Protect Your Business – Part 1

Consumers enjoy a generous security blanket when it comes to recovering losses related to hacked bank accounts, ACH/wire fraud, and stolen credit cards. This protection often leads to lax security controls on the public's part. However, businesses do not have the luxury of this protection. If an individual suffers a hacked bank account or ACH fraud, the bank will usually make them whole. Swap the victim from a consumer to a business and suddenly the business is left to bear the loss.

The Protect Your Business series will help businesses learn how to implement solid controls and secure the low-hanging fruit that makes many businesses an easy target for hackers.

The concept of 'defense in depth' (DiD) will be very familiar to readers within the InfoSec industry. In short, this concept emphasizes the need to structure security in layers for the greatest protection. Defense in depth can be applied regardless of an entity's size and will provide security benefits in proportion to the time and resources available.

The following diagram is an illustration of a basic layered network defense. 

The outside layer is perimeter security, which might include a firewall, VPN, antivirus, intrusion detection systems (IDS), access control lists (ACLs), physical access controls (locks, RFID access controls, etc.), multi-factor authentication, mutual authentication, and many other types of controls. 

Within your network there are many internal controls (administrative, physical, and technical) that can be implemented including data encryption, documented policies and procedures, segregation of duties (where possible), accounting/finance controls, strong passwords, and application/network activity reviews.  These controls make up the internal layer of defense.

At the center of this illustration is the ‘Human’ factor of the business structure – the employees.  The human element can be any security plan’s greatest strength or its Achilles heel.  Human controls include proper training, regular reviews of access rights, accountability, and password management. 

To show how much security relies on the human element, let's look at a real-life example I encountered in recent years.

Jack (not his real name) is the senior accountant for a local pet shop chain. The company has three locations and 37 employees. Due to the company's small size, Jack is also responsible for administering the company's network and user accounts. The company had recently installed a robust firewall and felt quite secure based on the firewall's reviews. The accounting and operations personnel were allowed remote access (via Microsoft Remote Desktop) to a server on the company network that was used for banking, accounting, and inventory management. This allowed the staff to complete accounting and product ordering duties from home. The owner was very proud of this and touted it as a benefit to employees to assist them in balancing their work and personal lives.

Jack regularly received complaints from employees about forgotten passwords and decided that it would be more efficient to change all the user passwords to the same password.  Since Jack had more experience with technology than anyone else at the company, the owner approved Jack’s idea, thinking that it would free up Jack to focus on his accounting responsibilities. 

A few weeks after the password change, Jack was performing the month-end bank reconciliation and noticed four large payments of $9,000 to an unknown customer. After reviewing current purchase orders, Jack found nothing to support the mystery payments. In a panic, Jack called the company's bank and requested a stop payment. The bank politely notified Jack that the payments had originated from the company's account and had already been processed. Furious, Jack argued that the payments were fraudulent and that the company had not approved nor originated the payments. The response was less than comforting: "We apologize, but the bank is not liable for fraudulent business account activity. Have you considered an insurance plan specifically for electronic fraud?" Jack engaged a forensic accounting firm, and further research showed that the payments had originated from the company's internal server used for banking. After a thorough investigation, the firm discovered that around the time of the fraudulent payments there were unusual remote desktop sessions originating from IP addresses outside of the United States. When the firm discovered that all of the company's users had the same password, they surmised that the password had been shared outside of the company or sold online. Eventually the deed was tracked to a regular store employee, who was promptly terminated. The company was still stuck with the $36,000 loss and the forensic investigation bill, which set them back about $48,000.

How did this happen?  Shared or ‘generic’ passwords are extremely dangerous.  Hackers need only know that all employees have the same password, and that the company used Microsoft remote desktop to connect directly to the server.  From there it would be relatively easy for a competent hacker to discover an accounting employee’s email address (often the same as their login) and the public IP address of the server used for banking to facilitate the fraud.  Having a firewall did nothing to protect the company from this security breach due to the mismanagement of passwords and the lack of properly layered defenses.  Security quickly became a hot topic at the pet shop with the implementation of unique user passwords, a secure VPN for remote access, and user access to the server restricted to local access only. 
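The investigation above turned on two signals in the server's logon records: remote desktop sessions from unexpected networks, and a single remote address authenticating as several different accounts, which is what a shared password looks like from the log's side. The following audit script is an added example, not part of the original post; the approved network ranges and the logon records are constructed sample values.

```python
# Added example (not from the original post): audit RDP logon records for
# the two signs the pet-shop investigation found: sessions from outside the
# approved networks, and one remote address logging in as several different
# accounts (a hint that a single shared password is circulating).
import ipaddress
from collections import defaultdict

# Networks the business considers legitimate remote sources (assumed values).
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # office egress
                     ipaddress.ip_network("192.168.10.0/24")]  # internal LAN

# Constructed sample records: (timestamp, account, source IP, logon type).
# Logon type 10 is RemoteInteractive (RDP) in Windows Security event 4624.
SAMPLE_LOGONS = [
    ("2013-04-02 08:05", "jack", "192.168.10.14", 2),   # console logon on LAN
    ("2013-04-02 19:12", "mary", "203.0.113.40", 10),   # RDP from office range
    ("2013-04-03 02:41", "jack", "198.51.100.77", 10),  # RDP from unknown host
    ("2013-04-03 02:43", "mary", "198.51.100.77", 10),  # same host, 2nd account
    ("2013-04-03 02:50", "ops1", "198.51.100.77", 10),  # same host, 3rd account
    ("2013-04-04 18:30", "ops1", "203.0.113.41", 10),   # RDP from office range
]

def is_approved(ip):
    """True if the source address falls inside an approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)

def audit_rdp_logons(records, min_accounts=2):
    """Return (unapproved, shared): unapproved lists RDP logons from outside
    APPROVED_NETWORKS; shared maps a source IP to the set of accounts it
    used when that set has at least min_accounts members."""
    unapproved = []
    accounts_by_ip = defaultdict(set)
    for ts, account, ip, logon_type in records:
        if logon_type != 10:          # only remote desktop sessions
            continue
        accounts_by_ip[ip].add(account)
        if not is_approved(ip):
            unapproved.append((ts, account, ip))
    shared = {ip: accts for ip, accts in accounts_by_ip.items()
              if len(accts) >= min_accounts}
    return unapproved, shared

if __name__ == "__main__":
    bad, shared = audit_rdp_logons(SAMPLE_LOGONS)
    for ts, account, ip in bad:
        print(f"{ts} RDP logon by {account} from unapproved address {ip}")
    for ip, accts in shared.items():
        print(f"{ip} logged in as {len(accts)} accounts: {sorted(accts)}")
```

On a real server the records would come from the Security event log; unique passwords and VPN-only access, as the pet shop eventually adopted, remove both signals at the source.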

This type of story is not uncommon. In the past several years, small businesses have become an increasingly popular target for hackers due to the lack of attention paid to IT and network security. Even with good intentions, limited physical controls, and technology controls (a firewall) in place, lax controls over the human element failed to prevent a breach.

Passwords alone are not enough to provide the security your business needs to protect its investments and operations.  Businesses have to approach security in layers to achieve any form of effective defense against the various digital threats that target the small business community today.

The next segment in this series will expand on alternate approaches to layering your security using the defense in depth principle.
