Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Security tips for large and small businesses

Steps for small businesses and enterprise-class security specialists

Article comments

Whether your business is a big fish or a small-fry home office, you can get hacked just the same, and the stakes are higher than a few canceled credit cards. Here are a few tips to protect your users and your networks--steps that even enterprise-class security specialists may slip up on.

Know Who Might Be Targeted - and How and Why

With the recent news of attacks on US companies including Google, many business owners might be thinking, "That wouldn't happen to me - I don't have anything so valuable on my servers that an attacker would go after it". Many attacks aren't targeted at all, but are the result of self-selection. That is, the attacker casts a wide net by sending thousands of messages to a harvested list of email addresses, and the ones that respond - either by clicking a link or via a ping-back embedded image in the email - are the self-selected targets to pursue.

Targeted attacks - or "spear phishing," as they have come to be known - are a more dangerous animal. A good attacker performs reconnaissance by scanning a target organisation's website, quarterly SEC filings (if a public organisation), and press releases to find names of key personnel and email addresses.

Related Articles on Techworld

If that fails, attackers will probably prowl industry conferences and public speaking events (slideshows are almost always archived on the conference website with the speaker's name, title, and email address); they'll also check out social networking sites - it's easier for a hacker to bait the hook by figuring out who's in charge through Facebook fan pages and LinkedIn profiles.

While your average spammer is looking for quantity, a spear phisherman is looking for quality. Any key executive that regularly handles sensitive documents or has elevated permissions on a company's file server is a potential victim.

Although you might jump to the top of the organization chart and think that the CEO is where spear phishermen would focus their lasers, consider your CEO's executive assistant, as well. This person is accustomed to receiving hundreds of e-mail messages a day for the CEO from unfamiliar senders, and is likely charged with sorting all inbound messages. The assistant is more likely to be stressed, behind a deadline, and pressured to avoid delaying important messages--and thus more likely to make a poor computer security decision.

For similar reasons, a general counsel or staff attorney at an organization is also a good target, especially with an Adobe PDF attack. Attorneys regularly exchange large PDF briefings between one another and between companies. It wouldn't be a stretch to imagine sending a mock cease-and-desist email message from a spoofed address of your favorite influential intellectual-property law firm and include a PDF with a malicious payload. The attorney wouldn't think twice about opening such a message; and once the payload within the PDF is executed, the attorney's machine is effectively "owned" by the attacker.

Don't Take the Bait

Phishme

Spear-phishing attacks aiming for competitive intelligence or corporate espionage are likely to have a custom-tailored message (e-mail, IM, tweet, and so on), such that the victim is more likely to take the bait. A top nuclear physicist at a research institution is unlikely to follow through on a link advertising replica Rolex watches or natural male enhancement, but if the message is inviting the victim to be a speaker on a panel at a well-known nuclear physics symposium, the bait will be all but irresistible.

Although you might think that in 2010, most users (and especially tech workers) would be suspicious of any password reset or messages declaring that "we are improving our security," a stunning number of them will still be fooled by such schemes. My company, Special Ops Security, as part of its assessments with organizations and government agencies, will run controlled experiments where we intentionally phish targeted individuals at a company and track both click-through and captured passwords on an encrypted Web site.

Two colleagues of mine have even started their own self-service portal for CIOs to run mock "spear phishing" of their employees at PhishMe.com. It's a particularly eye-opening exercise, and I highly recommend it.

Phishme

Use Unique Email Addresses to Keep Password Reset Emails at Bay

If you don't believe that you would fall for a targeted e-mail discussing your upcoming new product or a malicious PDF with a class-action settlement notice, there is the ever-present category of password reset and social networking notification messages. Most Websites, as an unfortunate necessity of large scale, have a "forgot password?" function that sends e-mails to allow you to obtain access to your account.

Additionally, we are trained to expect notification emails from sites informing us of new friend requests, or photos of ourselves that others have posted. This is a particularly enticing proposition for the human psyche--how can I resist clicking on "have you seen this hilarious picture of you from last night?"

How is one to know if Facebook or MySpace truly sent the email or if it is spoofed? Eventually there will be enough adoption of electronic signatures and DNS-level security to make these spoofed messages ineffective. In the meantime, there is one method that I employ to make sure a message is genuine. Each social networking (or e-commerce, airline, or whatever) Website that I use has its own unique e-mail address for me.

If you are fortunate enough to have your own domain name and a mail server (Google Apps is great for this), you can create linkedin@johndoe.name and bankofamerica@janesmith.org. If you receive any notification message purporting to be from a site but the "to" address does not match, consider that message to be highly suspect and delete it immediately.

For those of us without the luxury of their own domain, or who are worried that someone might be able to easily guess their myspace@alicejones.net addressing scheme, a few e-mail masquerading services are available. My favourite is Sneakemail.com, which lets you create an unlimited number of email aliases for a modest $2 per month. This way, you can use one unique email per website, and all the messages get forwarded to your "real" mailbox. The service even handles replies, so that the website never has your real address.


Share:

More from Techworld

More relevant IT news

Comments




Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *