October 22nd, 2015

Over the last few decades we've seen B2B and B2C applications become a standard way of doing business. Almost every company is now connected in both directions, interacting with both customers and suppliers. Big companies rush to adhere to PCI compliance (the payment card industry data security standard), whilst small and medium companies just deal with infrastructure and day-to-day matters. Usually they are not concerned with security issues; despite the occasional news report on TV, it all seems far removed from reality.

I would like to share some thoughts and misconceptions regarding cyberattacks. It may sound silly, but some managers and netadmins still have the wrong idea. The scenario has changed in the past 5 years (ok, not really changed, but it got uglier).

Myth number 1: Only big and "famous" companies, like Sony or Microsoft, are targets for attacks.

Fact: Small and medium-sized companies usually do not consider themselves targets for hackers, and so they lower their protection level, for example by having no web application analysis, no antivirus, or no software update policy.

Myth number 2: My computer already has an antivirus and my network has a firewall. I’m safe.

Fact: Nowadays, attacks rely on outdated software such as Java, Flash Player, Acrobat Reader, browsers, or even Windows/Mac machines without automatic updates turned on. Once the user visits a malicious website, the page runs crafted code that subverts the outdated software to install a remote backdoor, and the computer becomes part of a botnet (sending spam or stealing information). Antivirus has become deprecated software; web category filtering and cloud-based protections are the most effective now. Old-generation firewalls do not provide any protection.

Myth number 3: I don’t do p0rn online, so I’m safe. I don’t have any relation with this ‘world’.

Fact: The criminal targets you randomly. They scan IP ranges, networks and websites in batches, looking for outdated, vulnerable systems to break into. That’s the reason everybody must be protected.

Myth number 4: I don’t have an e-commerce site, it’s just a _______.

Fact: If you host any web application that has any value, some automated exploit scanner will find it someday and report it as exploitable. Then the malicious user will see whether it can host fake bank pages for scams, or whether it is worth selling. (Are you repairing tires for $100? The attacker will sell it for $30 and hack your system to charge only $5.) You may not be a target for a DoS, but your servers will be used as a vector to amplify attacks.

Myth: You guys are delusional. We don’t live in a Hollywood movie.

Fact: It’s easy… so easy and cheap to hire someone to hack a random website (if it hasn’t been scanned and fixed for vulnerabilities). You can hire 1,000 PCs in a botnet for $50 to send spam, or with keyloggers already capturing NZ bank passwords. (It’s sorted and packaged for sale!) It’s risky to withdraw money directly, so why not sell the infected users to someone who has the guts to use that information?

How can my company get the minimum level of protection?

1) Have policies that enforce software updates (operating system, browser, Java, Flash, Acrobat).

2) Awareness: don't open emails that seem suspicious (e.g. "your bill has not been paid, click here to view details").

3) Have web category filters that deny access to malicious websites (or even legitimate websites that have been infected and now host a crafted webpage).

Who can help companies achieve that?

1) IT staff can deploy policies to keep software updated.

2) Security / HR team providing guidance to avoid social engineering.

3) REANNZ's new business unit can provide next-generation firewall protection with web filtering and deep inspection, protecting against web attacks and malicious webpages.

Written by Fabricio Lima.