by Timothy McQuiston, Vermont Business Magazine
Most cyber security requirements are self-evident and obvious. But they can be annoying chores that are easily put off, like car maintenance. Getting your car worked on can be expensive and time-consuming. And as with car repairs, cyber security is a hassle, can be expensive and is also necessary, despite the opportunity to procrastinate. But cyber security measures ultimately can save a business much money and a lot of heartache.
John Burton of NPI at a cyber security seminar in June. VBM photo
“It is a bit like going to your dentist or tax accountant… but in the end you have to face it,” said John Burton of NPI in South Burlington.
Cyber security experts beat the drum of staying ahead of the problem, which can cost a small company dearly if its Web site is compromised or its credit card processing system is hacked. New rules coming in October will place much of the cost of stolen credit card information onto the retailers themselves, if they don’t get card chip readers.
Cyber security professionals in Vermont use analogies which invoke your mother because while the technology can be mind-boggling, the consequences of not being diligent with cyber security can result in disaster.
The good news, according to professionals, is that most cyber problems are preventable. But it’s still going to require vigilance and a certain level of suspicion by business owners and managers (even of employees and co-workers), especially for those many small businesses in Vermont which do not have in-house IT.
“You don’t have to spend a lot of money to solve 80 percent of your problems,” Burton said.
It will not require the $100 million that Target has set aside for technical upgrades after its credit card data was famously hacked (the 2013 pre-Christmas cyber theft cost banks $200 million and Target paid another $10 million directly to customers). But it will cost you something for security and peace of mind.
To put the cyber threat in Vermont in perspective, an AARP Vermont study released in June found that 34 percent of adult Vermont residents say they received notification of a security breach at an organization with which they’ve done business in the 12 months prior to taking the AARP survey. One out of eight (12%) of these respondents say they believe the breach resulted in someone using their identity to purchase products or services without their authorization.
When asked by AARP Vermont what action they took as a result of the notification, one in five (19%) say they did nothing, while two out of three increased the monitoring of their bank and credit (61%), nearly half changed their online password with that company (46%), and about one-quarter put a credit alert on their credit file (27%).
Overall, AARP Vermont said that 14 percent of Vermont adults in the last two years have had someone actually rip them off financially, typically through a credit or debit card.
For the most part, it isn’t a software or hardware problem, Burton said, “It’s a people problem,” often with employees who might be poorly trained or, alas, out to rob you.
Misconfigured security systems are the most common problem, Burton said. End-user error, like clicking on a malicious attachment, is second. Only 20 percent of breaches are from someone specifically targeting you.
Burton said that encryption, backups, password-protecting your computer and mobile devices, changing strong passwords regularly and keeping them secure are a chore, but they are necessary and should be your first line of defense.
“A lot of people use lousy passwords. Use very simple things. Why? Because we can remember lousy passwords! We all remember our dog’s name or our kid’s name,” Burton said.
“Don’t share your passwords.” Maybe you call into work. “I’m sick today! Can you log into my computer and run the payroll? Not a good idea.” Have a second login for that kind of contingency that has limited access to exactly what you need done.
People have 10 or 20 passwords now. You may opt to get a “vault” to store passwords with access from a single master password.
And that goes for mobile too. Mobile devices, especially, require diligent encryption and security, Burton said.
“Encrypting mobile data is a good thing. Anything that is a mobile device needs to be encrypted,” Burton said, “everything from personal to business.”
Despite the commonsense nature of all of this, we can all be duped. “Lost” USBs are a common trick among hackers, Burton said. They leave a USB drive, as if it had been accidentally dropped, where someone can find it. You pick it up and, what do you do? Plug it into your own computer to see what it is. Then you’re hacked.
Updating software with the latest versions, Burton said, is vital. Vulnerabilities include missing software patches and using an old OS, such as Windows XP, which is no longer supported by Microsoft.
“The newer are more secure.” But perhaps wait to install the newest version, Burton said, until the first big service pack comes out that fixes the bugs.
“Browsing is a lot of what happens with people in terms of security problems,” Burton said.
“My browser got hijacked once at home,” he said. “It was very frustrating.”
“Call a pro,” said Rubin Bennett of rbTechnologies in East Montpelier. While most of us Vermonters, even without an IT staff, can be pretty sophisticated with electronic devices, the level of the technology and the ultimate risk are too high to rely only on your own street smarts.
And these systems need to be maintained.
“They require care and feeding, just like anything else,” Bennett said.
Burton offered these bullet points for business:
Overall Security Action Plan
- Take stock - Analyze your security needs
- Scale down - Remove unneeded data
- Lock it - Implement network and device policies & controls
- Plan ahead - Review your data protection plan yearly
- Train often - Discuss security tips at each staff meeting
Key Security Behaviors
- Always log in with your own account; don’t browse using an Admin login
- Don’t download/install from untrusted sources
- Don’t respond to pop-up windows
- Use secure connections for sensitive work like banking
- Don’t click on links & attachments or reply to unsolicited email
- Use complex passwords, keep protected, don’t share them and change them often
- Lock your screen or logoff when leaving
- Don’t plug in unknown USB devices
- Encrypt sensitive transfers & stored data
- Protect systems from malware and viruses
- Use a commercial grade, professionally installed firewall and Wi-Fi
- Download & install software updates weekly
- Backup important data and securely store it offsite daily
- Control physical access to computers and networks
- Limit employee access to only data and software needed for their work
- Train employees about your security policies
Website
“You’ve been breached. You have to contact your customers. That’s the low,” Burton said.
Website protection is difficult in part because the nefarious characters are really out to be jerks and are happy to bring down a Website or infect it because they can. It’s sort of cyber vandalism. But of course this can be disastrous to a business that loses its Website even for a short period of time. Businesses are wondering what they must do and can do, given limited staff and limited funds. And what are the priorities?
“First, start by using strong passwords and two-factor authentication where possible on login pages,” recommends Chris Maulding, Information Security Administrator for Twinstate Technologies in Colchester. “Having these in place is a must. Outsourcing to a company that specializes in security and updating services can help keep costs down and allow for you to focus on other IT needs and business processes.”
After beginning with this basic information, Maulding suggests that the next step is to be constantly updating the CMS (Content Management System), Operating system or other systems running a Website.
“Doing so will keep you from being exploited by a piece of software that is out of date and vulnerable,” said Maulding. “There are other measures that can be taken, implementing a Web application firewall that has an Intrusion Prevention System/Intrusion Detection System (IPS/IDS) to protect from malicious attacks. Vulnerability scanning and penetration testing are other steps that require a specialization, as not every IT person knows what they are looking for.”
“Typically a website becomes unavailable due to some sort of attack known as a denial of service,” said Twinstate Technologies CEO, Devi Momot, CISSP, GSLC, GISP. “Basically, this means that the adversary has flooded the site with so much noise and network traffic that legitimate traffic cannot get in or out. The regular, run-of-the-mill denial of service is able to be guarded against by blocking the address that it is being sent from. However, the more difficult denial of service attacks are using multiple places to attack from; and, it is tricky to guard against the numbers that adversaries are able to muster with current technology, as well as the ability of wrong-doers to create nasty malware today. For instance, those wanting to create a hassle for a Website can distribute their malware – the pieces of code that create the “flood” of traffic to many computers on the Internet.”
“These computers could be owned by my grandmother, aunt, uncle, friends and foes; it does not matter,” Momot said. “The wrong-doers can “seed” those computers through a number of methods, and then, their computers start sending traffic to the targeted website.”
Note: If readers are interested in learning more about this topic, it is recommended they do some reading about Botnets.
Rubin Bennett of rbTechnologies said a Web attack “is usually not somebody. It’s usually a ‘bot’ that finds a vulnerability and exploits it.”
The robot is looking for a site to host malicious content. They’re often just developed by kids showing off (the Target breach apparently was designed by a Russian teenager) and seeing how much damage they can do.
“Why they do it? I don’t know,” Bennett said. He said the attacks generally fit the stereotype of someone young from Eastern Europe or Asia.
“A question I am often asked is: Why are we hearing so much about cybercrimes today? What is happening? The truth is that it is easy to be a cybercriminal, very easy, and it is difficult to catch them,” said Momot. “Pair that with nation states that like to cause harm, and whether for a reason of belief or economics, you end up with the situation that we have today. Some countries have formal education to teach criminal techniques of hacking and code writing. Many of these techies are available for hire, with guarantees and technical support to help someone practice cybercrime. The lay person no longer requires any technical skill to enter into the business of cybercrime.”
Some things that readers should be aware of are that the biggest element in the favor of criminals is society’s complacency.
“I attended a Roundtable conference last month in which we were divided into groups,” said Momot. “There were approximately six or eight groups of six or so individuals. The professional backgrounds of the attendees consisted of business, academia, government and cyber security experts, such as with our team. We were asked a number of questions and were all asked to address each question without involvement of the other tables and then report on it. One of the top items that we identified as a major issue facing us, when it comes to cybercrime, is people doing nothing. We believe that individuals are aware they should do something but may not be doing anything at this point. I believe that media, such as VBM, can help to change that. We have encouraged the government members we have come in contact with so far to develop some PSAs around the subject, as well. We all need to work together to protect our privacy, economy and freedom to access resources when and where we want.”
Ted Casassa, Chief Information Officer of Secured Network Services in Littleton, NH, with clients in the St Johnsbury area, offered his expertise on protecting your Website for businesses without in-house security experts.
- If your website looks old and out-of-date, you’re going to be a greater target because the assumption is that the site is less secure and easier to shut down. Keep the software upgraded so the site looks modern. The site can still be simple, but it needs to be updated. Adding fresh content or changing content from time to time helps, too. “If you ignore your site and it looks out of date, it’s likely to be more of a target,” Casassa said. “If it looks like it’s from 1995, that’s not good.”
- When you’re hiring a website service provider, make sure they have some type of security certification. Ask for written proof that they’re keeping it up to date. Make sure they test the site for vulnerabilities on a regular basis.
“The buzz word is penetration testing,” Casassa said. “Is the site tested for security vulnerabilities on a regular basis? You can also hire a third party to do this.”
Overall, he said, “There is no silver bullet for security. So a big part of it is being aware. The more often you do updates, the more apt you are to notice something.
“Always pay to keep everything updated as far as security goes. Make sure everything is up-to-date and everything’s backed up. Everything else is a variable.”
Credit Cards
Recently a dry cleaner and a medium-sized grocer in Vermont were hit by cyber thieves who gained credit card information. This makes sense as the large retailers have bolstered their security after some notable hits. But these smaller entities don't have the means or perhaps don't think they'll be targets. But the thieves probably see them as low-hanging fruit. These are retailers who have a lot of foot traffic and a lot of transactions. Even if they are relatively small transactions, the credit cards can be maxed out if stolen. How can these retailers protect themselves?
According to Devi Momot, these are a few things that Twinstate Technologies recommends, keeping in mind that the team has many more suggestions.
- Don’t ever click on a link in your email that is not verified as legitimate. Pick up the phone, call the person that sent it, and make sure it is REAL. Many hackers are “planting” malware in perfectly innocent owners’ computers and networks using what is called phishing. Today, there are ways to take a legitimate website, such as for a bank, retailer, hospital, or any other, and in a matter of minutes make a replica of that website. The difference is that instead of the information you type into the site for your account, such as account numbers, going to the place you think it is going, it is going into the hands of a criminal.
- Strengthen passwords. Computers today can crack a short eight-character password very easily. Passwords need not be difficult to remember, but they should be difficult for a computer to guess. Passphrases are generally recommended, and these should be at least 12 characters in length with a mix of numbers and special characters. For example: br0wntux3d0m3 can be easily related to “brown tuxedo me”. Also, try to keep your banking, social media, email and business passwords different from each other. It is also commonly recommended that you not use your corporate email address for social media accounts.
If we estimate how long it takes to guess an eight-number password, it is under 30 seconds. By adding letters and a character, and making it 12 in length as compared to 8, the time estimated to crack the passcode can increase into years and years with today’s average computers.
- Third-party connections. Another area that is often overlooked is what third parties have access to in your systems, your employee’s information or other confidential company information. Are they secure in how they are handling the access to that information or the connection to your business? It should become quite standard to request that those who have connections to your systems or have custody of information from your business are asked to provide verification of the privacy and security that you expect for the handling of the assets.
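The crack-time comparison above, worked through as an added example (not the article’s or Twinstate’s code): it estimates how many candidates an exhaustive guesser must try for a password’s length and character classes, and converts that into time at an assumed rate of ten million guesses per second. The alphabet sizes, guess rate and sample passwords are assumptions.

```python
# Alphabet sizes per character class (assumed for the estimate; the symbol
# count depends on which punctuation a system accepts).
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 33

def classes_in(password):
    """Infer which character classes a password actually draws from."""
    used = []
    if any(c.isdigit() for c in password):
        used.append(DIGITS)
    if any(c.islower() for c in password):
        used.append(LOWER)
    if any(c.isupper() for c in password):
        used.append(UPPER)
    if any(not c.isalnum() for c in password):
        used.append(SYMBOLS)
    return used

def search_space(length, classes):
    """Candidates an exhaustive attacker must try: alphabet ** length."""
    return sum(classes) ** length

def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try every candidate of the password's shape."""
    return search_space(len(password), classes_in(password)) / guesses_per_second

def human_duration(seconds):
    """Render seconds in the largest unit that fits, for a report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def compare(candidates, guesses_per_second=10_000_000):
    """Map each candidate to its worst-case exhaustion time. The default
    rate of ten million guesses per second is an assumed, modest offline rate."""
    return {pw: human_duration(seconds_to_exhaust(pw, guesses_per_second))
            for pw in candidates}

if __name__ == "__main__":
    # Constructed sample passwords: an eight-digit password, the article's
    # leet-style passphrase, and a 12-character mix with a symbol added.
    for pw, estimate in compare(["12345678", "br0wntux3d0m3", "br0wn-tux3d0"]).items():
        print(f"{pw:16} {estimate}")
```

This is the attacker’s worst case: cracking tools try dictionary words with leet substitutions before exhaustive search, so a passphrase built from a single dictionary word falls well short of this ceiling.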
“Statistically, the majority of breaches today are rated as low difficulty,” adds Momot. “From our observation, many businesses are not taking some of the most basic protective measures. Those that we find to be inconsistent in most every business are:
(1) Patching of software. A business will generally believe that their patching is kept current so that “holes” in their security are kept to a minimum. With the assessments we have done over the past several years, only one customer has actually done these in a safe and consistent manner.
(2) Antivirus / Antimalware on continuous scan. There are so many new pieces of malware thrown at us every day that these systems will not catch all of the threats. However, AV/AM is still a necessary piece of your defensive measures. If your computer cannot handle processing this continuously, then it is likely time to get a new computer.
(3) Replace your dated firewall technology. Many of the firewalls in use today are dated technology. Since our environments are not one-hundred percent protected from viruses and other malware, we have to assume that, someday, we will be breached. We recommend that customers use technology that can recognize if an external connection is attempting to be made to a bad actor; this may be an attempt to extract information from your business, or something similar. Having services that provide enhanced functions at the perimeter is increasingly important, as is having a service partner actively watching your alerts for intrusions - indeed, a worthwhile measure, as well.”
“Pointing again to statistics, it is likely we will all be breached at some point,” said Momot. “Therefore, we need to have systems in place to detect when that has occurred and management to act on the detection. Detection without a corrective response is just worthless noise. If you react to the incident quickly and effectively there is a great likelihood that you will minimize the negative impact from the breach.”
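Detection of the kind Momot describes, as an added example (not Twinstate’s or the article’s code) run over constructed firewall log lines: it flags outbound connections whose destination is on a blocklist and, going beyond the text, source/destination pairs that reconnect on a near-fixed interval, the check-in pattern of malware reporting to a controller. The log format, addresses and blocklist are all assumed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample egress log (assumed format; not from any real device).
SAMPLE_LOG = """\
2015-08-03T09:14:02 ALLOW OUT 10.0.0.12:51234 -> 203.0.113.45:443
2015-08-03T09:14:02 ALLOW OUT 10.0.0.12:51235 -> 198.51.100.7:443
2015-08-03T09:24:02 ALLOW OUT 10.0.0.12:51301 -> 203.0.113.45:443
2015-08-03T09:34:02 ALLOW OUT 10.0.0.12:51377 -> 203.0.113.45:443
2015-08-03T09:44:02 ALLOW OUT 10.0.0.12:51410 -> 203.0.113.45:443
2015-08-03T09:50:11 ALLOW OUT 10.0.0.33:44122 -> 192.0.2.9:80
"""

# Placeholder blocklist; a real deployment would load a threat-intel feed.
BLOCKLIST = [ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) OUT "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport) for one outbound line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def blocklist_hits(log_text, blocklist=BLOCKLIST):
    """Outbound connections whose destination falls in a blocklisted range."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(ip_address(rec[2]) in net for net in blocklist):
            hits.append(rec)
    return hits

def beacon_candidates(log_text, min_connections=4, max_jitter=0.2):
    """Flag (src, dst) pairs that reconnect at near-constant intervals.
    Returns (src, dst, mean_gap_seconds) for each flagged pair."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_pair[(rec[1], rec[2])].append(rec[0])
    flagged = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Spread of the gaps relative to their mean: small means regular.
        if avg > 0 and (max(gaps) - min(gaps)) / avg <= max_jitter:
            flagged.append((src, dst, avg))
    return flagged

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(SAMPLE_LOG))
    print("beacon candidates:", beacon_candidates(SAMPLE_LOG))
```

Each flag should feed a response procedure, which is the point Momot makes: an alert nobody acts on is noise.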
Ted Casassa had these tips for small retailers:
- Make sure your network is secure to prevent credit card information from being easily accessible by thieves. “Always make sure your point-of-sale systems aren’t on a publicly accessible wireless network. That’s usually the biggest mistake,” Casassa said. “Some people don’t even think of that.”
- Every credit card machine you add multiplies your risk. Keep the number as low as possible. “The fewer machines you have, the less you are at risk,” he said.
- Sometimes credit card theft or fraud is an internal issue, not the work of outside hackers. Know which employees are taking credit card information over the phone and on site, and limit that to just a few trusted people – as few as possible. “Limit that to a couple folks internally, and have cameras. Knowing who these employees are, that’s the biggest thing.”
- Make sure you always know who is accessing the network at a given time. The key to this is never sharing usernames and passwords. You always want to be able to look back and find out who was accessing the network, and when.
- Know that any business accepting credit cards needs to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Standards are more lax for small businesses that have fewer credit card transactions, but many small businesses still do not have the resources to become compliant. “Small businesses struggle with PCI,” Casassa said. “If you’re unsure what to do, hire an expert. PCI compliance is also a lot of work. If you’re a business owner, do you really want to be an expert in PCI?”
- Another point on PCI: As businesses grow, the standards change and become stricter. Companies need to be aware of that threshold and prepare to make changes.
“These (small Vermont) retailers can protect themselves by making sure they are following compliance standards that are in place for the credit card industry and having separate networks for processing credit card data versus day-to-day traffic,” said Twinstate’s Maulding. “This can help greatly. Also, using firewalls and other on-premise security can be helpful.”
Rubin Bennett supports the new card reader requirements for credit and debit cards.
“We’re finally catching up with the rest of the world,” he said. The PCI self-assessment questionnaire alone will help retailers understand their own security needs.
He said retailers should outsource their payment systems completely, including having payments go directly from the card reader to a third party vendor.
“If you’re doing it yourself, you’re crazy,” Bennett said.
While the vendor has often been the source of credit card breaches in the past, using them and the new card readers absolves the retailer of much of the liability.
All the professionals insisted that documents, statements, financial and personal information and especially pieces of paper with credit card information should be destroyed as soon as possible. Some companies still write down customer credit card numbers.
John Burton recommends using a professional service to destroy sensitive documents and electronic data. If you’re shredding documents yourself, use a cross-cut shredder so a “dumpster-diver” can’t just piece them back together.
One cannot start too early to learn about cyber security. Young children have been found to have clicked on a nefarious link or Website while sitting at a parent’s computer.
In June, Norwich University held a week-long pre-college cyber security program for 20 high school students called GenCyber@NU. Funded by the National Security Agency and the National Science Foundation, the program had participants learn and apply basic concepts of programming, forensics and cryptography through a series of gaming, modeling, and simulation activities with peers and faculty mentors in a university setting.
“I believe if we all work together we can improve the security of the Vermont small business community,” John Burton said.
