Cyber threats against small businesses on the rise

Written by Mitnick Security | Nov 10, 2017 12:00:00 AM

The phone calls come in almost every day: local companies find out they've been the victim of a cyber attack, and they turn to the FBI for help.

"Yesterday we had two calls about ransomware," said Jason Fickett, a supervisory special agent who heads the FBI's Western New York cyber task force.

Nationwide, the FBI’s Internet Crime Complaint Center (IC3) received almost 300,000 complaints last year, with reported losses in excess of $1.3 billion.

And those are just the cases that law enforcement knows about.

"Larger companies are slower to reach out," Fickett said. "They think they can handle it in-house, and often they're more concerned about the public learning about the breach and any vulnerability, especially if customer information might have been compromised."

Fickett supervises a squad of special agents in Rochester and Buffalo who work cyber cases.  His team also includes computer scientists, intelligence analysts, and task force officers assigned from local police departments.

An increase in the number and complexity of cyber crimes keeps them busy. 

The theft of sensitive customer data is just one of the cyber threats companies face. Often, bad guys are looking to steal money by committing acts of fraud. 

Fickett describes a recent case where a company offered rebates which could be redeemed through their website.

"Someone created a series of fictitious businesses, and were able to drain a significant amount of money over the weekend before the scheme was uncovered," he said.

Ransomware attacks have become more frequent. Criminals send malicious software, either through email or infected web links, which enables them to encrypt the contents of their target's hard drives. They can infect a single computer or a whole network, and the bandits behind it demand a ransom in exchange for a digital key.  

Intellectual property and trade secrets are also at risk. These sort of attacks could come from a competitor, from a criminal organization looking to sell that information on the black market, or even state-sponsored organizations.

Another type of threat comes from hacktivists, whose aim is to disrupt a business, often because of a personal or philosophical grievance.  This can involve defacing a company's web site or social media accounts, or a denial of service attack, which floods online servers with so much traffic they are rendered inaccessible.

Most businesses large and small have security measures in place to prevent access to their systems, just as they would have methods to keep intruders from entering their offices.

But Fickett cautions that when it comes to the digital world, businesses can never assume they're invulnerable. 

"It's like building a moat around the castle and thinking that's enough. Once those intruders get in, they'll have free unfettered access to everything inside unless you have additional layers of security" Fickett said. "You need to build firewalls inside your organization."

Crooks often target a lower level employee to get inside that firewall, knowing that once they get in they'll be able to get access to systems for payroll, personnel information, or other sensitive information.

Social engineering

Tricking employees into letting a hacker into a network can sometimes be the result of a sophisticated attack.  More often, it's a result of simple social engineering.

A study by one industry group found that 52 percent of security breeches were the result of human error. Other researchers say that figure is much higher.

Cybersecrity expertb Kevin Mitnick described how it usually works during an appearance in Rochester last year.

"Imagine a hacker using a website like LinkedIn to identify people within an organization and then looking for their circle of trust," Mitnick said. "Who would that person trust receiving an email from?"

One of the most common methods, Mitnick says, is a technique called "phishing." Hackers send an email that purports to be from a trusted source.  The recipient will click the link and be prompted to type their username and password, thinking they're being asked to log in to their own network. 

Instead, those credentials get sent to the hacker. The employee doesn't even realize they've just unlocked the door to their company's network.  Thieves or spies can access e-mails, financial documents, or customer data and get out without ever being detected.

As a young man, Mitnick gained worldwide notoriety for breaking into corporate computer networks. He loved the challenge of figuring out how to crack through their security.

Needless to say, these exploits eventually attracted the attention of federal authorities.  Mitnick spent two-and-a-half years as a fugitive, using his hacking skills to stay one step ahead of authorities.  

But the law eventually caught up with him, and after his high-profile arrest and trial, Mitnick was sentenced to five years in prison.

Mitnick detailed his crimes and his life as a fugitive in the best-selling book Ghost in the Wires. Today, he works on the right side of the law. He's a popular speaker on cybersecurity topics, and his consulting company helps corporations and governments deal with emerging threats.

Understanding how these attackers work, he says, is the best way to defend against them.

Local resources

Michael Ellis doesn't know how many times his business was hacked before he first discovered the problem. 

"We installed an online shopping cart and didn't change the default password for the software," said Ellis, who runs a small printing business in Rochester. "I didn't think anyone would target us, but I know now that was naive."

Ellis has fewer than a dozen employees, none of them experts in cybersecurity. But after the hacking incident, he tapped into a network of resources available locally to better understand the newest threats and what to do about them.

Small businesses and IT managers can turn to local chapters of professional organizations like the Information Systems Security Association (ISSA) or ISACA, which host conferences and share information about emerging threats.

Business that deal with critical infrastructure, like transportation, financial services, and defense contractors, should consider joining InfraGard. It's a collaboration between the FBI, local law enforcement, and private sector companies, focused on sharing the latest intelligence.

InfraGard members meet to discuss threats and other matters that impact their companies. The meetings give everyone an opportunity to share experiences and best practices.

When a cyberattack comes — and it will,if it hasn't already — Fickett encourages small businesses to reach out to the FBI, either by calling their local field office or filing a complaint at the IC3 website — www.ic3.gov.

"I've heard stories that some people say 'don't call the FBI, they'll come in and take all of your servers and shut down your business,'" Fickett said. 

He wants to assure everyone, from small-business owners to security chiefs for major organizations, that his investigators can do their work without causing those sorts of disruptions.

"We can work with a company after hours, with a low profile, or do whatever we need to do to allow them to continue business," he said.

This great article and more valuable information can be found at the source.

Source: Democrat & Chronicle