Smaller businesses may assume that hackers won’t target them because of their relative unimportance. This is a mistaken assumption, however, as the latest real-world data from Symantec shows that attacks against SMBs increased threefold in 2012 compared with 2011. You can download the Symantec 2013 Threat Report PDF here.
One likely reason for the increase is that many of the techniques employed by hackers do not discriminate between enterprises and small and mid-sized businesses. To help SMBs better understand this, I highlight three common attack vectors used by hackers.
Watering Hole-Style Attacks
In a watering hole-style attack, hackers compromise a legitimate website to surreptitiously place malware within selected pages. Such malware could either target browser flaws that are already patched, or seek to exploit an as-yet-unknown (zero day) security vulnerability. Whatever the case, the idea behind a watering hole-style attack is for users to unknowingly show up and get infected.
Spear phishing is a method commonly used to infiltrate a specific organization, and involves the use of bogus websites to trick users into revealing their usernames and passwords. Indeed, this was how The Onion had its Twitter feed hacked earlier this month. What is more common, though, is the use of general phishing, in which emails with a link to a phishing website are sent out to as wide a target audience as possible.
Using the Same Passwords
Periodically, there are reports of how popular websites were compromised. Many such attacks also see attackers making off with the encrypted files containing the password hashes of users. These files are typically cracked or recovered via brute force in relatively short order, giving cybercriminals an email address and the original password that they can try on various web services. As you can imagine, this poses a significant threat to users who make use of the same password on more than one account. And depending on whether the email address is a corporate one, the hackers may also be trying their luck at your company portal.
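On the defending side, reused credentials being tried against a company portal leave a recognizable pattern in login records: one source touching many different accounts, mostly failing, with the occasional success marking an account whose password was reused. The following Python sketch is an added example, not part of the original article; the event fields, the sample data and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample portal login events: (source_ip, username, success).
SAMPLE_EVENTS = (
    # One source trying six different accounts once each; one login works.
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(1, 6)]
    + [("203.0.113.7", "carol@example.com", True)]
    # An ordinary user who mistypes a password once.
    + [("198.51.100.20", "bob@example.com", False),
       ("198.51.100.20", "bob@example.com", True)]
    # A shared office address: many accounts, but all logins succeed.
    + [("192.0.2.44", f"staff{i}@example.com", True) for i in range(1, 6)]
)

def flag_reused_credential_attempts(events, min_accounts=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions and need tuning per portal.
    Any account that did log in from a flagged source is listed for a
    password reset, since its password was most likely reused elsewhere.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ok": set()})
    for ip, user, success in events:
        rec = per_ip[ip]
        rec["accounts"].add(user.lower())
        rec["attempts"] += 1
        if success:
            rec["ok"].add(user.lower())

    flagged = {}
    for ip, rec in per_ip.items():
        tried = len(rec["accounts"])
        if tried < min_accounts:
            continue  # too few accounts to tell apart from normal use
        if len(rec["ok"]) / tried > max_success_ratio:
            continue  # mostly successful: likely a shared office or NAT address
        flagged[ip] = {
            "accounts_tried": tried,
            "attempts": rec["attempts"],
            "accounts_to_reset": sorted(rec["ok"]),
        }
    return flagged

if __name__ == "__main__":
    for ip, detail in flag_reused_credential_attempts(SAMPLE_EVENTS).items():
        print(ip, detail)
```

Counting distinct accounts per source, rather than failures per account, is what separates this pattern from a single user fumbling a password, and the success-ratio check keeps a shared office address from being flagged.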
As is evident from just three of the common security attacks, smaller businesses and even end users are affected by many of the security attacks out there despite not being specifically targeted. Ultimately, businesses need to do away with the mentality that they are not worth targeting by hackers, and implement sound security measures to better protect themselves.