BreachExchange mailing list archives

How to Respond to Cyber Attacks on Your Business


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Jan 2014 18:22:30 -0700

http://www.ipwatchdog.com/2014/01/27/how-to-respond-to-cyber-attacks-on-your-business/id=47603/

In December of 2013, it was discovered that the major American retailer
Target was, aptly enough, the target of a major hacking event that resulted
in the breach of personal information for anywhere from 70 million to 110
million customers. Although credit card information was not obtained in
each case, it does make nearly 100 million people more susceptible to
identity theft.

The cyber attack was accomplished by hacking into Target’s point-of-sale
devices to install a program that records data from credit cards swiped
through an infected device. This information is then sent to a remote
server so others can access the data. And Target isn’t the only major
corporation to deal with a recent hacking scandal; in recent days, luxury
retail company Neiman Marcus announced that they were dealing with a very
similar situation involving the theft of customer information.

Statistics show that hacking activities across the globe have been ramping
up at a feverish clip the past few years, and we’re seeing plenty of
evidence that small and mid-sized businesses have to be on their guard more
than ever to prevent an attack. Still, a survey conducted by Ernst & Young
found that 96% of executives don’t believe their business is prepared to
handle a cyber attack. Appreciation of vulnerability is, of course, an
important first step, but what can you do to prevent an attack? What should
you do when an attack has occurred? Every business needs to think through
these issues before there is a problem.

Small Business Risks

In 2010, two magazine stores owned by Chicago-based City Newsstand, Inc.,
were the targets of a cyber attack on the company’s financial accounts.
Thieves visited both stores and installed a piece of software onto the
store’s registers that sent customer credit card information to a server in
Russia. The ordeal, and the financial investigation ordered by Mastercard
at City Newsstand’s expense, cost the Chicago company about $22,000.
According to owner Joe Angelastri, that amount is roughly half of the
company’s total annual profit.

The prevailing attitude shared by many business owners in the technology
age is that larger corporations are generally at more risk of cyber attacks
than smaller ones. However, the reality bears out a much different picture.
The U.S. Secret Service, in conjunction with Verizon Communications’
forensic analysis unit, investigated 761 data breach events in 2010, more
than 60 percent of which targeted businesses with fewer than 100 employees.

When a small business does experience a hacking event, it’s often a death
knell for that company. Statistics collected by the National Cyber Security
Alliance and reported by PCWorld indicate that 20 percent of small
businesses experience a cyber attack every year. Of those businesses that
experience this criminal activity, 60 percent close their doors and stop
operating within six months. The stakes couldn’t be higher, which is why
businesses of all sizes need to be vigilant.

The New Playing Field

Once upon a time multinational corporations were the major target for
hackers because of the size of their coffers. But times have changed and
it’s become much easier to reap the same rewards by casting a much wider
net. Indeed, Brian Finch, a partner at Dickstein Shapiro LLP who represents
FireEye and McAfee, recently wrote: “Small businesses are in fact ripe
targets for cyberattack, and indeed have been under siege for some time,
whether they realize it or not.” It is time for businesses of all sizes to
understand that they are at risk.

Two words continue to come up when experts describe the methods and targets
of identity thieves: automation and vulnerability. When automation meets
vulnerability a lot of damage can be done.

Pop culture has given us an image of the hacker as an individual or small
group cloistered away among a mass of wires and computers, working
feverishly to get past the digital security of a multibillion dollar
corporation. The reality is that many hacking programs created today are
automated and scour the Internet for new prey without any work on behalf of
the program creators.

These automated hacking programs have themselves tilted the field in favor
of large corporations. Even though major corporate targets of hackers make
news headlines a few times every year, these businesses typically have
extensive protections in place against identity theft. The automated
programs developed by hackers work by discovering vulnerabilities within a
system and exploiting those, leaving small businesses with any online data
activity at risk.

When an attack happens, a small business owner often has few avenues
through which they can try to redress their loss. In March 2010, Los
Angeles-based Village View Escrow lost $465,000 over the course of two days
to hackers who had accessed their financial accounts. As owner Michelle
Marsico found out the hard way, online banking accounts for businesses
sometimes have fewer hacking protections than personal savings and checking
accounts. According to cybersecurity expert Brian Krebs, interviewed for
the Marketplace.org article linked above, these online business banking
services are being offered with digital security infrastructures that
haven’t been upgraded in response to new hacking threats.

Village View Escrow was able to reach a settlement with their bank, but
that’s an exception far more than a rule. Banking institutions are much
more powerful than the small businesses they service and do well in the
courtroom against any litigation. Furthermore, actual cyber attackers are
often too difficult to find to be able to file any meaningful criminal
charges. In many, if not most cases, there can be little redress available
after the fact.

While large businesses are still a prime target, small and mid-size
businesses are not far behind. In 2012, 93% of large businesses reported a
cyber attack, while 87% of small and mid-size businesses also reported
suffering an attack. Yet, amazingly, only 44% of respondents believe
security is a top priority. It is time for the business community to wake
up. Cyber attacks are a problem for everyone.

________________________________

Responding to a Cyber Attack

Businesses that are attacked need to act swiftly. Indeed, the best weapon a
company has when it realizes it’s been victimized by an attack is a quick
response. Of course, an unfocused response can do more damage than good.
Businesses need to understand the risks they are facing, and the reality
that their customers are now also facing a real risk of identity theft and
siphoning of accounts. While it may feel right to act like a victim, there
is more at stake for your customers. How you handle the immediate aftermath
is critical for both your brand and your customers because one of the
biggest concerns facing a business that’s been compromised is maintaining
customer confidence. If consumers, whether they are actual customers or
potential future customers, stay away in the future because of financial
security concerns, everything you have worked for will erode, which is what
happens to so many businesses in this situation.

Novice to Advanced Marketing Systems, a provider of marketing training
courses and materials, including online seminars, lost $75,000 in the
effort to overhaul its computer systems in response to a malicious attack.
The business dealt with a very high-profile situation, as the hacker posted
a personal message to owner David Perdrew on the business’s website,
threatening to expose their customer database if the hackers didn’t receive
money. While this can easily be understood to be extortion, it brings the
type of attention, and questions, that no business wants.

The first step taken by the company, after taking the website down, was to
make sure that current customers had all of their orders fulfilled. Then,
technology staff at the company scoured their networked servers to find any
malicious files, which they were able to get rid of within 10 hours, and
then discovered why the attack was successful. Before returning all of the
company’s 70,000 digital files to the original system, after they had been
transferred to another computer, new security software and password
protections were installed to prevent a similar attack. The playbook you
follow needs to be: pull the plug to stop the attack, identify what, from
a technical standpoint, allowed malicious access, fix the technical
glitch, make sure that no latent vulnerabilities exist, and improve
security before considering going back online. They did everything
correctly.

But then came the difficult work of reaching out to customers. As hard as
it may be and as unhappy as many customers will be, proactively reaching
out to customers is essential. Again, Novice to Advanced Marketing Systems
did all they could. Anyone affected by the hacking activity and subsequent
website shutdown was offered discounts on services, and the company even
went so far as to create new services that were available after the website
returned. Out of 2,000 prior customers, Perdrew believes that the company
lost 15 customers because of the hacking event.

Even if you do everything correctly, there is going to be damage done. That
is why it is essential to be as reasonably proactive as possible. An ounce
of prevention is certainly worth at least a pound of cure!

________________________________

Keeping Your Business Safe

There is no better way to make sure that your business will survive a cyber
attack than by having the best protective measures in place. If you own
your own business or you are responsible for the cyber security of your
company, here are some things to keep in mind to ensure the safety of your
business operations.

1. The Weakest Link. Make sure that every single device connecting to your
network is secured against common hacking threats. Many workplaces today
allow employees to use their own mobile electronic device on a company’s
network, which has the potential to allow risky, unsecured communication.
Smartphones and tablets used on a business network should have an
anti-malware app installed. Always remember that your network is only as
secure as the weakest point of access.

2. Phishing and Social Engineering. Phishing, or misrepresenting your
identity through e-mail to gain access to account passwords or other
information, is another form of attack that frequently leads to identity
theft. It may not be as technical as most hacking attacks, but it can be
just as damaging to a business that accidentally gives its financial
account information to a malevolent party. Unless you are absolutely sure
of the identity of the person e-mailing you, don’t give away password
information across the Internet, period. Truthfully, you shouldn’t give any
sensitive information at all without verification. Kevin Mitnick, once
dubbed the world’s most dangerous hacker, used social engineering
techniques to gain information that would allow him to hack. Most companies
do have anti-phishing policies in place where they promise not to ask for
password or account information over e-mail or via telephone, but make sure
your customers know that they won’t be asked for such information and that,
if they are, they should be suspicious.

3. Business Level Security. Overall, the malware protection on all of your
computers should be of the business-grade or enterprise variety. Basic
computer security programs available through Norton, McAfee and others are
designed for home computers, not servers dealing with delicate pieces of
financial data. Staying up-to-date on security upgrades for these programs
is also crucial, as many times these upgrades contain patches that can
protect against new viruses currently going around the Internet.

4. Encryption. Making sure data encryption technologies are enabled on your
computers is a simple step, but one that many small businesses can miss.
Many of these technologies are standard on most computers; Windows PCs have
a feature called BitLocker, while Mac systems use a feature called FileVault.
Although this won’t stop malware from entering a network while a computer
is running, it can keep hackers from obtaining any useful identity
information.

5. Good Digital Hygiene. Keep your employees educated on how their computer
activities could put the entire company at risk. Adopting a formal Internet
use policy at the workplace can be a very effective tool for making sure
employees are on the same page about which web services can and cannot be
accessed at work. Maintaining good “digital hygiene,” such as logging out
of accounts before closing browser windows or using different passwords for
different accounts, is another way to make sure your employees are working
towards cyber security. In this day and age anyone using “password” or
“1234” as a password is nearly unbelievable, but it does happen. Whatever
you can do to have your employees use stronger passwords and change them
periodically is well worth the effort.

6. Stay Vigilant. Finally, keep yourself educated on how your business
needs to improve network safety by having a security audit performed at
your business. An audit can help you find any holes in your current
security that can be addressed by current technologies. Heeding these tips
as soon as you get them will make sure that you stay ahead of the
technological curve. Although you should be doing this anyways, check your
financial accounts daily, or at the very least periodically, to make sure
that there’s no unexplained activity.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
