This year’s ISTR illustrates more clearly than ever that the path of least resistance is the path hackers will take.
In years past, the typical hacker was an idle college kid or ‘script kiddie’, and those hackers accounted for most of the damage seen on the internet. Security measures improved, and basic tools for securing a network became available at more reasonable prices. But when the going gets tough, the tough turn pro. Zeus, SpyEye, and other Trojans can now be ordered online, as full setup packages or piecemeal, the same way you can buy shoes or books online. I suppose it was inevitable – in the end, everything is going to be for sale.
And who is being targeted? Sure, we still hear about the major breaches suffered by the big credit card companies and banks. But what about the little companies? Symantec’s intelligence data, gathered from managed security solutions, firewall logs, honeypots, anti-virus responses, and many other sources, shows that it’s the smaller business that has the most to lose. Visa and MasterCard were hit by an enormous hack last year, touching 1.5 million account numbers. There was a Point of Sale system hack reported that proved it can happen to anyone: an employee walking away from their cash register with the drawer at the end of the day might ignore their POS system terminal, not realizing it’s an avenue of attack. Smaller businesses often rely on third parties to be their trusted advisors in the security space. And there will always be risk, because no system connected to the internet is ever going to be 100% secure. But you can reduce the risk (and maybe even the damages) with some basic precautions.
Have a security patching plan, and mark your calendar for some regular events. On the second Tuesday of every month, Microsoft releases patches for all of its systems and programs. Adobe is on roughly the same schedule. Agree with your sys admins (or suppliers, or vendors) how quickly they will patch any ‘Critical’ or ‘High’ rated vulnerabilities. For any proprietary systems, you can always reach out to the software vendors and ask for their schedule of fixes or patches, and make sure that you understand when those releases are and how quickly you plan to remediate. All of Symantec’s SSL certificates come with malware scanning – review your reports and act quickly to close up holes in your defenses.
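A small tracker for the patching plan just described, as an added example that is not code from this post or from Symantec: it computes the second-Tuesday release dates for a year and flags patches that are still unapplied past the remediation window agreed for their severity. The day counts in the SLA table and the sample patch records are assumptions constructed for illustration, not values from the ISTR or from any vendor.

```python
from datetime import date, timedelta

# Assumed remediation windows (days after release) agreed with the sys admins.
# Constructed for this example; set them to whatever you level-set with your team.
REMEDIATION_SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}


def second_tuesday(year, month):
    """Date of the second Tuesday of a month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def patch_tuesdays(year):
    """All twelve Patch Tuesday dates for a calendar year."""
    return [second_tuesday(year, month) for month in range(1, 13)]


def remediation_deadline(released, severity):
    """Last day a patch of this severity may remain unapplied under the SLA."""
    return released + timedelta(days=REMEDIATION_SLA_DAYS[severity])


def overdue_patches(patches, today):
    """Return (patch id, days overdue) for unapplied patches past their deadline."""
    overdue = []
    for patch in patches:
        deadline = remediation_deadline(patch["released"], patch["severity"])
        if patch["applied"] is None and today > deadline:
            overdue.append((patch["id"], (today - deadline).days))
    return overdue


# Constructed sample records; the ids are placeholders, not real bulletin numbers.
SAMPLE_PATCHES = [
    {"id": "example-critical-1", "released": date(2013, 3, 12), "severity": "Critical", "applied": None},
    {"id": "example-high-1", "released": date(2013, 3, 12), "severity": "High", "applied": None},
    {"id": "example-critical-2", "released": date(2013, 3, 12), "severity": "Critical", "applied": date(2013, 3, 15)},
]
SAMPLE_TODAY = date(2013, 3, 25)

if __name__ == "__main__":
    for release in patch_tuesdays(2013):
        print("Patch Tuesday:", release)
    for patch_id, days in overdue_patches(SAMPLE_PATCHES, SAMPLE_TODAY):
        print(f"OVERDUE {patch_id}: {days} day(s) past the SLA deadline")
```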
Educate your employees, especially about the dangers in social media. There are malicious links and ‘clickjacking’ possibilities on the different social media sites, and your employees should know the dangers of clicking on ads or unfamiliar site links posted by their friends. Teach them about safe surfing with the green bar, and how to look for EV sites to avoid ‘Man in the Middle’ attacks.
E-Commerce Guidelines from PCI DSS 2.0 recommend SSL encryption, and EV in particular, for all ecommerce websites. PCI has aligned with NIST standards in stipulating that adequate encryption of a cardholder’s sensitive data is imperative while it is being transmitted, insisting on nothing less than 128-bit encryption. It also calls for crypto keys – their storage and transmission – to be effectively managed. Consider an Always On SSL approach, so that the user’s credentials are protected throughout the website, from login to purchase.
If you make it harder for the bad guys to get in, they will often go find an easier target. Be the path of greater resistance to security threats, and protect your brand, your customers, your employees, and your business.