Kevin Mitnick was once the "most wanted" computer hacker in the world. After being nabbed by the FBI and doing his time, Mitnick became one of the good guys, helping businesses understand and address information security weaknesses and threats.
Mitnick, now a leading consultant and speaker on the subject of information security, and author of the New York Times best-seller Ghost in the Wires, spoke with me about the most serious threats of which every business should be aware. Mitnick says that these issues aren't just concerns for large corporations -- small companies face the same challenges, and dealing with them effectively doesn't require massive resources or IT departments. Here are the top threats, and some tools small businesses can use to address them:
Attacks are becoming more complex
The threat: Attackers have become more sophisticated, and it's often extremely difficult to detect an intrusion until after the damage is done. "Hacker gangs," often operating overseas, have acquired online banking credentials and wired funds out of corporate accounts, or stolen intellectual property, with little or no detection.
The solution: There are several solutions on the market for small- and medium-sized businesses. Cisco (CSCO) and others offer integrated services routers (ISR), which integrate routing, firewalling, intrusion detection, VoIP solutions and wireless networking, at a low cost (entry level models run around $1,000). There are more robust systems for larger enterprises, but ISR provides good baseline protection for smaller businesses.
The risk landscape is increasingly difficult to understand
The threat: Attacks are evolving every day, making it crucial -- and difficult -- to keep up with current hacker methodologies. As a result, thousands of systems are compromised every week. We often hear about distributed-denial-of-service (DDoS) attacks carried out by "botnets" of compromised computers. Hackers use similar techniques to gain access to small business computers, where they can access financial and other information, perpetrate theft and do all kinds of other damage.
The solution: Small businesses are increasingly putting many of their system functions in "the Cloud," where they can be kept up-to-date in real time. In these situations, it is critical to clearly outline expectations regarding application and data security in the Service Level Agreement (SLA).
If the necessary technical expertise is not available in-house, enlist the services of a security consultant or qualified IT specialist. Companies like Mitnick's offer advisory services and implementation of the best practices and solutions for keeping up-to-date on threats. For many companies, a modest investment in this kind of expertise can save them from far more costly problems down the road.
Outgoing network traffic can be as dangerous as inbound
The threat: Most businesses have some type of firewall for incoming traffic, but few address potentially risky outgoing connections from their own workstations. This is a major shortcoming, because a user's computer may become infected with malware that connects back to the attacker. According to Mitnick, antivirus software is only 60 percent effective at detecting and eliminating malicious code.
The solution: Reduce the number of services a user can connect to outside the company by configuring the firewall to restrict outgoing traffic to what's necessary for business operations. The ISR solutions mentioned above facilitate this type of configuration.
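To make the default-deny idea concrete, here is an added example (not from the article or from Mitnick) that checks outbound connection records against an egress allowlist and reports which internal hosts attempted connections the policy would block. The addresses, the policy rules and the `key=value` log format are all assumptions made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical egress policy: (source network, protocol, destination port).
# Anything that matches no rule is denied (default deny).
EGRESS_ALLOW = [
    ("10.0.1.0/24", "tcp", 443),   # workstations: HTTPS
    ("10.0.1.0/24", "tcp", 80),    # workstations: HTTP
    ("10.0.0.53/32", "udp", 53),   # only the internal resolver does DNS outbound
    ("10.0.0.25/32", "tcp", 25),   # only the mail relay sends SMTP outbound
]
RULES = [(ipaddress.ip_network(n), p, port) for n, p, port in EGRESS_ALLOW]

# Constructed sample of outbound connection records (not real traffic).
SAMPLE_FLOWS = """\
src=10.0.1.23 dst=203.0.113.10 proto=tcp dport=443
src=10.0.1.23 dst=198.51.100.7 proto=tcp dport=4444
src=10.0.0.53 dst=192.0.2.53 proto=udp dport=53
src=10.0.1.40 dst=192.0.2.99 proto=udp dport=53
src=10.0.1.40 dst=198.51.100.25 proto=tcp dport=25
src=10.0.0.25 dst=198.51.100.25 proto=tcp dport=25
"""

def parse_flow(line):
    """Turn 'key=value ...' into a typed flow record."""
    f = dict(field.split("=", 1) for field in line.split())
    return {"src": ipaddress.ip_address(f["src"]), "dst": f["dst"],
            "proto": f["proto"].lower(), "dport": int(f["dport"])}

def is_allowed(flow):
    """True only if some allow rule matches source, protocol and port."""
    return any(flow["src"] in net and flow["proto"] == proto and flow["dport"] == port
               for net, proto, port in RULES)

def audit(text):
    """Return {source IP: [(dst, proto, dport), ...]} for flows the policy denies."""
    denied = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_allowed(flow):
            denied[str(flow["src"])].append((flow["dst"], flow["proto"], flow["dport"]))
    return dict(denied)

if __name__ == "__main__":
    for src, hits in audit(SAMPLE_FLOWS).items():
        print(src, "->", hits)
```

A workstation that shows up in the denied list for an unusual port, or for DNS or SMTP that should only leave through the designated servers, is worth checking for malware.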
Desktop software is often out of date
The threat: Hackers used to focus solely on exploiting security flaws at the server level, but this has changed, and individual desktops are now common targets. One of the reasons this is appealing to hackers is that businesses rarely update the client application software that resides on individual workstations. Small businesses can be particularly easy marks for these kinds of attacks.
The solution: Products like Secunia's Corporate Software Inspector automate software updates on user desktops. These updates are as important as applying software and security patches for the operating system, as out-of-date software significantly increases the risk of a security breach. Products like the Secunia application can cost a couple thousand dollars, but again, the investment has to be weighed against the risk.
Humans can be the biggest problem
The threat: The biggest risks to information security are people. Studies have shown that most security incidents start from within, and are usually accidental. Sophisticated attacks use "social engineering" (predicting or manipulating human behavior) to trigger the exploitation of desktop application security flaws.
The solution: Constantly reinforce to employees the dangers of opening attachments and clicking links sent in email, messenger applications and posts on social networking sites. All it takes is one person making a bad decision to compromise the entire business. One clever and effective strategy for keeping employees on their toes is simulating attacks (similar to a surprise military drill), using an Internet Security Awareness Training program, which costs about $15 per person per year.
Of course, these are just quick snapshots of key threats and tools. It's a big and complex subject (Mitnick has filled three books on it so far), but these are great starting steps for most small companies. As Mitnick says, "The most important point is that computer and information security is not, and can never be, a one-size-fits-all solution."