Cyber Plot Highlights Need For Vigilance
The huge global cyber-espionage ring revealed by computer security firm McAfee is a grim reminder that even small businesses can't ignore IT security.
A huge global cyber-espionage ring has been running for the past five years, stealing corporate data from up to 70 companies in over 14 nations, according to data released by computer security firm McAfee--a grim reminder that IT security is paramount for businesses of all sizes.
While small businesses will not likely find themselves the direct targets of corporate espionage, the data collected in the course of even a small firm's daily business may be of interest to cyber-thieves, particularly data related to customers' financial payments. Credit card and other banking information is a highly lucrative target, and many small businesses can be on the receiving end of computerized burglaries without even realizing it.
That's because the method of attack outlined by McAfee in its report this week can be leveled against corporations, small businesses, and individuals alike. And all it takes is one employee answering one malicious email.
The attack even has a clever name: spear-phishing, which is basically a personally targeted email to someone in a company (large or small) who has more than the usual access rights to other computers in that organization. The message can seem to come from a colleague and be as innocuous as "Hey, check out this site, it's hysterical." Or something seemingly more professional, such as a forged note from the IT department that requests you to confirm your login and password information by visiting the "IT Web site."
High-value individuals, such as the ones targeted in the operation exposed by McAfee, may receive very well-crafted fake messages or even a series of messages from a seemingly legitimate contact to build the trust factor even higher before delivering the actual phishing message.
Once delivered and clicked by the unsuspecting victim, the link will open the "funny" or "official" page in the user's browser, at the same time surreptitiously downloading a small packet of software code that takes advantage of known vulnerabilities within the browser, bypassing the computer's normal security routines. This malware code is referred to as a remote access tool (RAT), which will park itself all nice and quiet-like on your company's computer hard drives, invisibly providing access to the computer for anyone who knows it's there.
Small businesses are often targets for this kind of RAT attack, since RAT malware can easily be programmed to find high-value data (like credit card and bank data) and send that quietly along to the RAT authors. It's a low-risk attack for cyber-criminals, since no resources are wasted on infecting computers that have nothing of value for the criminal, and the odds of being detected are very low.
It's a prevalent problem, too: my own inbox gets about one or two of these types of spear-phishing emails a week, most detected by my spam filters. The ones that get through are often rather clever, though I am further protected from these attacks by the fact I run Linux instead of Windows. But I am a geek by nature, so that helps me. What can the average small business user do?
First, make sure you and your employees know that they should refrain from surfing and answering personal e-mails on work machines. That's a start, but since cyber-attackers can just as easily send phishing messages to a work e-mail account, it's not perfect.
A stronger approach is to dedicate a machine in the business place to email correspondence and have nothing else on that machine. If that machine is a non-Windows PC (such as Mac OS X or Linux), so much the better. You can leave that machine connected to the network, but only if the user account information for the email PC is different from the user accounts for the computer(s) with the financial data. If you have multiple employee machines, it might be easier to flip that around and segregate the financial data machine(s). That way, if a user's machine is compromised by a RAT attack, their machine's information can't be used to log into the computers with all of the secure data.
The only way these solutions work is if remote login on the data machines is turned off, and the login information on the high-value computers is different from what a user would use elsewhere on the network. The accounting worker for a small business, for instance, would have to use one login/password for the computer with the financial data and another username/password combination for the rest of the network.
Other technological solutions include turning off your browser's capability to run scripts when it opens a website, and above all else, keep your browser updated. There are still, for instance, thousands of users who are running Internet Explorer 6, which is probably the most security-hole-ridden piece of software in history. Even Microsoft thinks so. Keep updating your software. It's not perfect, but it helps. (For more on how to choose the right browser for your company, see Harry McCracken's latest AllBusiness column: It's Time To Choose A New Web Browser.)
None of these approaches are perfect. Good spear-phishing can fool even the most savvy person on an off day. And throwing up obstacles that make it harder for malware to be loaded onto a high-value computer will help prevent many mistakes, but not all. But with your company's data and your customer information on the line, security diligence is very much worth the effort.
Brian Proffitt is a veteran technology journalist, analyst, and author with experience in a variety of technologies, including cloud, virtualization, and consumer devices. Follow him on Twitter @TheTechScribe and Google+ at +Brian Proffitt.