Tuesday, March 27, 2012

Why Hackers Set Their Sights on Small Businesses

CSO Security and Risk Online, March 22, 2012
http://www.csoonline.com/article/print/702672
....
"SMBs [Small and Medium Businesses] don't know how defenseless they've become, especially to automated and industrialized attack methodologies by organized crime," Christopher Porter tells PCWorld. Porter, a principal with the Verizon RISK Team, is the author of a new report from Verizon on security risk.
....
"[Hackers] scan the Internet, looking for remote access services, and then try the default credentials. Once they gain access, they automatically install keyloggers to collect password information [as it's typed in],..."

"...they'll target point-of-sale systems [POS], as four Romanians did recently. 'That kind of attack is increasing, because they're low-risk and low-cost attacks for organized crime.'"
....
But if small businesses are increasingly vulnerable, Porter characterized the tactics they should employ in response as "quite simple. If you have a point-of-sale system, make sure to change the password from the default it came with. It shouldn't be microsmicros or alohaaloha," citing two common POS systems. "The problem is that when small businesses think about their POS system, they worry about whether it's going to be available when they sell the shirt or charge for the burger," Porter says. "They're not worried about confidentiality. They're worried about margins."

Verizon's Fifth Annual Data Breach Report

The fifth-annual Verizon 2012 Data Breach Investigations Report, produced in conjunction with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting & Information Security Service, and the London Metropolitan Police's cybercrime unit, reveals seventy-nine percent of attacks represented in the report were opportunistic.

Of all the attacks the report studied, it found 96 percent were not difficult to achieve and 97 percent were avoidable, "without the need for organizations to resort to difficult or expensive countermeasures."

What does the Verizon report recommend small businesses do? The report cites three simple things:

  • Use a firewall. Install and maintain a firewall on Internet-facing services to protect data. Hackers cannot steal what they cannot reach.

  • Change default credentials. Point-of-sale (POS) and other systems come with pre-set credentials. Change the credentials to prevent unauthorized access.

  • Monitor third parties. Third parties often manage firewalls and POS systems. Organizations should monitor these vendors to ensure they have implemented the above security recommendations, where applicable.
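The "change default credentials" advice can be enforced when a new device password is set. The sketch below is an added example, not code from the article or the Verizon report: it rejects passwords built only from vendor, account or generic words, which covers the doubled vendor names Porter cites and generalizes to other concatenations. The function names, the word list and the 12-character minimum are assumptions.

```python
import re

# Generic words often seen in factory-set passwords (constructed list; extend locally).
GENERIC_WORDS = {"admin", "administrator", "password", "pass", "default",
                 "changeme", "pos", "user", "manager", "support", "service"}


def _letters(text):
    """Lower-case and keep letters only, so 'Micros-Micros!2012' -> 'microsmicros'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _segmentable(core, words):
    """Word-break DP: can `core` be written entirely as a concatenation of `words`?"""
    reachable = [True] + [False] * len(core)
    for end in range(1, len(core) + 1):
        for w in words:
            start = end - len(w)
            if start >= 0 and reachable[start] and core[start:end] == w:
                reachable[end] = True
                break
    return reachable[len(core)]


def default_like(password, context, min_length=12):
    """Return the reasons a proposed device password looks factory-set or guessable.

    `context` lists names tied to the device: vendor, product, account, store.
    `min_length` is an assumed local policy value. An empty result means these
    checks raised no objection; it is not a strength guarantee.
    """
    reasons = []
    words = {_letters(w) for w in list(context) + list(GENERIC_WORDS)}
    words |= {w[::-1] for w in words}           # reversed names are no better
    words = {w for w in words if len(w) >= 3}   # skip fragments too short to matter
    core = _letters(password)
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if core and _segmentable(core, words):
        reasons.append("built only from vendor, account or generic words")
    elif any(len(w) >= 4 and w in core and 2 * len(w) >= len(core) for w in words):
        reasons.append("mostly a vendor, account or generic word")
    return reasons
```

Digits and punctuation are stripped before the comparison, so appending a year or a symbol to a vendor name does not get past the check.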

In addition, Porter recommends some other simple steps:

  • Educate your staff, especially in regard to social phishing. "Set up policies, and then make sure they're being followed. The weakest link in security will always be the carbon-based life form."

  • Follow through on what you've bought. "Businesses spend a lot of money on security technology, but then they don't configure them properly, or ignore the reports. A well-tuned intrusion detection system that's tailored to your environment is a powerful tool for finding hacking incidents on the network."

  • Think about security frequently, not just when you're being audited. "Check the logs of your Windows OS system, your POS system, and your security software." If that represents too big a time commitment, then hire someone to do it. Don't ignore them.

Porter stresses that, in most cases, these infiltrations are targets of opportunity. If small businesses follow the simple procedures outlined, they're less likely to be targeted. "The criminals will pass right by you."
---------------------------------------------------------
Also, in a related article:
http://www.csoonline.com/article/print/702667

...hackers used relatively simple methods in more than 90% of data breaches in 2011...
...in a vast majority of attacks (80%), hackers hit victims of opportunity rather than companies they sought out. ...
....
...based on the investigations into more than 850 data breaches. ...
....
Data breach victims and security vendors generally tend to describe attacks as highly sophisticated and involving a great deal of expertise on the part of hackers.

The Verizon report, though, shows a far more mundane reality.
....
Very often, the companies breached had no firewalls, had ports open to the Internet or used default or easily guessable passwords, said Marc Spitler, a Verizon security analyst.
....
-----------------------------------------------------------------
I could add some smart comment here but it would just be redundant of what the article states. Ok, I will say it anyway. Simple steps will go a long way. Now that we are on the Internet, the bad guys have 24/7/365 to get in. Be aware, do something. .....Thomas
