SEMA News—May 2013
New Wave of Hacker Technology Threatens Unsuspecting Businesses
Regularly making chump meat of the most sophisticated of computer defenses, hackers will be unleashing a new wave of malware in the coming year on the unsuspecting—many of whom will be completely unprepared, according to Sophos, a computer-security firm.
“Cybercriminals tend to focus where the weak spots are,” said Gerhard Eschelbeck, chief technology officer at Sophos. “Protecting data in a world where systems are changing rapidly and information flows freely requires a coordinated ecosystem of security technologies.”
Perhaps even more disturbing, hackers will be increasingly targeting small- and medium-size businesses, according to Mark Brophy, director of information technology at Rogers Townsend & Thomas. The reason, he said, is that defenses of smaller businesses are generally weaker, and these less-protected systems are seen by hackers as easy back doors to the much larger clients those businesses trade with. Essentially, once hackers penetrate the relatively weak defenses of a small business, they can plunder the data on its network to go after their bigger-game clients, according to Brophy.
Not surprisingly, many giant and multinational corporations are hip to the trend, and they’re responding by performing tough security audits of their smaller trading partners. If they find a security risk, many decide to simply pull work from the offending business rather than risk a “break-in by association,” according to Brophy.
Small- and medium-size businesses looking to pass these hard-nosed audits—or reassure trading partners that their mutual data is safe—will need to convince trading partners that they have a hard IT perimeter. And they’ll need to show defenses against some of the newest threats looming in the coming year.
High on the list of the new and the brutal is cloud-server-snapshot software. An insidious intruder, snapshot software can infect a cloud server where a business stores its data and take a complete snapshot of all the data that’s there—including passwords, Eschelbeck said. Meanwhile, increasing numbers of hackers are also using text-messaging theft software, which is surreptitiously added to the phones of unsuspecting users. Once activated, the software forwards all text messages sent to that phone to a hacker, Eschelbeck said.
“The potential exists for attacks like these to target Internet banking services,” he said. “Many banks send authentication codes to your phone. Malware on your phone is capable of intercepting those messages.”
Sophos has also detected increasing use of “ransomware” against small- and medium-size businesses. These apps can infect both phones and computers and render the devices inoperable. Hackers inflicting the software on businesses often demand major dollars for its removal. Not surprisingly, they rarely—if ever—follow up on removal even if the business does pay the ransom, according to Eschelbeck.
A Sophos employee at work neutralizing would-be hackers.
Yet another new threat is coming from computer users with average skills who can become formidable hackers with superkit software, according to Eschelbeck. These do-it-yourself packages often offer more than a dozen state-of-the-art ways to infiltrate even the most sophisticated cyber defenses. Criminals buying the software on the black market don’t really need to know how it works; they simply need to know how to point and click.
Granted, businesses of all sizes should be using firewalls and other network protections to help neutralize hacker break-ins. And most businesses realize that even the most sterling of computer security defenses can be thwarted without similar vigilance at the individual-device level.
“End-user computers are the weakest spot,” said Shane Sims, director of investigations and forensic services for PricewaterhouseCoopers. “Typically, these computers are protected only by antivirus software, and the most sophisticated hackers attack at that point.”
But dollar for dollar, the best return on an investment in computer security is employee education, according to Brophy. Take the time to educate new employees about the critical need for computer security, he said. And continually reinforce top-of-mind security with regular e-mail tips, tricks and news about IT security.
Once you have the organization sufficiently alerted, the computer security experts recommend these best practices:
Read the rest of the article, "Easy Prey," in the May 2013 issue of SEMA News.