No Business Too Small for Cyberattacks: Threat Actors Trump SMBsBy: Jeff Multz
As a kid you might have been told, “You’re too small to play,” but no matter how small your business is, every day it plays the cybersecurity game.
Cybercrime hits one in five small businesses each year, and 60 percent of those compromised go out of business within six months, according to the National Cyber Security Alliance. Threat actors attack small and medium-sized businesses to steal their financial account information, customer and credit card data, and company trade secrets. The financial loss can be devastating as remediation costs and lawsuits pile up and customers shop elsewhere.
Small and medium-sized businesses (SMBs), like many enterprises, don’t have the time, money, resources and staff that are needed to secure their networks. Most of these organizations mistakenly believe that certain devices will protect them.
Buying a top-of-the-line device, whether it’s a firewall, router, intrusion detection system (IDS) and intrusion prevention system (IPS), Security Incident Event Management (SIEM), antivirus technology (AV), an endpoint detection device or the newest “Next Generation” product will secure a network no more than a top-of-the-line oven will cook an outstanding meal. To get something delectable, you need expert people and processes in place.
Your network has likely already been compromised at some point. Employees unknowingly click on malicious links or attachments that infect their computers, and security devices fail. Not only do these security devices/technologies break down and stop working, they don’t catch everything bad that enters your network when they are working.
They consistently have to be tuned – often numerous times throughout the day – and they can’t catch everything that’s bad. That’s why you have layers of protection, so that whatever threats get by the firewall, won’t get by the IDS/IPS. But antivirus technologies only blocks detected or suspected threats. The technologies don’t protect users from the newest pieces of malware that are created every day. It takes time for new malware to be discovered by security researchers and time for them to create countermeasures for it, so the newest threats scoot right by threat detection technologies.
Additionally, a lot of malware that gets through them is polymorphic, meaning the malware changes. It starts out looking like one thing, such as <123abc>, and changes its code just after entering a network to become something else, such as <DEF123>.
So if AV is designed to block <DEF123> and not <123abc>, the latter code is going to enter your network and may well stay there for months before being detected. Sometimes the only clue there is that your network has been compromised is that it is running slow, but more often than not, the threat actor is so stealthy there is no clue he is in your network. But if you are having your network and endpoints (laptops, workstations and servers) monitored 24x7x365, you can catch intruders soon after they enter.
The longer intruders have been in your network, the more difficult and costly it is to get them out, and the more time they have to collect your data and that of your customers. To prevent their data loss, most regulatory agencies like the Federal Trade Commission and the Payment Card Industry Data Security System (PCI DSS) require that organizations continuously monitor their networks.
Watch Me Now
When you don’t monitor your network and use professional incident responders, you set yourself up for big losses. A company I’ll call “Privy” didn’t realize it needed help with its cybersecurity until after its email domain had been hacked. The hackers used the company’s email server to send out to all the people in its contact list spam emails advertising pornography and sexual enhancement drugs.
After realizing its email system had been hacked, Privy wiped its exchange server and thought that had fixed the problem. However, Privy was not a specialist in remediation, and the hackers got back into the server the next day, unbeknownst to Privy, which still was not monitoring its network. The hacker sent out more spam emails, causing the IT department of a Privy prospective client, to blacklist all emails hailing from Privy’s domain. So when Privy later emailed the prospect a proposal for a million-dollar deal, the prospect never even received the proposal. It wasn’t until after the company realized it lost the deal that it learned the prospect had never even received the proposal.
Out, Spot, Out!
Once intruders have entered your network, you need to get them out and keep them out so they can’t re-enter. A well-rehearsed Computer Security Incident Response Plan (CSIRP) that your security team and business leaders created is invaluable to let you know what needs to be done and in what order you need to do it.
The plan should answer the following questions:
- Which people or what company will you call in case of a possible breach?
- If your network has been taken offline, what parts of the website need to be up and running first?
- What messages will you tell employees, customers, shareholders and the media?
- What team will you call upon to remediate the threat?
- If a server in one location goes down or is destroyed, what do you do to get that part of the network back up and running?
- Who are all the people who are going to be on the Computer Security Incident Response Team?
- What are the roles each team member will play?
- How will you define the severity of an incident?
A CSIRP should also help ensure you comply with legal, regulatory and industry requirements. A SecureWorks security consultant who specializes in Incident Response (IR) can help you develop and test a CSIRP.