Large businesses have become accustomed to cyber attacks and have IT departments that invest in cyber protection methods to protect the businesses from the criminals.
However, many small and medium-sized businesses are poorly protected from data theft or a ransomware attack and have become targets for cyber criminals.
Business owners and managers need to be alert to the risks of a cyber attack and aware of the steps that should be taken to protect their businesses from cyber criminals. While it is impossible to prevent a determined cyber criminal from successfully attacking a business, the steps described here are a strong deterrent that will persuade most attackers to move on. For the worst case, where an attack succeeds, the business owner should make preparations now to ensure a full recovery without paying the attacker.
Why do cyber attacks occur?
Cyber attack threats occur because most businesses rely on information technology as the business management tool. Before businesses used computers, the only concern was about thieves entering the building to steal money. Locks on the doors with intruder alarms kept the thieves out.
Today businesses use computers for the administration of inventory, money, customers and sales. Businesses communicate using the Internet with messages, emails, conferences, purchasing, shipping and selling.
Thieves can break into the business computers and steal information and sell it on the dark web. Thieves can also threaten businesses with extortion using ransomware, from anywhere in the world. Cyber attack payments are demanded in crypto-currency that is difficult to trace.
Businesses must install cybersecurity methods and tools
Businesses must install cybersecurity methods and tools for protection against cyber theft and extortion. Large businesses have an IT department to plan cybersecurity deployment. Unfortunately, many small and medium business owners are not aware of the threat from cyber criminals until it is too late, and therefore do not make adequate cybersecurity investments.
Criminal groups are skilled in theft and extortion. The groups are located in rogue countries that are not friendly with the USA and operate blatantly without regard to US law. There are also state-sponsored groups that have financial, political and military objectives. The US State Department lists the states that sponsor cyber attacks, and the US government prohibits the sale of certain technologies to these states. The states shield the attackers, so the US judicial system has no access to them.
Cyber criminals are most successful at attacking businesses and public entities that invest the least in cybersecurity: education departments, government agencies, smaller healthcare firms, etc. Cybersecurity investments have to be made before a cyber attack is attempted. After a successful cyber attack it is too late.
What are cyber criminals looking for when they attack?
Data theft is one reason why cyber criminals attack a business. The cyber criminals get access to the business data servers using one of several cyber attack methods. The criminals copy the data from the business data server to the criminals' own data server. If the data has value to a third party, the criminals will sell the data via the dark web.
- Defense company weapon design
- Pharmaceutical company drug information
- Manufacturing company product design
If the data has sensitive information then the criminal will extort a payment from the company by threatening to expose the data publicly if money is not paid.
- Healthcare company patient records
- Accounting firm customer financials
- Government department taxpayer information
Ransomware attacks are increasing very quickly. Ransomware extortion has become very popular with cyber criminals because it puts a lot of pressure on the business owner to quickly pay what the criminal is demanding. Ransomware is an easy method of extortion for the criminal, and most small businesses pay because they are not prepared for the attack.
What happens once an attack starts?
The attack starts when the criminal gets access to the business's data servers and encrypts the business data so that the business staff no longer have access. The criminal demands a ransom payment in exchange for the key to unlock the data.
- In 35% of cases the key is not provided after the ransom is paid.
- In 10% of cases the key is provided after the ransom is paid, but the criminal then demands a second ransom payment, otherwise the business data will be exposed publicly. This is called double extortion.
Criminals do not need technical skills to attack a business computer system; they can contract the cyber attack from a ransomware-as-a-service criminal business (RaaS), which will get a percentage of the ransom.
There are two methods of cyber attack, direct and inside. A direct cyber attack is an attempt by the cyber criminal to access the business network remotely; there are several channels:
- Break through the Internet router using a known exploit
- Break into an access port that is used by remote employees, usually by stealing a password through social engineering
- Break into a third-party computer system that is connected to the business network and then get access to the business
The success or failure of the direct attack depends on how well the business has installed cybersecurity:
- Install a firewall to block access from the Internet
- Install multi-factor authentication for remote employee access (a code is sent to a mobile phone to get access)
- Install an authentication method for 3rd-party data connections that imposes strict access rules
Without cybersecurity the attack is easy. With good cybersecurity a direct attack is almost impossible; the criminal will give up and move on to the next victim.
An inside attack requires the cyber criminal to trick a member of staff into installing software on the computer that gives the criminal access to the computer and bypasses the firewall. The business employee is tricked using a method called phishing, so what is a phishing cyber attack?
A phishing attack requires sending emails to many business employees. The message impersonates some business or entity that the user recognizes. The message describes some problem that requires an urgent solution by clicking a link in the message.
The email link calls the cyber criminal's website to download and install a Trojan virus. A Trojan virus is a small software program that gives the cyber criminal remote access to the user's computer. The cyber criminal then has access to the computer network and data servers. The user is not aware that the remote criminal is using the computer to steal business data or plant ransomware to lock the business data.
Phishing is the #1 method that criminals use to launch a cyber attack for data theft or ransomware extortion. This method is successful 98% of the time. After installation, the Trojan virus gives the cyber criminal remote access to the computer using the following procedure.
- The computer calls the cyber criminal bypassing the firewall
- The cyber criminal replies to the message with instructions
- The cyber criminal programs the computer to get access to the data servers
- The user is not aware that the cyber criminal is using the computer in the background
- The cyber criminal encrypts the server data files with ransomware
Finally the cyber criminal puts a ransom message on the computer screen demanding a payment in crypto-currency to get the key that unlocks the data.
Big businesses have big IT departments and big budgets to pay for cybersecurity that will protect them from cyber attacks. Small and medium size businesses require a cybersecurity plan that will protect them from a cyber attack for a reasonable cost. A simple 3-step plan is presented in the following sections.
- STEP 1: Train staff to recognize a potential attack, provide a hotline to an IT person who can investigate
- STEP 2: Upgrade the network infrastructure, add the locks and alarms to keep the bad guys out
- STEP 3: Prepare a recovery plan for the worst case, the best criminals can pick the strongest locks, be prepared
Cybersecurity investments are essential for any size of business to protect from an attack by cyber criminals.
STEP 1: Staff awareness training
Business employees are the first line of defense. Cyber criminals will most likely attack the staff to get access to the business data; often with a phishing attack or attempted password theft.
The training is to help staff recognize the signs of a cyber attack. Staff should have a hotline to call if an attack attempt is recognized. The hotline should be to a skilled IT person who can immediately investigate the threat. This might be an external IT service provider or cybersecurity consultant. Once a threat is identified the clock is running until the criminal installs ransomware, so act quickly to remove the threat before it is too late.
The cybersecurity awareness staff training should include the following subjects:
- Explain what a cyber attack and ransomware are
- Explain the damage that a cyber attack will do
- Explain the additional security procedures required
- Explain the methods that cyber criminals use to attack
- List the precautions that staff must follow
- Provide a cybersecurity awareness document
- Ask staff to report a possible attack using the hotline to the cybersecurity consultant
- Ask staff members to identify improvements for the cybersecurity procedures
It is important to encourage and reward staff participation in the cybersecurity awareness training, as staff are the first line of defense to identify potential risks. Never admonish a staff member who falls for a phishing attack by mistake; criticism will discourage people from reporting attacks.
STEP 2: Network infrastructure upgrades
Network infrastructure in any business usually has several weak points where the cyber criminal can attack. Each of the weak points has an upgrade described in this section with the 5-step infrastructure plan.
The 5-step network infrastructure upgrade plan is as follows:
- All staff computers must have updated anti-virus
- Frequently update security patches for all software and firmware
- Install a firewall between the network and the Internet if one is not installed
- Add a Zero Trust network access (ZTNA) end-point security firewall between the network and all devices, local users, remote users and 3rd-party connections, with rules for access; allow user access only with multi-factor or at least 2-Factor authentication
- Monitor network access locally at the end-point security and alert on any attempted unauthorized access; use cloud management for remote monitoring by the IT service provider
1) Install anti-virus on each user computer, update frequently
The attack technique most frequently used by cyber criminals is to install a Trojan virus on a user computer through a phishing message. The cyber criminal then has control of the computer. Anti-virus may block an attempt to install a Trojan virus if the user clicks on a phishing link. When this happens the user must advise IT security. The important anti-virus steps are listed below:
- Do not permit a computer to connect to the network without anti-virus installed
- Ensure that all anti-virus installations are frequently updated with the latest versions
2) Frequently update software and firmware security patches
All software and equipment vendors issue security patches when a security weakness has been found. Cyber criminals exploit the security weaknesses to attack the network. Some software vendors have automatic security patch updates; Microsoft Windows has automatic updating and cloud applications are updated automatically. However, Windows must be updated to the most recent version, as older versions are not supported. Most equipment vendors do not have automatic firmware updates.
Every company should have IT staff or an IT service provider who is checking for available software and firmware updates and installing them. The upgrade process should be a weekly exercise for all businesses. Big company IT departments will automate the process to roll out updates.
3) Install a firewall between the network and Internet
Reduce or eliminate the risk of a direct attack on the network from the Internet by installing a firewall; many different firewall products are available. With no firewall installed the ISP router can be easily attacked because the cyber criminal identifies the router type and its vulnerabilities. Businesses do not update router firmware with the latest security patches, so routers are easy to attack. Once the cyber criminal has access to the router, server IP addresses can be identified for the ransomware attack. The cyber criminal then attacks the server using known software vulnerabilities. This is easy for the criminal if the business did not update the server software with security patches.
The firewall effectiveness depends on the configuration, so it is essential to call an expert to configure the product. The firewall firmware requires periodic updates with security patches.
4) Install Zero Trust network access (ZTNA) end-point security to authenticate devices and users
Zero Trust network access (ZTNA) security is implemented using a dedicated gateway product. Any device or user connecting to the network must always be authenticated before access is granted. 2-Factor user authentication is essential.
Features of the Authonet Zero Trust gateway are listed below:
- Verify MAC of device; if approved, user can connect
- MAC not verified: user required to enter password
- MAC not verified: user required 2FA with OTP
- Verify MAC of device: user required to enter password
- Verify MAC of device: user required 3FA with OTP
- Specify allowed / blocked network IP range
- Specify allowed / blocked Internet public IPs / domains
- Monitor status of identified devices in the LAN network
- List the authenticated users
- List IP requests that are not authenticated; check for intruder
- List failed authentication; send alert to admin
Cybersecurity experts agree that Zero Trust security with multi-factor authentication is the single most important investment that gives the biggest cybersecurity benefit. Many large businesses already have Zero Trust security with MFA. Most small and medium businesses do not have Zero Trust security and no MFA.
Zero Trust network access cybersecurity technology has the following characteristics:
- Zero Trust network cybersecurity means never trust, always verify
- All devices and users must connect through Zero Trust cybersecurity, which protects business data, software and infrastructure using strict protocols, and monitors network traffic for suspicious behavior or potential threats
Zero Trust has four principles that are implemented by a Zero Trust end-point firewall:
- Identity verification and authentication of every user and device that is attempting to access the network. Verification uses device identity checks and multi-factor authentication (MFA) of users
- Users and devices are given access only to the specific network resources they need to perform their tasks, in order to limit the potential damage that can be caused by a compromised device
- Users have restrictions imposed on access to Internet services that block interaction with potential attack vectors and compromised websites
- Continuous monitoring of network activity can identify potential threats and provides the opportunity to take effective action quickly
With a Zero Trust end-point security firewall installed, user network access can be verified using multi-factor authentication. 2-Factor authentication (2FA) is a subset of multi-factor authentication (MFA). Multi-factor authentication is an essential part of Zero Trust.
Many people are familiar with 2FA as most banks require it to access account information. The procedure is simple and illustrated in the following figure.
- The user opens a login screen and enters a password
- A one-time password (OTP) is sent as a text message to the user's phone, usually a 6-digit numerical code that is valid for a limited time
- The user then enters the code in the login screen and gets network access
2-Factor authentication blocks cyber criminal access after password theft and is a deterrent; when most cyber criminals see that the network has 2FA they give up and move on to the next victim. Any business seeking cybersecurity insurance will be asked by the insurers to install 2FA network protection.
5) Monitor network access locally and via the cloud
Network access is monitored using the Zero Trust security gateway, which logs network access to provide a real-time display of:
- Connected devices that requested an IP address but did not authenticate
- Failed authentication attempts
- Alerts of failed access attempts
When failed access attempts are persistent it is essential to call a security expert to investigate. A cloud managed end-point security firewall allows the IT service provider to monitor the business network remotely.
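The gateway feature list, the 2FA procedure and the monitoring display above can be modelled in one small policy engine. The following Python is an added example written for this page; it is not Authonet's code and the MAC addresses, users, passwords and IP addresses are constructed. It assumes one policy row from the feature list (approved MAC connects directly, unknown MAC needs password plus a time-limited 6-digit OTP) and records unauthenticated IP requests and failed attempts the way the monitoring section describes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data for this example only (MACs, users, IPs and passwords are made up).
APPROVED_MACS = {"aa:bb:cc:dd:ee:01": "alice"}                    # device identity check
USER_PASSWORDS = {"alice": "correct horse", "bob": "battery staple"}  # plain text only for the demo
POLICY = {"known_mac": "connect", "unknown_mac": "password+otp"}   # one row of the gateway feature list
OTP_TTL = 120            # seconds a 6-digit one-time code stays valid
ALERT_THRESHOLD = 3      # failed attempts from one IP before the admin is alerted


@dataclass
class Gateway:
    unauthenticated_ips: set = field(default_factory=set)  # got an IP but never authenticated
    authenticated: dict = field(default_factory=dict)      # ip -> user
    failed_by_ip: dict = field(default_factory=dict)
    pending_otp: dict = field(default_factory=dict)        # user -> (code, expiry)
    alerts: list = field(default_factory=list)
    sms_out: list = field(default_factory=list)            # stand-in for the SMS channel

    def dhcp_request(self, ip):
        """A device asked for an address; it is listed until it authenticates."""
        self.unauthenticated_ips.add(ip)

    def _grant(self, ip, user):
        self.unauthenticated_ips.discard(ip)
        self.authenticated[ip] = user
        return "granted"

    def _fail(self, ip, reason):
        n = self.failed_by_ip[ip] = self.failed_by_ip.get(ip, 0) + 1
        if n >= ALERT_THRESHOLD:
            self.alerts.append(f"{ip}: {n} failed attempts ({reason})")
        return "denied"

    def login(self, ip, mac, user, password, now=None):
        """Step 1 of the 2FA procedure: device check, then password, then send an OTP."""
        now = time.time() if now is None else now
        rule = POLICY["known_mac" if APPROVED_MACS.get(mac) == user else "unknown_mac"]
        if rule == "connect":                      # approved device: user connects directly
            return self._grant(ip, user)
        expected = USER_PASSWORDS.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return self._fail(ip, "bad password")
        if rule == "password":
            return self._grant(ip, user)
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code, sent to the user's phone
        self.pending_otp[user] = (code, now + OTP_TTL)
        self.sms_out.append((user, code))
        return "otp_required"

    def verify_otp(self, ip, user, code, now=None):
        """Step 3 of the 2FA procedure: the code is single use and expires after OTP_TTL."""
        now = time.time() if now is None else now
        entry = self.pending_otp.pop(user, None)    # consumed whether or not it matches
        if entry is None:
            return self._fail(ip, "no pending code")
        expected, expiry = entry
        if now > expiry:
            return self._fail(ip, "expired code")
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return self._fail(ip, "wrong code")
        return self._grant(ip, user)
```

Persistent entries in `failed_by_ip` and `unauthenticated_ips` are the signals the monitoring display surfaces for the IT service provider to investigate.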
STEP 3: Prepare a ransomware attack recovery plan for the business data
Even with the best cybersecurity precautions there is still a small probability of a successful ransomware attack. All businesses should prepare and test a recovery plan that will restore business operations in a short time without paying the ransom demand. Small and medium businesses can work with an IT services provider to prepare the recovery plan. It is essential that the plan is tested and updated periodically, for example, each quarter. In addition to restoring business operations it is necessary to investigate how the criminal was able to access the network and block that path; if this is not done the criminal will attack again.
A ransomware recovery plan requires backup hard drives to be kept for all computers and data backups of the business data. Frequent data backups are the first step and essential to implement a recovery plan. Backup data must not be stored on the local network, as the cyber criminal will attempt to encrypt the backups before encrypting the database. The data backups must be offsite and must not be accessible on-line. Data files are backed up frequently, daily or hourly. Previous data backups are kept for some time, 1 month or more. If a cyber criminal attacks with ransomware then the last few backups may be corrupted. All staff should store personal files on a cloud account for easy restoration.
Prepare and test a ransomware attack recovery plan with the following points:
- Write an attack recovery procedure, plan a budget
- Back up business data daily or hourly to offsite storage
- Keep 1 to 3 months of backups for a recovery history
- Have multiple drives prepared to install on computers
- Have the IT service provider ready for a recovery
- Test the procedure periodically
If an attack occurs, disconnect the network from the Internet. Next replace the server and workstation drives, and finally restore the data from backups. Do not reconnect the Internet until the attacker's point of entry is found; the cyber criminal will try to attack the restored system. The method of access may have been a user computer, but this is difficult to identify. The only sure method of protection from future attacks is to change all workstation hard drives in addition to the server hard drives.
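The backup rules in the recovery plan (offsite, not reachable online, 1 month or more of history, the last few copies possibly corrupted) can be turned into a restore-point check. The following Python is an added example for this page, not a tool from the page's author; the backup set it builds is constructed, with SHA-256 digests standing in for the manifest a backup system would record when each copy was written.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_RETENTION = timedelta(days=30)   # keep previous backups for 1 month or more


@dataclass(frozen=True)
class Backup:
    taken: datetime
    offsite: bool            # stored away from the business premises
    reachable_online: bool   # mounted or reachable from the business network
    manifest_sha256: str     # digest recorded when the backup was written
    data: bytes              # backup contents (tiny constructed stand-ins here)


def is_intact(b: Backup) -> bool:
    """The contents still match the digest recorded in the manifest."""
    return hashlib.sha256(b.data).hexdigest() == b.manifest_sha256


def eligible(b: Backup) -> bool:
    """Only offsite, offline copies count toward the recovery plan."""
    return b.offsite and not b.reachable_online


def retention_ok(backups, now: datetime) -> bool:
    """History must reach back at least MIN_RETENTION so a clean copy
    survives even when the newest backups were taken after the attack."""
    kept = [b.taken for b in backups if eligible(b)]
    return bool(kept) and now - min(kept) >= MIN_RETENTION


def choose_restore_point(backups, compromise_first_seen: datetime):
    """Newest eligible, intact backup taken before the earliest sign of
    compromise; None if no such backup exists."""
    candidates = [b for b in backups
                  if eligible(b) and b.taken < compromise_first_seen and is_intact(b)]
    return max(candidates, key=lambda b: b.taken, default=None)


def make_sample_backups():
    """Constructed set: 45 daily offsite backups; the last three were written
    after the ransomware ran, so their contents no longer match the manifest.
    One local, online copy is included to show it is ignored."""
    start = datetime(2024, 1, 1)
    backups = []
    for day in range(45):
        data = f"ledger snapshot day {day}".encode()
        digest = hashlib.sha256(data).hexdigest()
        if day >= 42:
            data = b"encrypted by ransomware"
        backups.append(Backup(start + timedelta(days=day), True, False, digest, data))
    local = b"local copy"
    backups.append(Backup(start + timedelta(days=44, hours=1), False, True,
                          hashlib.sha256(local).hexdigest(), local))
    return backups
```

The hash check matters because the attack is often noticed days after the encryption started; the date cut-off alone would still pick a corrupted copy.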
Summary: cyber attack risks
All businesses are at risk from a cyber attack, there are no exceptions. The cost of cybersecurity is much less than the expense of an attack. Businesses face a large financial loss when a cyber attack is successful:
- The cost of the ransom to release locked data
- The additional cost of recovering the business if the cyber criminal does not release the data
- Reputation cost for a business that is attacked, loss of customer trust
- When the cyber criminal sells the business data there is a risk of lawsuits against the business
- Healthcare businesses have a legal obligation to report a data breach to the HHS, and then pay a fine according to the number of patient records breached (HIPAA security)
The essential cybersecurity checklist for a business network is listed below:
- Staff cybersecurity awareness training, frequently repeated, is essential to recognize a potential attack
- A recovery plan will minimize the damage if an attack is successful
- Vigilance: the network admin should be aware of who is using the network and what is being accessed
- Install a Zero Trust network access (ZTNA) gateway to monitor network use; Authonet is an accessible product for smaller businesses
- Install 2-Factor authentication, an essential deterrent
- Have a security expert make regular checkups
- Ensure that software security patches are always installed
- Allow only approved people and devices to access the network
- Computers should be used only on the business network, not removed and used elsewhere
- Don’t allow mobile devices on the network, as they connect to other networks and may carry a virus
- Ensure that connected devices have anti-virus and that USB ports are locked to prevent installation of a virus via USB memory
- Control access to high-risk websites, personal email, etc.
- Access data remotely through cloud storage; do not bring storage devices, like flash drives, into the business
- If staff have to work outside the business, give them two computers
Get cybersecurity insurance
Businesses can protect against the costly damage of a ransomware attack with cybersecurity insurance. Cybersecurity insurance can mitigate the ransomware risk, however the insurers will require cybersecurity investments. Insurers will want proof that six cybersecurity measures have been implemented.
- Internet firewall installed and configured properly
- 2-Factor authentication (2FA) with Zero Trust cybersecurity
- Frequent software security patch update plan
- All computers have anti-virus software with updating
- A tested recovery plan has been prepared
If a claim is made, the insurers will make an inspection to ensure that the cybersecurity measures have been maintained. If the cybersecurity measures have not been maintained, the insurer will not pay out.
Unfortunately cyber attacks are increasing very quickly and eventually every business may be attacked. However businesses with good cybersecurity will never know that a cyber criminal tried to attack and gave up.
Any questions can be addressed to Internet Technology Answers Inc. at the following email address: info@Internettechnologyinc.com