Saturday, April 19, 2014

Ten Basic Steps a Small Business can take to avoid getting hacked

Cybersecurity can be daunting: the technology, the terms and the cost.  Big companies collectively spend BILLIONS of dollars per year, and yet they still get hacked.  As a small business, what can I do to keep the same thing from happening to me?  If you don't want to be the next TARGET, pay attention to what is important.

There is never any guarantee that a person or a business is totally hack proof, but you can make yourself difficult enough that attackers move on to an easier target.

The details depend on the size of your business, what you have to protect and whether you are under government regulation, but here are 10 common-sense and (mostly) free steps you can take.

Even if you don't think you have anything the hackers want, think again.  Do you log on to your payroll system or the company bank account?  Do you check or pay any bills online?
Your computers, your network and your internet connection are also valuable to hackers in their own right.  A small HVAC vendor was hacked, and its network access was then used to get into Target.  You don't want to be the source of an attack on Bank of America or the White House's website.

1) Know what you need to protect and why.  Do you collect any private or confidential information?  Where do you store it?  What do you do with it when it is no longer needed?  If you store confidential information, look into encrypting it.  Modern operating systems come with free disk encryption (BitLocker on the business editions of Windows, FileVault on the Mac), or you could use ‘TrueCrypt’.  TrueCrypt can even encrypt those pesky USB drives you use to move your customers’ data back and forth.  (TrueCrypt’s developers abandoned it shortly after this was written; the VeraCrypt fork fills the same role.)  If hackers get the encrypted data but not the key, they can’t read it.  Keep in mind that disk encryption protects data at rest, a lost laptop or USB stick, not data on a running machine that a hacker already controls.  Target did not encrypt their data.

2) Talk to your employees.   Big companies spend thousands of dollars on ‘Security Awareness Training’.  You might just need to remind your employees not to download files from the internet or open email attachments without thinking about it.  You could subscribe to our Facebook or Twitter feed and forward reminders to your users, or post the information on your internal ‘intranet’ or ‘Message of the Day’.  Target did not train their employees on what to do when a machine was found infected with malware. The SBA has a short (30 minute), free course on security awareness: http://www.sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses

3) Firewall:  If your office is on the internet, you already have one in the router from your cable, phone or internet company.  It is designed to keep bad people from easily reaching the computers in your office.  Consider taking it one step further:  instead of only blocking bad things from getting in, block bad things from getting out.  A firewall can also stop many attempts by malware to send your data out (this is called egress filtering), and the outbound connections it blocks and logs are an early warning that something inside is already infected.  Target ignored alarms from their APT firewall for several days and might otherwise have prevented the export of the credit card data.
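What "blocking bad things from getting out" looks like on a gateway, as an added example that is not part of the original post: an nftables ruleset that lets office machines reach only the services they need and logs everything else that tries to leave. The interface names (lan0, wan0), the 192.168.1.0/24 office network, the 192.168.1.25 mail server and the 203.0.113.53 resolver are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post: an egress-filtering ruleset for a
# small-office gateway. Interface names (lan0, wan0), the 192.168.1.0/24 office
# network and the resolver/mail-server addresses are assumptions.
flush ruleset

table inet office {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the office started are always allowed.
        ct state established,related accept

        # Outbound: only the services the office actually uses.
        iifname "lan0" oifname "wan0" ip saddr 192.168.1.0/24 tcp dport { 80, 443 } accept

        # DNS only to the resolver you chose, so malware cannot tunnel data out
        # over DNS to a server it controls (203.0.113.53 is a placeholder).
        iifname "lan0" oifname "wan0" ip daddr 203.0.113.53 udp dport 53 accept

        # Time sync.
        iifname "lan0" oifname "wan0" udp dport 123 accept

        # Only the mail server may talk SMTP to the internet, so an infected
        # workstation cannot become a spam relay.
        iifname "lan0" oifname "wan0" ip saddr 192.168.1.25 tcp dport { 25, 587 } accept

        # Everything else leaving the office is logged, counted and dropped.
        # The log line is the alarm: a workstation that suddenly trips it is
        # probably infected, which is the warning Target had and did not act on.
        iifname "lan0" oifname "wan0" log prefix "EGRESS-DROP " counter drop
    }
}
```

Load it with `nft -f` on the gateway; the blocked attempts show up in the kernel log (`dmesg`) with the EGRESS-DROP prefix. Inbound connections from the internet are already dropped by the chain's default policy; the point of the ruleset is the last rule, which turns an outbound connection you did not expect into something you can see.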

4) Anti-Virus:  You bought a new computer and it came with 6 months of free anti-virus.  That anti-virus is still on the now 7-month-old computer, but its subscription has lapsed and new viruses have appeared in the last 30 days, so the stale software is much less useful.   You can get free anti-virus from AVG, but for a paid version I recommend Kaspersky. (The Target vendor that was the initial source of the attack reportedly had only a free version of malware detection software.)

5) Passwords.   Use them.  Don’t reuse them.  Don’t use the same password on your bank web site that you use on the Papa John’s internet order site.  Have a different password for each of your business accounts.  Keep in mind that you also have passwords for third-party social media accounts like Twitter, Facebook and WordPress.  Here is some information from the IEEE Computer Society on passwords:
Changing Your Password:
• Never change your password by following a link in an e-mail that you did not request, since those links might be compromised and redirect you to a site set up to steal your personal information.
• In order to be effective, you should aim to update your online account passwords at least once a quarter or every few months.

Creating a Strong Password:
• Variety – Do not use the same password on all the sites you visit.
• Do not use a word from the dictionary.
• Length – Select strong passwords with 10 or more characters that cannot easily be guessed.
• Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
• Complexity – Randomly add capital letters, numbers, punctuation, or symbols.
• Substitute numbers for letters that look similar (for example, substitute “0“ for “o” or “3“ for “E”).
• Never give your password to others or write it down.
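The length, complexity and dictionary rules above, turned into a small checker, as an added example that is not part of the original post or of the IEEE guidance. It also implements the "first letter of each word" method, and it undoes the look-alike substitutions (0 for o, 3 for E) before the dictionary check, because password-cracking tools apply exactly those substitutions, so "P@ssw0rd" is still the word "password". The ten-word COMMON_WORDS list is an assumption standing in for a real dictionary.

```python
import re
import string

# A tiny stand-in for a real dictionary (assumption for this example; a real
# checker would load a wordlist with tens of thousands of entries).
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "summer",
                "monkey", "football", "dragon", "admin", "secret")

# Reverse the look-alike substitutions the guidance suggests, so that
# "P@ssw0rd" is still recognised as the word "password". Cracking tools
# try these same substitutions, so a substitution alone adds little.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def common_word_in(password):
    """Return the first common word found in the password, with or without
    the look-alike substitutions undone, or None."""
    raw = password.lower()
    unleeted = raw.translate(UNLEET)
    for word in COMMON_WORDS:
        if word in raw or word in unleeted:
            return word
    return None


def check_password(password):
    """Apply the length, variety and dictionary rules listed above.
    Returns a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    word = common_word_in(password)
    if word:
        problems.append("derived from the common word '%s'" % word)
    return problems


def phrase_to_password(phrase):
    """The 'first letter of each word' method: keep the first letter of every
    word (so capitalisation survives) and keep number or punctuation tokens
    whole, which supplies the digits and symbols the complexity rule wants."""
    parts = []
    for token in phrase.split():
        if token[0].isalpha():
            parts.append(token[0])
        else:
            parts.append(token)
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ("P@ssw0rd!", "Summer2014!", "Tr0ub4dor&3",
               phrase_to_password("My dog Rex ate 3 socks in 2014!")):
        print("%-20s %s" % (pw, check_password(pw) or "OK"))
```

Note what the checker cannot do: it has no way to tell whether you used the same password on another site, so the "Don't reuse them" rule still depends on you.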

6) Wifi/Wireless: Do not use ‘free’ wireless hotspots.  OK, you will do that anyway.  But consider that anyone in the area can snoop on any unencrypted data you send or receive, and they may be able to attack your laptop directly because you are no longer behind your company firewall; stick to HTTPS sites, or use a VPN back to the office.  If you have wifi at work, use the best protection available:  WPA2 Enterprise if you are running a local Active Directory/Windows domain, or WPA2 with AES (CCMP) and a strong pre-shared key (passphrase).  Do not use WEP or the older WPA/TKIP: WEP can be cracked in minutes and TKIP has known weaknesses.

7) Sign out of your account when you are done.  This is especially important on publicly available computers in the business lounge of a hotel or airport, where the next user inherits your session.  Even on a computer you own, while you are still logged on to a web site, another page you visit can sometimes make that site carry out actions in your name without your knowledge (the attack is called cross-site request forgery), and on a laptop that is lost or stolen an open session is an open door.

8) Patches and updates:  All computer programs have unintended ‘side effects’.  Sometimes known as bugs, hackers call these ‘undocumented features’.   Software companies release frequent patches, often right after a hacker figures out how to abuse one of these undocumented features.  Patch your operating system, and patch common third-party software such as Java, Adobe PDF readers and Flash; all of the above have been used to break into computers.   This includes your company’s servers, workstations, laptops and smart phones.   It also includes any third-party web sites or cloud services you use.  You can’t patch them directly, but you should insist that the vendor audits and patches any service you pay for.  You really don't want hackers to do to you what they have done to famous websites, like advertising your competitors or posting porn.

9) DON'T VISIT THE BAD SIDE OF TOWN.  Don't let your children or employees use a company computer for games.  Web sites of ‘questionable value’ are known to use deceptive practices to install malware and spyware.  That ‘anti-virus update’ you just downloaded from the ‘artistic’ web site may contain the very virus you were trying to avoid.

10) MAKE BACKUP COPIES.  Consider how much time it takes to make the backup copy versus the time it would take to recreate all the work you lost, if that is even possible.  Keep at least one copy somewhere malware on your network can’t reach (a drive you unplug, or an offsite copy), and test a restore now and then: a backup you have never restored is only a hope.
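A backup routine that does the two things most small-business backups skip, checking the copy for corruption and proving it restores, as an added example that is not part of the original post. It packs a folder into a compressed tar archive, records the archive's SHA-256 beside it, restores into a scratch directory and compares every file, then flips one byte in the archive to show the checksum catching the damage. The "office" folder and its files are constructed sample data; the function names are this example's own.

```python
import hashlib
import os
import tarfile
import tempfile

HASH_SUFFIX = ".sha256"


def sha256_of_file(path):
    """SHA-256 of a file, read in chunks so large archives don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, archive_path):
    """Pack source_dir into a gzip'd tar archive and write a sidecar file
    holding the archive's SHA-256, so corruption can be detected later."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    digest = sha256_of_file(archive_path)
    with open(archive_path + HASH_SUFFIX, "w") as f:
        f.write(digest + "\n")
    return digest


def verify_backup(archive_path):
    """True if the archive still matches the checksum recorded at backup time."""
    with open(archive_path + HASH_SUFFIX) as f:
        recorded = f.read().strip()
    return sha256_of_file(archive_path) == recorded


def _file_hashes(root):
    """Map of relative path -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of_file(full)
    return result


def restore_matches(archive_path, source_dir):
    """Extract the archive into a scratch directory and confirm every file
    comes back byte-for-byte identical to the original. This is the step
    most small businesses skip, and the one that matters."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction, Python 3.12+
            except TypeError:
                tar.extractall(scratch)  # older Pythons have no filter argument
        return _file_hashes(scratch) == _file_hashes(source_dir)


def run_demo():
    """Build a small constructed 'office' folder, back it up, verify it,
    test-restore it, then corrupt the archive to show the check catching it.
    Returns the outcome of each step."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "office")
        os.makedirs(os.path.join(source, "invoices"))
        with open(os.path.join(source, "customers.csv"), "w") as f:
            f.write("name,email\nAcme,billing@acme.example\n")  # constructed sample
        with open(os.path.join(source, "invoices", "2014-04.txt"), "w") as f:
            f.write("Invoice 1001: $450.00\n")  # constructed sample
        archive = os.path.join(work, "office-2014-04-19.tar.gz")
        make_backup(source, archive)
        results = {
            "verified_after_backup": verify_backup(archive),
            "restore_matches_source": restore_matches(archive, source),
        }
        # Simulate bit rot or a half-written copy: flip one byte of the archive.
        with open(archive, "r+b") as f:
            f.seek(32)
            original = f.read(1)
            f.seek(32)
            f.write(bytes([original[0] ^ 0xFF]))
        results["verified_after_corruption"] = verify_backup(archive)
        return results


if __name__ == "__main__":
    for step, ok in run_demo().items():
        print("%-26s %s" % (step, ok))
```

Copy the archive and its `.sha256` file to the offline or offsite location together; running `verify_backup` on the copy there tells you whether what you will one day restore from is still intact.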

The FCC also has a top-ten list, with some of the same information as mine and some that is different: http://www.fcc.gov/cyberforsmallbiz

Is this all?  No, but it is a good start.  NIST publishes checklists that contain hundreds of things to check, but if your small business doesn’t do the basic steps above, nothing else it does will matter.   Target got hacked because:
1) They didn't train their employees on their APT firewall
2) They didn’t make sure their partners had good cyber security
3) Their partner used free anti-virus software and had a very weak password
4) Target let their partner have access to places they had no need to be
5) There were unpatched computers in Target’s network

RSA, a big company that sells cybersecurity hardware to big business and the government, was hacked in 2011.  What went wrong?

1) They had identified their critical information and even had written policies, which were not followed
2) Someone opened an email attachment that they should not have opened
3) That attachment exploited a flaw in a third party product that was not patched
4) Passwords that should have been disabled once they were no longer needed were still active

And, now the obligatory sales pitch:

Follow me on Twitter @scheidell, LinkedIn http://linkedin.com/in/scheidell or Facebook http://www.facebook.com/SecurityPrivateers.  I publish news on the latest attacks, viruses and patches.  You can use this information for free to educate, inform and warn your users, clients and partners.  Subscribe to this blog at http://blog.securityprivateers.com and check my latest presentations on http://slideshare.com/MichaelScheidell.  Invite me to do a presentation at your local Rotary or Kiwanis club.

You have something valuable to protect: your company assets and your clients’ privacy and information. If you don’t think the above steps are enough, I can help with a cyber-security survey or IT risk assessment.

I have worked with companies from small offices with 20 people to large rail and transportation organizations with 20 thousand people.  I have experience in banking and finance as well as medical devices and health care.  Remember, all it takes is one breach to destroy your company.

Michael Scheidell, CCISO, SMIEEE
michael@securityprivateers.com / (561) 948-1305