A small company selling products from its website had bare-bones security in place. Its executives had figured its small size would put it beneath the radar of hackers and other cyber-criminals. After all, cyber attacks are usually aimed at large organizations such as the U.S. Commerce Department or Circuit City, or in one stunning case, the entire nation of Lithuania. Why would anyone bother to attack a tiny company with only a couple of servers and a handful of employees?
Someone did, though. A hacker managed to crack this company's not-very-elaborate security system, gain access to its network, and obtain credit card information for its customers. Not only that, the hacker left a root kit that continued to collect new credit card numbers as they came in. (Root kits are rogue software designed to give unauthorized outsiders administrator-level access to a system.) It took not only a new security setup, but completely wiping and reinstalling the company's computers to resolve the problem.
"The common belief is, 'I have nothing of value, so no one will bother me,'" says Dirk Morris, CTO and founder of Untangle, an open-source network gateway company that helped the small e-tailer rid itself of the hacker. "But we keep running into small businesses that are getting hacked and having their machines taken over." Smaller companies tend to have smaller security budgets and weaker security in general than larger ones, he explains, and that makes them attractive.
Organized crime may be involved
"We view targeted attacks in the same category as zero-day attacks," notes Adam Hils, primary research analyst specializing in small and mid-sized businesses for Gartner. "It's essentially the same problem as with zero-day attacks: they will never show up on any virus definition list." (For more on zero-day attacks, see previous article.) Hils adds that as hackers become more sophisticated, targeted attacks are "trickling down" to smaller and smaller companies.
To make matters worse, Morris says, organized crime is beginning to take advantage of security vulnerabilities, coordinating and managing cyber-attacks—and tracking which campaigns are most effective. This has led to an increased focus on hacking small businesses, because the success rate there has been higher.
For instance, he says, some attack campaigns target small businesses specifically by masquerading as e-mails from the Better Business Bureau, notifying the company of a complaint against it with a link to click for more details. "You click it, and it's malware."
What's the best defense against these kinds of attacks? There's an old joke about two campers being chased by a bear: one camper notes he need only outrun the other camper to reach safety. In the same way, you may not need the tightest security possible to protect against targeted attacks -- as long as your security is as strong as or stronger than that of other small companies. Having anti-virus, anti-spyware, anti-spam, and a firewall all up to date can go a long way toward providing the necessary protection.
"Hackers look for the weakest defenses, so if you have credit card numbers, you'd better have better security than the next guy," Morris says. The same goes if your servers contain personal information on customers, valuable patents, insider financial information, or anything else valuable enough to be worth stealing.
Targeting a single computer
Some attacks aim very small. "Things like botnets target individuals, rather than companies," Hils says. In a botnet attack, one or more of your users' computers becomes a "zombie," sending out virus-carrying spam or otherwise doing the hacker's bidding, usually without the user being aware of it.
That's what happened to furniture maker Summer Hill, Ltd. "This is a small company, with 35 employees," Morris says. "They started catching tons of spam, and a large number of attacks. It was all coming from one machine inside the network." It turned out a botnet program had overcome the security on that one computer, and taken it over.
The best way of coping with botnet attacks, Morris says, is careful monitoring of network activity, since an unexpected increase in little-used applications may be the first indication that something is awry. In this case, the user's computer was using Internet Relay Chat (IRC) to a surprising degree. "I doubted that the person using the computer even knew what that was," Morris says. Sure enough, the zombie computer was using IRC to send out spam -- and scan the entire Internet in search of other vulnerable machines.
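The monitoring idea described above can be sketched as a baseline comparison over connection records. This is an added example, not code from the article or from Untangle; the flow records, IP addresses, port-to-application map and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed port-to-application map (assumption); a gateway would classify traffic itself.
APP_BY_PORT = {25: "smtp", 80: "http", 443: "https", 6667: "irc"}

def app_counts(flows):
    """Count connections per (source host, application) from (src_ip, dst_port) records."""
    counts = Counter()
    for src, dst_port in flows:
        counts[(src, APP_BY_PORT.get(dst_port, "other"))] += 1
    return counts

def flag_unusual(baseline, current, rare_share=0.01, min_conns=20, growth=10):
    """Return (host, app, baseline_count, current_count) for little-used apps that surged."""
    base, now = app_counts(baseline), app_counts(current)
    base_total = sum(base.values()) or 1
    base_by_app = Counter()
    for (_, app), n in base.items():
        base_by_app[app] += n
    alerts = []
    for (host, app), n in now.items():
        # "Little-used": the app was a tiny share of all baseline traffic on the network.
        rare = base_by_app[app] / base_total <= rare_share
        # "Unexpected increase": enough connections to matter, far above this host's norm.
        surged = n >= min_conns and n >= growth * max(base[(host, app)], 1)
        if rare and surged:
            alerts.append((host, app, base[(host, app)], n))
    return sorted(alerts)

# Constructed sample flows: one normal week, then a week with one host hammering IRC.
BASELINE = ([("10.0.0.10", 443)] * 200 + [("10.0.0.11", 443)] * 180 +
            [("10.0.0.12", 443)] * 150 + [("10.0.0.5", 25)] * 100 +
            [("10.0.0.12", 6667)] * 1)
CURRENT = ([("10.0.0.10", 443)] * 210 + [("10.0.0.11", 443)] * 900 +
           [("10.0.0.12", 443)] * 140 + [("10.0.0.5", 25)] * 110 +
           [("10.0.0.12", 6667)] * 400)

if __name__ == "__main__":
    for host, app, before, after in flag_unusual(BASELINE, CURRENT):
        print(f"{host}: {app} connections rose from {before} to {after}")
```

Heavy growth in a commonly used application (the HTTPS surge from 10.0.0.11 in the sample) is deliberately not flagged; only applications that were rare across the whole network in the baseline period raise an alert.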