Security Threats That Affect SMBs
Malicious Internet Content
Most modern small or medium-sized businesses need an Internet connection to operate. If you remove thismeans of communication, many areas of the organization will not be able to function properly or else they maybe forced to revert to old, inefficient systems. Just think how important email has become and that for manyorganizations this is the primary means of communication. Even phone communications are changing shapewith Voice over IP becoming a standard in many organizations.At some point, most organizations have been the victim of a computer virus attack.
While many may have antivirusprotection, it is not unusual for an organization of more than 10 employees to use email or the internetwithout any form of protection. Even large organizations are not spared. Recently, three hospitals in Londonhad to shut down their entire network due to an infection of a version of a worm called Mytob. Most of the timewe do not hear of small or medium-sized businesses becoming victims of such infections because it is not intheir interest to publicize these incidents. Many small or medium-sized business networks cannot afford toemploy prevention mechanisms such as network segregation.
These factors simply make it easier for a worm tospread throughout an organization.Malware is a term that includes computer viruses, worms, Trojans and any other kinds of malicious software.Employees and end users within an organization may unknowingly introduce malware on the network whenthey run malicious executable code (EXE files). Sometimes they might receive an email with an attached wormor download spyware when visiting a malicious website. Alternatively, to get work done, employees maydecide to install pirated software for which they do not have a license. This software tends to have more codethan advertised and is a common method used by malware writers to infect the end user’s computers. Anorganization that operates efficiently usually has established ways to share files and content across theorganization. These methods can also be abused by worms to further infect computer systems on the network.Computer malware does not have to be introduced manually or consciously.
Basic software packages installedon desktop computers such as Internet Explorer, Firefox, Adobe Acrobat Reader or Flash have their fair share ofsecurity vulnerabilities. These security weaknesses are actively exploited by malware writers to automaticallyinfect victim’s computers. Such attacks are known as drive-by downloads because the user does not haveknowledge of malicious files being downloaded onto his or her computer. In 2007 Google issued an alert 1describing 450,000 web pages that can install malware without the user’s consent.
Then You Get Social Engineering Attacks.
This term refers to a set of techniques whereby attackers make themost of weaknesses in human nature rather than flaws within the technology. A phishing attack is a type ofsocial engineering attack that is normally opportunistic and targets a subset of society. A phishing emailmessage will typically look very familiar to the end users – it will make use of genuine logos and other visuals(from a well-known bank, for example) and will, for all intents and purposes, appear to be the genuine thing.When the end user follows the instructions in the email, he or she is directed to reveal sensitive or privateinformation such as passwords, pin codes and credit card numbers.
Employees and desktop computers are not the only target in an organization. Most small or medium-sizedcompanies need to make use of servers for email, customer relationship management and file sharing. Theseservers tend to hold critical information that can easily become a target of an attack. Additionally, the movetowards web applications has introduced a large number of new security vulnerabilities that are activelyexploited by attackers to gain access to these web applications. If these services are compromised there is ahigh risk that sensitive information can be leaked and used by cyber-criminals to commit fraud.
Attacks on Physical Systems
Internet-borne attacks are not the only security issue that organizations face. Laptops and mobiles areentrusted with the most sensitive of information about the organization. These devices, whether they arecompany property or personally owned, often contain company documents and are used to log on to thecompany network. More often than not, these mobile devices are also used during conferences and travel, thusrunning the risk of physical theft.
The number of laptops and mobile devices stolen per year is ever on theincrease. Attrition.org had over 400 articles in 20082 related to high profile data loss, many of which involvedstolen laptops and missing disks. If it happens to major hospitals and governments that have established ruleson handling such situations, why should it not happen to smaller businesses?
Another Threat Affecting Physical Security is that of Unprotected Endpoints.
USB ports and DVD drives can bothbe used to leak data and introduce malware on the network. A USB stick that is mainly used for work and maycontain sensitive documents, becomes a security risk if it is taken home and left lying around and othermembers of the family use it on their home PC. While the employee may understand the sensitive nature of theinformation stored on the USB stick, the rest of the family will probably not.
They may copy files back and forthwithout considering the implications. This is typically a case of negligence but it can also be the work of atargeted attack, where internal employees can take large amounts of information out of the company.Small and medium-sized businesses may overlook the importance of securing the physical network and serverroom to prevent unauthorized persons from gaining access. Open network points and unprotected serverrooms can allow disgruntled employees and visitors to connect to the network and launch attacks such as ARP spoofing to capture network traffic with no encryption and steal passwords and content.
Authentication and Privilege Attacks
Passwords remain the number one vulnerability in many systems. It is not an easy task to have a secure systemwhereby people are required to choose a unique password that others cannot guess but is still easy for them toremember. Nowadays most people have at least five other passwords to remember, and the password used forcompany business should not be the same one used for webmail accounts, site memberships and so on. Highprofile intrusions such as the one on Twitter3 (the password was happiness), clearly show that passwords areoften the most common and universal security weakness and attacks exploiting this weakness do not require alot of technical knowledge.
Password policies can go a long way to mitigate the risk, but if the password policy is too strict people will findways and means to get around it. They will write the password on sticky notes, share them with their colleaguesor simply find a keyboard pattern (1q2w3e4r5t) that is easy to remember but also easy to guess.
Most complex password policies can be easily rendered useless by non-technological means.In small and medium-sized businesses, systems administrators are often found to be doing the work of thenetwork operators and project managers as well as security analysts. Therefore a disgruntled systemsadministrator will be a major security problem due to the amount of responsibility (and access rights) that he orshe holds. With full access privileges, a systems administrator may plan a logic bomb, backdoor accounts or leaksensitive company information that may greatly affect the stability and reputation of the organization.Additionally, in many cases the systems administrator is the person who sets the passwords for importantservices or servers. When he or she leaves the organization, these passwords may not be changed (especially ifnot documented) thus leaving a backdoor for the ex-employee.
A startup company called JournalSpace4 wascaught with no backups when their former system administrator decided to wipe out the main database. Thisproved to be disastrous for the company which ended up asking users to retrieve their content from Google’scache.The company’s management team may also have administrative privileges on their personal computers orlaptops. The reasons vary but they may want to be able to install new software or simply to have more controlof their machines. The problem with this scenario is that one compromised machine is all that an attacker needsto target an organization.
The firm itself does not need to be specifically picked out but may simply become avictim of an attack aimed at a particular vulnerable software package. Even when user accounts on the network are supposed to have reduced privileges, there may be times whereprivilege creep occurs. For example, a manager that hands over an old project to another manager may retainthe old privileges for years even after the handover!
When his or her account is compromised, the intruder alsogains access to the old project.Employees with mobile devices and laptop computers can pose a significant risk when they make use ofunsecured wireless networks whilst attending a conference or during their stay at a hotel. In many cases,inadequate or no encryption is used and anyone ‘in between’ can view and modify the network traffic. This canbe the start of an intrusion leading to compromised company accounts and networks.
Denial Of Service
In 2008 many organizations in the Mediterranean Sea basin and in the Middle East suffered Internet downtimedue to damages to the underwater Internet cables. Some of these organizations relied on a single Internetconnection, and their business was driven by Internet communications.
Having such a single point of failureproved to be very damaging for these organizations in terms of lost productivity and lost business. Reliability isa major concern for most businesses and their inability to address even one single point of failure can be costly.If an organization is not prepared for a security incident, it will probably not handle the situation appropriately.
One question that needs to be asked is: if a virus outbreak does occur, who should handle the various steps thatneed to be taken to get the systems back in shape? If an organization is simply relying on the systemsadministrator to handle such incidents, then that organization is not acknowledging that such a situation is notsimply technical in nature. It is important to be able to identify the entry point, to approach the personsconcerned and to have policies in place to prevent future occurrences - apart from simply removing the virusfrom the network! If all these tasks are left to a systems administrator, who might have to do everything ad hoc,then that is a formula for lengthy downtime.