Business security isn’t just about locks, alarms and guards. Thieves have realised that stealing from corporate networks over the internet is safer and more profitable than doing a ‘smash and grab’. So what’s the best online business protection against cyber criminals?
The threat landscape in a connected world is rapidly changing. New types of attack have emerged over the past two years and small-to-medium businesses shouldn’t be fooled; they are firmly in the sights of those behind the attacks.
Cyber crime is a profession, and the demographic of your typical cyber criminal has evolved just like the attacks, from bedroom-bound geek to organised crime groups traditionally associated with drug-trafficking, extortion and money laundering.
With all these changes, prudent business owners are beginning to realise the security of their livelihood is no longer as simple as locking the door.
Engineered Online Attacks
In Australia, there is an increasing number of engineered attacks made to fool users. As recently as May 2008, MessageLabs announced it had identified an attempted attack masquerading as a resume within a job application. Distribution of the attack was via an Australian recruitment website which, like many others, makes use of a mechanism that allows job candidates to upload their own applications, which are then sent to interested employers automatically. In this instance the attack had been designed to infect the recipient’s PC with what is commonly referred to as a backdoor Trojan, designed to steal corporate information and personal details such as internet banking passwords.
In the same month, MessageLabs intercepted a Trojan specifically targeted at Australian domains. The email attack claimed to be from a government department and contained a malicious Trojan disguised as a Microsoft PowerPoint slideshow file. Both the file name and body of the email indicated it contained images from Iraq, when in fact, once the attachment was clicked, it attempted to download malicious code onto the infected PC.
Continuing the theme of engineering attacks that spoof subjects or senders Australians would be interested in, there has been a slew of fake Facebook message alerts, eBay payment emails and banking phishing scams.
Of particular concern with these types of attacks is that, if they succeed, the victims would rarely be alerted to the fact they have been compromised, resulting in an open line of communication with the criminals behind them for lengthy periods of time.
Cyber Criminal Targets
Don’t perceive your business as low risk; the trend of highly targeted attacks is gaining momentum and increasing in sophistication. Cyber criminals are becoming more adept at drawing less attention to themselves by sending out highly targeted virus and phishing attacks in smaller numbers.
Accelerating the threat to SMEs is the presence of online toolkits. There are websites where you can buy an ‘off the shelf’ attack, complete with upgrade options and service contracts to help attackers stay one step ahead of the desktop antivirus products. This has lowered the barrier of entry for cyber criminals who no longer require the technical sophistication – just the intent.
In another twist, the increasing popularity of social networking sites such as Facebook, MySpace and LinkedIn means criminals now have the means to assume the identities of other people in order to harvest information from their ‘friends’ pages, obtain confidential information and damage the reputation of the victim.
Today, we are also seeing a significant increase in email attacks containing links to malicious websites. Traditional mail-filtering products don’t follow links; they only view the link as text, so it will be blocked if it is a known malicious site on their database. But what about new or previously unknown malicious sites which are built for a specific attack? Increasingly, the bad guys are using this technique as the path of least resistance, safe in the knowledge it will be missed by most software products.
Your Security Responsibilities
The biggest issues concerning SME owner/operators when it comes to security continue to be spam, phishing, and viruses. Local research by GfK shows that despite the deployment of virus protection, 29 percent of SMEs (equivalent to 70,570 businesses) suffered some downtime due to virus or malicious events during the past 12 months. It is also regularly shown that businesses of fewer than 250 employees receive almost twice as many spam messages as medium-sized companies and 30 percent more spam than large enterprise organisations.
In 2008, security has a direct impact on every critical part of a business including reputation, productivity and business continuity. So what steps should you take to avoid these pitfalls?
At a minimum, ensure you have an acceptable usage policy in place. Keep it up-to-date and educate your workforce on the changing landscape. Make sure they understand attacks are becoming much more socially engineered.
Small business owners wanting guidance on how to educate employees and establish an e-policy at work can download a free resource from MessageLabs at www.messagelabs.com.au/white_papers/epolicy_form
Top Tips for Internet Security
1. Be sceptical of all unsolicited email.
By far the most common type of phishing email being sent at the moment will be worded in an urgent or overly dramatic way, prompting the recipient to take immediate action such as confirming online account details for a bank or other portals such as eBay or PayPal. It is important to keep in mind that no online bank or portal would ever solicit personal information in this manner. Also be wary of “spoofed” messages – even though the sending domain (e.g. mybank.com) may appear to be legitimate, unless the message is correctly digitally signed there is no guarantee that the message is not a fake.
2. Don’t be fooled.
In the past it was uncommon for phishing-type messages to be personalised; however, this situation is changing. Again, always be sceptical of an unsolicited message, even if it appears to be personally addressed to you.
3. Check the security of the website.
Be sure to confirm the integrity of the host site. Secure connections are denoted with an https:// at the beginning of the address bar rather than just http:// and the “padlock” icon should appear at the bottom right of your browser window. In addition, ensure you are running the most up-to-date version of your browser and that your security settings are active. If using Microsoft’s Internet Explorer you can check for updates via the following URL: http://www.microsoft.com/security/
4. Think twice before you click.
Avoid clicking on any links within an email that you think may not be authentic. Similarly, avoid completing any online forms requesting financial information unless you can be absolutely sure of the integrity of the host site.
5. Check your online accounts.
Check them as regularly as possible and if you see any suspicious transactions contact your bank immediately.
—Mark Sunner is chief security analyst for MessageLabs (www.messagelabs.com.au). He joined in 1999 as head of product development and innovation, and the services he and his team initially created went on to establish several groundbreaking milestones within the anti-virus and anti-spam arenas.