Cyber criminals infiltrate even small businesses

I read an interesting article in the Wall Street Journal today entitled Cyber Criminals Sniff out Vulnerable Firms.  It’s the story of a small business owner in New York whose company was broken into by cyber criminals who stole $1.2 million from its bank accounts, although the owner was later able to recover about $800,000 of that.

The moral of the story is that small businesses feel they are not a major target for online thefts like these: big companies have more money, so they would be the logical target.

Yet statistics prove otherwise.  According to the Verizon 2012 Data Breach Investigations Report, small businesses are frequent targets for hacker intrusion:

[Chart from the Verizon 2012 Data Breach Investigations Report]

So while it is true that large businesses have more money to steal, they also frequently have more resources dedicated to implementing security.  Smaller firms use off-the-shelf software like firewalls, A/V software and spam filters.  Those give the most bang for the buck because they don’t require a lot of human capital after the initial installation.

The trouble is that because it’s off-the-shelf, hackers can acquire it too and try to reverse engineer it to get around it.  A large company has the same software, but it also has dedicated departments whose job it is to enforce security compliance and monitor whether anything is wrong.  Thus a hacker has to dodge software at the small business, but software plus humans at the big business.  For some hackers, the cost/benefit ratio is better for small businesses.

The owner of the business didn’t know how he got hacked.  He was running Windows 7 (which is more secure than previous versions) and connected to the Internet through an internal firewall.  The company’s computers were running A/V software.  In other words, he was doing everything that security experts tell people to do.  One theory from the WSJ:

Experts say that it's possible that after one of Mr. Keilson's staffers tried to log onto the website for the company's bank, a virus may have redirected him or her to a fake page that looked identical to the bank's site.

If the employee typed in a username and temporary password provided by a secure-ID token, the virus might have sent that information to a thief who could have quickly logged into the bank's real website to make money transfers before the temporary password changed.

Passwords created by tokens tend to be valid for about two minutes, say Web security experts. It's important to note that Mr. Keilson isn't able to confirm that this is what happened.

Compromised accounts are among the toughest to deal with. That’s why they have become a favorite with spammers over the past couple of years (as opposed to using bots to send out spam directly).

One tactic for catching them is performing statistical analysis and looking for deviations from the norm.  For compromised accounts that send out spam, it is typical to see someone go from sending a handful of messages a day under normal circumstances to sending out tens of thousands once they are hacked.

Cyberthieves had made off with $1.2 million, wiring the money through nine transactions of about $150,000 each to three major U.S. banks and one Chinese bank.

Mr. Keilson, an ordained rabbi and attorney who co-founded Lifestyle Forms & Displays in 1985, said the business normally makes just one or two wire transfers a day totaling no more than $300,000.

The article doesn’t say how long it took the thieves to make off with the money, but if the business normally makes 1-2 transfers per day then I will hypothesize they most likely did it overnight.  The business could use this knowledge as part of its detection algorithms – if any transaction is more than $200,000, or the running sum of transfers is more than $300,000, disallow the transaction and require manual clearance.  In the article, the business now requires verbal clearance for all outbound transactions, which is fine, but the algorithm is another layer of protection.
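As an added example (not code from this post, the WSJ article or the business involved), here is that rule set turned into a small Python screening routine. The per-wire limit and the running daily total are the numbers proposed above; the third rule, a "normal daily count" baseline, is the same deviation-from-the-norm idea described earlier for spam volume, applied to the number of wires per day. The dates, amounts and destination labels in the sample are constructed to resemble the overnight burst the article describes, and the reason strings and function names are my own.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable

# Limits from the post's proposed rule set: the business normally makes one or
# two wires a day totaling no more than $300,000.
PER_TRANSACTION_LIMIT = 200_000   # hold any single wire above this
DAILY_SUM_LIMIT = 300_000         # hold once the day's running total exceeds this
NORMAL_DAILY_COUNT = 2            # baseline wires per day; more than this is a deviation

REASON_SINGLE = "single wire exceeds per-transaction limit"
REASON_SUM = "running daily total exceeds limit"
REASON_COUNT = "more wires today than the normal daily count"


@dataclass
class Wire:
    when: datetime
    amount: int
    destination: str  # constructed label, not a real account or bank


@dataclass
class Decision:
    wire: Wire
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def screen_wires(wires: Iterable[Wire]) -> list[Decision]:
    """Screen wires in time order; per-day state resets at midnight.

    Held wires still count toward the day's running total and count: the
    attempt itself is the signal, and ignoring held attempts would let a
    thief keep retrying just under the single-wire limit.
    """
    daily_sum: dict = {}
    daily_count: dict = {}
    decisions = []
    for w in sorted(wires, key=lambda x: x.when):
        day = w.when.date()
        reasons = []
        running = daily_sum.get(day, 0) + w.amount
        attempted = daily_count.get(day, 0) + 1
        if w.amount > PER_TRANSACTION_LIMIT:
            reasons.append(REASON_SINGLE)
        if running > DAILY_SUM_LIMIT:
            reasons.append(REASON_SUM)
        if attempted > NORMAL_DAILY_COUNT:
            reasons.append(REASON_COUNT)
        daily_sum[day] = running
        daily_count[day] = attempted
        decisions.append(Decision(w, allowed=not reasons, reasons=reasons))
    return decisions


def summarize(decisions: list[Decision]) -> dict:
    """Totals a reviewer doing manual clearance would want the next morning."""
    return {
        "released": sum(d.wire.amount for d in decisions if d.allowed),
        "held": sum(d.wire.amount for d in decisions if not d.allowed),
        "held_count": sum(1 for d in decisions if not d.allowed),
    }


def build_sample() -> list[Wire]:
    """Constructed input, not data from the article: one ordinary day with two
    wires, then an overnight burst shaped like the theft the post describes
    (nine wires of about $150,000 each). Dates and destinations are made up."""
    ordinary = [
        Wire(datetime(2012, 6, 4, 10, 0), 120_000, "supplier-A (constructed)"),
        Wire(datetime(2012, 6, 4, 15, 30), 150_000, "supplier-B (constructed)"),
    ]
    burst = [
        Wire(datetime(2012, 6, 5, 2, 5 * i), 150_000, f"unknown-{i} (constructed)")
        for i in range(9)
    ]
    return ordinary + burst


if __name__ == "__main__":
    decisions = screen_wires(build_sample())
    for d in decisions:
        status = "ok  " if d.allowed else "HOLD"
        print(f"{d.wire.when:%Y-%m-%d %H:%M} {status} ${d.wire.amount:>9,} "
              f"{d.wire.destination}  {'; '.join(d.reasons)}")
    print(summarize(decisions))
```

On the constructed burst the first two overnight wires clear: $150,000 is under the per-wire limit and the running total lands exactly on $300,000, which the rule does not treat as exceeding. From the third wire on, both the running-sum and the daily-count rules fire, so the screen holds $1.05 million of the $1.2 million. The gap shows why the daily-count baseline is worth having alongside the dollar limits, and each hold carries its reasons so that whoever does the manual clearance sees at a glance why the wire stopped rather than facing an unexplained queue.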

Verbal clearance works if there isn’t a lot of manual work involved.  But when clearance gets noisy and there are many requests per day, people start to ignore them and look for shortcuts.  When you scale up in size, you need a way to alert when something deviates from the norm; otherwise you’re barely doing better than with no monitoring at all (because people just file the alerts away and don’t look at them in real time).

Keeping track of deviations from the norm works when hackers and spammers make large, sudden changes in behavior.  It doesn’t work as well if they fit into established patterns.  Those are still difficult to detect.

Catching those requires another set of security policies.