Archives For small business security

Speaker Notes for Tomorrow’s Session in Cincinnati…

This morning I am headed to Ohio to meet with business leaders in the Cincinnati area – Another Digital Money session on Stopping Hackers!

If you provide IT services to businesses, I hope you’ll consider doing one of these with me at some point. Every business needs it, and most don’t understand the threats they are up against.

It’s a busy fall for us. Last week we wrapped up a session in San Francisco with large reseller executives, then headed down to work with a large sales team in Irvine, CA.  And tomorrow, Cincinnati, a session sponsored by InTrust-IT…

The Most Frequently Misunderstood Truth In Small Business

The big question always comes up: “Why would anyone want my data? After all, we’re just a local business. There’s nothing interesting here.” I think Verne Harnish answered that question last week. If you’ve read his books, Rockefeller Habits and Scaling Up, you know he runs a small business with very little in the way of infrastructure. Like me, he’s a speaker and a business coach, supported by a small team. Yet his blog post tells the story of a $400K ruse that caught him and his team completely by surprise.

Why small business? Because small businesses still have money: they take out loans, process credit cards, and have bank accounts and payrolls. Today’s hacking tools are largely automated, so sending out hundreds or thousands of scam emails costs the attacker very little time. When one lands, the attacker follows up. And small businesses are largely unprotected against this sort of thing.

It might be a fraudulent invoice or a request for an ACH or wire transfer. In Verne’s case he writes, “They sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places.” This is getting more and more common. The more data we put online about ourselves, the easier it is for someone to impersonate us!

Tomorrow’s Session is About Digital Money and the Value of Data

Digital Money, my latest book, goes into detail on this. Data aggregation is in motion, pooling our data in one place where it can be analyzed.

There are several major data aggregators out there doing this. The idea is to collect enough data to profile YOU, usually for some analysis or marketing effort. We’re seeing it used right now in the election. That’s right. The candidates are leveraging this data to figure out who is likely to be on the edge and needs a push. The data tells them both who to target and how to influence them.

That data in the hands of a hacker lets the hacker act just like Verne, or whoever they need to be, and issue orders to the team. Verne’s on stage in Russia; meanwhile his team is getting instructions to transfer funds. Will they? Of course. They’ve received these requests in the past, and they were real. There’s no reason to question them now, and the hacker knows that. These attacks are well scripted and highly successful, and the likelihood of prosecution is low.

Can it be stopped? Not completely. But there are ways to reduce the risk, and that moves us to a managed security program involving people and technology equipped to deal with these common attacks: a program that detects these threats early, before data has been compromised, and stops them before damage is done. Tomorrow, my goal is to give our audience the business-level understanding they need to make wise decisions going forward, and then to point them to the tools and process they’ll need to combat these attacks in the coming year.

© 2016, David Stelzl


One Thing to Look For In Your Next Security Assessment…

If You Want To Convert To Projects & Managed Services

Are you assessing your client’s data security? More importantly, is your assessment turning up urgent issues? A week or so ago I posted on finding urgent issues: the bot is your client’s number one enemy. Do you know what you’re looking for?

We’ve become lazy. Too many security assessments depend on scanners to find open ports and missing patches. As I mentioned in a recent post, missing patches are not urgent in themselves, though they may be one of the reasons your client has bots on the network. But if you can’t come up with any bot activity, it’s hard to get the client to see why the patches matter.


So Exactly What Are We Looking For? How Do You Find A Bot?

In the House & Cloud book I recommend using a pro-bono assessment to build justification. If the company you’re calling on sees value in you, there may be an opportunity to actually do some business. If not, you can’t expect them to just sign up and try you.  The assessment is the perfect service to both build justification and rapport.  But you had better find something urgent if you’re going to unseat the competition.  The Bot is your answer.

This is especially true in small and midsize businesses. They lack the security technologies needed to detect and stop the installation of botware on their computers, so chances are, if you look, you’ll find it. So what is a bot? It’s malware that puts your client’s computer under the remote control of an attacker, who then uses it, along with thousands of others, for whatever the botnet has been built or rented out to do. It comes in through email attachments, infected websites, or downloads.

Your job in a pro-bono assessment is simply to find evidence of bots (or something else that is just as urgent). Don’t worry about over-analyzing what they are and where they came from. If they exist, it means botware can get in and the company is not properly detecting and stopping it. Your job is not to prove an imminent disaster. Bots are bad, even if they are dormant when you find them.

Bot Symptoms – Like Burglars, They Make Noise

When a bot infects a computer, that computer becomes a zombie. The bot software installs itself and begins to carry out its function on that system, a set of instructions to do something. That “something” is often detectable! While no one can stop every bot from getting in, early detection and response is the key to minimizing the impact. Some of these symptoms include:

  • PCs begin communicating with known Command and Control servers (C&C). “In the traditional botnet, which includes a C&C server, the bots are typically infected with a Trojan horse and subsequently communicate with a central server using IRC. The botnet might be used to gather information such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to start sending spam or begin a DDoS (distributed denial of service) attack,” – WhatIs.Com
  • IRC stands for Internet Relay Chat. While there are legitimate uses for this type of traffic, chances are your SMB client is not purposely using it. So if IRC traffic is detected, you should assume something is wrong. Further investigation may be needed, but it would be out of scope, so report it as “highly likely” symptomatic of malware. Keep in mind that many bots now talk to their C&C over HTTP or HTTPS instead of IRC, so the absence of IRC traffic is not a clean bill of health.
  • There may also be unusual DNS activity from these systems (bots frequently look up large numbers of random-looking or rapidly changing domain names to locate their C&C), or there may just be reports of slow computers bogged down by these background processes. Of course, a slow machine may simply be a cluttered Windows computer in need of repair.

How Do You Detect A Bot?

Most of the assessments I review never mention botware or zombies. They only talk about patches and ports. The scans they are using produce little or no information that the client will find interesting.

While it is possible to run detection tools on each PC, “polymorphic viruses” (malware that changes its own code with each copy) have pretty much defeated traditional signature-based AV. Your client may need some education on this before moving ahead.

The alternative is to look at the network. As we mentioned, IRC traffic is probably not authorized traffic, so that’s the first thing I would look for. While it is possible to use a packet sniffer here, network switches make this more difficult: a switch only delivers traffic to the port it is addressed to, so you need a mirror (SPAN) port or a tap to see everyone’s traffic. What you would be looking for is plaintext IRC commands (NICK, JOIN, PRIVMSG) on the wire. IRC runs on port 6667 by default, but the entire range (6660-6669 and 7000) must be checked.

If you can access firewall logging, mass mailing over SMTP can be detected from a central location: a workstation sending mail directly to many outside mail servers, rather than through the company mail server, is often a sign of botware being used to send spam. Is spam urgent? Yes! Sending it is illegal in itself in many jurisdictions. But chances are it carries something worse, such as illegal pharmacy marketing or, worse, child pornography. Make sure your client understands what would happen if they were suspected of distributing either one. For one, their family would be ruined long before they could prove their innocence.

If many endpoints on the network simultaneously hit a single external site, that can also be a sign. This would be the case if the C&C had instructed the bots to launch a distributed denial of service attack (DDoS).

Note: Don’t expect to find this activity in your client’s server and email logs. Bots talk directly from the infected workstation rather than through the company’s normal mail and application servers, so the evidence lives in the firewall, proxy, and DNS server logs, which is why you want access to those.
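Here is what the three network checks above (IRC ports, direct mass mailing over SMTP, many hosts hitting one outside address) look like as code run over an exported connection log; it also covers the symptom list under “Bot Symptoms”. This is an added example, not the author’s tooling or any product’s output. It assumes the firewall can export one line per outbound connection in the key=value form shown, that the client’s internal network is 10.0.0.0/8 with its mail server at 10.0.0.2, and the sample log is constructed for illustration.

```python
"""Triage exported outbound-connection records for the bot symptoms above:
IRC-port traffic, direct mass mailing over SMTP, and many internal hosts
hitting one external address at once (the DDoS pattern).

Added example, not the author's tooling. Assumed: one line per outbound
connection in the key=value form of SAMPLE_LOG, and an internal network of
10.0.0.0/8 whose mail server is 10.0.0.2.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed client LAN
IRC_PORTS = set(range(6660, 6670)) | {7000}        # 6660-6669 and 7000
SMTP_PORT = 25

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<nbytes>\d+)$"
)

# Constructed sample export. The only legitimate SMTP here is 10.0.0.9
# handing mail to the internal mail server 10.0.0.2.
SAMPLE_LOG = """
2015-09-14T10:02:11 src=10.0.0.12 dst=203.0.113.5 proto=tcp dport=6667 bytes=1200
2015-09-14T10:02:14 src=10.0.0.12 dst=203.0.113.5 proto=tcp dport=6667 bytes=800
2015-09-14T10:03:05 src=10.0.0.31 dst=192.0.2.10 proto=tcp dport=25 bytes=600
2015-09-14T10:03:06 src=10.0.0.31 dst=192.0.2.11 proto=tcp dport=25 bytes=610
2015-09-14T10:03:06 src=10.0.0.31 dst=192.0.2.12 proto=tcp dport=25 bytes=590
2015-09-14T10:03:07 src=10.0.0.31 dst=192.0.2.13 proto=tcp dport=25 bytes=600
2015-09-14T10:03:08 src=10.0.0.31 dst=192.0.2.14 proto=tcp dport=25 bytes=605
2015-09-14T10:05:00 src=10.0.0.9 dst=10.0.0.2 proto=tcp dport=25 bytes=900
2015-09-14T10:10:00 src=10.0.0.7 dst=198.51.100.77 proto=tcp dport=80 bytes=300
2015-09-14T10:10:01 src=10.0.0.12 dst=198.51.100.77 proto=tcp dport=80 bytes=300
2015-09-14T10:10:01 src=10.0.0.31 dst=198.51.100.77 proto=tcp dport=80 bytes=300
2015-09-14T10:10:02 src=10.0.0.44 dst=198.51.100.77 proto=tcp dport=80 bytes=300
"""

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")


def parse_flows(text):
    """Parse the export, skipping blank or unrecognised lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                              m["proto"], int(m["dport"]), int(m["nbytes"])))
    return flows


def outbound(flows):
    """Yield only internal -> external connections; internal chatter is ignored."""
    for f in flows:
        if (ipaddress.ip_address(f.src) in INTERNAL_NET
                and ipaddress.ip_address(f.dst) not in INTERNAL_NET):
            yield f


def irc_talkers(flows):
    """Internal hosts that connected to an external IRC port: {src: {dst, ...}}."""
    hits = defaultdict(set)
    for f in outbound(flows):
        if f.proto == "tcp" and f.dport in IRC_PORTS:
            hits[f.src].add(f.dst)
    return dict(hits)


def mass_mailers(flows, min_destinations=5):
    """Hosts delivering SMTP straight to many outside servers: {src: count}.
    A workstation should hand mail to the company mail server, not deliver
    to dozens of MX hosts itself."""
    dests = defaultdict(set)
    for f in outbound(flows):
        if f.dport == SMTP_PORT:
            dests[f.src].add(f.dst)
    return {s: len(d) for s, d in dests.items() if len(d) >= min_destinations}


def coordinated_targets(flows, min_hosts=3, window_seconds=5):
    """External addresses contacted by >= min_hosts distinct internal hosts
    within window_seconds: {dst: peak number of distinct hosts}."""
    by_dst = defaultdict(list)
    for f in outbound(flows):
        by_dst[f.dst].append(f)
    peaks = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        lo = 0
        for hi in range(len(fl)):  # sliding time window over sorted flows
            while (fl[hi].ts - fl[lo].ts).total_seconds() > window_seconds:
                lo += 1
            hosts = {f.src for f in fl[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                peaks[dst] = max(peaks.get(dst, 0), len(hosts))
    return peaks


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("IRC talkers:", irc_talkers(flows))
    print("Mass mailers:", mass_mailers(flows))
    print("Coordinated targets:", coordinated_targets(flows))
```

The thresholds (five distinct SMTP destinations, three hosts within five seconds) are starting points to tune against the client’s normal traffic, and the IRC check only catches the older style of botnet; a host with no IRC hits but a steady stream of HTTPS connections to one unfamiliar address deserves the same scrutiny.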

This May Sound Technical But It’s Not

In most cases you have someone technical working with you, if you yourself are not that technical. But if you’re in sales and you don’t really understand the urgencies listed on the deliverable, neither will your client.

There are a few terms here that border on bits and bytes, but with a few Google searches you should be able to nail them down and communicate them in simple language to your client.

There’s an enormous amount of business waiting on the other side of this blog post. Learn these few concepts, locate the urgent issues in your next assessment, and be able to share the results (business impact) with your prospect. The rest is easy.

…quod erat demonstrandum

Copyright 2015, David Stelzl


100% Signed Up To See If Their Data Is Safe!

Yesterday’s event in Las Vegas was a great success. We had representatives from the local cybercrime enforcement unit of the Las Vegas Police Department, as well as the Fire Department, along with just over 20 business leaders. Delon Lukow, President of ProStar, offered an assessment to each attendee as a thanks for attending. This initial assessment will help business leaders determine whether there are in fact symptoms of data theft, or major holes in their security strategy. Every person there agreed to take this first step.

After the meeting I had the opportunity to meet with Lukow to review the most important elements of small business risk, and what risks small businesses are most likely to face. It is ProStar’s mission to help educate business leaders in this region, to take a more proactive stance against cybercrime.  My hope is that more SMB focused technology companies will sponsor these types of events.

© 2015, David Stelzl

Thanks again to our sponsors including Cox Communications and Nuvestack!