCI-DSS from on premise into the cloud is HIGHLY desired. However, someone with Solid PCI experience with a strong technical background which include Cyber / Secure by design etc would be considered. Experience managing internal stakeholders and external third parties essential. Flexible working, but with the ability to get into London. This is an exclusive role to DCL Search & Selection. 1st stage interviews to happen the week of the 14th September Arrange a call with Chris on https://calendly.com/chris-holt/arrange-a-call-chris-dcl-pci-compliance
- IAM Contractor CyberArk
Identity & Access Management Architect Contractor Flexible • Extensive PAM / IAM experience required, • MUST have CyberArk and or Beyondtrust. Privileged access management • Technical review, recommendation, design and hands on technical delivery. • 6 month contract Arrange a call with Chris Holt https://calendly.com/chris-holt/arranged-call-with-chris-holt?month=2020-09