Simple IT Security Tactics for Small Businesses (Video)

Video Simple IT Security Tactics for Small Businesses (Video) 32

Posted by Roblimo on Friday February 27, 2015 @05:14PM from the worry-more-about-criminal-attacks-than-government-intrusions dept.

Video no longer available.

Adam Kujawa is the lead person on the Malwarebytes Malware Intelligence Team, but he's not here to sell software. In fact, he says that buying this or that software package is not a magic bullet that will stop all attacks on your systems. Instead, he stresses coworker education. Repeatedly. Adam says phishing and other social engineering schemes are now the main way attackers get access to your company's information goodies. Hacking your firewall? Far less likely than it used to be, not only because firewalls are more sophisticated than ever, but also because even the least computer-hip managers know they should have one.

Slashdot: This is Adam Kujawa from Malwarebytes Research. And obviously his job at Malwarebytes Research is to try to keep the bad people and their malware out of their clients’ systems. If you are not a client, it doesn’t matter, but what we are going to talk about here is who does the attacking and how you can keep them from getting you, how to not be a target meant in two ways. So Adam, what is the easiest thing that a small business IT person can do?

Adam: Well, the first thing you have to think about is why a small business is just a juicy target in the first place to cyber criminals. Reasons like that are usually they don’t have the means to have a full blown security suite they don’t realize that things have happened until after it is happened, and they usually can’t afford to lose things like, files or get sort of a serious data breach. So they are often victims of malware known as ransomware, which hijacks the system, encrypts files things like that to small businesses, and there has been kinds that are developed specifically for small businesses. It is just a death trap right there. Encrypt the files and demand an x amount of money. For some money, you usually can get more money out of what they would get from an user so while users encrypt the files, might demand a couple of hundred bucks, they might ask for a few thousand, ten thousand something like that from a small business and they can be assured that they probably get it. Because these aren’t just files, like pictures and then personal documents, these are customer you know, customer files, customer information. The same goes with breaches stolen data and things like that. So you know, if you look at those reasons why it is such a good target then you can think about why it wouldn’t be such a good target. Or how you can make it so a business wouldn’t be such a great target. Things like that are usually in user education, the most often, the greatest threat from a business standpoint, is a phishing attack or some sort of social engineering attack done by attackers. So you know, make sure your people know that hey there are things out there, look for emails that seem too good to be true or they’re from your relatives or from someone else’s – a friend or something like that. Never trust what you see on social media either. It is true. It is only accounts to get attacked, to get hacked. And then all of a sudden someone that you think is your best friend on Facebook or Twitter is sending you a link to a file that says hey this is hilarious check this out. And a user who may not be security conscious or paranoid enough, honestly, may think, oh cool, I will just check it out here on a company computer since I am already here, open it up – it’s malware. And they are infected, just like that. And every single major breach has usually been because of social engineering attacks and things like that.

Slashdot: I remember after I I met a guy named Kevin Poulsen some years ago who is one of the big ones, one of the two Kevins, there was Mitnick and there was Poulsen and he told me how to do it. I will confess I was a Bank of America customer hadn’t moved to credit unions yet, and I went down and I watched the branch manager log in on their public website with a special login and I just watched her fingers and I knew her password. It was a stupid password, it was like ‘jimmy’ or something like that, a name, something like that, it was a name, mine and I am sure yours, then then have non-alphabet characters in it and be different, so here’s the thing: Okay, you screw it up, somebody has gotten into your system, and they are holding it for ransom, you are saying a lot of people pay that, what can you do instead of paying it?

Adam: Well, I mean hopefully, you have actually set up some security to begin with. And this doesn’t mean you have to have a huge security system that constantly checks every single byte coming in and out of your network, but just having things like backups, I mean this is a common sense kind of thing. This goes beyond just what you need for security. This goes just if your hard drive gets fried, or something like that goes wrong with the hardware, you know, you need backups, so customer data and things like that, so in the case of losing files like that the encryption and the ransom aspect of it, you know, having a backups means you can just wipe out your systems, start fresh. You know, you have the backups, you can bring them back, your business doesn’t get hurt. If it does, it is a little, it is a very small amount.

Slashdot: Right, and that’s pretty obvious. And what percentage actually have real backups? I know the people who have been burned once have backups.

Adam: Yeah, it is always, it is the first time and you know what to do.

Slashdot: How long does it last? A year, two years, six months, before they lapse again?

Adam: You mean the attacks?

Slashdot: No I mean the backing up, the obsessive security, how long does it last?

Adam: I imagine it will only last for you know the first few months, very diligently, after that it kind of gets lax unless you have already set up some sort of automated means to do it, and hopefully that’s what they have done but you know, depending on your business, a week, every week, backing up shouldn’t be a hard thing to do, you could have it you know automated, and it protects you in more ways than you can imagine.

Slashdot: Now let me ask you: who are we looking for as attackers? Is it pimply faced children in New Jersey basements? I don’t think it is that anymore.

Adam: It is not.

Slashdot: North Korea, China, Russia, where, where do we look for attacks from?

Adam: A lot of attacks do originate from Eastern Europe. You know in the old days of just having some script kiddy in his mom’s basement trying to hack a business because it is funny is gone. It doesn’t exist anymore. The protections that we have to defeat that kind of stuff are too great. So what we deal with are criminal organizations. We are dealing with actual organized crime. I mean, when you take the technical ability and the kind of juvenile malice of the original kind of developers of viruses and things like that, you combine that with actual organized crime, you understand that there is a whole process, there is a whole chain of command, there is a whole assembly line type style to creating the malware, dispersing the malware, you know, you’ve got your guy at the top, you’ve got your guys below him, and you have your people that disperse the malware things like that. So you are dealing with an organization. It is not just a couple of people. It is not just one person. It is a whole organization, completely set up, completely underground, and very very dangerous. And it is all about money.

Slashdot: Wasn’t there a country, Stuxnet, wasn’t there a country called the United States that may have been a national operator behind that, another one called Israel?

Adam: I don’t know anything about those countries. I can’t confirm or anything. But if you are a small business, you almost have no worry at all. I tell people all the time, who come out after they have heard news about Stuxnet or Flame or some other sort of state sponsored malware, saying am I going to get attacked by this? And I will tell you no. Why would you, you know? These are very targeted attacks, they spend millions of dollars developing them with brilliant programmers and people that run tests to make sure that they are not detected, you know, there is usually a human element behind the actual deployment of a malware, so with most commercial malware you might see, you know a bad guy would flip on a switch and it would send out a phishing email or a spam attack to hundreds of people, just hoping that one of them you know, takes a bite. But with targeted attacks, and state sponsored attacks, you’ve got people going after specific targets looking for specific information. So unless you are some sort of high ranking official of the government security organization, I don’t think you have anything to worry about. The same thing goes with small businesses.

Slashdot: What about businesses that have medical records, are they worth anything?

Adam: Of course, they are worth something. They are not worth something to the actual bad guys, they are worth something to shady advertisers who would love that information. Honestly, I mean, you know our country especially, over the last year, really big concerns over surveillance, over privacy, things like that, but the people that pay the most money for that kind of things but the people get the most use out of it are advertisers. They want to custom make their targets, you know, they want to craft a special kind of advertising just for you, so you buy things. So I think I read a statistics statistic really that said maybe 15 years ago there was a pretty high click through rate when it came to things like banner advertisements, and right now it is 0.07% I think. So almost nobody is falling for advertising anymore. So having that kind of information, being able to send out very specific, very unique information about specific people, it is very valuable you know. If somebody finds out that you have a heart condition or you have to use what do they call those the electric things, pacemakers.

Slashdot: Pacemakers or the defibrillator more likely.

Adam: Yeah, yeah, if you have to use one of those you know, that’s something that you’ll want to know more about all the time, somebody sends you an email and says hey you know, we are from the company that makes this, and you need an update or you need to learn about it, here’s a PDF to give you more information, or we could sell you something else I mean it all depends. Personal information is very very attractive. And it is not just about your email or your credit card number, honestly those things can easily change, it is the permanent things, like the medical records, the social security number, your birth date, your address, things like that, that’s when it becomes very valuable, and if you look at it from an identity theft standpoint, I mean you really can’t have anything better that.

Slashdot: I get routinely several times a week I get these calls from people who claim they are in California, but they are really in India, and when they use names like Mendoza, _____11:34 and they don’t speak Spanish, it is just a way to tell fake Mexicans from real ones quickly, they are trying to sell me pharmaceutical products, because apparently I don’t know, maybe they know that I got prescriptions from oh my God, Target... but I get most of them frankly from the VA. And I am not going to buy from India or wherever drugs that I can get for free by calling the VA Clinic.

Adam: No of course not.

Slashdot: So that’s the thing. So here’s a question: Advertisers, legit advertisers, taking information from shady/illegal companies or is ti just the flaky phone people?

Adam: I imagine there are varying levels of leads that you could get I mean depending you know companies that say we will sell you information databases about people and information about them, now whether that information was obtained legally or not, I don’t think that’s necessarily the concern of the advertiser. They just want the information so they can push out the product.

Slashdot: And they might not know. In fact, I know I've seen stories, they usually don’t know.

Adam: Yeah, exactly.

Slashdot: They say we are learning how to do it, first of all, phishing schemes with a ‘ph’, teaching our coworkers not to fall for these scams, sounds like you are saying education is a big deal here.

Adam: Education is paramount and can give you security. I know, that you know, people can tell you all the time, oh you have to get this software, you have to, you know, get this kind of hardware you have to start using Mac, you have to start using Linux in reality none of it matters, because the bad guys evolve, you know, as our securities, as our technology grows and we become better at securing it, the bad guys become better at breaking it. And so the first line of defense would always be the user. And that’s why you don’t see a lot of attacks against computers directly any more. You know, you don’t see someone breaking into a corporate network by pushing their way through the firewall. This just doesn’t happen anymore, ever. What happens is they go through the weakest link, they go through employees, they go through contractors, they go through any other method they can to try and trick people into letting them in rather than just pushing their way through like it used to be.

This discussion has been archived. No new comments can be posted.