If you run a small business, and think that none of your data was of interest to a hacker, consider this: what if a hacker could take stolen bank account or credit card information from your computer and package it with the same information from a hundred or a thousand other small businesses? Would it be worth something then?
"SMBs don't know how defenseless they've become, especially to automated and industrialised attack methodologies by organised crime," Christopher Porter says. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
"[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in]," Porter says. "Then they send the information it out via email or by uploading it to an FTP server or a website. They aggregate the data and sell it on the black market."
Hackers could use the keylogger to figure out how access and drain a small business' bank account, but more commonly, Porter said, they'll target point-of-sale systems, as four Romanians did recently. "That kind of attack is increasing, because they're low risk and low-cost attacks for organised crime." Because they're geographically widespread, it's hard for any one police department to follow up.
But if small businesses are increasingly vulnerable, Porter characterised the tactics they should employ in response as "quite simple".
If you have a point-of-sale system, make sure to change the password from the default it came with. It shouldn't be microsmicros or alohaaloha," citing two common POS systems. "The problem is that when small businesses think about their POS system, they worry about whether it's going to be available when they sell the shirt or charge for the burger," Porter says. "They're not worried about confidentiality. They're worried about margins."
The fifth annual Verizon 2012 Data Breach Investigations Report, produced in conjunction with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service and the London Metropolitan Police's cybercrime unit, reveals seventy-nine percent of attacks represented in the report were opportunistic.
Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable, "without the need for organizations to resort to difficult or expensive countermeasures."
What does the Verizon report recommend small businesses do? The report cites three simple things:
- Use a firewall. Install and maintain a firewall on Internet-facing services to protect data. Hackers cannot steal what they cannot reach.
- Change default credentials. Point-of-sale (POS) and other systems come with pre-set credentials. Change the credentials to prevent unauthorised access.
- Monitor third parties. Third parties often manage firewalls and POS systems. Organisations should monitor these vendors to ensure they have implemented the above security recommendations, where applicable.
In addition, Porter recommends some other simple steps:
- Educate your staff, especially in regard to social phishing. "Set up policies, and then make sure they're being followed. The weakest link in security will always be the carbon-based life form."
- Follow through on what you've bought. "Businesses spend a lot of money on security technology, but then they don't configure them properly, or ignore the reports. A well-tuned intrusion detection system that's tailored to your environment is a powerful tool for finding hacking incidents on the network."
- Think about security frequently, not just when you're being audited. "Check the logs of your Windows OS system, your POS system, and your security software." If that represents too big a time commitment, then hire someone to do it. Don't ignore them.
Porter stresses that, in most cases, these infiltrations are targets of opportunity. If small business follows the simple procedures outlined, they're less likely to be targeted. "The criminals will pass right by you."