Cyber Security for Small Business and Financial Fraud Potential

InfusionPoints, LLC
Secure Business Solutions
HUBZone & Veteran-Owned Small Business
Michael A Figueroa, CISSP
Senior Vice President
Michael.Figueroa@infusionpoints.com
Independent Trusted Partner
Building Secure Business Solutions
Protecting your Information
InfusionPoints – Secure Business Solutions
• InfusionPoints combines a unique blend of business and
technology skills to help our clients with their critical security
and privacy initiatives.
• We help our clients work through these challenges by
developing an enterprise, strategic vision and roadmap that
recognizes the management and technology of security and
privacy as an integral part of your business solutions.
• Our security and privacy solutions focus on business needs by:
– Defining key security and privacy strategies
– Developing secure enterprise architectures
– Developing enterprise security and privacy roadmaps
– Managing and implementing critical security and privacy initiatives
• HUBZone & Veteran-Owned Small Business
Confidential – © 2010, InfusionPoints, LLC – All Rights Reserved
Distribution Prohibited Beyond Target Audience Without Author Consent
Agenda
• The nature of contemporary attacks on small businesses
• Small business security studies
• What businesses can do and how can we help
• Open discussion about controls businesses can implement
Contemporary Cyber Attacks on Small
Businesses
Small businesses are under constant attack and the
losses are beginning to mount
How are cyber criminals targeting our businesses and
getting away with it?
• Breaking into computer networks and planting bugs, viruses and
Trojans
• Bypassing passwords or copy-protection in computer software
and deleting files
• Defacing and/or damaging Web sites
• Attacking a web site or network and preventing legitimate
users from accessing the site or network
• Stealing valuable information such as passwords and credit
card data
• Destroying files, sites, networks, and e-mails
Hacker tools and techniques
Attacks against businesses have consistently grown in
every aspect, from sophistication to impact
• Threat agents are evolving to move away from many random
attacks to broad targeted attacks that maximize “revenue”
and minimize detection
[Figure: attack sophistication versus intruder knowledge, 1980 to 2010. Roughly in the order the chart places them along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, sniffers, packet spoofing, GUI attack tools, automated probes/scans, disabling audits, back doors, sweepers, network management diagnostics, WWW attacks, distributed attack tools, denial of service, zombies, bots, “stealth”/advanced scanning techniques, and malicious code morphing. Attack sophistication climbs from low to high over the period while the knowledge an intruder needs falls.]
Criminal networks have also been busy building their
capabilities to generate consistent cash flow
• The organizations are starting to mimic
traditional business structures
– “Executives” manage the organization as
corporate directors
– “Profilers” specialize in finding information
• They may leverage specially designed call
centers to conduct social engineering
– “Software Developers” design and develop
the attack tools
– “Attackers” specialize in conducting the
attacks
• They may leverage existing botnets under
service provider contracts
– “Human Resources” recruit and manage
financial transfer resources
• “Money Mules” are hired as financial
consultants to facilitate money transfers
Anatomy of a Botnet Cyber Attack
Standard banking practices offer no recourse to the
affected businesses
• Once the attacker has pushed the wire transfers through, the
money is effectively unrecoverable
– Domestic electronic transfers raise no red flags at the bank, regardless
of whether the company normally uses them
– Wire transfers are largely anonymous, and attackers use them to move
money around the world quickly
• Business accounts lack the anti-fraud protections that consumer
accounts enjoy (in the US, the consumer liability limits of Regulation E
do not apply to business accounts; commercial transfers fall under UCC
Article 4A instead)
– Most small business owners believe that the bank will refund them for
losses from unauthorized electronic transfers
– Even when the business alerts the bank promptly about suspicious
activity, the bank is under no obligation to cover the monetary loss
• This attack has closed many businesses, and has hit public
utilities, school districts, universities, etc.
Small Business Security Studies
A recent study that focuses on small business security
practices describes how daunting the challenge is*
• Small businesses store important company related data on their
computer systems
– 65% store customer data, 43% store financial records, 33% store credit
card information
• Business owners have an abstract understanding of security issues
– 6% fear the loss of customer data and 42% believe that their customers
are concerned about the security of their business
– 58% believe their data is no safer than it was 12 months ago and 7%
believe it is less safe
• But, their access to security resources is severely limited
– 86% do not have anyone focused on security
– 53% check their computers to ensure that anti-virus, anti-spyware,
firewalls and operating systems are up-to-date
– 20% say they use the minimal threshold of security to protect customer
and employee data
*Source: 2009 NCSA / Symantec Small Business Study, October, 2009, staysafeonline.org
Another study shows that business owners may detect
issues but don’t know how to respond*
• More than half of small businesses have been a victim of
fraud or online crime in the last 12 months
• 37% had an issue with phishing emails, 15% were victim to
card not present fraud and 15% experienced IT system issues
such as viruses and hacking
• One third of businesses currently do not report fraud or
online crime to the police or banks, as they ‘believe that it
would not achieve anything’
• More than half of the respondents wanted clearer
information about how and where to report these types of
crime, and 44% want a specifically named contact in their
local police force responsible for tackling fraud and online
crime
*Source: Inhibiting Enterprise: Fraud and Online Crime Against Small Business, February, 2009, www.fsb.org.uk
What Can Small Businesses Do to
Prevent CyberFraud?
Small business owners are getting pushed into risky
activities outside of their core business
• Electronic Banking:
– Business banking accounts typically allow Automated Clearing House
(ACH) transfers even if the business does not normally use them
– Most small businesses make payments by check or credit card, but
banks do not require prior approval for ACH transactions by default
– Withdrawing money from an account electronically requires little to
no authentication; it relies on legacy banking transaction methods
instead
• Internet Banking:
– Accessing most accounts requires only a username and password,
while in-person banking often requires a government-issued ID
– Banks typically do not monitor where accounts are being accessed
from and cannot adequately verify that the connecting host is authorized
– Despite widespread ignorance of how to bank online safely, banks are
imposing monthly fees to “encourage” business owners to move their
banking to the Internet
• Consumers are not faced with the same problem
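The deck says banks typically do not monitor where a business account is accessed from or whether an ACH looks unusual for that account. As an added example (not code from the deck or from InfusionPoints), here is what such checks look like when run over a constructed activity export: a baseline of countries, devices, payees and amounts is built from past events, and new logins and ACH originations are scored against it. The account name, event layout and the 2x amount threshold are assumptions made for this example.

```python
"""Session and transfer anomaly checks for a business online-banking account.

Added example. Event layout, account names and thresholds are constructed
for illustration; they are not any bank's real format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: int                 # seconds since epoch (constructed values)
    account: str
    kind: str               # "login" or "ach"
    country: str = ""       # login: geolocated source country
    device: str = ""        # login: device/browser fingerprint
    payee: str = ""         # ach: destination identifier
    amount: float = 0.0     # ach: amount in dollars


@dataclass
class Baseline:
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    payees: Set[str] = field(default_factory=set)
    max_amount: float = 0.0


def build_baseline(history: List[Event]) -> Dict[str, Baseline]:
    """Summarise each account's established activity from past events."""
    base: Dict[str, Baseline] = {}
    for e in history:
        b = base.setdefault(e.account, Baseline())
        if e.kind == "login":
            b.countries.add(e.country)
            b.devices.add(e.device)
        elif e.kind == "ach":
            b.payees.add(e.payee)
            b.max_amount = max(b.max_amount, e.amount)
    return base


def score_events(base: Dict[str, Baseline], events: List[Event],
                 amount_factor: float = 2.0) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for every event that deserves an out-of-band check."""
    alerts: List[Tuple[Event, List[str]]] = []
    session_is_new: Dict[str, bool] = {}   # account -> latest login was anomalous
    for e in sorted(events, key=lambda x: x.ts):
        b = base.get(e.account, Baseline())
        reasons: List[str] = []
        if e.kind == "login":
            new_country = e.country not in b.countries
            new_device = e.device not in b.devices
            session_is_new[e.account] = new_country or new_device
            if new_country:
                reasons.append(f"login from new country {e.country}")
            if new_device:
                reasons.append("login from unknown device")
        elif e.kind == "ach":
            if e.payee not in b.payees:
                reasons.append(f"first-ever payment to {e.payee}")
            if b.max_amount and e.amount > amount_factor * b.max_amount:
                reasons.append(f"amount {e.amount:.2f} exceeds "
                               f"{amount_factor:g}x historic max {b.max_amount:.2f}")
            if session_is_new.get(e.account):
                reasons.append("originated in a session from a new country or device")
        if reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed history: a business that pays two vendors from one office laptop.
HISTORY = [
    Event(1_000, "acme-ops", "login", country="US", device="laptop-a1"),
    Event(1_100, "acme-ops", "ach", payee="payroll-svc", amount=4_800.0),
    Event(2_000, "acme-ops", "login", country="US", device="laptop-a1"),
    Event(2_100, "acme-ops", "ach", payee="office-supply", amount=5_200.0),
]

# Constructed new activity: a routine payment, then a session from an
# unfamiliar country and device that pays a never-seen payee a large amount.
NEW_EVENTS = [
    Event(3_000, "acme-ops", "login", country="US", device="laptop-a1"),
    Event(3_050, "acme-ops", "ach", payee="payroll-svc", amount=5_000.0),
    Event(4_000, "acme-ops", "login", country="UA", device="unknown-x9"),
    Event(4_030, "acme-ops", "ach", payee="j-smith-personal", amount=12_000.0),
]


def run_demo() -> List[Tuple[Event, List[str]]]:
    return score_events(build_baseline(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for ev, why in run_demo():
        print(f"{ev.kind:5} @{ev.ts}: " + "; ".join(why))
```

The routine payment passes silently; the foreign login and the large first-time payment each come back with reasons that a bank, or the business itself, could act on before settlement. One caveat matters for the botnet scenario in this deck: a Trojan running on the victim's own office machine originates transfers from a known device and country, so the location and device checks alone will not catch it. The payee and amount checks still fire, and the real fix is an approval channel the Trojan cannot reach.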
Small business owners should first determine what
they have that’s worth protecting
• Rule #1: Don’t be complacent
– It’s one thing to have no control, it’s another to relinquish it out of
ignorance
– Attacks can and do happen, but they don’t have to impact the
business
– Ask questions of service providers (including banks) about how they
will respond should an attacker infiltrate business accounts
• Understand the business liability
• Rule #2: Assess and monitor business risks
– Follow the money to identify where the business is weakest, especially
where it lacks control but is still liable for any issues
• Electronic transfers
• Internet banking
• Rule #3: Get help when needed
– Don’t trust the service provider outright; they will look after their own
interests first
We are working to find new resources to help protect
small businesses, but the results are very limited
• Establishing a Government Program Management Office
– Discussions with several government organizations have been
encouraging, but there has been little movement to date
– Agencies like the idea, but small business losses haven’t warranted
greater attention by anyone but the FBI, and that only in minor form
• Working with Banks, Telecommunications and Services
Providers
– They place most of the blame on the business despite actively
marketing risky services to them
• Working with Vendors
– The security industry doesn’t really understand the constraints that
small businesses operate under
• Ex: How does a small business buy separate appliances for network
protection, threat detection, virus prevention, etc.?
• What’s the ROI for the business?
We are working in parallel to provide new resources
to help small businesses help themselves
• Established the CyberSecurityForSmallBusiness partnership to
provide a wide range of assistance, support, and solutions
– InfusionPoints
– Blue Glacier Management Group
– Stratum Security
• Conduct free Cyber Security Lunch and Learn seminars
– Local Chambers of Commerce
– Local Economic Development Associations
• Developed a Cyber Security website for Small Businesses,
Partners, and Members
As security professionals, we need to accept
responsibility for helping small business owners
• Use an “Adopt a Business” technique to help business owners
better understand their risks
– Start by creating a culture of security to better protect the business
bottom line and be less likely to incur liability
– Promote an understanding that cyber security is good for business and
helps prevent cyber crime on customers, fellow businesses, and our
country
• Challenge vendors and service providers to do more
– Engage in debates to help the industry evolve
• Ex: Why do anti-virus vendors make so much money while preventing fewer than
50% of new malware infections?
• Ex: How can intrusion detection systems be considered effective if they
only trigger on high-volume events, when new attacks trend toward less traffic?
• Ex: What should a small business owner actually take away from their
marketing?
Some more resources to help educate us
• WWW.CYBERSECURITYFORSMALLBUSINESS.com
• www.us-cert.gov
• www.staysafeonline.org
• www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity
• www.esrmo.scio.nc.gov/MalwareThreatsandMitigationStrategies.htm
• www.whitehouse.gov/blog/Protecting-yourself-online
• www.uschamber.com/sb/security
• csrc.nist.gov/groups/SMA/sbc
• www.onguardonline.gov
• www.ic3.gov
Open Discussion on Security Controls
What are your thoughts on how small businesses can
protect themselves?
• Multi-factor authentication challenges
• Browser/OS segmentation
• Out-of-band approvals
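As an added example for the “out-of-band approvals” item (not code from the deck or its authors): a one-time code that only proves the user is present does not help when a Trojan in the browser rewrites the payee and amount after the user types it. Computing the approval code as an HMAC over the exact transfer details plus a per-request nonce means a code the user computed for the transfer they saw cannot approve a different one. The shared secret, the account and routing identifiers and the message layout are assumptions made for this example.

```python
"""Out-of-band approval code bound to the transfer it approves.

Added example. The secret, identifiers and message layout are constructed
for illustration, not taken from any bank or token vendor.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Transfer:
    account: str          # originating business account (constructed)
    payee_routing: str    # destination routing number (constructed)
    payee_account: str    # destination account number (constructed)
    amount_cents: int     # integer cents: no "5,000.00" vs "5000" ambiguity


def canonical(t: Transfer, nonce: str) -> bytes:
    """Fixed field order and separator so both sides MAC identical bytes."""
    return "|".join([t.account, t.payee_routing, t.payee_account,
                     str(t.amount_cents), nonce]).encode()


def approval_code(secret: bytes, t: Transfer, nonce: str, digits: int = 8) -> str:
    """Short numeric code the user reads off the out-of-band device."""
    mac = hmac.new(secret, canonical(t, nonce), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP): 4 bytes at an offset given by
    # the low nibble of the last byte, sign bit masked, reduced mod 10^digits.
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class ApprovalServer:
    """Bank side: record what was received, send a nonce out of band, verify."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: Dict[str, Transfer] = {}

    def challenge(self, received: Transfer) -> str:
        # `received` is whatever the online session submitted, tampered or not.
        nonce = secrets.token_hex(8)
        self._pending[nonce] = received
        return nonce

    def verify(self, nonce: str, code: str) -> bool:
        # One attempt per challenge: the nonce is consumed on any answer,
        # which also rules out replaying an earlier approval.
        t = self._pending.pop(nonce, None)
        if t is None:
            return False
        expected = approval_code(self._secret, t, nonce)
        return hmac.compare_digest(expected, code)


def run_demo() -> Dict[str, bool]:
    secret = b"\x42" * 32        # constructed shared secret held by bank and device
    bank = ApprovalServer(secret)
    intended = Transfer("acme-ops", "123456789", "000123456", 500_000)
    swapped = Transfer("acme-ops", "123456789", "000987654", 1_200_000)

    # Honest path: the bank received exactly what the user intended.
    n1 = bank.challenge(intended)
    code1 = approval_code(secret, intended, n1)   # computed on the user's device
    honest = bank.verify(n1, code1)

    # Man-in-the-browser: the bank received a swapped payee and amount, but
    # the user's device signs the transfer the user actually saw and intended.
    n2 = bank.challenge(swapped)
    tampered = bank.verify(n2, approval_code(secret, intended, n2))

    # Replay: the already-consumed approval cannot be presented again.
    replay = bank.verify(n1, code1)
    return {"honest": honest, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(run_demo())   # {'honest': True, 'tampered': False, 'replay': False}
```

Two points tie this back to the other items on the slide. The binding only helps if the details the user confirms are shown on the second device or token, not in the possibly compromised browser; and the shared secret has to live on that separate device, which is the “browser/OS segmentation” item in practice.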
Thank you!
Contact Information
124 W Kapp St
Dobson, NC 27017
Tel: 704-464-3161
Michael A Figueroa, CISSP
Senior Vice President
Email: Michael.Figueroa@InfusionPoints.com
Website: www.InfusionPoints.com