Computer Security Threats for Small Businesses

Monday, October 13, 2008 |

Phishing, Spyware, and Zero-Day Attacks Are Just Some of the Information and Computer Security Threats All Businesses Face

Computer Security Threats for Small Businesses

With all the good that modern computer and networking technology can bring to a small business, there are also many computer security risks that may be involved. In this day and age, those that want to steal from small businesses' aren't necessarily going to walk through the front door anymore. They are just as likely to walk through the computers and networks that were set up to help a business grow. Hackers and other cyber thieves are more often targeting small businesses, rather than larger companies, since their computer security systems are more vulnerable to attack.

There have been numerous reports and studies that have come out recently on small businesses' attitudes towards computer security. One such report, the 2005 Small Business Information Security Readiness Study, shows, more than anything, that too many small businesses take a more complacent approach towards information and computer security. According to this study, approximately 70% of small businesses consider information and computer security a high priority, and more than 80% have confidence in their existing protective measures. Unfortunately, 56% of small businesses experienced one or more computer security incidents in the twelve months prior to completing the survey, and many were still not taking the necessary steps to help prevent these security attacks in the future. Even more alarming is that almost one-fifth of the small businesses surveyed didn't use virus scanning for email, which is one of the most basic and widely known information and computer security protection measures.

The study also suggests that the inability to measure the economic impact of these computer security attacks may lead to denial within the small business community. The most significant effects of information and computer security incidents on these businesses tend to be in areas concerning personal productivity; such as lost or corrupted files, slow computer networks, and lack of email. It is difficult for a small business to realize the financial impact of such productivity losses, and this is illustrated by the fact that the majority of small businesses that allocate little or no priority to information security also believe there has been no economic impact on their business from the information security incidents. The front-line staff feels the burden of these incidents more than management, which may also lends to why executives aren't giving information and computer security higher priority.

There are many types of information and computer security incidents that can hinder a business' operations. One of the newest, and most common, computer attacks is called phishing. These attacks steal personal identity data and financial information from businesses. Phishers often hijack brand names of banks, e-retailers, credit card companies, and other businesses, to convince the victim to respond to emails that lead them to counterfeit websites designed to trick the recipients into divulging financial data. There are various forms of phishing, but this is the most common facing individuals and small businesses.

Phishing is one of the most lucrative computer crimes, which continues to grow rapidly. In April of 2005, 2,854 unique phishing sites were found. That number jumped almost four times by April of 2006, with a record 11,121 unique phishing sites reported. These sites are not an amateurish knock-off of the sites they are portraying. Sophisticated phishers actually use server-side software that pulls all of the text, graphics, and links straight from the company's live site. What this mean is that all of the queries that are input go to the real site, except log-in information, which goes directly to the cyber thieves.

Experts at UC Berkley and Harvard published a study, entitled "Why Phishing Works", which 22 participants were shown 20 web sites and asked to determine which ones were real and which ones were 'spoofed', or fake. In this study, it was shown that even when people are specifically looking for phishing websites, many cannot distinguish between real and fake. The best phishing site in the study was able to fool 90% of the subjects. The study also pointed out that indicators designed to signal trustworthiness - padlock icon in browser, "HTTPS", yellow address bar background, etc...- were either misunderstood or completely unnoticed by many participants.

Another information security concern for businesses, as well as individuals, is spyware. Spyware is computer software that collects personal information about users without their informed consent. Personal information is recorded using a number of techniques; including logging keystrokes, recording internet web browsing history, and scanning documents on the computer's hard drive. Responsible for half of the computer crashes reported to Microsoft, and one out of four help desk calls for businesses, spyware is draining IT resources and lowering business productivity. Spyware that exposes personal data may result in undue public embarrassment, costly customer notifications, and compliance violations that bring hefty fines.

Detecting what programs are actual spyware is difficult, as these examples of different spyware types will illustrate:

Adware is a type of spyware that tracks user's information and web surfing habits through the use of cookies, programs intended to track this information to improve websites for users. Some of these cookies share this tracking data with third-party companies that deliver pop-up or banner ads. These are called adware cookies.

NonBizWare is a term used to describe programs employees download or install onto company PC's, which have nothing to do with the actual business. IM programs and peer-to-peer file sharing programs are common examples of such programs. These programs could open up back channels for cyber thieves to invade company systems and information. NonBizWare may also expose employers to legal liability associated with distribution of copyrighted music, pirated software, and pornographic material. So, even though many of these programs may not be actual spyware, many anti-spyware programs treat them as they were and delete them from computers.

A growing number of spyware programs are malware; malicious software intended to damage computers, steal data, or create an attack platform. Browser hijackers can change homepages, redirect web searches, and misdirect URL's to phishing websites. Keyloggers record document edits, email, instant messages, chat room conversations, and web form responses by relaying user keystrokes to remote attackers. Trojan downloaders hide in attachments and downloads, and open back doors for other vicious software to attack. These are just a few of the many examples of malware that is circulating the internet these days.

The creation of spyware itself has created a whole industry of anti-spyware programs and software, but also a new opportunity for cyber attackers to get to users. Rogue anti-spyware programs use pop-up ads and scare tactics to convince users to download phony anti-spyware programs. Once executed, these rogue programs generate false positive warnings that make users purchase clean-up programs or paid feature licenses.

These were just a few of the thousands of spyware examples. They illustrate how diverse spyware programs can be in their delivery and attack method. These examples also showed how spyware can affect business operations from many different angles.

One of the most vicious internet attacks a company can face is called a zero-day attack. This is an attack against a software flaw at a time when no security patch or update is available to fix the flaw. The reason these attacks are so devastating is because they can attack well-maintained and secure systems, leaving the users and IT professionals almost helpless.

The most dangerous of these pre-patch attacks permit drive-by downloads, where simply browsing a poisoned site or reading an infected HTML email, can trigger an invasion capable of filling your PC with all kinds of spyware, Trojan horses, and other malware. Microsoft products such as Internet Explorer, Office, and the Windows operating system are common targets of zero-day, and other, attacks, partially because they are so widely used in the market.

The zero-day attacks on MS Word and other Office products differ from the Internet Explorer attacks. Since these applications can't employ drive-by downloads, the cyber criminals typically rely on getting the victim to double-click an email attachment. By sending employees of a targeted company a spoofed email message that appears to come from a coworker or somewhere else within the organization, these attackers have a much better chance of getting unsuspecting victims to double-click these attachments.

It may seem that it's just too dangerous out in the world wide web for small businesses and individuals, but there are ways you can safe guard your data, and ultimately, your money. With all of these threats, come an onslaught of software to help protect against them. The next few paragraphs discuss some of the key security features every small business owner and manager should know.

First step for a small business owner to do is set up a firewall on all computer networks. A firewall's basic task is to control traffic between computer networks with different levels of trust. Most internet and computer security systems come with some form of a firewall program, or management can always upgrade to a more powerful one.

Although firewalls are universally deployed and necessary, with all the new information security threats that have, and will, come to fruition, firewalls are just not comprehensive enough when it comes to major data and financial protection. Many internet security firms believe that using multiple security features is a more realistic way to safe guard your business. Essentially, this gives hackers and cyber thieves more obstacles to overcome.

Besides buying and installing security features and programs to thwart these attacks, management needs to make sure all computer systems and security programs are updated regularly. It's not enough to just have these programs installed; management needs to stay up to date with them. Most of the reference material I have come across also stresses the importance of updating the 'human factor'. This is keeping all employees, not just management, knowledgeable about what to watch for and what to avoid while working on the internet.

0 comments:

Download Links