BreachExchange mailing list archives

4 Small Business Security Lessons From Real-Life Hacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 13 Aug 2014 19:46:03 -0600

http://www.computerworld.com/s/article/9250347/4_Small_Business_Security_Lessons_From_Real_Life_Hacks

It's no longer unusual to see major, massive hacks make news these days.
They affect millions of individuals and cost millions of dollars to rectify.

While intriguing to read about, the security breaches of large
organizations and financial institutions generally offer little in
practical terms to help small and medium-sized businesses to better protect
themselves. Specifically, SMBs often deploy different technology than that
used in an enterprise while grappling to do more with smaller IT teams.

There's still no excuse for small businesses to skimp on security. Yes,
technology pervades even non-technical sectors, and mature cloud
services make it possible today to quickly set up an online presence with
little more than an Internet connection and a credit card. This heavy
digitization of business also means that an online hacker can cause
incredible disruption from the comfort of his or her armchair.

To help small businesses navigate these tricky waters, let's highlight
first some real-life security scenarios that recently affected small
businesses and then some practical steps for protecting against these
issues.

Beware Social Engineering of Cloud-Based Accounts

A developer named Naoki Hiroshima had his GoDaddy account hijacked in an
elaborate bid to steal his Twitter username, @N, for which he'd received
unsolicited cash bids of as much as $50,000. The GoDaddy account controlled
access to the domain containing the password reset email address of the
targeted Twitter account.

While this convoluted attack didn't succeed -- Hiroshima was able to change
the predefined email address for the reset password in time -- he initially
had to give up his Twitter handle in exchange for control of the GoDaddy
account, which controls access to multiple work domains and websites.

What's interesting here is how the hacker essentially social engineered
PayPal into divulging the last four digits of the credit card number over
the phone. This information was subsequently leveraged as part of the
verification process at GoDaddy to gain control of the developer's GoDaddy
account. (GoDaddy owned up to its role in the incident, but PayPal didn't.)
As Hiroshima detailed in the online magazine Medium, he exchanged emails
with the hacker, who bragged about how he pulled it off.

Fortunately, things ended well. Hiroshima suffered no data loss -- and,
once the story went viral and caught the attention of Twitter
administrators, he got @N back.

Beware Hackers Holding Digital Systems Hostage

A promising cloud service that offered code-hosting and software
collaboration was abruptly put out of service when a hacker gained access
to its Amazon EC2 control panel in what appeared to be an extortion attempt
gone awry. According to a public explanation left on the homepage of Code
Spaces that also announced its closure, an unknown person left a number of
messages at the control panel to open communication regarding an ongoing
Distributed Denial of Service (DDoS) attack against the service.

When the team attempted to regain sole control of the panel, the hacker
retaliated by randomly deleting artifacts from it. When the dust finally
settled, much of the online storage volumes and machine images, and all
backups and snapshots, had been deleted. With no way to recover this
deleted data -- Amazon leaves the onus for backup entirely to its users --
Code Spaces said it was unable to continue operating.

Aside from the obvious elephants in the room -- not enabling Amazon's
multi-factor authentication coupled with the high likelihood of poor
password hygiene -- the other learning point is the importance of offline
backups, or at least backups that aren't within reach of an armchair hacker
or malicious employee. It's not known if customers lost their code for
good, but this is another somber reminder not to rely on the promise of a
cloud service provider when it comes to data backup. Take care of it
yourself.

Beware Attackers Stealing Your Domain Name

There's money to be made stealing the domain name of an established small
business, as full-time lifestyle blogger Jordan Reid discovered earlier
this year after forking over $30,000 to buy back her own domain name. A
cyber thief had used the email confirmation system of Web host HostMonster
to steal the domain from Reid and then transferred the domain into a
private account at GoDaddy.

A family friend chanced upon an unknown user selling the domain name on an
online auction site and alerted Reid. The matter was at a deadlock,
however, despite multiple frantic conversations with both parties: GoDaddy
said it couldn't help, and HostMonster refused to initiate a transfer
dispute to get the domain back, in an apparent bid to avoid admitting
liability.

Ultimately, Reid took matters into her own hands by getting a friend to
purchase the domain from the hacker. Once she had the domain back in her
hands, she transferred it out and successfully ordered a halt to the wire
transfer payment. In a nutshell, she avoided what would likely have been an
expensive and protracted lawsuit by outwitting the cybercriminal.

Moral of the story? Your domain names are probably much more valuable than
you believe they are, and it may not be as straightforward as you imagine to
regain control of them should they be stolen. Don't forget, too, that control
of a domain lets an attacker intercept all emails by modifying the MX
record to point to their own servers. Rather than bemoan the loss of domains
after the fact, small businesses should secure them appropriately.

Protect Your Small Business With Authentication, Backup

Drawing from the above security incidents, here are four steps that small
businesses can take to protect themselves from hackers. They're not
exhaustive, but they should be practical and simple to implement. The idea
here is to raise the bar to stymie hackers and social engineers enough that
they move on to target other potential victims instead.

Use two-factor authentication. There was a time when two-factor
authentication was considered a luxury, only used to protect high-value
accounts. The use of a single password is no longer good enough, especially
when you consider the sheer amount of data kept online these days.
Essentially, everything is a high-value target. What's more, sophisticated
malware can infect smartphones and automatically steal second-factor codes
for online bank accounts, whisking away the money before any alert can be
raised.

Use a separate password reset address. Most, if not all, online services
ask for a backup email address that can be used for the purpose of a
password reset. As illustrated above, configuring this to a primary email
address turns it into a single point of failure, greatly increasing the
damage that hackers can cause if they gain access to it.

As such, it's prudent to set the reset address to an unrelated email
account, preferably one that resides on a separate domain. Services such as
Gmail and Outlook may be worth considering here. To avoid being a target of
hackers or social engineering attempts, don't use this account for
day-to-day correspondence or share it with others, and secure it with a
good password and two-factor authentication.

Protect your domains. Consider paying more for private registration if
it's available. This will reduce the amount of data that may be available
to a hacker looking to put together a social engineering or phishing
attack. Some domain registrars allow for domain names to be locked down to
prevent unauthorized transfers, sometimes as a chargeable option. This may
be a worthwhile investment, too.

In addition, registering for automatic renewal of a domain name is a good
option to prevent a domain from expiring and slipping into someone else's
hands. Many small businesses may not be aware of it, but "speculators" use
automated programs to keep an eye on expiring domains, snatching them up
seconds after they expire and offering to sell them back to the original
owners at greatly inflated prices. Be sure to keep safe the administrative
email account that's associated with the domain, as it has the authority to
approve a transfer to another registrar.
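The domain advice above (transfer lock, expiry, and the MX record an attacker would change after a hijack) can be turned into a routine check that a small business runs against its own domains. The following script is an added example written for this archive entry, not code from the article or from any registrar; it parses a constructed WHOIS-style record and compares observed MX hosts against an expected list, and the domain names, dates and statuses it uses are made up for illustration. It is also more general than the article's cases: it flags a missing transfer lock, an expired or soon-to-expire registration, and any MX host outside the allowlist.

```python
"""Domain hygiene check: registrar transfer lock, expiry window, MX drift.

Added example (not from the original article). In practice the WHOIS text
would come from a `whois` lookup and the MX list from a DNS query; here both
are constructed inline so the script runs offline.
"""
from datetime import date, datetime

# Constructed WHOIS-style output for a fictional, properly locked domain.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2014-09-10T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.TEST
"""

# Constructed record for a fictional domain with no transfer lock at all.
SAMPLE_WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE-BLOG.TEST
Registrar: Example Registrar, Inc.
Registrar Registration Expiration Date: 2015-02-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
"""

# EPP status that registrars set when the domain is "locked" against transfer.
REQUIRED_STATUSES = {"clienttransferprohibited"}
EXPIRY_KEYS = {"registry expiry date", "registrar registration expiration date",
               "expiration date", "expiry date"}
# Constructed reference date (the date of the original mailing-list post).
AS_OF = date(2014, 8, 13)


def parse_whois(text):
    """Return the expiry date and the set of lowercase EPP status codes."""
    statuses, expiry = set(), None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            statuses.add(value.split()[0].lower())   # drop the trailing URL
        elif key in EXPIRY_KEYS:
            expiry = datetime.strptime(value[:10], "%Y-%m-%d").date()
    return {"expiry": expiry, "statuses": statuses}


def _norm(hosts):
    """Lowercase hostnames and strip the trailing dot DNS answers carry."""
    return {h.lower().rstrip(".") for h in hosts}


def check_domain(whois_text, observed_mx, expected_mx, today, warn_days=30):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    info = parse_whois(whois_text)
    missing = REQUIRED_STATUSES - info["statuses"]
    if missing:
        findings.append(f"transfer lock missing: {sorted(missing)}")
    if info["expiry"] is None:
        findings.append("no expiry date found in WHOIS record")
    elif info["expiry"] <= today:
        findings.append("domain has expired")
    elif (info["expiry"] - today).days < warn_days:
        findings.append(f"domain expires in {(info['expiry'] - today).days} days")
    unexpected = _norm(observed_mx) - _norm(expected_mx)
    if unexpected:
        findings.append(f"unexpected MX hosts: {sorted(unexpected)}")
    return findings


def demo():
    """Run both constructed samples against the fixed reference date."""
    return {
        "locked": check_domain(SAMPLE_WHOIS, ["mail.example-shop.test."],
                               ["mail.example-shop.test"], AS_OF),
        "unlocked": check_domain(SAMPLE_WHOIS_UNLOCKED, ["mx.unknown-host.test"],
                                 ["mail.example-blog.test"], AS_OF),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["OK"])
```

Run on a schedule, this kind of check gives an early warning in the situations the article describes: a lock that was silently removed before a transfer, a renewal that is about to lapse, or an MX record that now points somewhere the business never configured.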

Regularly create offline backups. For all the online storage services
available today, it still makes sense to create regular backups of
important data. Store them either offline or at locations that aren't
easily accessible by hackers who may have compromised part of your
business. A variety of storage media exists -- direct attached storage such
as a portable hard disk drive, a network-attached storage (NAS) device,
tape drives, or even a separate online service protected with a different
set of credentials.

Additional tips, which are doable if not a bit of a hassle, include using
different credit cards for different service providers and maintaining
separate identities for cloud providers.

Ultimately, small businesses must keep an eye on relevant security
compromises and devise and adopt measures that thwart the weaknesses that
hackers were able to exploit on others. The war on the security front is
never-ending -- but with some diligence and effort, there's no reason why
small businesses cannot keep themselves in the clear.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
