Friday, November 29, 2013

The Impact of a Cyber Attack on Your Business

"Statistics show that nearly 60 percent of small businesses will close within six months after a cyber-attack."

That's a scary statistic.  Today I'd like to take a look at how a cyber attack can affect your business.  Let's look at two potential attacks: a malware infection and a DDoS attack on your website.  The first shows the impact of an attack where a system is compromised and used to steal funds from your bank.  The second demonstrates indirect costs associated with an attack that prevents you from making sales.

What I want you to ask yourself is this, "How can I reduce my exposure to these risks?"  Let's look at this in non-technical terms.  Whether you choose to believe it or not, your SMB is exposed to both of them.

For the first example suppose a virus were to infect a system and use a keylogger to obtain the username/password for your SMB's bank account.  You come in one morning and discover there's no money in your bank account.  If you think this can't happen to you then ask Michelle Marsico, owner of Village View Escrow.  That's exactly what happened to her SMB.  Almost overnight cyber thieves robbed her company of $465,000.

In the second example you, or someone in your IT dept., receives an email from "Ivan in Russia" threatening to shut your website down unless you pay him $3,500.  Ask yourself, "How many sales per hour/day does my business generate through its website?  How much will we lose if it's down for several hours/days?"

In another real-life scenario, this is what happened to Endless Wardrobe, an online apparel retailer.  With the company's website down for a week, Andrew Burman, Endless Wardrobe's General Manager, estimates they lost "at least a few thousand dollars in business".

As previously stated, I want to look at this in non-technical terms.  The bottom line is your organization experienced a cyber attack that resulted in financial loss.  What can you do to recoup the losses?  I hate to be the bearer of bad news but the answer is most likely nothing.

The only way to protect yourself is to identify your exposure to the risk of a cyber attack.  Beyond implementing technical solutions, this involves, among many other things, working with your insurance company, bank and ISP.  Knowing what protections and guarantees these institutions provide beforehand can help you mitigate and recover any losses you may suffer.

Insurance - Talk to your insurance agent.  Determine what, if any, coverage you have against cyber attacks.  If you have coverage make sure it covers data breaches, cyber theft and DDoS attacks.  If you don't, look at what is available from your agent or another insurance company.  In either case be sure to perform a cost-benefit analysis to make sure you have the right amount of coverage for your SMB.

Bank - You should be familiar with your bank's policies and procedures regarding cyber theft.  In many cases you may be out of luck, as business accounts are not afforded the same protections as consumer accounts.  If your bank does have a policy/procedure in place make sure you know who to contact or how to report an incident.  One way of reducing your exposure to this kind of theft is through a two-factor authentication or one-time password (OTP) login method for online banking.  If your bank offers this I strongly recommend you take advantage of it.

ISP - While unable to protect you from cyber theft directly, your ISP can help you mitigate a DDoS attack, phishing campaign or malware infection.  Contact your ISP and see what their options for these types of protection are.

DDoS protection occurs at the network level.  Malicious traffic is filtered out here, before it hits your website.  Make sure you know what number to call or person/department to contact if you are experiencing a DDoS attack. 

For phishing and malware protection they may have a number of solutions.  These could be controls that block spam or prevent access to malicious websites.  Your ISP may be able to provide these services to you but they are usually on a subscription fee basis. 

It's more likely that they will have spam controls that individuals will have to set up on their own.  Ask them for instructions on how to use spam filtering on user accounts.  The ability to block users from accessing malicious websites can usually be found on the ISP-provided router.  Check the equipment's documentation or ask the ISP for instructions on how to configure web filtering at this level.

Knowing how to handle these three items in advance can significantly influence events in the wake of a cyber attack.  Being able to mitigate or recoup any losses suffered will help keep you from being one of the 60% who go out of business within 6 months.

2013-11-29 Link of the Day: Kaspersky Rescue Disk 10

Today's LOTD is:

Kaspersky Rescue Disk 10

Just download the free .iso image, burn it to a CD then boot the infected system from it.  For the most up-to-date protection make sure the product's A/V signatures are current.  This product will run a complete scan on an infected machine.  If a virus is detected it will remove the infection.

Download and read the Admin's Guide prior to using this application.
 
 
Any/all products/services are provided for informational purposes only. The author does not endorse any single product.

Use these products/services at your own risk.

Wednesday, November 27, 2013

Network World: Small Businesses Put Themselves at Risk by Not Taking Security Seriously

Great article from Thor Olavsrud:

"Small Businesses Put Themselves at Risk by Not Taking Security Seriously"

2013-11-27 Link of the day: Free Anti-Virus

Today's links are to free virus scanning products from major security vendors.  They offer either online scanning right from your web browser or software you can download to perform a complete virus scan on your system(s) for free.  Links are listed in no particular order.

Sophos Virus Removal Tool

McAfee Security Scan Plus

Norton (Symantec) Security Scan

TrendMicro HouseCall

ESET Online Scanner (Click "Run ESET Online Scanner" button on left side of page)

Bitdefender Online Scanner

PandaSecurity ActiveScan 2.0

Kaspersky Security Scan

Note: To avoid conflicts, disable any other anti-virus software running on your system prior to running these tools.  Any/all products/services are provided for informational purposes only.  The author does not endorse any single product. 

Use these products/services at your own risk.

Tuesday, November 26, 2013

Racingpost.com Hacked - How to properly handle a data breach

From Sophos Naked Security "Hackers trot off with RacingPost.com customer records".

According to the company's LinkedIn page they have between 201-500 employees.  Their LinkedIn profile goes on to state they receive "more than 1,000,000 unique visitors per month".  While located in the UK, they qualify as an SMB under the definition set by the US Small Business Administration.

As the article points out, the site does not store credit/debit card info.  That is good news for Racingpost.com and its customers.  However, it does store other personally identifiable information (PII) such as usernames, passwords, first & last names, customer addresses, email addresses and customer dates of birth.  This is a treasure trove of information for identity thieves, hackers and phishers.  At the very least these users can expect to see a substantial increase in the amount of spam they receive.  In a worst-case scenario identity theft is a very real possibility.  Affected users may wish to employ a credit protection service to minimize the potential of this.

While the passwords were encrypted, they are relatively easy to crack.  To see how easy this is just Google "Rainbow Tables".  More info on Rainbow Tables can be found here and here (the first two results returned by Google).  Security best practices recommend stored passwords be hashed and "salted"; however, this was not the case.  Encryption algorithms are reversible.  Hash algorithms are "one way" and are not reversible.  Adding a salt to the hashing algorithm makes the stored hashes exponentially more difficult to crack, because a table of precomputed hashes is only useful if the hash of a given password is always the same.  Had the passwords been hashed & salted, a Rainbow Tables attack would be much less likely to reveal the passwords.
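To make the hashing point concrete, here is an added example of my own; it is not code from the Naked Security article or from Racingpost.com.  It shows the two storage schemes side by side: an unsalted SHA-256 digest, which can be found in a table computed once ahead of time (the principle behind rainbow tables), and a per-user salted hash, which cannot.  The salted scheme uses PBKDF2-HMAC-SHA256 with a work factor, which is my assumption since the post only says "hashed and salted"; the five-word list is constructed for the demonstration and stands in for the far larger tables an attacker would hold.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for a precomputed hash table.
# Real tables hold billions of entries; the principle is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "racing2013"]

# Assumed work factor for the salted scheme; raise it as hardware allows.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme the post describes: one deterministic digest per
    password.  Every user with this password gets the same digest, so the
    digest can be looked up in a table that was computed once, in advance."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> password for a wordlist.  This is the defender's
    view of why unsalted storage fails: the work is done once and reused
    against every leaked database."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_digest: str, table: dict) -> Optional[str]:
    """Return the password behind a stored digest if the table has it."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """The recommended scheme: a random per-user salt plus a slow key
    derivation function (PBKDF2-HMAC-SHA256, an assumption here).
    Stored as 'salt$iterations$digest' so the record is self-describing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    """Run both schemes against the same password and report the outcome."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Unsalted: the leaked digest is found in the precomputed table.
    recovered = lookup(unsalted_hash("letmein"), table)

    # Salted: two users with the same password get different records,
    # and neither digest appears in the table built without their salts.
    record_a = salted_hash("letmein")
    record_b = salted_hash("letmein")
    same_record = record_a == record_b
    table_hit = lookup(record_a.split("$")[2], table)

    # Legitimate login still works because the salt is stored alongside.
    login_ok = verify_salted("letmein", record_a)
    return recovered, same_record, table_hit, login_ok


if __name__ == "__main__":
    print(demo())  # ('letmein', False, None, True)
```

The record format carries the iteration count so the work factor can be raised later without invalidating existing accounts; the constant-time comparison in verify_salted avoids leaking how many leading bytes of a guess matched.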

How many of these username and (potentially cracked) password combinations do you think have been used for other online accounts? As discussed in the article, password reuse is fairly common. All users affected should immediately change their passwords for any/all accounts they have. This is why users should be forced to change theirs on a regular basis.  My recommendation is to follow cyber security best practices and force this change every 45-90 days.

Now for the good news.  This is an excellent example of an SMB handling a crisis correctly.  They detected the compromise in a relatively short period of time and called in cyber security experts immediately.  They then took appropriate measures to control the damage and began the process of customer notification.  It is obvious they had an incident response plan in place to address this type of event.

SMBs can use this as a learning experience.  Speak with your IT staff and ask them about your organization's incident response plan.  If they are able to explain the process then you're in a position to handle a potential crisis.  It would also be a good idea to schedule some time with your staff to review the incident response plan.  Update it and make any necessary adjustments during the review.

If all you get is blank stares and non-answers you're in trouble.  Take the time to gather the appropriate stakeholders from all lines of business and create an incident response plan.  Once completed, incorporate it into your cyber security policy immediately.  Protect your organization by requiring that all employees read the cyber security policy and sign a statement that they have read and understand it.

I would also recommend conducting at least one tabletop exercise per year.  This is an exercise where a data breach is simulated.  It ensures that everyone in your organization knows what they are responsible for and the steps required to meet those obligations.  Remember, getting ahead of the incident goes a long way in regards to damage control and restoring customer confidence.

In future posts I will help guide readers through the process of creating an effective cyber security policy.  An incident response plan will be one of the topics that will be covered.

2013-11-26 Link of the Day: The Business Side of Cybersecurity

The Business Side of Cybersecurity from SecurityWeek

Great article by Marc Solomon from Security Week magazine.  He provides good insight into how cyber security needs to adapt to changes in both the threat landscape and business requirements.

Friday, November 22, 2013

More Healthcare.gov woes

From Sophos Naked Security: Security pros: If Healthcare.gov hasn't been hacked already, it will be soon 

This is why testing and vulnerability assessments are critical before rolling out a new website or web application. 

If you're going to err, do it on the side of caution.

From Websense - 8 Security Predictions for 2014

From Websense - 8 Security Predictions for 2014.  These guys tend to be pretty accurate in their predictions.

What I find interesting is item #2, "A major data destruction attack will happen".  This is something new.  Generally attackers like to be stealthy, hiding their tracks to avoid discovery, and are interested in stealing data, not destroying it.

My guess is this would be used to create a new revenue stream for the attacker(s). Steal the PII or intellectual property (IP) then destroy it. This would allow for the data to be sold on the black market (Dark Web) and then ransomed back to the victim, i.e. pay me and I'll return your data.

2013-11-22 Link of the Day: Microsoft Security Guide for Small Business

Microsoft Security Guide for Small Business

Thursday, November 21, 2013

Cybersecurity meets psychology - Microsoft & Maslow

I received an interesting Tweet from Microsoft Security (@msftsecurity) regarding a report they published in conjunction with Oxford-Analytica.  Here is a link to the report titled "Hierarchy of Cybersecurity Needs: Developing National Priorities in a Connected World" (look for the link at the bottom of Kevin's article).

While this is written at a national level I think it is highly applicable to SMBs.  In accordance with Maslow's Hierarchy of Needs, the report defines 5 levels of cyber security needs.  Each layer builds on the one below it; if lower needs are not met, they dominate.  As these lower level requirements are met, higher level needs become evident.

Let's take a look at how it breaks down, or builds upon itself, whichever you prefer.

Access - The first need an SMB has is secure access to the network.  Without secure access to shared resources such as files/folders, databases or printers (even the Internet itself is a resource in this case), no SMB can function at an acceptable level of efficiency.  This is true even in more traditional scenarios: POS terminals and credit card processing systems require access to their respective networks in order to perform their functions.  In other words, without access to a network, people and machines cannot fulfill the basic needs of the organization.

Resilience - Once the need for access has been fulfilled, the organization and its personnel need the network to be reliable.  If the organization's network is not resilient and staff cannot access the resources they require to do their job, a breakdown occurs.  The IT industry has made resiliency a core requirement of any quality network design: there can be no single point of failure that would cause a disruption to the business.  Whether it be a RAID array on a server or a highly available router/firewall configuration, the architecture of the network should be built to function properly even in the event a single component fails.

Connectivity - This need is tightly integrated with its predecessors.  Whether it's to shared resources, business partners or customers, organizations are not able to function without secure connectivity.  Think of it this way: if your customers are incapable of connecting to your website, or of walking into your brick and mortar location because the entrance is blocked, to purchase goods/services, then your business will suffer significantly.

Trust - When conducting business it is vital that your customers have an acceptable level of trust in you and your technologies.  Your employees, partners and customers must trust that the information they provide you with will be protected, whether it be an employee's Social Security number, a business partner's bank account information for automated deposits or a customer's credit card number; if there is no such trust, they will not provide you with it.  In cyber security terms this equates to, among a myriad of other things, protecting your data from hackers, providing secure SSL connections to your website or establishing VPN connections to business partners when exchanging data.

Optimum - When all underlying requirements have been met, the organization's cyber security posture is in its optimum state.  All parties involved can access the network, resiliency provides fault tolerance to deliver a minimum of 99.999%+ uptime, there is connectivity to required resources and trust is established using security best practices.  Employees are secure knowing their personally identifiable information (PII) and other information they require is secured.  Business partners and customers have assurances that their data will remain confidential.

If you're an SMB owner/partner, IT manager or part of the IT staff, take some time to think about how your organization's security practices meet these needs.  Do they?  If not, at what level is there a problem?  If you keep reading this blog on a regular basis I will show you how you can implement a cyber security program that will.

Wednesday, November 20, 2013

SMB Cyber Security: Perception vs Reality

Many SMBs do not consider cyber security a priority.  A recent Gartner survey found that organizations spend 5%, or less, of their annual IT budget on cyber security measures.  This is understandable since it is difficult to justify an expenditure that does not directly impact the company's bottom line by either increasing profits or reducing costs.  The practice of risk avoidance is difficult to quantify when looked at this way.

A good example of this is disaster recovery, an often overlooked aspect of cyber security.  However, your data is your company's lifeblood and this practice is essential to preserve the confidentiality, integrity and availability of said data.  Everyone knows they should have current backups of their data but how many actually have an effective backup strategy in place?  Who wants to spend money on backup applications, extra hard disks and other storage media?  What about the cost associated with time spent by IT staff reviewing backup logs to confirm they were completed successfully and rerunning the job if it didn't?  How many SMBs have ever engaged (invested) in a data recovery exercise?  Regardless of the size of your business it is critical to ensure you can effectively recover from something as simple as a hard disk failure.  If you cannot recover from a common issue like this, how would you be able to recover from something like a data breach, virus outbreak or other cyber attack?

In 2013 security firm McAfee teamed up with Office Depot to create the Office Depot Small Business Index survey.  With over 1,000 participating SMBs the survey found these two interesting facts:

- 77% of respondents indicated they had not been compromised (hacked)
- 66% felt their data & devices were secured from hackers

A recent Ponemon Institute survey of 2,000 SMBs revealed:
- 60% of upper management do not think cyber attacks represent a threat to their business

That's the perception.  

Here's the reality.

The Office Depot Small Business Index found that:
- 14% of SMBs have no security protections whatsoever
- Less than half employ an email security solution
- Approximately half have implemented some type of Internet security measures
- Most dramatically, a full 80% do not utilize any type of protection to secure their data

The Ponemon Institute survey found:
- 33% don't know whether or not their business has been the victim of a cyber attack
- 42% have been the victim of a cyber attack in the last 12 months

Other respected publications have discovered:
- 72% of data breaches involved companies with less than 100 employees (Verizon's 2012 Data Breach Investigations Report)
- There was a 13% increase in targeted attacks aimed at companies with 250 or less employees from 2011 (18%) to 2012 (31%) (Symantec's Internet Security Threat Report)
- Most states in the US require that a company that has suffered a data breach notify each and every person affected by the breach.  Current estimates place the cost of a data breach at $130.00 per person.  Ask yourself how many consumer/customer records are in your company database and other electronic records, then multiply that by 130 to estimate what a breach will cost you.
- Between 2005 and 2010 there were more than 500,000,000 records containing personally identifiable information (PII) breached.  Of those, approximately one fifth came from SMBs. (Privacy Rights Clearinghouse's Chronology of Data Breaches report, published in August of 2010)
- 80% of SMBs that are breached suffer significant financial loss or declare bankruptcy within two years of the event. (Per statistics compiled by identity theft expert John Sileo, http://www.thinklikeaspy.com)

I could go on and on with these facts and figures but I won't, since these are more than enough to lend credence to my assertion that SMBs must take measures to protect themselves.  If you wish to see more examples of what happens to SMBs that take a lackadaisical approach to cyber security, just Google the phrase (include quotes) "hackers target SMB's".  The results should convince you to take cyber security seriously.

This post will end the fear, uncertainty and doubt (FUD) surrounding cyber security and the SMB.  From here on out we will focus on ways to protect your business.  Future posts will show you how this can be accomplished through developing policies and procedures, implementation of security best practices and a variety of security applications that are available at no, or very low, cost.

2013-11-21 Link of the Day: FCC Small Biz Cyber Planner 2.0

FCC Small Biz Cyber Planner 2.0

2013-11-20 Link of the Day: NIST Small Business Information Security: The Fundamentals

NISTIR 7621 - Small Business Information Security: The Fundamentals by Richard Kissel

Tuesday, November 19, 2013

Welcome to the realm of The Cyber Security Sentinel


Hello & welcome to my blog. 
 
My name is Eric Cissorsky, The Cyber Security Sentinel.  I have over 15 years' experience in the IT field and have spent the last decade of my life dedicated to the discipline of cyber security.  My resume includes working in the pharmaceutical, aerospace & financial sectors.  In addition, I spent a number of years at a large managed services provider giving cyber security architectural/engineering guidance to its customers, many of whom belong to the Fortune 500 and run the gamut of various industries.  In that time I have developed a deep understanding of cyber security.  You can view my complete resume at http://www.linkedin.com/in/ecissorsky.

The purpose of this blog is to help small-medium businesses (SMBs) benefit from my knowledge and experience.  Statistics from the SBE Council put the number of employer firms in the US at around 5.8 million.  Of those, 89.7% employ 20 people or less.  Very few of these firms have the resources to implement "enterprise class" cyber defenses.  The purpose of this blog is to show how SMBs can leverage their limited resources to develop effective cyber defenses against the most common cyber threats, and some uncommon ones as well.

As previously stated, the target audience of this blog is small-medium businesses (SMBs).  These are typically organizations with less than 500 employees.  Most of them do not have information security professionals on their payroll.  Many may not even have a dedicated IT staff.  I am here to show firms in this position how to increase their security posture by using information security best practices and no/low cost tools.