Today's hackers are more sophisticated than the days of the "geek in the basement." Data is selling well on the black market, so trained programmers are looking for ways to exploit your company's vulnerable machines. But there are security measures businesses can take to protect themselves and their data from outside threats.
Think your antivirus software is enough to protect your business from outside threats? Think again. Hackers today are smart and trained programmers who are looking for any vulnerable spot in your computers. The recent Confickr worm even took advantage of social-engineering tactics. Monte Robertson, president and CEO of Software Security Solutions, explains how smaller companies can keep up with the evolution of security threats.
bMighty: What security threats should small to midsize businesses be aware of?
Monte Robertson: The latest threats are from professionally trained programmers. It used to be that the hackers were the "geeks in the basement," and all they did was put out code to wipe out hard drives. But today these are highly organized groups that are trained programmers who understand how to write malicious code to compromise systems. It's a huge market for malicious software that's attracting professionally trained folks. What they're doing is creating malware that is Web-based, and they'll take advantage of a number of threats to compromise Web servers and send out e-mails and even take out ads to draw people to Web sites.
Don't Miss: So, You Want To Be A Hacker
There's a threat called Confickr/Downadup where they're taking advantage of social-engineering tactics. You saw it come out for the election, the Super Bowl, for Valentine's Day, where you're told to open a link, and it'll take you to a Web site that is compromised with malicious code. They're getting better at it, and it's not just the porn sites. People who don't know to keep their applications on their Web sites patched are taken advantage of. Some people say Confickr has affected 9 million to 15 million machines. The disturbing thing is that a lot of these machines and people are, theoretically, protected by antivirus. What that tells me is that having antivirus or anti-malware is not enough anymore because the Web-based threat and the social-engineering threat are created by smart people.
bMighty: What are the most effective security practices that smaller companies should consider?
Monte Robertson: Training has a lot of effect. In terms of Windows machines -- say, Vista -- it has a user-access rights component, but even still, that gets compromised. Users that are using machines with local administrator rights are left wide open. You have to use programs that make business work, but if you're using ones with local admin rights, and those users surf the Internet or open e-mails or attachments, that means they have the permission to install any program, whether it's a good program or not. Hackers know that and take advantage, and if you're surfing the Web, you're open to whatever is out there.
It helps to have limited rights because then the potential is reduced to install malicious programs. It becomes a support issue because, say, a salesperson needs the latest gadget, and he has to go to IT and wait for them to install it. What I'm suggesting is if companies are using programs that require local admin rights, then encourage companies to come up with software that doesn't require local admin rights. People aren't aware that there are free solutions to protecting their machines. Is it a business decision to allow users admin rights? If so, clamp down on what you can.
There are also steps you can take to reduce risk, such as having policies. You could say, "Don't open e-mails; don't download software," but it needs to be done. People need to know how important the company's data is. Have a security policy that outlines everything from the tools you use to policies you follow -- and that identifies all the layers of security.
It takes a lot more than just software to protect users from themselves. Part of the problem is with younger folks -- they just surf fearlessly, because they don't understand how big the threat is and how silent it's become. Hackers used to want everyone to know they were there, but now they want to work in the background, slowly get into networks, because data is worth something on the black market. The bottom line is you need a blended response to a blended threat.
Next Page: Common Security Mistakes
