Saturday, 21 December 2013

6 scary facts your computer security company won't tell you

Your network support company is focused on making sure your computer systems are up and running.

While they probably address security basics, few keep experienced security experts on staff. As a result, they may not be fully aware of today's many serious risks.
Likewise, most business owners have limited tech budgets, and what money is available is dedicated to expanding capabilities, not locking down the systems you already have.
With new automated tools, software packages and third-party programming consultants, it is easier than ever for nearly anyone to launch a sophisticated attack.
Here's what you need to know to protect your business.

1. Easy to hack
Every network can be penetrated.
According to certified ethical hacker Dave Chronister, founder of Parameter Security: "In most small businesses, it takes mere minutes to gain access to their systems through common security holes that hackers know how to exploit."
For example, if you don't keep your systems patched with the latest Microsoft updates, you're asking for trouble; leave passwords set to factory defaults, and you'll surely invite unwanted intruders.
Even simple passwords can be cracked with a basic "dictionary" hack that rapidly tries password after password until a successful result is achieved. That may sound like a lot of trouble, but it's completely automated. All a hacker has to do is set things in motion.

2. You may not know
If you don't keep a close watch on your network, you may not be aware of outside attacks. Your server could be spamming thousands of victims around the world without your knowledge, or your confidential customer data may have been copied and shared with others, all without leaving any obvious trace.
Security should be revisited every time a new device or software package is installed, but few companies take this step.
Chronister points out another common vulnerability: "Most companies never think about their log files. Hackers usually clean up after themselves to avoid detection. That means if your log files are stored on the compromised server, the logs will likely be altered, leaving no trace of what really happened. Make sure all logs are shipped off the source device, either to a logging server or some other medium like e-mail."
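The value of shipping logs off the source device can be checked directly. The following is an added example, not part of the original article: a Python sketch that compares a host's local log with the copy held by the log server and reports entries that have disappeared from the host. The function name `compare_logs` and all sample log lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample: auth log lines as received by the off-host log server.
SHIPPED = [
    "Dec 21 02:10:01 web01 sshd[811]: Failed password for root from 203.0.113.7",
    "Dec 21 02:10:04 web01 sshd[811]: Accepted password for root from 203.0.113.7",
    "Dec 21 02:14:59 web01 sshd[811]: Disconnected from 203.0.113.7",
    "Dec 21 02:15:00 web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed sample: the same log as it now reads on the host itself.
LOCAL = [
    "Dec 21 02:15:00 web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 21 02:20:00 web01 CRON[911]: (root) CMD (run-parts /etc/cron.hourly)",
]


def _normalise(lines):
    """Strip line endings and drop blank lines."""
    return [line.rstrip("\r\n") for line in lines if line.strip()]


def _surplus(lines, other):
    """Lines of `lines` with no one-for-one match in `other`, in original order."""
    extra = Counter(lines) - Counter(other)  # multiset difference keeps repeats
    out = []
    for line in lines:
        if extra[line] > 0:
            extra[line] -= 1
            out.append(line)
    return out


def compare_logs(local_lines, shipped_lines):
    """Return (removed, unshipped).

    removed:   entries the log server holds that are gone or changed on the host.
    unshipped: entries on the host that the log server never received
               (forwarding lag, a broken forwarder, or lines inserted later).
    """
    local = _normalise(local_lines)
    shipped = _normalise(shipped_lines)
    return _surplus(shipped, local), _surplus(local, shipped)


if __name__ == "__main__":
    removed, unshipped = compare_logs(LOCAL, SHIPPED)
    for line in removed:
        print("REMOVED ON HOST:", line)
    for line in unshipped:
        print("NOT ON LOG SERVER:", line)
```

Any entry in the first list is evidence that only survives because the log left the source device; entries in the second list usually mean forwarding is lagging or broken and should be investigated as well.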

3. Employee data theft
One of the most common sources of data theft is, unfortunately, your employees. It's not unusual to hear of customer or prospect lists being copied when an employee or sales person leaves. Even worse is the transfer of company secrets, customer financial data or sensitive employee information, such as Social Security numbers. In bad economic times, these types of incidents tend to increase due to the high value of this information.

4. Employees help hackers
Chronister warns: "There is no technology to protect you from your employees; social engineering plays into almost any major or minor intrusion these days."
You may be acquainted with some of the tricks sales people use to gain access to decision-makers in target companies. Hackers use similar tactics, referred to as "social engineering," to uncover key information that can help them access computer systems over the Internet and in person.
Phishing scams that trick employees into clicking links online and in e-mail are also a huge issue, as they bring unwanted programs inside your computer network, opening the door for hackers to get in. These could be e-mails that look legitimate but aren't, or programs that appear helpful but have been designed with an ulterior motive in mind.
"The key to a successful social engineering attack is understanding what will entice the target to click the link or open the e-mail. Social sites like Facebook and Twitter provide a malicious attacker all the background information they need to be successful," Chronister said.

5. You're an appealing target
Many businesses skimp on security, thinking no one would bother with them because they are too small. Nothing is further from the truth.
Chronister explained: "Often, the hacker is looking for a computer network that can be used to launch attacks on others. Hacker sites are filled with lists of vulnerable IP addresses ripe for exploitation. What this means is that your very own unprotected systems could be used for credit card theft or even a government attack."
Another worry: being targeted based on your vendors or customers. "If I were targeting a Fortune 500 company, I might try hacking one of their smaller vendors to see if there is a way in through an extranet, billing system or some other backdoor," Chronister said.

6. Attacks can be costly
Attacks can expose your business to financial liability in a number of ways.
According to the 2008 CSI Computer Crime and Security Survey, the average annual loss is just under $300,000. Costs include response to loss of confidential information, which is often subject to regulatory compliance requirements and may carry hefty financial penalties. There are additional costs involved to restore your computer network to a clean, secure state, which can be a complex, time-consuming process. It's likely that after an attack, you also will put stronger safeguards in place to prevent a repeat incident.
But Chronister noted: "The worst thing you lose after an attack is your company's reputation. We've seen companies go under because their reputation couldn't be rebuilt."
So what can you do? A good place to start is an audit conducted by an experienced security company. You may see advertisements for inexpensive security scans, but these won't accomplish much since they typically don't show the whole picture. If you are taking the time to strengthen security, do it right and bring in experts. They'll advise you on intrusion detection, firewalls and other tools that make it harder for outsiders to get in, as well as strong security policies and security awareness training to ensure your staff is protecting you, too.
Wendy Gauntt is president of CIO Services LLC, a technology consulting company that specializes in small business solutions.
