David R. Han
Small and medium-sized enterprises (SMEs) are very susceptible to cyberattacks, but many of them ignore the threat, hoping it will pass them by, or perhaps they do not recognize its severity. Cybersecurity is getting a lot of attention due to the actions of hacktivists, cybergangs and nation states. Hacktivists are trying to make a statement, cybergangs are seeking easy money, and nation states are using hackers to conduct espionage.
Cybersecurity attacks have increased in frequency and affect virtually all industries. Law enforcement is relegated to playing catch-up because it is hampered by the lack of laws and the fact that cyberattacks often originate in other countries. Ultimately, the cyberattacker is aided by the ignorance of users, naiveté of companies and the difficulty of capture/enforcement. SMEs must take action now to secure their networks from hackers or continue to accept the risk of assured intrusion and cyberpilfering of their most precious assets.
The Internet is as lawless and free as the Wild West,1 and everyone faces the same dangers and potential pitfalls. Cyberattacks are a common occurrence. “The average time to resolve a cyberattack is 18 days, with an average cost to participating organizations of US $415,748 over this 18 day period.”2 This means that the average dwell time is often greater than 18 days. The dwell time is a measure of the time an intruder is on the network before being discovered and extricated. With that in mind, how much damage can an intruder do in 18 days beyond the explicit cost of US $415,748?
To mitigate some of these dangers and pitfalls, all businesses, regardless of size, must implement a minimum set of safeguards (firewall, intrusion detection/prevention system [IDS/IPS] and antivirus). Each business can scale its security measures to meet its needs, and it can choose to implement more stringent security measures.
SMEs are generally unsecure due to the lack of properly trained security personnel and a correlating lack of security measures.3 “A typical medium-sized business with 50 to 1,000 users has an average of 1.8 IT professionals on staff, according to McAfee research. In addition, only eight percent of companies within this market segment typically have a security specialist on staff.”4 If only 8 percent of medium-sized businesses have a security specialist on staff, who is doing the security work within the other 92 percent of medium-sized businesses?
Figure 1 shows the annualized cost of cybercrime for fiscal years 2010 and 2011. The reported maximum value of cybercrime in 2011 is US $36.4 million. Dividing that total by the average cost of an intrusion (US $400,000) reveals that an estimated 91 attacks were concluded in fiscal year 2011. In the “First Annual Cost of Cyber Crime Study” conducted by the Ponemon Institute in 2010, the 45 organizations in the study “experienced 50 successful attacks per week and more than one successful attack per company per week.”5 SMEs cannot continue to ignore cybersecurity.
Most people are familiar with the story of the three little pigs. The three little pigs provide a good analogy of how SMEs can approach cybersecurity. In this version of the story, the hacktivists, cybercriminals and nation states portray the Big Bad Wolf. The three little pigs are SMEs that go off on their own to try and protect themselves from the Big Bad Wolf.
First Little PigThe first little pig was the youngest brother and did not really understand the threat posed by the Big Bad Wolf. The first little pig thought the company was entirely too small to be of interest to the Big Bad Wolf. He decided to rely on security through obscurity and not really implement any security. His company just did not have enough resources to pay for a cybersecurity engineer, much less an IT specialist. Besides, all the organization did was make washers that they sold to a defense contractor. Who cared about a company making specialty washers for the defense industry?
The first little pig failed to properly understand the threat that the Big Bad Wolf posed. In this day and age, with the advanced tactics used by the Big Bad Wolf, small companies that supply parts to bigger companies represent the soft vulnerable underbelly. The bigger company’s defenses were stronger than the Big Bad Wolf’s capabilities, but by hacking into the smaller company and exploiting the trust relationship, the wolf was able to get into the bigger company’s networks.
The first little pig thought he could not afford cybersecurity, but the truth was that he could not afford not to implement cybersecurity measures. Bigger companies are starting to understand the threat posed to them by smaller, unsecured businesses. Bigger companies cannot extend the boundaries of their networks to compensate for smaller companies that do not have or cannot afford security countermeasures.
The first little pig was hacked and, due to the intrusion, was forced to file for bankruptcy. He then went running to his sibling’s arms.
Second Little PigThe second little pig understood a little more about cybersecurity than her little brother. Her company made circuit boards used by other companies in their computers. She knew she had to comply with federal mandates and government regulations. But, security was more of a hassle than anything, so she did just the bare minimum to comply. With the recession, did the government not realize that every dollar spent on compliance directly impacted her bottom line? With any more requirements, she would be forced to start laying off some people or cutting back hours. The security architecture included an IDS, firewall and antivirus, but nothing had been patched in 18 months and the antivirus DAT file was 10 months old.
While the second little pig had security measures in place, by doing the minimum required to comply with the mandates and requirements, her company was really not much better off than the first little pig. The bare minimum, while satisfying requirements, does not offer much in terms of security. Additionally, not patching and allowing the antivirus signatures and definitions to be forgotten vitiated the security measures she had in place. Zero-day attacks are not as prevalent as the number of successful intrusions perpetrated through vulnerabilities that remain unpatched long after the patch was released. Stuxnet was one of the biggest cyberattacks and Stuxnet’s attack vectors included zero-day attacks and unpatched vulnerabilities.6
Cybercriminals sending a flood of emails containing malicious links create most botnets or attachments,7 which infect users’ workstations and beacon back to the command and control (C&C) server for additional malware or instructions. The botnet herders (those who control the botnets) use unpatched vulnerabilities to gain control of the victim machines.8 “The most common detection and mitigation techniques include flow data monitoring, anomaly detection, Domain Name Server log analysis and honeypots.”9 Companies that implemented a security incident event management (SIEM) system “experienced a substantially lower cost of recovery, detection and containment than non- SIEM companies. In addition, SIEM companies were more likely to recognize the existence of advance persistent threats (APTs) than non-SIEM companies.”10
The second little pig received a spear-phishing email from a friend who was stranded in Albania and had no cash. She clicked the link and entered her banking information to send her friend US $100. She did not think anything about the fact that she had not spoken to her friend since high school. Her corporate bank account was hacked and her company’s accounts emptied.
Now, the first and second little pigs had to run to their older brother.
Third Little PigThe third little pig was the oldest. He had seen and experienced more. His company made missile systems and had recently started selling them to Taiwan. He took a proactive stance toward cybersecurity. His company complied with all of the government mandates and actively participated in associations that worked with the government to shape the requirements. Cybersecurity was baked into every system, and it was a force multiplier. Including security in the early requirements development phase ensured that things were done securely and saved the company money because there was no expensive redesign to bolt on security at the end. His company’s security architecture was robust, with an IDS/IPS, firewalls, demilitarized zone and a modest honeypot. The enterprise’s antivirus was continuously updated at different times throughout the day. The IDS/IPS did not just focus on signature-based defensive measures, but also looked at the heuristics to detect anomalous behavior and network activity that behaves like malware. The third little pig was able to protect his brother and sister and stave off the Big Bad Wolf…for today.
If companies employ good IT hygiene, such as patching vulnerabilities, malicious code such as agent.btz11 and even its more sophisticated cousin, Stuxnet, would not be as effective. “Most of what we see today is exploitation—that’s theft, stealing secrets, either commercial or military,” US Department of Defense (DoD) Secretary William J. Lynn told Ray Suarez on PBS Newshour. “[But] we know the tools exist to destroy things, to destroy physical property, to destroy networks, to destroy data, maybe even take human lives.”12
The largest threats to SMEs are a result of the following:
SMEs can implement protective measures to proactively defend their networks. Any measures an SME implements must be composed of people, processes and technology. As previously discussed with the second little pig, there is a minimum level of security measures involving technology that should be implemented. Technology serves well for automating work and processes. However, even with the most cutting-edge SIEM system implemented and fine-tuned to rule out all false positives and catch all false negatives, someone still has to be there to investigate the alerts and interpret the reports. Technology alone is not the solution, but should be part of the solution. The following is a list of what an SME can do to protect its networks:
MSN Money recently published an article listing “9 Ways to Avoid Cybercrime.” These tips are good tips and apply to SMEs and consumers alike:14
Figure 2 provides a comparison of small, medium-sized and large organizations and “reveals that the cost mix for specific cyberattacks varies by organizational size. Specifically, small organizations (less than 5,001 seats) experience a higher proportion of cybercrime costs relating to malicious code and malware. In contrast, large organizations (greater than 15,000 seats) experience a higher proportion of costs relating to malicious insiders, stolen or hijacked devices, and denial of service.”15 SMEs are faced with considerable resource constraints, but there are different ways to secure their networks and information.
SMEs are beginning to address cybersecurity and put safeguards and defensive countermeasures in place.16 For some businesses, their delayed action and hesitant response is too little too late. The cost of cybersecurity can provide a bit of “sticker shock” for SME executives and decision makers. But the cost of inaction far outweighs the upfront cost of cybersecurity. The threats are real, and if an SME has not been hacked, chances are high that it will be soon. If an SME continues to think that it is too small to be important, it must be reminded to consider whether the information it has might cause damage to a customer or to a business partner. What is the potential impact of that information being stolen, being hijacked or being posted on the Internet for everyone to see? Will the damage be something the SME can recover from, or will the damage cause it to file for bankruptcy? The longer SMEs take to implement the appropriate security countermeasures, the more risk to which they are exposed. The only real option SMEs have left is to treat risk by mitigating the threat and achieving an acceptable amount of residual risk.
1 This term refers to the western US during the gold rush of the second half of the 19th century.2 Ponemon Institute, “Second Annual Cost of Cyber Crime Study: Benchmark Study of US Companies,” August 2011, www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf3 Prince, Daniel; “Event Reveals New Insights Into Businesses’ Cyber Security Concerns,” School of Computing and Communications, Lancaster University, 29 September 2011, www.scc.lancs.ac.uk/info/news/001214/4 Moscaritolo, Angela; ”SME Security: Sizable Differences,” IT Security News and Security Product Reviews, SC Magazine, 1 May 2009, www.scmagazineus.com/sme-security-sizable-differences/article/136042/5 Ponemon Institute, “First Annual Cost of Cyber Crime Study,” ArcSight, July 2010,www.riskandinsurancechalkboard.com, www.riskandinsurancechalkboard.com/uploads/file/Ponemon%20Study(1).pdf6 Naraine, Ryan; Emil Protalinski; Dancho Danchev; “Stuxnet Attackers Used 4 Windows Zero-day Exploits,” ZDNet, 14 September 2010, www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/73477 McDowell, Mindi; “US-CERT Cyber Security Tip ST06-001—Understanding Hidden Threats: Rootkits and Botnets,” US Computer Emergency Readiness Team (US-CERT), 24 August 2011, www.us-cert.gov/cas/tips/ST06-001.html8 Ibid. 9 Cisco Systems Inc., “Botnets: The New Threat Landscape White Paper,” 23 October 2011, www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/networking_solutions_whitepaper0900aecd8072a537.html10 Op cit, Ponemon Institute, August 2011 11 The agent.btz malware was not specifically written to target the US Department of Defense (DoD), but three years after the initial breach occurred in 2008, the US DoD is still combatting the effects of agent.btz and its newer variants. Stewart, Phil; Jim Wolf; ”Agent.btz Worm Won’t Die After 2008 Attack on Military,” Breaking News and Opinion, The Huffington Post, 17 June 2011, www.huffingtonpost.com/2011/06/17/agentbtz-worm-attack-military_n_878880.html12 Parrish, Karen; “Cyber Threat Grows More Destructive, Lynn Says,” US Department of Defense, 15 July 2011, www.defense.gov/news/newsarticle.aspx?id=6469013 Mandiant, “MANDIANT: Intelligent Information Security: Advanced Persistent Threat,” 25 October 2011, www.mandiant.com/services/advanced_persistent_threat14 Datko, Karen; “9 Ways to Avoid Cybercrime,” MSN Money, 14 September 2011, http://money.msn.com/saving-money-tips/post.aspx?post=12ad8244-9ffe-434f-8795-a3668b5e1a3515 Op cit, Ponemon Institute, August 2011 16 Net-security.org, “40% of SMBs Suffered Breach Due to Unsafe Web Surfing,” Help Net Security, 12 October 2011, www.net-security.org/secworld.php?id=11773
David R. Han is a technology consultant specializing in information assurance, and works as the computer network defense (CND) architect for policy, plans, and governance, risk and compliance management. He supports the US federal government, ensuring that agency cyberincident handling and response processes align with federal mandates, industry standards and management best practices. Han has more than 27 years of process engineering, quality engineering, compliance management, metrics development and requirements analysis experience.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.