You start a business in Pittsburgh.
You are happy, excited, nervous and ready.
Through the first few months, you notice profits increasing. You see happy customers. And you see solid growth for your business.
Then, one day, something disturbing happens. Customers are upset and growing irate. Your payment processor seems to be going into a panic over your payment histories.
Data is being altered, accessed and, now, deleted…
You’ve been hacked! And it can cost you everything.
This isn’t a new story. In the business world, many business owners get a slap to the face by the world of hackers, scammers and evilness of the digital world. We’ve heard something similar with many clients of Preferred IT Solutions.
One other thing happens – we don’t think the attempts at infiltrating your systems will likely ever stop.
Here’s the hard truth: Pittsburgh business owners are not exempt from hacking or scamming attempts.
As you’re about to see, neither are the new and naive business owners…
You’ve seen a basic scenario of a new business owner. But what if you are a large organization that has years of services and thousands, if not millions of customers?
Yep, it can happen there, too.
Let’s look at a few successful data breaches, and see what likely happened, and how you can avoid something similar.
Paige Thompson was able to break into Capital One servers and gained access to over 140,000 social security numbers, 1,000,000 Canadian Social Insurance numbers and over 80,000 bank account numbers and information. This includes an untold amount of user’s names, addresses, banking history, credit history and more.
Capital One is no small fish. Founded in 1994 as a spinoff of Signet Financial’s credit card division, Oakstone Financial, Capital One is the 10th largest bank in the U.S. based on assets. Capital One is also the second largest auto finance company, and the 5th largest credit card processor by purchase volume.
Like I said, Capital One is no small fish.
Even with their size, and rules regarding PCI-DSS compliance, and their endless ability to hire the right people and securing their systems the right way, their security still failed.
How did this happen?
Miss Thompson simply exploited a misconfigured firewall. She began by knocking on doors – virtually, of course. When she saw a door that was left open, she then opened it.
The “door” was a server operating between Capital One’s cloud and their public website. Once she could access it, she began requesting some metadata (data about data). She was then able to claim keys used for secure access of secure systems.
Basically, Capital One had shut their front door, but never locked it. The hacker dug through drawers until she found keys to the safe and then simply unlocked the safe and emptied it out.
While Ms. Thompson was arrested on July 29th, her hacking attempts directed at Capital One started in March, and lasted a few weeks. Capital One, during that span, continued business as normal, because they just did not know of the intrusion, because it never looked like one.
Capital One, has no room to defend itself.
Here’s why…
Capital One’s data breach could have been avoided. The exploited firewall software was a known vulnerability that Capital One chose not to fully fix.
Target is the 8th largest retailer in the United States. It owns nearly 2000 stores, and boasts yearly revenue of over $75 billion.
My point is that Target is BIG.
Starting in November 2013, they also became weak. This was the first time the hacking group used stolen credentials to access Target’s network.
And that is the key – Target’s ‘network’.
Where Target failed to secure their systems was involved allowing their whole network to exist together, without segregation. Because of this, a vendor working with Target’s HVAC system remotely had similar rights and access to those POS systems at the counters. While the hacker was not the HVAC vendor, the hacker’s target was.
Once the hacking group had the HVAC vendor’s login, they moved through the network, and deployed malware into the POS systems (among others). Between November 27th and December 15th, Christmas shopping season, the hacking group managed to grab about 40 million credit cards and debit cards.
Not every hack is a digital one.
Just recently, the FDNY reported that up to 10,000 patients may have had their personal information stolen. Was this an elaborate digital intrusion by “the Russians”? What this much like the popular movie, “Hackers”, a multiple hacker effort to break into a large-scale system?
No.
In this instance, someone physically took the laptop containing a hard drive with the information on it!
This is an instance that shows you that you must do more than use firewalls and logins to counter possibly hacking. Physical locks and encryption of data need to be part of every effort to prevent hacking and data breach.
The most simple thing to learn is that security does not exist simply on the level of passwords.
Does your business do this now? If not, you could be susceptible to attack – if you are not already a target.
When you think about data breaches, you likely think about the internet. The internet, currently, involves the transit of data from end users and websites. However, the expanded definition of the internet involves any system, application and type of server accessed from a user or another system.
So, when we think about the term ‘internet’ on the scale of business security and cybersecurity, we need to think of any system that is connected to any other system. A user’s phone or computer could be a system. Just like a company database, website or cloud server could be a system.
What are some of your business systems that are not a ‘website’?
Email comes to mind. Your database(s) are another. Add in more advanced systems like DNS servers, cloud servers and internal business devices like printers, routers and scanners, and there are a LOT of points of intrusion.
And this is not considering your own website.
A website, truth be told, is simply a front end for back end data and information. In most cases, a website is not the final target of an attack on your business and customers.
The security of your business depends on hardening and securing all of these. These services, these devices and these servers, and the methods used by them to communicate with each other are imperative to your business.
What parts of your business systems need secured when it comes to cybersecurity? ‘Everything’ might be too general, right?
But it is the answer – everything needs security.
Start with basic tasks: a user on your website, you sending and receiving emails and the devices that you use.
Does your website use strong passwords to log into the web server control panel? Do you use https/tls over standard http for transmitting data? Do you update and upgrade your CMS (WordPress, Joomla, etc)?
Does your email use encryption, standard? When you send, receive, reply and forward emails, do you use encrypted methods?
For devices, a large consideration must be made on our growth, as a culture, to the ‘internet of things’, or IoT. This mentality allows many to plug into a whole mess of systems, without apparent consequence. But without proper constraints on access, and use of simple logic, you can be hacked.
Take for instance public wifi…
WiFi is a facility that allows one more devices to connect to a central device, and communicate with one another. These devices can be smartphones or laptops, as well as computers, printers, smart appliances, televisions, game systems and more.
WiFi is designed and used for convenience. In my home, I can eliminate 100+ feet of cabling with my WiFi setup. That is a cost, and a headache, which can be magnified in business environments.
One thing to note – never, ever use public WiFi for the best security possible.
Public WiFi, even when using a strong VPN solution, still allows for an external actor to send and receive your signals.
If you do use public WiFi, here are some things to remember:
We all remember the story of the Big Bad Wolf and Little Red Ridinghood, right? In case you don’t remember, Red was going to her grandmother’s house, skipping along just living life. At the same time, the Big Bad Wolf was eating the grandmother and then taking part in some fun cross-dressing.
His goal?
To eat Little Red just like he ate grandma.
A good lesson can be pulled from this children’s tale…
Never assume good or bad; always lock down access with access controls.
After all, hackers are the Big Bad Wolf. If you want to be grandma, then take a wait-and-see plan with your security. Or, you can be the woodsman!
Let’s talk a little bit about some of the ways we can use access controls, starting with two words: blacklisting and whitelisting.
Blacklisting is a term used to designate a person or thing in a negative way, adding it to a list of ‘not allowed’ visitors. This is an effective method of preventing those bad players from entering your system.
However, it has a major drawback…
Blacklisting is a reaction, not a proactive action.
Think about that for a second. You cannot blacklist someone until after they have done something to show that they should be blacklisted.
If you need something more proactive, then use whitelisting. Whitelisting allows us to designate users, by IP or by login, that are allowed to enter the system.
In other words, while blacklisting allows everyone and then blocks the bad, whitelisting blocks everyone assuming they are bad and lets in only those allowed.
Our recommended method of access, or, YES TO ALL!
The simple answer is ‘yes’ – technically, we recommend both. Bad actors might be masking themselves as ideal employees, or could become ideal employees or vendors that have become hacked.
The measure of placing whitelisting as standard, and using some type of blacklisting for malicious activity can save your business!
If you think hacking works exactly like this clip below, then you might need to rethink your security.
The fictional tale of “Acid Burn” and “Zero Cool” isn’t 100% accurate for what a hacker, as well as a hacking group, actually does. Things have changed, even in their fictional world.
Hacking starts with one of two different scenarios: a hacker stumbles across something they can exploit in a company or person, or they target a specific person, group of people or organization.
The first, looks to randomly find a known exploit. This exploit could be publicly known, or only known to the hacker – usually called a ‘zero day’. The exploit then exposes some or all access or data to the hacker.
In other words, they are looking at random for an exploit of technical know-how.
There is a spinoff to this that we will talk about later, and that is looking at random for an exploit of a person.
The second way, targeting a group, is usually what you will see with many masking, phishing, whaling, spear-phishing, whaling and bitcoin-for-malware attacks. This specifically uses flaws and exploits in people to create the ability of the scammer or hacker to enter a system.
Both types of hacking use exploits (whether it is in the software or the people) to gain access into a system.
Information is power. The more information that you and your employees have when it comes to cybersecurity, and security in general, the stronger your company is for your customers.
Now, no amount of knowledge, and even staff, can prevent every attack on your company. In fact, there is a small percentage of data breaches that involve existing employees.
But, having informed employees exist in a digital world, is much different than employees who are completely untrained.
Where should you begin?
Begin with a simple conversation on security, safety and protecting access and information. Ask questions that can test their knowledge, and expand on what they know for a longer conversation.
Do they know what a ‘strong’ password is?
Do they know the difference between encryption and plain-text?
Do they know what compliance issues and regulations that are needed to be followed?
These are only a few topics to discuss. Having a formal plan in place for these types of trainings and conversations will grow into more training and more information. Over time, your employees won’t just think about security as part of the business, they’ll begin to think about security first – which is the goal.
Phishing is the act of using ‘bait’ to get a target to do something. Normally, this ‘something’ is the volunteering of information that might not seem completely sensitive, but is. The information can used to gather more information, falsify legitimate employees or infiltrate larger systems.
Whaling is the act of phishing, but on a very high position. CEOs, COOs, CIOs and Presidents and Vice Presidents are usually the targets of whaling attacks.
Spearing is the act of mixing phishing and whaling together, with some hacking. You are targeting a very specific person, attempting to infiltrate their data on the business platform, and usually personally as well.
So which will your business see?
Your business, based on its size, could see all three. The most common is phishing. Some phishing is considered ‘blind’, meaning the hacker or scammer uses a general set of attack to grab something, anything. Other phishing is more targeted, using a business listing or vendor list as bait.
Too many definitions for you?
Let’s use an example from one of our clients, to show you what a phishing attack looks like and how to prevent it. This was a targeted phishing attack, that used the HR department as bait, for many administrative assistants.
We changed the names, and some tidbits, but you’ll be able to follow along, just the same.
Andrew was a very good administrative assistant. Not only was he good at what he was hired to do, but he really became part of the whole team. Andrew aided his boss, Rebecca, in projects and with ideas to move them along. Andrew was, quite literally, on the fast-track for a promotion.
One Thursday afternoon, after Rebecca had left the office for a 3 week holiday, Andrew received an ‘immediate’ email from HR. You know that kind of email…’take action now, $(*#*%!’.
The email laid out exactly what was needed…
Andrew, This is Carl Larc from HR. We know Rebecca left for vacation already, but we need her verification because someone contacted us regarding her last tax filing and w2. Can you fill out the enclosed DOCx, and send this back to us immediately. To be frank, my job is now on the line and I need this back before tomorrow. I’m leaving the office in a few, so just email it back and I’ll fix everything before heads roll, if you know what I mean. Thanks, Carl
Now, if you are in the security field, a whole host of flashing red lights just started going off in front of you. Likely, you would call “Carl” or someone else in HR and ask about this. You probably wouldn’t open the file either.
However, Andrew didn’t.
He opened the attached file. He filled in the fields needed, including some personal details on the w2 from Rebecca, and then sent everything back.
Then he waited for an answer from Carl.
But Carl never wrote back. Carl was never in HR. We found out “Carl” was actually somewhere in Indonesia, and likely had never even been to the United States.
Unfortunately, it wasn’t filling in the basic details of info that really hurt Andrew and the company. When he downloaded and opened the attachment, he inadvertently installed malware onto the company’s system. And, because his computer was given some serious access to certain systems and client data, his actions cost nearly 7 figures to the company in damage.
And, one final note, Andrew lost his job.
What happened to Andrew was a targeted phishing attack. The attacker used a people-exploit to circumvent normal safety and security protocols.
We later learned that the person claiming to be from HR had used Rebecca’s social media pages (specifically her Facebook page), to know when her vacation would begin. We also found out that Rebecca’s offices were targeted in a simple way – the company’s LinkedIn page had extensively promoted her being named the employee of the month and detailed her work with the company.
Some attacks are not as targeted, but are as effective.
In one situation, the attackers had built a list of all of the employees working at a company. They then simply used an email corresponding to their name, in the company (i.e., john.doe@somecompany.com). The attacker scripted something to run through the list, automatically sending emails to phish for targets.
“But, all we have to do is check where the email came from, right!?”
That is true. But when you have an immediate, do or die email, verifying carl@trustedcompany.com and not a malicious email like carl@trustecompany.com doesn’t always happen.
*Tip: Whitelisting can help, especially when using email filters to ONLY receive email from the company’s domain name.
The most important takeaway from these two examples is clear – never trusted, always verify. This doesn’t have to lead to a disrespectful action against customers. One phone call is quick enough to know whether a contact via email, phone or text is real.
In another instance, one of spearing and whaling, we had a CEO targeted and successfully infiltrated. The attacker had learned about the CEO, and their favorite college team. If you are like most people, you follow and post about your alma mater on Facebook and Instagram. They then slowly built smaller phishing attacks to lower level employees about the CEO.
In a few months, they were able to directly contact the CEO with what appeared to be acceptable authority within the company from other employees.
And that was that…
The hacker sent a link for a ‘cool video about *college-X*’, and upon clicking it, nothing happened. Well, nothing the CEO could see. What he was missing was that the video file link was actually a script that installed a key-logger. This small piece of software records and sends keystrokes to the end user (the hacker).
Over the next months, the CEO and the business went about day to day operations. Until a call from his bank alerted him to the fact that most of his account was gone, wired to another account. Not only this, but the attacker, we later learned, had actually collected information from the company databases. Our assumption was that they then sold that information.
To receive your free Cybersecurity for Pittsburgh Business guide, simply enter your email and click on the button. You’ll receive a link and see, as soon as possible, how secure your business is!
Not every solution is the exact same. We recommend consulting a company like Preferred IT Solutions, someone that knows about cybersecurity and how to prevent data breaches and attacks.
With that said, there are some simple things that you can do to become more secure in your business. Below you will find 6 simple steps that any business can use to become more secure doing business today.
Simply put, you need to secure the parts of your business that communicate with other parts and with your clients. If your internet is not secure, or your website is not secure, or your devices and WiFi are not secure, then you are asking for trouble.
Locks = security – that simple.
For all devices there are physical locks that you can use to prevent people from viewing and extracting data. As well, digital access controls like whitelisting, passwords and even encryption and keys can aid your business in preventing hacking.
If you have a website that sells things, whether they are services or products, they need protection. Specifically, you should never enter your credit card details on any page that doesn’t have the little lock (HTTPS/TLS encryption). What surprises many of our clients is that ALL pages on your website need a similar measure of security.
Education is the best deterrent for employees becoming victims of hacking and phishing attempts. Past these discussions and training, a standard method of best practices should be created and reviewed by ownership, management and all employees (and even outside vendors).
One big tip: Upper management and ownership must participate in these meetings and educational trainings just like every other employee.
A piece of hardware or software will have an update issued for a very good reason – ‘something’ needs fixed.
For many pieces of software, updates are usually to fix vulnerabilities and exploits in them. This is why Windows usually sees a 9:2 ration of security updates versus system feature updates.
After reading this article, you know a lot more about cybersecurity and digital data security than you did. But an article or two on the internet is no replacement for the experience and knowledge a professional like Preferred IT Solutions can give.
In this article, we’ve covered a lot of ground. We’ve looked at defining basic cybersecurity for your business, as well as defining what those particular attacks are called. We’ve also covered how some of our customers have been targeted and attacked, and how you can avoid the same. Finally, we looked at some simple steps in reclaiming your business security today.
The question now is ‘where do you go from here?’
Our answer, whenever someone asks the same is to hire professionals with experience and years of knowledge that can help your business before a hack, not after. From what our customers have experienced, you spend 3 to 10 times the amount on correcting a successful hack rather than preventing all of them.
Target, Wendy’s, Chipotle, Capital One, FDNY and many other organizations thought that their security was the best it could be and still got hacked.
Don’t be left trying to answer the question ‘what do we do now?’.