It’s bad enough to get a bunch of calls from irate suppliers wondering why you haven’t paid bills that are months overdue. But it’s even worse if you have no idea what they’re talking about. That’s how one small business owner found out what it was like to have his entire business hacked and cloned by people he never met and never caught.
Identity theft is one of the fastest-growing crimes in the United States, and businesses are not immune. There were more than 16 million victims of identity theft in the U.S. just last year, which works out to roughly one new victim every two seconds. To put that in perspective, that means there were more victims of identity theft last year than there were reported murders, attempted murders, burglaries, attempted burglaries, arsons, vehicle thefts, purse snatchings, pickpocketings, shoplifting, and check fraud combined. With so many crimes and criminals in circulation, don’t make the mistake of assuming that it will never come creeping into your business.
Did you know that there was, on average, roughly one reported data breach every single day in the U.S. last year? That more than 800 million records were exposed in data breaches last year? Or that the average cost of a data breach is now a staggering $3.5 million?
These are not statistics you want to be part of or costs you want to incur. So remember the following tips as part of your breach prevention program:
So you’re thinking about finally launching your first website. Or you’ve had a website up and running for years, but it’s time for an upgrade, an overhaul, and a brand-new chapter in your online presence.
You’ll have plenty of things to think about and to get right, so just make sure you don’t leave security as an afterthought.
“There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.” Those were the words of a highly successful venture capitalist behind some of the most successful cybersecurity companies. And while the chances of being a victim of a security breach are very high, it’s not a foregone conclusion. There are steps every business should take in order to avoid falling victim, or at the very least limit the damage.
It seems a no-brainer that the recent massive eBay data breach should be a much bigger story than the Target breach. After all, the Target breach “only” affected 110 million customers, whereas the eBay breach affected closer to 150 million.
In what we can only hope is a sign of things to come, law enforcement around the world showed unprecedented cooperation in shutting down a gang responsible for creating and selling a nasty piece of malware that was spreading rapidly around the world.
The malware is a remote access trojan known as Blackshades, allegedly created by a 24-year-old Swedish man who ran his malware operation like a legitimate business. He was very committed to making his malware as popular as possible, hiring a marketing director, customer service representatives, and a customer service manager.
It’s not often we get a chance to attend a security breach postmortem — a step-by-step, hack-by-hack, mistake-by-mistake account of what went so horribly wrong. The U.S. Senate Commerce Committee recently presented its report on the mistakes Target made, and could have avoided, in its recent massive data breach.
The report walks through what’s referred to as an “intrusion kill chain” that highlights all the places Target had a chance to spot the breach and stop it, but missed. For example:
- The hackers were able to identify a potential Target vendor or supplier to exploit because Target made such a list publicly available. That was the starting point for the hackers.
- The vendor targeted had very little security in place. The only malware defense they appeared to have used to protect their business was free software meant for personal and not business use.
- The vendor’s employees had received little if any security awareness training, and especially on how to spot a phishing email. So the hackers used a phishing email to trick at least one of those employees into letting them in the back door.
- Once in the vendor’s systems, the hackers could log in to Target’s vendor portal with the stolen password alone, because Target did not require two-factor authentication for low-level vendors.
- The hackers are suspected of gaining further access from the vendor by using a default password in the billing software the vendor used. If the default password had been changed, the attack might have stopped right there.
- There were few controls in place to limit the access the vendor had on the Target network. Once the vendor had been compromised, Target’s entire network was exposed.
- When the hackers installed their Point of Sale malware on Target’s networks and began testing the malware, that activity was detected by Target’s security systems but the alarms were simply ignored.
- When the hackers created an escape route and began moving the stolen data off Target’s networks, that activity triggered alarms too but once again, the alarms were ignored.
- Some of the data was moved to a server in Russia, an obvious red flag for Target security which once again was missed.
- The login credentials of the vendor were used throughout the attack, yet Target’s security system wasn’t able to detect that those credentials were being used to perform tasks they weren’t approved for.
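The last two points on that list are the kind of thing a simple policy check over access logs can catch: a vendor account is approved for a narrow set of hosts and actions, and any use outside that scope, or any transfer to an address off the internal network, should raise an alert. The following is an added example and is not code from the Senate report or from SiteLock; the log format, host names, account names, internal address range and the allow-list are all assumptions, and the log lines are constructed for the example.

```python
"""Toy scope-violation detector over constructed access-log lines: flag a
third-party vendor account whenever it acts outside the narrow scope it was
approved for. Added example, not from the Senate report or SiteLock; the log
format, host names, account names and the allow-list are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy: each vendor account is approved only for hosts whose names
# start with one of these prefixes, and only for these actions.
VENDOR_SCOPE = {
    "vendor_acme": {"hosts": ("billing-",), "actions": {"login", "read"}},
}

# Constructed internal address range; anything outside it is "off-network".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed log format: key=value pairs, with an optional transfer destination.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+)(?: dst=(?P<dst>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    reason: str


def parse(line):
    """Return the event's fields, or None for a line that is not in the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_event(ev):
    """List every way this event breaks the vendor's approved scope."""
    scope = VENDOR_SCOPE.get(ev["user"])
    if scope is None:
        return []  # not a vendor account; employee accounts need their own policy
    reasons = []
    if not ev["host"].startswith(scope["hosts"]):
        reasons.append(f"host {ev['host']} is outside the approved host set")
    if ev["action"] not in scope["actions"]:
        reasons.append(f"action {ev['action']} is not approved for this account")
    if ev["dst"] is not None:
        try:
            addr = ipaddress.ip_address(ev["dst"])
        except ValueError:
            reasons.append(f"unparseable transfer destination {ev['dst']}")
        else:
            if addr not in INTERNAL_NET:
                reasons.append(f"data transfer to external address {ev['dst']}")
    return reasons


def detect(lines):
    """Run every log line through the policy and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed line; a real pipeline would count these too
        alerts.extend(Alert(ev["ts"], ev["user"], r) for r in check_event(ev))
    return alerts


# Constructed sample: two normal vendor logins, then the same account used to
# touch a point-of-sale host and push data to an external address, then an
# employee doing the same (not a vendor, so outside this policy), then garbage.
SAMPLE_LOG = [
    "2014-01-06T09:01:00Z user=vendor_acme host=billing-portal-01 action=login",
    "2014-01-06T09:02:10Z user=vendor_acme host=billing-portal-01 action=read",
    "2014-01-18T02:14:33Z user=vendor_acme host=pos-store-0412 action=install",
    "2014-01-21T03:40:08Z user=vendor_acme host=fileshare-07 action=upload dst=203.0.113.9",
    "2014-01-21T03:41:00Z user=jsmith host=fileshare-07 action=upload dst=203.0.113.9",
    "corrupted log line with no structure",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.user}: {a.reason}")
```

Running it prints five alerts, all for the vendor account: two for the point-of-sale install (wrong host, unapproved action) and three for the upload (wrong host, unapproved action, external destination). The point is not the regex but the allow-list: if a vendor account has a written scope, every use outside it is a detection opportunity that does not depend on recognizing the malware.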
We keep saying that every business large and small has important lessons to learn from Target. Don’t waste the opportunity. Double-check your own security and see if there are any obvious gaps you haven’t spotted but need to be sealed. Need help? Give SiteLock a call any time, 24/7/365, at 855.378.6200.
Cybercrime is often little more than a battle of wits, and much of that battle is focused on the bad guys finding and exploiting vulnerabilities in a web application that the good guys missed. Poorly or hastily written code can leave weak points for hackers to exploit, often to great effect. While a developer’s goal is usually to create a great app, sometimes security takes a backseat to style and function. Even the best and most security-conscious developers can still miss things, which is why being able to automatically review the code of every application on your website is invaluable.
The Devil is in the Details
The security landscape is littered with massive security exploits that were traced back to simple mistakes in coding. Even the recent Heartbleed bug, which affected a large share of the internet’s TLS servers, was traced to a single missing bounds check committed years earlier by one of the many volunteers who helped create the open source technology.
Even more troubling: some reports suggested that attackers may have known about and exploited that mistake for as long as two years before security experts discovered it. And who knows how much damage and havoc they managed to cause.
That’s why protecting your code from exploits is so critical. Most websites are really just a collection of different apps and plugins developed by third parties, and the security of your website depends on how careful and skilled those third parties are.
Identifying Your Vulnerabilities
To tackle this problem and shut down yet another point of attack, SiteLock recently added something called TrueCode to its arsenal. TrueCode uses Static Application Security Testing, or SAST, to peer as deeply as possible into the source code of the applications you use on your website, and then map what it finds. Those results are then delivered to you in a simple report that outlines the severity of any findings and what you can do about them.
It’s a powerful and important way to see how your applications are currently working, what other applications they interact with, and what vulnerabilities they could be creating. And it can even identify critical vulnerabilities and mistakes before you even launch the app, denying hackers the opportunity to exploit it.
As SiteLock put it, “TrueCode is like having a hacker proofread your code.” And that’s a fundamental pillar of all security. Most vulnerabilities are small, isolated, and hidden from the untrained eye. But when you have experts go through that code, line by line, from the perspective of a hacker, you have a much better chance of finding and fixing that tiny error that could blow a massive hole through your security. And your business.
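To make concrete what “proofreading code from a hacker’s perspective” means in static analysis terms, here is a toy source-to-sink taint check of the kind a SAST tool performs, run over a constructed PHP snippet. This is an added example and is not SiteLock’s TrueCode or any real scanner; the lists of sources, sinks and sanitizers, the snippet, and the tiny statement parser (it only understands one-line `$var = ...;` assignments and one-line calls) are all assumptions made for the illustration.

```python
"""Toy source-to-sink taint analysis in the spirit of SAST, run over a
constructed PHP snippet. Added example, not SiteLock's TrueCode or any real
scanner; the source/sink/sanitizer lists, the snippet and the one-line
statement parser are assumptions made for the illustration."""
import re

# Where attacker-controlled data enters the program (assumed list).
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
# Calls that must never receive tainted input, and the bug class if they do.
SINKS = {
    "mysql_query": "SQL injection",
    "echo": "cross-site scripting",
    "system": "command injection",
}
# Functions whose return value the toy treats as clean (assumed list).
SANITIZERS = {"intval", "mysqli_real_escape_string", "htmlspecialchars",
              "escapeshellarg"}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
CALL_RE = re.compile(r"^\s*(\w+)\s*\(?(.*?)\)?;\s*$")
WRAP_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")
VAR_RE = re.compile(r"\$\w+")


def is_tainted(expr, tainted):
    """An expression is tainted if it mentions a source or a tainted variable,
    unless the whole expression is a single sanitizer call. PHP interpolates
    $vars inside double-quoted strings, so a variable inside a string counts."""
    m = WRAP_RE.match(expr)
    if m and m.group(1) in SANITIZERS:
        return False
    if any(src in expr for src in SOURCES):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def analyze(code):
    """Walk the snippet top to bottom, propagate taint through assignments,
    and report (line, sink, bug class) for every sink fed tainted data."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, expr = m.groups()
            if is_tainted(expr, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigning clean data clears the taint
            continue
        m = CALL_RE.match(line)
        if m and m.group(1) in SINKS and is_tainted(m.group(2), tainted):
            findings.append((lineno, m.group(1), SINKS[m.group(1)]))
    return findings


# Constructed snippet: lines 7, 8 and 11 are the ones a reviewer should flag.
SAMPLE_PHP = """<?php
$id = intval($_GET['id']);
$name = $_GET['name'];
$raw = $_POST['q'];
$dir = $_GET['d'];
mysql_query("SELECT * FROM users WHERE id = $id");
mysql_query("SELECT * FROM items WHERE name = '$raw'");
echo $name;
$safe = htmlspecialchars($name);
echo $safe;
system("ls " . escapeshellarg($dir));
"""

if __name__ == "__main__":
    for lineno, sink, bug in analyze(SAMPLE_PHP):
        print(f"line {lineno}: {sink}() receives tainted input ({bug})")
```

Lines 6 and 10 are not reported because `$id` was cleaned by `intval()` and `$safe` by `htmlspecialchars()`; lines 7 and 8 are real findings. Line 11 is a false positive: the argument is safe because `escapeshellarg()` wraps the tainted part, but the toy only recognizes a sanitizer that wraps the entire expression. That is the trade-off every static analyzer makes between modelling precision and noise, and it is why a SAST report still needs a human to confirm each finding and rate its severity.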
And it’s not as if TrueCode has to interrupt your business or website to complete this detailed probe. TrueCode actually takes a copy of the application code and does all the testing in its own cloud-based lab. Exactly how security should be – an enabler and not a disrupter or inconvenience. Your customers and your website will never notice the difference, but they will definitely appreciate it.
There are many simple rules to security – it should always consist of multiple layers, it should never stand still, and we should always try to look at website security from the perspective of the hackers. TrueCode hits on all counts. Contact SiteLock today and learn how to integrate TrueCode into your web development workflow.
Update: SiteLock has been recognized by Gartner as part of its Magic Quadrant for Application Security Testing. Get the full report and learn what makes TrueCode so noteworthy.
Every year about this time, Verizon comes out with an annual review of the results of its investigations into thousands of data breaches and security incidents from around the world.
The report can be very data heavy and even a little depressing, but we can learn great things from it. Here are just ten: