Bad things happen to companies
These businesses were unlucky - you don't have to be
Your business may be at risk on a daily basis. Viruses, attackers and even accidental user errors are serious threats with serious consequences. The following disaster stories illustrate these threats with real world examples of malicious activities and their results. The stories underline the importance of taking preventative measures, because each threat can be minimised or even avoided. Refer to the Small Business Computer Security Checklist to find out how. For more information about how the internet works and how attackers operate see An Introduction to Criminal Hacking, Viruses, and Malicious Activities.
In April 2003, internet users around the world started receiving emails containing pornography from friends and relatives. Others found their internet access terminated because they were accused of sending spam emails. Still other people found themselves signed up to newsletters they didn't want. Clearly, something peculiar was going on.
As accusations flew around the internet, people realised that a new virus known as Klez was responsible. The Klez virus used several tricks that helped it spread quickly. First, it tricked users into thinking that infected emails were being sent by real people by using addresses from the infected users' own address books. This trick had the added effect of clogging up email systems with unnecessary warnings, replies, and recriminations. Then, the virus tempted users into opening infected messages with beguiling subject lines like "a very funny web site" or "undeliverable mail".
As if this virus weren't enough, later versions of the virus made users' own files the vehicle for infection. Klez would trawl through an infected computer's hard disks, pick a likely looking document, infect the document, then forward the document to other users by email. In many cases, people's private files were sent out into the public domain in this way.
Klez exploited a problem in the Microsoft Outlook email software that had been discovered and fixed years earlier with free, downloadable updates from Microsoft. Antivirus software developers became aware of it and updated their detection software within hours, yet the virus raged for several months. In other words, this destructive and aggressive virus was preventable. Klez was one of the most destructive viruses of 2003, but it is only one of thousands of viruses that appear annually.
Email spoofing and identity theft
"I admit it. I'm a big fan of eBay. I've been using it for years as a sales outlet for some of my more interesting merchandise. Recently, I got an official-looking eBay message letting me know that my service was about to be suspended. I clicked the link in the e-mail, went to what I thought was an eBay site, filled in some personal information, and submitted it. Only later did I realise that something was wrong. I went to the eBay website and figured out that I'd been tricked into sending my personal information to some unknown source."
Sending email that looks like it comes from someone else is an old trick known as email spoofing. For the most part, email spoofing is used to get you to open a simple piece of spam because you think it's from someone legitimate - an annoying but fairly harmless activity. A different type of email spoofing, like the example described above, is known as phishing and is more dangerous. Typically, an attacker sends an email that looks very much like it comes from an official source (such as eBay or Microsoft). Links in the email take you to a website that also looks like the real thing. However, the site is just a front, and the goal of the scam is to trick you into giving away personal information, sometimes for spam lists, sometimes so that the perpetrators can steal your account information or even your identity.
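The mismatch at the heart of the phishing story above (a link that displays one address but leads somewhere else) can be checked mechanically. The following Python script is an added example and not part of the original article; the HTML message it inspects is constructed for illustration, and the look-alike host name in it is made up.

```python
# Added example (not from the original article): flag links in an HTML email
# whose visible text shows one domain but whose href actually points elsewhere,
# the trick behind the spoofed eBay message above. The sample is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the first link displays an eBay URL but leads
# to a look-alike host; the second is a genuine-looking link with plain text.
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you verify your details at
<a href="http://ebay-secure-login.example.net/verify">https://www.ebay.com/signin</a>
or read <a href="https://www.ebay.com/help">our help pages</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-case hostname of a URL; a bare domain like www.ebay.com also works."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def find_mismatched_links(html):
    """Return the hrefs whose visible text is itself a URL or domain on a
    different host: the classic sign of a phishing link."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != host_of(href):
            suspicious.append(href)
    return suspicious
```

A mail gateway or a user-side add-in applying this check would have flagged the message in the story before anyone clicked; the plain-text "our help pages" link is left alone because its text makes no claim about where it leads.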
"I was getting my boarding pass at the airport. I had my notebook bag right by my feet. I thought I was taking good care of it, but I didn't feel a thing when it was stolen." A stolen computer can fetch up to 50 percent of its retail price. No wonder so many get stolen.
This story is repeated thousands of times a year, and it doesn't end when the notebook computer is replaced. Lose a notebook computer and you often lose vital, even confidential, information. That could cost your business much more than the computer is worth.
Given the number of computers stolen every year, it is surprising how few users bother to encrypt their data or use strong passwords that prevent unauthorised access. It is also surprising how few small businesses train their staff on basic security measures.
A war driver is a new breed of criminal hacker. Anyone with a notebook computer, an inexpensive wireless network card, freely downloaded software, and an antenna made from a can of potato chips can hack into wireless networks in homes and companies from hundreds of feet away.
Many wireless networks are completely unsecured. Indeed, many manufacturers of wireless devices leave encryption turned off by default. Users often don't enable wireless encryption or use any other added security measures, making it a pretty easy task for anyone with a wireless setup to find and exploit the connection. War driving is more than a geek prank: some intruders seek to access files and damage systems. Fortunately, securing a wireless network is relatively easy, and the majority of war drivers can be deterred or deflected by a few simple steps.
James worked for a successful advertising firm. His computer had a problem, so he called his technical support person. The technician arrived quickly, logged into the network using an administrator password, and fixed the problem. Under pressure to get to the next job, the technician scuttled off as soon as he finished. He did not, however, log out of the system. James, being curious, decided to look around a bit. He quickly found a spreadsheet with information on the salaries of all his co-workers. He made a mental note to ask for a substantial pay rise.
Luckily for his employer, James was only after a raise. Imagine if he had been a disgruntled employee bent on revenge. Would you like your entire staff to know how much you are paid or have access to the entire company's payroll information? What would that information be worth to your competitors?
Technology can help prevent instances like this, but technology is only part of the answer. The best hardware and software are not enough if you don't also have good policies, procedures, and training in place.
Jill, the manager of a small commercial website that sells niche software, was pleased with her new site, which was a big improvement on the old one. The company now had its own web server and broadband connection, and they no longer had to pay someone else to host the site. Jill went home content on Friday night.
On Monday morning when Jill got back to work, it was a different story. Over the weekend, criminal hackers had gained access, deleted her carefully crafted site, and replaced it with pornography. In addition, hundreds of thousands of people had been avidly downloading pictures from the site over the weekend. Her bandwidth usage had shot through the roof, and the company was facing a bill for thousands of dollars. Jill's boss had already started to receive emails from customers complaining about the site.
An antivirus software developer reported earlier this year that corporate servers receive, on average, 30 attacks a week. Most of these attacks are from dedicated amateur attackers known as script kiddies, who, without much knowledge, use tools that are freely available on the internet to probe networks for weaknesses. These tools scan the internet randomly looking for vulnerable systems, then exploit any weaknesses they find. With such tools available, a small anonymous company is potentially as much at risk as a well known multinational corporation.
Many of these tools exploit known issues that can easily be fixed by installing updates. For example, in 2001, a group of script kiddies calling themselves the Sm0ked Crew used a well-known vulnerability in web server software, for which an update had already been released, to deface websites belonging to Intel, Gateway, Disney, and The New York Times. The update was available long before the attack, but many administrators had simply not installed it. Taking sensible precautions in general, and using up-to-date software in particular, would have easily prevented the attack.
If companies do not take basic security measures to protect themselves against teenagers with widely available tools, how can these companies defend themselves against skilled, experienced attackers with malicious intent?
Kevin was the managing director of a growing architectural firm. With 30 employees and a number of multinational clients, the company relied on its email system to keep in touch. In particular, employees used email to track change requests from their clients, so it was a vital part of the company's business. Then, one afternoon, the email server had a catastrophic hardware failure, and the data became corrupted.
"No problem," thought Kevin, "our support guy has a backup, so we can just restore it from that." In fact, the company had an elaborate tape library and dutifully kept offsite copies of its critical backups. It was only after a day's work of trying to restore the email system from the backup tapes that they realised the data hadn't been properly backed up. They had never noticed the problem and had never tested to see whether restoring the data worked properly. They did not have any kind of disaster recovery plan in place.
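The lesson of Kevin's story is that a backup is only proven when a restore from it has been tried. The script below is an added example, not something from the original article or from the firm described: it backs up a directory, restores the archive into a scratch location and compares file hashes, so a copy that cannot be restored is caught before the day it is needed. The mailbox files and the truncated archive are constructed for the demonstration.

```python
# Added example (not from the original article): a restore test for backups.
# It writes a tar archive, restores it somewhere harmless and checks that every
# file comes back identical; a truncated archive, like a damaged tape, fails.
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def make_backup(source_dir, archive_path):
    """The 'backup job': write every file under source_dir into a gzip tar."""
    source_dir = Path(source_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in source_dir.rglob("*"):
            tar.add(str(p), arcname=str(p.relative_to(source_dir)), recursive=False)

def verify_restore(source_dir, archive_path):
    """Restore the archive into a scratch directory and return True only if
    every file comes back byte-for-byte identical to the live data."""
    expected = hash_tree(source_dir)
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                tar.extractall(restore_dir)
        except (tarfile.TarError, EOFError, OSError, zlib.error):
            return False  # unreadable or truncated archive: the restore fails
        return hash_tree(restore_dir) == expected

def demo():
    """Constructed scenario: a complete backup passes, a truncated copy fails."""
    with tempfile.TemporaryDirectory() as work:
        mail_dir = Path(work, "mailstore")
        mail_dir.mkdir()
        for i in range(3):  # three constructed mailbox files of random bytes
            Path(mail_dir, f"mailbox{i}.mbx").write_bytes(os.urandom(4096))
        good = Path(work, "good.tar.gz")
        make_backup(mail_dir, good)
        data = good.read_bytes()
        bad = Path(work, "truncated.tar.gz")
        bad.write_bytes(data[: len(data) // 2])  # simulate a damaged copy
        return verify_restore(mail_dir, good), verify_restore(mail_dir, bad)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run on a schedule against the real backup set, a check like this turns "we have tapes" into "we have restored from the tapes", which is the difference that would have saved Kevin's firm a day of lost work.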
Information security isn't just about getting the right hardware and software; it is about getting the processes right and concentrating resources on business