I sat through a couple of sessions in the Singapore leg of the Hacker Halted 2010 conference yesterday, which was an eye-opener for me. While my mind is still abuzz with the repercussions of what I learned, there are a few points that I find especially pertinent to SMBs.
Security is More Than Hardware
If it's not obvious yet, security is much more than a couple of security appliances or intrusion-prevention devices. In a panel discussion consisting of security experts Ralph Echemendia, Tim Pierson and Jayson E. Street, it was clear from their collective experiences that while attempts at network penetration tests succeed "like 60 to 80 percent" of the time, social engineering attacks have a success rate of 100 percent.
Exploiting employees' ignorance of security best practices is also high on the list of attacks that require no malware to work. A member of the audience, who was understandably reticent to furnish details of his company, shared how in a sanctioned phishing "test" on his company of 1,500 employees more than 100 staffers gave up their user IDs and passwords. This represents a staggering 6 percent of the work force, and there is no doubt in my mind that these (potentially) commandeered accounts could have been used to penetrate even further into the organization via social engineering.
Security is for All, Including Administrators and Programmers
Conventional wisdom dictates that general security training is necessary for all staffers, and has to do with training them not to blindly give out their passwords or click on proffered URLs. After observing the Night Hack Live segment though, I am now convinced that this is a completely inadequate posture for businesses to adopt.
What I found frightening as the various experts demonstrated their hacking skills was how mundane the entire process was, almost to the point of being boring. There was no magic wand or superlative hacking software involved; the whole process was instead conducted methodically as security defenses were probed, dissected and exploited using freely available tools.
In one example, a normal Web login prompt was modified from the client end to increase the maximum size of the input field. An SQL overflow was then enacted, which led to the creation of a file on the Web server via a relatively unknown but common script command. This new script was then used to upload a much larger file, which led to the exposure of the database password. Like peeling an onion, the database was accessed next, and another obscure database-specific command was used to upload a database plug-in, which blew the gates off the remaining access restrictions.
In a nutshell, there is no way that administrators and programmers can effectively configure or code safeguards into the systems they maintain or build unless they are first made aware of the loopholes hackers use to penetrate systems.
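The first step of the demonstration above rests on one programmer-level lesson: a field limit enforced only in the browser is not a control, so the server must re-check input and bind SQL parameters itself. The following is an added illustration written for this post, not code from the conference demo; the table, user names and `MAX_LEN` value are constructed, and the vulnerable function is kept deliberately naive beside its hardened twin.

```python
import sqlite3

MAX_LEN = 32  # the limit the HTML form advertises via maxlength (constructed value)


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_trusting_client(conn, username, password):
    """Vulnerable: assumes the browser enforced maxlength and keeps quotes out,
    then splices the raw values straight into the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Hardened: re-enforces the length limit on the server and passes the
    values as bound parameters, so their content can never alter the query."""
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        return False  # client-side limit was bypassed; reject, do not trust it
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic text that rewrites the WHERE clause
    print("naive, bad password:   ", login_trusting_client(db, "bob", tautology))
    print("hardened, bad password:", login_hardened(db, "bob", tautology))
    print("hardened, real login:  ", login_hardened(db, "alice", "correct horse"))
```

Run it and the naive handler reports a successful login for a user that does not exist, while the hardened one only succeeds for the genuine credentials.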
The Relevance to SMBs
So how are my observations relevant in the context of SMBs? You see, SMBs are usually quick to invest in things like fire and flood insurance, put anti-competitive clauses in employee contracts to prevent staff from waltzing over to a competitor, and formulate and test disaster recovery and business continuity plans; the list goes on. Essentially, they invest (and insure) heavily against threats that might put them out of business.
As I explained in "Why SMBs Should Pay Attention to Security," it is trivial to purchase a malware kit to construct new, unique malware or to requisition a hacking toolkit to probe a company's network. And with even mid-sized businesses being increasingly targeted by hackers, SMBs have run out of time to shuffle their feet any longer over security.
In closing, I want to say that SMBs need to reassess their budget and prioritize greater efforts and resources toward securing their data and computing assets. And remember, proper antivirus defenses and employee training on security best practices are just step one of a long list of preventive and proactive security measures that SMBs need to take.