independent trusted partner building secure business solutions protecting your information...

Independent Trusted Partner Building Secure Business Solutions

Protecting your Information

InfusionPoints, LLCSecure Business Solutions

HUBZone & Veteran-Owned Small Business

Michael A Figueroa, CISSPSenior Vice President

[email protected]

Cyber Security for Small Business and Financial Fraud Potential

mailto:[email protected]

Confidential – © 2010, InfusionPoints, LLC – All Rights ReservedDistribution Prohibited Beyond Target Audience Without Author Consent 2

InfusionPoints – Secure Business Solutions

• InfusionPoints combines a unique blend of business and technology skills to help our clients with their critical security and privacy initiatives.

• We help our clients work through these challenges by developing an enterprise, strategic vision and roadmap that recognizes the management and technology of security and privacy as an integral part of your business solutions.

• Our security and privacy solutions focus on business needs by: – Defining key security and privacy strategies, – Developing secure enterprise architectures– Developing enterprise security and privacy roadmaps– Managing and implementing critical security and privacy initiatives

• HUBZone & Veteran-Owned Small Business


Agenda

• The nature of contemporary attacks on small businesses

• Small business security studies

• What businesses can do and how can we help

• Open discussion about controls businesses can implement


Contemporary Cyber Attacks on Small Businesses



Small businesses are under constant attack and the losses are beginning to mount


How are cyber criminals targeting our businesses and getting away with it?• Breaking into computer networks and embedding bugs

viruses, and Trojans• Bypassing passwords or copy-protection in computer software

and deleting files• Defacing and/or damaging Web sites• Attacking a web site or network and preventing legitimate

users from accessing the site or network • Stealing valuable information such as passwords and credit

card data • Destroying files, sites, networks, and e-mails


Hacker tools and techniques


Attacks against businesses have consistently grown in every aspect, from sophistication to impact• Threat agents are evolving to move away from many random

attacks to broad targeted attacks that maximize “revenue” and minimize detection

Password GuessingSelf-Replicating Code

Password CrackingExploiting Known Vulnerabilities

Disabling Audits

BurglariesHijacking Sessions

Sweepers

Sniffers

DistributedAttack Tools

Denial of Service

GUI

Packet Spoofing

Network Management Diagnostics

Automated Probes/Scans

WWW Attacks

“Stealth”/AdvancedScanning Techniques

1980 1985 1990 1995 2000 2005 2010

Intr

uder

Know

ledge/

Att

ack

Sophis

tica

tion

High

Low

Attackers

Back Doors

Zombies

BOTS

Morphing

Malicious Code


Criminal networks have also been busy building their capabilities to generate consistent cash flow• The organizations are starting to mimic

traditional business structures– “Executives” manage the organization as

corporate directors– “Profilers” specialize in finding information

• They may leverage specially designed call centers to conduct social engineering

– “Software Developers” design and develop the attack tools

– “Attackers” specialize in conducting the attacks• They may leverage existing botnets under

service provider contracts– “Human Resources” recruit and manage

financial transfer resources• “Money Mules” are hired as financial

consultants to facilitate money transfers


Anatomy of a Botnet Cyber Attack


Standard banking practices offer no recourse to the affected businesses• Once the attacker is able to conduct the wire transfers, the

money is unrecoverable– Domestic electronic money transfers will not raise any red flags

regardless of whether a company commonly uses them– Direct wire transfers are largely anonymous and attackers can use

them to easily move money around the world

• Business accounts lack the same level of anti-fraud protections that consumers enjoy– Most small business owners believe that the bank will refund them for

losses due to inappropriate electronic transfers– Even when the target alerts the bank in a timely manner of suspicious

activity the bank is under no obligation to cover monetary losses

• This attack has closed many businesses, and has hit public utilities, school districts, universities, etc.


Small Business Security Studies



A recent study that focuses on small business security practices describes how daunting the challenge is*• Small businesses store important company related data on their

computer systems – 65% store customer data, 43% store financial records, 33% store credit card

information

• Business owners have an abstract understanding of security issues– 6% fear the loss of customer data and 42% believe that their customers are

concerned about the security of their business– 58% believe their data is not any safer in the last 12 months and 7% believe

it is less safe

• But, their access to security resources is severely limited– 86% do not have anyone focused on security– 53% check their computers to ensure that anti-virus, anti-spyware, firewalls

and operating systems are up-to-date– 20% say they use the minimal threshold of security to protect customer and

employee data

*Source: 2009 NCSA / Symantec Small Business Study, October, 2009, staysafeonline.org


Another study shows the business owners may detect issues but don’t know how to respond*• More than half of small businesses have been a victim of

fraud or online crime in the last 12 months• 37% had an issue with phishing emails, 15% were victim to

card not present fraud and 15% experienced IT system issues such as viruses and hacking

• One third of businesses currently do not report fraud or online crime to the police or banks, as they ‘believe that it would not achieve anything

• More than half of the respondents wanted clearer information about how and where to report these types of crime, and 44% want a specifically named contact in their local police force responsible for tackling fraud and online crime

*Source: Inhibiting Enterprise: Fraud and Online Crime Against Small Business, February, 2009, www.fsb.org.uk


What Can Small Businesses Do to Prevent CyberFraud?



Small business owners are getting pushed into risky activities outside of their core business• Electronic Banking:

– Business banking accounts typically allow for electronic account (ACH) transfers even if the business doesn’t typically use them

– Most small businesses make payments using checks or credit cards, but banks don’t require prior approval for ACH transactions by default

– Withdrawing money from an account electronically requires little to no authentication, relying instead on legacy banking transaction methods

• Internet Banking:– Accessing most accounts requires only a username and password while in-

person banking often requires a government-issued ID– Banks typically do not monitor where accounts are being accessed from

and cannot adequately verify that the host is authorized– Despite widespread ignorance to banking online safely, banks are imposing

monthly fees to “encourage” business owners to move banking to the Internet• Consumers are not faced with the same problem


Small business owners should first determine what they have that’s worth protecting• Rule #1: Don’t be complacent

– It’s one thing to have no control, it’s another to relinquish it out of ignorance

– Attacks can and do happen, but they don’t have to impact the business– Ask questions of service providers (including banks) about how they will

respond should an attacker infiltrate business accounts• Understand the business liability

• Rule #2: Assess and monitor business risks– Follow the money to identify where the business is weakest, especially

where it lacks control but is still liable for any issues• Electronic transfers• Internet banking

• Rule #3: Get help when needed– Don’t trust the service provider outright, they will look after their own

interests first


We are working to find new resources to help protect small businesses, but the results are very limited• Establishing a Government Program Management Office

– Discussions with several government organizations have been encouraging, but there has been little movement to date

– Agencies like the idea, but small business losses haven’t warranted greater attention by anyone but the FBI, and that only in minor form

• Working with Banks, Telecommunications and Services Providers– They place most of the blame on the business despite actively

marketing risky services to them

• Working with Vendors – The security industry doesn’t really understand the constraints that

small businesses operate under• Ex: How does a small business buy separate appliances for network

protection, threat detection, virus prevention, etc.?• What’s the ROI for the business?


We are working in parallel to provide new resources to help small businesses help themselves• Established the CyberSecurityForSmallBusiness partnership to

provide a wide range of assistance, support, and solutions– InfusionPoints– Blue Glacier Management Group– Stratum Security

• Conduct free Cyber Security Lunch and Learn seminars– Local Chambers of Commerce– Local Economic Development Associations

• Developed a Cyber Security website for Small Businesses, Partners, and Members


As security professionals, we need to accept responsibility for helping small business owners• Use an “Adopt a Business” technique to help business owners

better understand their risks– Start by creating a culture of security to better protect the business

bottom line and be less likely to incur liability– Promote an understanding that cyber security is good for business and

helps prevent cyber crime on customers, fellow businesses, and our country

• Challenge vendors and service providers to do more– Engage in debates to help the industry evolve

• Ex: Why do anti-virus vendors make so much money preventing <50% of new malware infections?

• Ex: How can intrusion detection systems be considered effective if they only trigger on massive events when new attacks trend to reduce traffic?

• Ex: What are the key takeaways that a small business owner should take away from their marketing?


Some more resources to help educate us

• WWW.CYBERSECURITYFORSMALLBUSINESS.com

• www.us-cert.gov

• www.staysafeonline.org

• www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity

• www.esrmo.scio.nc.gov/MalwareThreatsandMitigationStrategies.ht

m

• www.whitehouse.gov/blog/Protecting-yourself-online

• www.uschamber.com/sb/security

• csrc.nist.gov/groups/SMA/sbc

• www.onguardonline.gov• www.ic3.gov

http://www.staysafeonline.org/

http://www.staysafeonline.org/

http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity

http://www.esrmo.scio.nc.gov/MalwareThreatsandMitigationStrategies.htm

http://www.esrmo.scio.nc.gov/MalwareThreatsandMitigationStrategies.htm

http://www.whitehouse.gov/blog/Protecting-yourself-online

http://www.uschamber.com/sb/security

http://www.onguardonline.gov/

http://www.ic3.gov/


Open Discussion on Security Controls



What are your thoughts on how small businesses can protect themselves?

• Multi-factor authentication challenges

• Browser/OS segmentation

• Out-of-band approvals


Thank you!

Contact Information

124 W Kapp StDobson, NC 27017Tel: 704-464-3161


Email: [email protected]: www.InfusionPoints.com

Contact Information

124 W Kapp StDobson, NC 27017Tel: 704-464-3161


Email: [email protected]: www.InfusionPoints.com



http://www.infusionpoints.com/



http://www.infusionpoints.com/

independent trusted partner building secure business solutions protecting your information...

Documents

small business michael

target audience

rights reserveddistribution

business needs

small businessescyber

critical security

technology of security

key security