A Small Business Guide to Cyber Security
Recent media coverage of the hacking of an unnamed Australian defence contractor, in which sensitive information relating to Australia’s warplanes, navy ships and bomb kits was downloaded, highlights the very real and growing threat of cyber-crime to Australian businesses.
An investigation by the Australian Signals Directorate (ASD) found that the affected company had not changed the default passwords on its internet-facing services: the admin and guest accounts on its web portal had simply been left at ‘admin’ and ‘guest’. As incredible and ludicrous as this may sound, it is unfortunately a very common situation in businesses both small and large, in Australia and around the globe.
Hackers are increasingly targeting small businesses because they understand that these businesses hold valuable digital assets, often with less protection than a larger enterprise. A surprisingly high percentage of small businesses underestimate their risk, often saying things like “We’re not a target because we don’t have anything worth stealing”. In almost every cyber-attack, however, the end goal is to steal and exploit sensitive data, whether that is customer credit-card information or an individual’s login credentials, which are then used to impersonate that person online.
The data your business holds really is its most valuable asset, and the proportion of businesses that fail after a serious data loss is extraordinary. Don’t become one of the statistics!
What types of attacks should small business be aware of?
APT: Advanced Persistent Threat. An APT requires a high degree of stealth over a long period of time. ‘Advanced’ signifies sophisticated techniques, typically custom malware, used to exploit vulnerabilities in systems. ‘Persistent’ indicates that an external command-and-control system continuously monitors the target and extracts data from it. ‘Threat’ indicates human involvement in orchestrating the attack.
DDoS: Distributed Denial of Service. These attacks occur when a server is intentionally flooded with requests from many compromised machines at once, with the goal of taking the target’s website or network offline.
Inside Attack: This is when someone inside your organisation purposely misuses their access (most damagingly, administrative privileges) to reach confidential company information. Former employees present a particular threat, especially if they left on bad terms. Businesses should have adequate processes in place to revoke all access immediately upon an employee’s departure.
Malware: Short for ‘malicious software’. This refers to a program introduced to the target computer with the intent of causing damage or gaining unauthorised access. It is often spread through email attachments, with an unsuspecting employee opening what appears to be a normal file.
Password Attacks: These take three common forms: a brute-force attack, which tries every possible combination of characters until the hacker gets in; a dictionary attack, which uses a program to try lists of common words and passwords (and simple variations of them); and keylogging, which records all of a user’s keystrokes, including login IDs and passwords.
Phishing: Collecting sensitive information such as login credentials and credit-card details through legitimate-looking websites, with links to them typically sent to unsuspecting individuals via email. Phishing is a form of social engineering attack, in that it tricks a person rather than exploiting a software flaw.
Ransomware: A specific type of malware that infects your machine and, as the name suggests, demands a ransom. Typically ransomware will encrypt your data or lock you out of your computer and demand money in return for access, often threatening data destruction or public release if you do not pay. This is one of the fastest growing types of security breach, headlined recently by the global WannaCry outbreak.
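As an added illustration of the password attacks described above (this is example code written for this guide, not code from the original article or from any vendor), the following Python script builds a small constructed credential store, runs a dictionary attack using a short wordlist of vendor defaults and common passwords with their usual variations, and then brute-forces one short password to show how the cost of exhaustive guessing grows with length. The account names, salts, passwords and wordlist are all made up for the example, and the hash is a fast salted SHA-256 purely so the demonstration runs quickly; a real system should store passwords with a slow, salted algorithm such as bcrypt or scrypt.

```python
import hashlib
import itertools

# Constructed sample credential store for the example: account -> (salt, SHA-256(salt + password)).
# The passwords mirror the article's scenario: vendor defaults left unchanged, one weak
# "corporate" pattern, one short password, and one long random password.


def password_hash(salt, password):
    """Salted SHA-256, used here only because it is fast; real systems should use bcrypt or scrypt."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


SAMPLE_STORE = {
    "admin": ("s1", password_hash("s1", "admin")),            # vendor default never changed
    "guest": ("s2", password_hash("s2", "guest")),            # vendor default never changed
    "jsmith": ("s3", password_hash("s3", "Welcome1")),        # common pattern: word + capital + digit
    "backup": ("s4", password_hash("s4", "tape")),            # short, but not in any wordlist
    "finance": ("s5", password_hash("s5", "9Tq!vLm#2rXz")),   # long and random
}

# Constructed wordlist of vendor defaults and common passwords (real lists run to millions of entries).
DEFAULT_WORDLIST = ["admin", "guest", "password", "welcome", "letmein", "123456", "cisco"]


def mutations(word):
    """Yield the variants a dictionary attack typically tries for each wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2017"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(store, wordlist):
    """Return {account: password} for every account whose hash matches a wordlist variant."""
    cracked = {}
    for account, (salt, digest) in store.items():
        for candidate in (m for word in wordlist for m in mutations(word)):
            if password_hash(salt, candidate) == digest:
                cracked[account] = candidate
                break
    return cracked


def brute_force(salt, digest, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=4):
    """Exhaustively try every lowercase string up to max_len; return (password or None, guesses made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if password_hash(salt, candidate) == digest:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    found = dictionary_attack(SAMPLE_STORE, DEFAULT_WORDLIST)
    for account, password in found.items():
        print(f"dictionary attack: {account} -> {password!r}")
    salt, digest = SAMPLE_STORE["backup"]
    password, attempts = brute_force(salt, digest)
    print(f"brute force: backup -> {password!r} after {attempts} guesses")
    print(f"finance survived both attacks: {'finance' not in found}")
```

The two default accounts fall on the very first guess, which is exactly what happened in the defence contractor case; the four-letter password survives the wordlist but falls to 352,617 exhaustive guesses, a fraction of a second on a laptop, while the twelve-character random password is out of reach of both methods.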
So what is the solution?
All businesses should take a multi-layered approach to security. There are many different security products on the market, ranging from antivirus software through to dedicated physical security appliances, with correspondingly varied price tags.
Businesses large or small should be asking themselves the following questions:
1. How secure are we?
2. How exposed are we?
3. How do we pro-actively reduce our exposure?
First, a small business can and should look at what it can control directly to reduce its exposure, namely:
1. Patches – Ensure that ALL desktops, laptops, servers, routers, switches, applications, databases etc. are patched to the latest levels, and that every device on the network has the latest firmware applied. An unpatched system is a door left wide open to hackers.
2. Anti-Virus – Ensure that ALL desktops, laptops and servers have a good quality, supported anti-virus program installed, with updates and definitions applied regularly.
3. Passwords – FIRST PORT OF CALL!! Ensure that all your internet-facing devices (routers, web portals etc.) have their default admin passwords changed! Too often these are left as admin/admin or guest/guest (as in the recent Australian defence contractor breach). The same applies to any wireless network you have switched on: ensure the Wi-Fi passphrase is strong and not easily guessed.
4. Email Filtering – If your email service offers spam and malware filtering, ensure it is turned on. There are also third-party providers that will take on this responsibility for your business if you prefer.
5. Backups – If you are not performing backups, you are exposed to loss of data in the event of an accidental failure or deletion, and if you are the victim of a cyber-attack in which your data is compromised or encrypted, a good backup is what gets you out of trouble. Following the 3-2-1 backup rule is generally the best approach: 3 copies of your data, on 2 different media, with 1 copy kept off-site. The off-site copy should not be permanently connected to your network, so that ransomware cannot encrypt it along with everything else, and you should test restoring from your backups regularly; a backup that has never been restored is only a hope.
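As an added, self-contained example of the 3-2-1 rule (example code written for this guide, not code from the original article), the following Python script backs up a directory: it creates a compressed archive, records its SHA-256 checksum, copies the archive to two further locations standing in for a second medium and an off-site store, verifies every copy against the checksum, reads each file back out of the archive to confirm it can actually be restored, and provides a re-check routine to run on a schedule. The directory names and sample files are constructed for the example; in practice the "external" and "offsite" paths would be a USB drive and a cloud or remote location.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_archive(source_dir, archive_path):
    """Pack source_dir into a gzip tarball and return the archive's checksum."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
    return sha256_file(archive_path)


def verify_restore(archive_path, source_dir):
    """Read every file back out of the archive and compare it byte for byte with the original."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            original = source_dir.parent / member.name
            if tar.extractfile(member).read() != original.read_bytes():
                return False
    return True


def verify_copies(copy_paths, checksum):
    """Re-check stored copies against the recorded checksum; run this on a schedule, not only at backup time."""
    return {str(p): Path(p).exists() and sha256_file(p) == checksum for p in copy_paths}


def backup_321(source_dir, local_dir, external_dir, offsite_dir):
    """Create one archive and replicate it to three locations, returning a verification report."""
    local_dir, external_dir, offsite_dir = map(Path, (local_dir, external_dir, offsite_dir))
    for d in (local_dir, external_dir, offsite_dir):
        d.mkdir(parents=True, exist_ok=True)
    name = f"{Path(source_dir).name}.tar.gz"
    primary = local_dir / name
    checksum = create_archive(source_dir, primary)
    report = {"checksum": checksum, "paths": {}, "copies": {},
              "restore_ok": verify_restore(primary, source_dir)}
    for label, target_dir in (("local", local_dir), ("external", external_dir), ("offsite", offsite_dir)):
        target = target_dir / name
        if target != primary:
            shutil.copy2(primary, target)           # second medium and off-site copies
        report["paths"][label] = str(target)
        report["copies"][label] = sha256_file(target) == checksum
    report["ok"] = report["restore_ok"] and all(report["copies"].values())
    return report


def demo():
    """Build a constructed data directory and run the 3-2-1 backup against temporary locations."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    data = root / "company-data"
    (data / "invoices").mkdir(parents=True)
    (data / "invoices" / "2017-09.csv").write_text("invoice,amount\n1001,250.00\n")  # constructed sample
    (data / "customers.txt").write_text("Acme Pty Ltd\nGlobex\n")                    # constructed sample
    return backup_321(data, root / "local-disk", root / "external-drive", root / "offsite")


if __name__ == "__main__":
    result = demo()
    print("backup ok:", result["ok"])
    for label, path in result["paths"].items():
        print(f"  {label:8s} {path}  verified={result['copies'][label]}")
```

The restore check is the part most small-business backup routines skip: a copy whose checksum matches but whose contents were never read back proves only that the corruption, if any, happened before the archive was written.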
For an additional layer of security, the following items can also be implemented:
1. Firewall – Whether a physical appliance or software, a firewall is a network security control that monitors traffic entering or leaving your network and blocks traffic that does not match a defined set of security rules.
2. OpenDNS (now Cisco Umbrella) – A DNS resolver service that adds phishing and content filtering to ordinary DNS lookup. It blocks the resolution of known malicious domains, so that if malware does infect one of your computers it cannot reach its command-and-control or download sites.
3. Physical Security – Securing your office and your server room is another way to reduce breaches. This can be achieved with swipe cards, video surveillance etc.
Obviously there are many more solutions on the market, both hardware and software based; these are just a few ideas to start the security conversation within your business.
At Logi-Tech, we are a proud South Australian company with 30+ years’ experience in managing IT security for businesses large and small. We are Information Technology Experts. If you would like a no obligation consultation relating to your business’ IT security, please contact us on (08) 8152 4000 or email us at firstname.lastname@example.org.