An Article By: David Tan, Chief Technology Officer
It seems you can’t go a day without hearing news of some huge cyber-attack on a large company or organization. Everyone from Target to HBO has been the victim of malicious hackers looking to gain profit from some sort of unauthorized access to company data, assets, or resources. Those are the stories you hear about – what about the ones you don’t? What about the small businesses getting compromised every day and losing tens or hundreds of thousands of dollars, or losing the intellectual property that help differentiate their business? HBO may look bad when they get hacked, Equifax might have to offer free credit monitoring to the whole country, but isolated cyber incidents are likely not going to put them out of business. However, for the average small to mid-sized business, that type of an incident is unrecoverable.
So the first question you probably want to ask yourself, is are you a target. Before you even have a minute to think about it, I’m going to tell you that you are. You see there are a bunch of different types of victims of cyber-attacks in small business. Certainly, there are those that are specifically targeted by someone looking to do them harm – whether it’s a competitor, disgruntled ex-employee, or just someone whose picked you out and locked in on you. These type of attackers are extremely dangerous. Given enough time, patience and resources, almost anyone is subject to some sort of compromise. It’s imperative you stay diligent and alert to fight these off, or at least minimize their impact – something I’ll talk a little more about in a minute.
There are however other sorts of targets in the SMB. Truthfully a small business is much less likely to be specifically targeted by a bad actor. They have less money, or other valuable resources, and a much smaller attack area to operate in. So, the attack is generally harder, and the payoff is less. That’s not to say it’s not possible, it’s just less likely. SMBs are much more likely to fall victim to being a target of opportunity. What that means is the business did something to make the compromise easy (or relatively easy) and opened themselves up to the hacker. This can happen in one of several different ways.
The most obvious is some sort of failure of execution. What I mean by this is that the business had weak passwords / password policies, or they had unpatched or old servers / network equipment, or just didn’t take basic precautionary measures to protect information resources on their systems. Hackers use automated scripts and tools that scan the internet all day looking for these vulnerabilities or weaknesses. When they find one, it’s usually child’s play to exploit it. If you don’t think you’re being “targeted” in this way, I promise you, you are. We use a tool called RDP Guard that sits on servers setup for remote access through Microsoft Remote Desktop. Every single place we set it up and look at it, we see continuous attempts to login with generic usernames (administrator, support, accounting, etc.) If you have these accounts setup, make sure they have secure passwords, and unless absolutely necessary, restrict them from getting remote access to your network. You should never need to log in from home as the scan account!
The other type of failure of execution is generally related to phishing attacks. As I’m sure you’re familiar, phishing refers to tricking a user in your company into clicking on a malicious link in an email that either installs some sort of malware on their computer (and thus your network) or tricks them into entering sensitive credentials onto a fake website. There are technical controls and restrictions you can put in place to help mitigate this, but nothing beats education and training. Make sure your employees understand what phishing is and what to look for. Teach them how to check the real source email address of an email, and how to hover their mouse over a link in an email to make sure they are going to the website they think they are going to. These phishing attacks are often very well designed and thus very convincing. I highly recommend you implement some sort of monthly or quarterly phishing test procedure where we can work with you to send simulated phishing emails and help you track (and educate) which users click on them. This type of reinforcement is very helpful in making users learn how to behave with technology.
The last thing I want to talk about is the possibility of being a combination of a targeted attack and an attack of opportunity. What this means is, you probably didn’t fall victim to a script looking for weak systems, or some user clicking on a malicious link, but something else made you a target. Then, once you got on someone’s radar, you became a focused target. This is probably the scariest situation because in most cases you or your employees didn’t do anything wrong. Often times you can’t see this type of attack coming, but there are things you can do to protect yourself.
First, let me give you some more details to help you understand what I’m talking about. Let’s say you’re a mid-sized company that’s big enough to have someone in a dedicated financial position, who has the authority to do things like initiate a wire transfer. For argument sake, let’s call that your controller. Well, if you have a controller, who has a profile on LinkedIn, or has their name / title somewhere on your website, I guarantee that within two weeks of updating their profile or your website, they start getting targeted phishing emails. I have seen it first-hand dozens of times. People actively monitor sites like LinkedIn, looking for new employees in powerful positions and target them to do something like initiate a wire transfer or pay some phony invoices.
These requests can appear to come from someone inside your organization or outside. When they come from inside, there are whole new risks to think about. Someone unsophisticated could make a fake email address (i.e. firstname.lastname@example.org) and when sending the email put someone from a position of authority in the company as the sender’s name. This is often easy to spot as the email address shows up in the from line of most emails. Let me tell you about something way scarier I have seen as an emerging trend. Let’s say your company name is Healthy Employee Services (I made that up), and your domain name is healthyemployee.com. What I’ve seen is an attacker registering a domain name that looks like yours, but is just a little different, that would be very difficult to notice without looking carefully. What I mean is, in this case, they could register healthyemploye.com without the last e. Someone looking quickly might not notice. How about these variants – hea1thyemployee.com (with a #1 instead of a letter l, they look the same in many fonts) or healthyernployee.com (where we replace the m with an r and an n which also looks very close at first glance). Let’s be honest, these aren’t easy to spot when you get an email from your boss and want to act quickly and do the right thing!
The same can be done for emails from outside sources. If I see the controller of Healthy Employee Services is LinkedIn with a banker from friendlybank.com, I could potentially make a fake domain for the bank and send an email to the new controller to initiate some sort of wire transfer or access to the system. Again, at first glance it’s going to look very normal and be hard to spot.
There are steps you should take to mitigate risks like this. Again, education is first and foremost. Train your employees what to look for and test them regularly. Next is take an overly cautious approach to what information is available to the outside world. Some basic steps I recommend you take immediately include:
- Don’t put anyone with a job in accounting or finance on your website
- Make sure you and all your employees restrict seeing who your LinkedIn connections are to only people they are connected with
- Don’t let new employees update their LinkedIn profile until they completely understand your company, who you work with and how, and you are 100% comfortable they will spot these scams
- Don’t allow anyone to explicitly state what their working relationship is with you or your employees in LinkedIn recommendations (i.e. “he was my client when I worked at XYZ bank)
- Consider registering any domains that look like yours. Some things to look for:
- Change an l to a 1
- Change m to rn
- Change u to v
- Implement a training and testing process immediately
You are a target today whether you think you are or not. Even a small cyber breach could well put the average SMB out of business overnight. Spend the time up-front to train and educate your employees and prepare your business for the dangers you are facing already.