While you might assume that the Target data breach was caused by a coordinated and sophisticated malware attack, the truth is much more frightening.
SecurityWeek.com profiles McAfee's investigation of the data breach, explaining that cyber criminals used "off-the-shelf" malware to carry out their attack. That's a bit like breaking into Fort Knox using a screwdriver.
The Deep Web's Secret Online Stores of Malware and Stolen Identities
Believe it or not, cyber theft is a big business and there are major marketplaces where criminals can buy and sell malware and stolen identities.
McAfee reports that it's easy for hackers to purchase malware on underground communities on the Deep Web (also called the Dark Web), which are inaccessible to standard Internet users. In essence, this hidden Internet community offers places for black markets to sprout up. Here, hackers can purchase malware and, after using it, they can sell stolen data to other criminals who will use it to commit identity theft.
Amazingly, the hackers who broke into Target's network used relatively common and unsophisticated malware to commit the largest data breach in U.S. history.
Whom Do Hackers Target with Malware? (Hint: Me, You, and Everyone We Know)
This question reveals what people misunderstand about data breaches and security vulnerabilities. Your clients might think of hackers as nefarious criminals who set their sights on one particular company and attack until they break in. That's the Hollywood version of hackers.
In reality, hackers are more like common criminals who walk from car to car looking to see if anyone left their door unlocked. They'll steal what's made available to them.
Dispelling these myths is a key way to get clients to adopt better security practices. For more on this, see our post The Million-Dollar Client Conversation.
Adobe ColdFusion Data Breach Shows Dangers to Small Businesses
Recently, the credit card company Discover and other financial institutions began to notice a lot of suspicious activity on their customers' cards. The credit card company wasn't hacked. But it turned out that numerous online retailers were. Many were small businesses.
Security watchdog Brian Krebs reports that hackers built a botnet (a collection of thousands of computers that hackers have secretly taken over) to steal credit card data from numerous e-commerce sites. How were they able to do this?
These hackers decided to prey on a known security weakness. Old versions of Adobe’s web app language ColdFusion (CFML) had a known vulnerability that could give hackers access to data. They used their botnet to scan e-commerce sites looking for these old versions of ColdFusion, essentially testing for unlocked doors.
The result was that user data was stolen from all kinds of websites, including some small businesses. Simply being connected to the Internet put companies at risk.
(For more on the risks of outdated software, see our article Software Patches: The Good, the Bad, and the Liability.)
How to Be Ready for the Future of ID Theft and Data Breaches
Given that hackers can use relatively simple methods to steal millions of users' information, commit identity theft, and cause billions of dollars in damage, what should you do as an IT consultant? Here are some suggestions:
- Update your software. The ColdFusion data breaches could have been avoided had system administrators simply updated from old versions of their software.
- Realize liabilities continue after the job is over. After you've finished installing enterprise software or setting up a client's website, remember that you'll have ongoing obligations to that client. If the software you used has a flaw in it (*cough* ColdFusion), you could be sued if the client is hacked through that flaw. You'll need to remind clients to update software and make sure they understand the ongoing risks associated with it.
- Educate your clients. Clients have a lot of misconceptions about hackers, malware, and the risks they face. While you don't want to be accused of scaremongering, make sure your clients understand what "hacking" really is and why small businesses are vulnerable.
- Consider the benefits and risks of outsourcing / cloud sourcing. Many security experts will tell you to outsource services that handle private data. They'll say to use third-party IT companies to handle credit card transactions rather than store financial data on your own computers. That's good advice. Sort of. Actually, as the cyber-crime-fighting company Trustwave reports, 63 percent of all hacks come from vulnerabilities in a company's third-party contractors. Some third-party vendors are secure, others not so much. In fact, the ColdFusion botnet also hacked SecurePay, a tech company that secures credit card payments on websites. (See a more detailed examination of contractor liability in our article Help Your Clients Understand the Risks of Third Party Contractors.)
- Protect yourself from cyber liability lawsuits. For a small-business owner, the idea of cyber crime can be overwhelming. Hackers have many tools, but only need a few to break into a network. With all these vulnerabilities and weaknesses, it's vital for IT contractors to protect their businesses from data breach lawsuits. Errors and Omissions Insurance can pay for a lawsuit when a client sues you over a data breach on their computers (or one caused by a vendor that you recommended).
To learn more about the cost of E&O coverage, see these sample insurance quotes for small businesses.