I read an interesting article in the Wall Street Journal today entitled Cyber Criminals Sniff out Vulnerable Firms. It’s the story of a small business owner in New York whose company was broken into by cyber criminals who stole $1.2 million from its bank accounts, although the owner was later able to recover about $800,000 of that.
The moral of the story is that small businesses feel they are not a major target for online thefts like these: big companies have more money, so they would be the logical target.
Yet the statistics prove otherwise. According to the Verizon 2012 Data Breach Investigations Report, small businesses are frequent targets of hacker intrusion.
So while it is true that large businesses have more money to steal, they also usually have more resources dedicated to implementing security. Smaller firms rely on off-the-shelf software like firewalls, A/V software and spam filters. Those give you the most bang for the buck because they don’t require a lot of human capital after the initial installation.
The trouble is that because it’s off-the-shelf, hackers can acquire them too, and try to reverse engineer them to get around them. A large company has the above software but they also have dedicated departments whose job it is to enforce security compliance and monitor if anything is wrong. Thus, a hacker has to dodge software in the small business, but software plus humans in the big business. For some hackers, the cost/benefit ratio is better for small businesses.
The owner of the business didn’t know how he got hacked. He was running Windows 7 (which is more secure than previous versions) and used an internal firewall to connect to the Internet. The company’s computers were running A/V software. In other words, he was doing everything that security experts tell people to do. One theory from the WSJ:
Experts say that it’s possible that after one of Mr. Keilson’s staffers tried to log onto the website for the company’s bank, a virus may have redirected him or her to a fake page that looked identical to the bank’s site.
If the employee typed in a username and temporary password provided by a secure-ID token, the virus might have sent that information to a thief who could have quickly logged into the bank’s real website to make money transfers before the temporary password changed.
Passwords created by tokens tend to be valid for about two minutes, say Web security experts. It’s important to note that Mr. Keilson isn’t able to confirm that this is what happened.
Compromised accounts are among the toughest to deal with. That’s why they have become a favorite with spammers over the past couple of years (as opposed to using bots to send out spam directly).
One tactic for catching them is performing statistical analysis and looking for deviations from the norm. For compromised accounts that send out spam, it is typical to see someone go from sending a handful of messages a day under normal circumstances to sending out tens of thousands once they are hacked.
Cyberthieves had made off with $1.2 million, wiring the money through nine transactions of about $150,000 each to three major U.S. banks and one Chinese bank.
Mr. Keilson, an ordained rabbi and attorney who co-founded Lifestyle Forms & Displays in 1985, said the business normally makes just one or two wire transfers a day totaling no more than $300,000.
The article doesn’t say how long it took the thieves to make off with the money, but if the business normally makes 1-2 transfers per day, then I will hypothesize that they most likely did it overnight. The business could use this knowledge as part of its detection rules: if any single transaction is more than $200,000, or the running sum of transfers is more than $300,000, disallow the transaction and require manual clearance. According to the article, the business now requires verbal clearance for all outbound transactions, which is fine, but the rule is another layer of protection.
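The two thresholds described above, as an added example that is not part of the original post: every transfer is screened against the per-transfer limit and the running daily total, and anything over either limit is held for manual clearance. The sample transfers (dates, amounts, beneficiaries) are constructed to resemble the nine overnight wires in the story; they are not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime

# Limits taken from the post: any single transfer above $200,000, or a
# running daily total above $300,000, is held for manual clearance.
SINGLE_TRANSFER_LIMIT = 200_000
DAILY_RUNNING_LIMIT = 300_000


@dataclass
class Transfer:
    when: datetime
    amount: float
    beneficiary: str  # assumed field; the article names only the receiving banks


def screen_transfers(transfers, single_limit=SINGLE_TRANSFER_LIMIT,
                     daily_limit=DAILY_RUNNING_LIMIT):
    """Return (transfer, decision, reason) tuples in time order.

    Only released transfers count toward the day's running total; a held
    transfer has not left the account, so it must not consume the limit.
    """
    decisions = []
    released_by_day = {}  # calendar day -> total released so far that day
    for t in sorted(transfers, key=lambda x: x.when):
        day = t.when.date()
        released = released_by_day.get(day, 0.0)
        if t.amount > single_limit:
            decisions.append((t, "HOLD", f"single transfer {t.amount:,.0f} exceeds {single_limit:,}"))
        elif released + t.amount > daily_limit:
            decisions.append((t, "HOLD", f"daily total would reach {released + t.amount:,.0f}, over {daily_limit:,}"))
        else:
            released_by_day[day] = released + t.amount
            decisions.append((t, "RELEASE", "within per-transfer and daily limits"))
    return decisions


# Constructed sample: two ordinary daytime wires, then nine overnight wires of
# $150,000 each (as in the heist), then one oversized daytime wire.
SAMPLE = [
    Transfer(datetime(2012, 5, 1, 10, 0), 90_000, "supplier A"),
    Transfer(datetime(2012, 5, 1, 14, 30), 120_000, "supplier B"),
] + [
    Transfer(datetime(2012, 5, 2, 1, 5 * i), 150_000, f"bank {i % 4}") for i in range(9)
] + [Transfer(datetime(2012, 5, 3, 9, 0), 250_000, "supplier C")]

if __name__ == "__main__":
    for t, decision, reason in screen_transfers(SAMPLE):
        print(f"{t.when:%Y-%m-%d %H:%M} {t.amount:>10,.0f} {decision:8} {reason}")
```

Note that the first two of the nine overnight wires still pass under these limits; the rule caps the loss at the daily limit rather than preventing it, which is why it is a layer on top of clearance, not a replacement for it.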
Verbal clearance works if there isn’t a lot of manual work involved. But when clearance gets noisy and there are lots of requests per day, people start to ignore them and look for shortcuts. When you scale up in size, you need a way to alert when something deviates from the norm; otherwise you’re barely doing better than having no monitoring at all (because people just file the alerts away and don’t look at them in real time).
Keeping track of deviations from the norm works when hackers and spammers make large, sudden changes in behavior. It doesn’t work as well if they fit into established patterns. Those are still difficult to detect.
Catching those requires another set of security policies.
If you follow Brian Krebs at all, this kind of thing is regular news, and has been so for years.
The best advice that I know of, and which Brian Krebs repeats regularly after recounting the small business cyber-heist du jour, is to use a highly locked-down dedicated computer for Internet banking purposes. For preference, the computer should have no hard drive or other non-volatile storage. Instead, it should boot off a Linux live-CD. Using Linux means that you are using the least-targeted OS in relation to this kind of malware, and using a live-CD means that the computer is in a known-good state when initially powered on. If activity on the computer is further restricted to a short white-list of necessary sites, the system is about as resilient as it can be.
To be fair - even Linux won't protect against a phish that takes you to a fake site, though it may guard you against banking malware.
It's not Linux that's going to protect you from phishing in this system: it's the fact that your email and your banking are kept separate. The Live-CD system should be the exclusive domain of sensitive operations like Internet banking, and have no access to attack vectors such as email. You gain access to the banking site through a bookmark (or equivalent) on the Live-CD system to ensure that the correct site is reached. Beyond that, it is necessary only to hammer home the message (to the persons with banking access) that all banking-related activity must only take place on the Live-CD system. A large sign on the Live-CD system saying, "NEVER EVER enter the banking password into any computer but this one," should help. The people who have access to the bank account should have "hard to fool" as one of the required characteristics for the job -- not just for reasons of phishing resistance, but for the general safety of the money. (That last point might seem obvious, but you do hear the occasional report of embezzlement related to an Advance Fee Fraud scam, so it obviously gets overlooked from time to time.) I can think of numerous ways in which security could be further improved through changes to the overall internet banking system, but this level of security (which is pretty good) is available to all, now, purely as a matter of procedure. It involves no invention of new technologies or standards; it is only a change in practices.