Cyber Security for Small Business and Financial Fraud Potential

Cyber Security for Small Business and Financial Fraud Potential. InfusionPoints, LLC Secure Business Solutions HUBZone & Veteran-Owned Small Business Michael A Figueroa, CISSP Senior Vice President [email protected]. InfusionPoints – Secure Business Solutions. - PowerPoint PPT Presentation


InfusionPoints, LLC
Secure Business Solutions
HUBZone & Veteran-Owned Small Business

Michael A Figueroa, CISSP
Senior Vice President
[email protected]

Cyber Security for Small Business and Financial Fraud Potential

Independent Trusted Partner Building Secure Business Solutions Protecting your Information

Confidential 2010, InfusionPoints, LLC All Rights Reserved
Distribution Prohibited Beyond Target Audience Without Author Consent

InfusionPoints Secure Business Solutions

InfusionPoints combines a unique blend of business and technology skills to help our clients with their critical security and privacy initiatives.

We help our clients work through these challenges by developing an enterprise, strategic vision and roadmap that recognizes the management and technology of security and privacy as an integral part of your business solutions.

Our security and privacy solutions focus on business needs by:

  • Defining key security and privacy strategies
  • Developing secure enterprise architectures
  • Developing enterprise security and privacy roadmaps
  • Managing and implementing critical security and privacy initiatives

HUBZone & Veteran-Owned Small Business

Agenda

  • The nature of contemporary attacks on small businesses
  • Small business security studies
  • What businesses can do and how can we help
  • Open discussion about controls businesses can implement

Contemporary Cyber Attacks on Small Businesses

Small businesses are under constant attack and the losses are beginning to mount

How are cyber criminals targeting our businesses and getting away with it?

  • Breaking into computer networks and embedding bugs, viruses, and Trojans
  • Bypassing passwords or copy-protection in computer software and deleting files
  • Defacing and/or damaging Web sites
  • Attacking a web site or network and preventing legitimate users from accessing the site or network
  • Stealing valuable information such as passwords and credit card data
  • Destroying files, sites, networks, and e-mails


Hacker tools and techniques

Attacks against businesses have consistently grown in every aspect, from sophistication to impact

Threat agents are evolving to move away from many random attacks to broad targeted attacks that maximize revenue and minimize detection

[Figure: Intruder Knowledge / Attack Sophistication (Low to High) plotted over time, 1980 to 2010. Labels: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Burglaries, Hijacking Sessions, Sweepers, Sniffers, Distributed Attack Tools, Denial of Service, GUI, Packet Spoofing, Network Management Diagnostics, Automated Probes/Scans, WWW Attacks, Stealth/Advanced Scanning Techniques, Back Doors, Zombies, BOTS, Morphing, Malicious Code, Attackers]

Criminal networks have also been busy building their capabilities to generate consistent cash flow

  • The organizations are starting to mimic traditional business structures
      • Executives manage the organization as corporate directors
      • Profilers specialize in finding information
          • They may leverage specially designed call centers to conduct social engineering
      • Software Developers design and develop the attack tools
      • Attackers specialize in conducting the attacks
          • They may leverage existing botnets under service provider contracts
      • Human Resources recruit and manage financial transfer resources
          • Money Mules are hired as financial consultants to facilitate money transfers

Anatomy of a Botnet Cyber Attack

Standard banking practices offer no recourse to the affected businesses

  • Once the attacker is able to conduct the wire transfers, the money is unrecoverable
      • Domestic electronic money transfers will not raise any red flags regardless of whether a company commonly uses them
      • Direct wire transfers are largely anonymous and attackers can use them to easily move money around the world
  • Business accounts lack the same level of anti-fraud protections that consumers enjoy
      • Most small business owners believe that the bank will refund them for losses due to inappropriate electronic transfers
      • Even when the target alerts the bank in a timely manner of suspicious activity, the bank is under no obligation to cover monetary losses
  • This attack has closed many businesses, and has hit public utilities, school districts, universities, etc.

Small Business Security Studies

A recent study that focuses on small business security practices describes how daunting the challenge is*

  • Small businesses store important company related data on their computer systems
      • 65% store customer data, 43% store financial records, 33% store credit card information
  • Business owners have an abstract understanding of security issues
      • 6% fear the loss of customer data and 42% believe that their customers are concerned about the security of their business
      • 58% believe their data is not any safer in the last 12 months and 7% believe it is less safe
  • But, their access to security resources is severely limited
      • 86% do not have anyone focused on security
      • 53% check their computers to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date
      • 20% say they use the minimal threshold of security to protect customer and employee data

*Source: 2009 NCSA / Symantec Small Business Study, October, 2009, staysafeonline.org

Another study shows the business owners may detect issues but don't know how to respond*

  • More than half of small businesses have been a victim of fraud or online crime in the last 12 months
      • 37% had an issue with phishing emails, 15% were victim to card not present fraud and 15% experienced IT system issues such as viruses and hacking
  • One third of businesses currently do not report fraud or online crime to the police or banks, as they believe that it would not achieve anything
  • More than half of the respondents wanted clearer information about how and where to report these types of crime, and 44% want a specifically named contact in their local police force responsible for tackling fraud and online crime

*Source: Inhibiting Enterprise: Fraud and Online Crime Against Small Business, February, 2009, www.fsb.org.uk

What Can Small Businesses Do to Prevent CyberFraud?

Small business owners are getting pushed into risky activities outside of their core business

  • Electronic Banking:
      • Business banking accounts typically allow for electronic account (ACH) transfers even if the business doesn't typically use them
      • Most small businesses make payments using checks or credit cards, but banks don't require prior approval for ACH transactions by default
      • Withdrawing money from an account electronically requires little to no authentication, relying instead on legacy banking transaction methods
  • Internet Banking:
      • Accessing most accounts requires only a username and password while in-person banking often requires a government-issued ID
      • Banks typically do not monitor where accounts are being accessed from and cannot adequately verify that the host is authorized
      • Despite widespread ignorance about banking online safely, banks are imposing monthly fees to encourage business owners to move banking to the Internet
  • Consumers are not faced with the same problem

Small business owners should first determine what they have that's worth protecting

  • Rule #1: Don't be complacent
      • It's one thing to have no control, it's another to relinquish it out of ignorance
      • Attacks can and do happen, but they don't have to impact the business
      • Ask questions of service providers (including banks) about how they will respond should an attacker infiltrate business accounts
      • Understand the business liability
  • Rule #2: Assess and monitor business risks
      • Follow the money to identify where the business is weakest, especially where it lacks control but is still liable for any issues
          • Electronic transfers
          • Internet banking
  • Rule #3: Get help when needed
      • Don't trust the service provider outright, they will look after their own interests first

We are working to find new resources to help protect small businesses, but the results are very limited

  • Establishing a Government Program Management Office
      • Discussions with several government organizations have been encouraging, but there has been little movement to date
      • Agencies like the idea, but small business losses haven't warranted greater attention by anyone but the FBI, and that only in minor form
  • Working with Banks, Telecommunications and Services Providers
      • They place most of the blame on the business despite actively marketing risky services to them
  • Working with Vendors
      • The security industry doesn't really understand the constraints that small businesses operate under
      • Ex: How does a small business buy separate appliances for network protection, threat detection, virus prevention, etc.?
      • What's the ROI for the business?

We are working in parallel to provide new resources to help small businesses help themselves

  • Established the CyberSecurityForSmallBusiness partnership to provide a wide range of assistance, support, and solutions
      • InfusionPoints
      • Blue Glacier Management Group
      • Stratum Security
  • Conduct free Cyber Security Lunch and Learn seminars
      • Local Chambers of Commerce
      • Local Economic Development Associations
  • Developed a Cyber Security website for Small Businesses, Partners, and Members

As security professionals, we need to accept responsibility for helping small business owners

  • Use an Adopt a Business technique to help business owners better understand their risks
      • Start by creating a culture of security to better protect the business bottom line and be less likely to incur liability
      • Promote an understanding that cyber security is good for business and helps prevent cyber crime on customers, fellow businesses, and our country
  • Challenge vendors and service providers to do more
      • Engage in debates to help the industry evolve
      • Ex: Why do anti-virus vendors make so much money preventing