BreachExchange mailing list archives

Today's Top 10 Security Risks for SMBs


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Dec 2015 18:10:06 -0700

http://www.pcmag.com/article2/0,2817,2495926,00.asp

Small to midsize businesses (SMBs) have a lot to worry about. Security for
increasingly mobile and online-focused businesses is a multifaceted beast
to wrangle, and doubly so for SMBs that lack the dedicated security staff
expertise a larger enterprise can afford. Yet, SMBs also can't let a lack
of resources paralyze their technology initiatives or they risk losing out
to the competition.

While it might be daunting to navigate the security landscape without an
in-house expert, IT admins tasked with protecting their SMB can get the job
done by paying particular attention to securing endpoints, encrypting file
transfers, and managing employee devices and permissions. Though, when
faced with the prospect of stymieing an ever-evolving array of attacks and
malware, business security is like a Rubik's Cube that keeps adding sides.

For SMBs, security risks exist both inside and outside the firewall. The
burden falls on both IT managers and business users to avoid compromising
security practices, and to remain wary of and proactive about common
external threats. The following are 10 of the most pressing security risks
SMBs face today, and the steps you can take to best mitigate them.

1. The Pitfalls of BYOD
Mobile device management (MDM) is difficult enough when overseeing data
access and permissions on company hardware. But when employees start
bringing in personal smartphones and tablets under a bring-your-own-device
(BYOD) policy, admin oversight grows exponentially more convoluted. The
majority of updated Android and iOS devices now include expanded enterprise
mobility management (EMM) capabilities around app installation,
configuration, and permissions. But employees and managers should still
remain just as vigilant with proper security practices to accommodate for
the element of unpredictable risk that mobile devices bring with them. These
risks can include anything from a stray device compromising a company's
virtual private network (VPN) to the simple scenario in which an employee
leaves an unlocked iPhone in a taxi.

The most efficient way of wrangling employee devices is to use a
centralized security console to manage BYOD policies of Android and iOS
devices in one place. These tools also include remote-locking and location
mechanisms to prevent data compromise on lost or stolen devices. Beyond the
security solution, though, your SMB's BYOD policy should be clear and
comprehensive. That is, employees should know what types of data they
should and shouldn't store on mobile devices, be required to set up
two-factor authentication (or biometric authentication) if the hardware
supports it, and set the bar high when it comes to using complex passwords.

2. Voice Recognition Exploits
Siri, Cortana, Alexa, Google Now, and the cadre of other digital assistants
are ingrained in how users interact with mobile devices today. Adding to
business concerns over BYOD, security researchers have discovered a way for
hackers to remotely control an iOS or Android device through its voice
recognition services without saying a word. If an iPhone or Android phone
has Siri or Google Now enabled, hackers can use electromagnetic radio waves
to trigger voice commands. It's a technique called remote voice command
injection. Apple and Google are working on fixes but, for SMBs, it's
another attack vector through which organizational data can be compromised
regardless of whether or not a work or personal profile is loaded on the
device.

The good news is that a comprehensive MDM solution will notice if the
remote command triggers any sensitive data downloads and, with a quick
verification ping to the device to determine whether or not the user is
authorized, the IT admin can lock the device down.

3. Cloud-Connected Incursions
We're past the point where cloud platforms are too new or not yet
established enough for SMBs to invest in them. It's nearly impossible for
an Internet-dependent SMB to survive today without a reliable cloud
platform for customers to access from wherever they are and on whatever
device they're using—be it a managed private cloud deployment or a public
cloud platform such as Amazon Web Services (AWS) or Microsoft Azure. That
said, cloud-based, brute-force, and distributed denial-of-service (DDoS)
attacks are a significant and pervasive threat that can result in
countless high-profile data breaches.

The most integral form of protection is end-to-end encryption. There is no
surefire level of encryption, but Advanced Encryption Standard (AES) 256 is
a generally accepted standard. Even if your business data is housed within
a secure virtualized environment such as AWS, don't rely on the public
cloud provider alone. A physical and virtual endpoint security solution
that layers an additional level of encryption (while scanning for zero-day
threats and other attacks) is a worthwhile security investment to hedge
your cloud bet.

4. Endpoint Shooting Gallery
While more and more business assets and sensitive data are now hosted in
public, private, and hybrid clouds, don't sleep on protecting the physical
endpoints at which your organization may be vulnerable. Endpoints can mean
anything from on-premises workstations and servers to the corporate
networks that connect physical or virtual servers to mobile and embedded
devices. Through even the smallest opening, hackers and malware can target
employee and customer accounting and financial information, company payroll
data, or intellectual property (IP) information regarding critical projects
and products core to your business success. To shore up those endpoints,
there are a number of worthy software-as-a-service (SaaS) endpoint security
solutions available. SMBs should look for a service that can protect all
relevant physical machines and operating systems (OSes) across Linux, Mac,
and Windows, and one with the redundancy and scalability to eliminate
single points of failure.

5. Fortify the Firewall
You know what's better than one firewall? Multiple, interlocking firewalls.
Even in a more cloud-based and encryption-focused security landscape,
firewalls are still an organization's most important line of defense to
prevent malicious attacks. SMBs should deploy secure infrastructure with
numerous levels and redundant systems, including a two-way firewall and an
interconnected intrusion detection system (IDS) to monitor their network
for suspicious activity, both inside and outside the firewall.

6. Financial Phishing
On average, your customers use far less careful security practices than
your SMB and employees do. Therefore, it's a lot easier for hackers to
infiltrate your infrastructure through your customers; more specifically,
the one transaction that's always present in your relationship: payment.

Online banking and payment services are a prime target of malware and
phishing campaigns, and a data breach could have ripple effects, not only
for the customers and bank but for your business financials as well. Recent
financial malware epidemics include Dridex, European banking malware from a
group of "Mr. Robot"-inspired hackers called "Evil Corp." Dridex infects
PCs and spies on banking websites with HTML injections via infected
Microsoft Office files sent in phishing emails.

A similar vulnerability in PayPal allowed attackers to upload malicious
files through a stored cross-site scripting bug (though that has since been
patched). Before hooking into one, your SMB should vet each third-party
banking and payments service, but it can't be responsible for monitoring
every single one. So the security service you choose should include a
global threat intelligence network that uses continuous process monitoring
and automated malware detection to mitigate and control any breaches that
spill over into your system.

7. Intruder Quarantine
If a particularly enterprising attacker does manage to get past your SMB's
firewalls and through your advanced endpoint encryption, the most effective
course of action is to triage the compromised files and cut off their air
supply. Your business security solution should be well-stocked with local
and remote quarantine management for both on-premises servers and cloud
storage. If an IT security manager is ready with his or her finger on the
big red button, you can easily jettison the breached compartments on your
SMB train and continue chugging along.

8. PUAs for All
Potentially Unwanted Applications (PUAs), also known as Potentially
Unwanted Programs (PUPs) or adware, are a particularly nefarious form of
malicious file, and they're no longer confined to just PCs. PUAs (and
malware in general) are on a steady rise in Macs, so SMBs running entirely
on Apple products aren't immune from the malicious third-party downloads on
which adware thrives.

While PUAs aren't as critical a security vulnerability as other types of
malware, the ad pop-ups divert attention away from the user flow your site
intended and, in bulk, that can impact revenue. PUAs are also a nuisance to
get rid of, and can take several tries using free adware removal tools or
Mac and PC troubleshooting steps to finally eviscerate. To save your SMB
the trouble, the security solution your SMB deploys should include PUA
detection and remediation tools as part of its malware detection suite.
PUAs are the bedbugs of malware so be sure to invest in a high-quality
mattress protector.

9. A Crypto Ransomware Hostage Crisis
Crypto ransomware has been ravaging Android users for some time. The
ransomware locks devices with randomly generated encryption keys, and
extorts the users for larger and larger sums. Crypto ransomware is growing
more pervasive in complexity and sheer maliciousness, but the bigger
problem is that newer strains have begun targeting SMBs. A crypto
ransomware strain called Chimera primarily targets businesses, holding
specific employees ransom for $638 in bitcoin and encrypting data on not
only personal but also network drives. The latest version of Cryptowall
(version 4.0), spread through spam, encrypts victims' files using a
combination of AES 256 and RSA 2048 encryption.

Crypto ransomware such as Chimera is extremely difficult to remove once a
system is compromised, but SMBs can install so-called "vaccines" for
Cryptowall 4.0 and other crypto ransomware. These "vaccines" act as an
extra software layer of protection that works in tandem with existing
security infrastructure to "immunize" systems against particular types of
encrypted file attacks.

10. The Internet of Vulnerabilities
The potential of the Internet of Things (IoT) is about far more than
connecting all of the appliances in a consumer's kitchen or living room to
their smartphones or IoT-connected thermostat. For SMBs, the IoT represents
a massive network of connected office and industrial machines, embedded
devices, and connected hardware and software around business operations
(such as manufacturing, shipping, and warehouse management). The biggest
catch with IoT—and the one giving SMBs pause—is its significantly increased
vulnerability to cyberattacks.

The IoT will be a part of your SMB going forward, but deploying this sort
of connected device and machine network shouldn't be done without a
holistic IoT security service in place. Every aspect of traditional
infrastructure security—from firewalls and encryption to antimalware
detectors and centralized management—should be in place and operational
before an IoT network ever goes live. The IoT introduces countless more
endpoints that an SMB must keep secure, and each of them needs to be
encrypted and monitored.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/