Earlier this week, it was reported that a cybercrime operation led by Interpol, with investigators from seven countries in Southeast Asia, found almost 9,000 servers infected with malware, as well as hundreds of compromised websites.
This came just months after the Singapore Ministry of Defence (MINDEF) announced that it had detected a breach of one of its Internet-connected systems. The incident affected MINDEF's I-net network, which provides servicemen and employees with Internet access for personal communications and web browsing.
Attacks are not going away
While the infected servers found through Interpol's efforts appear to have been put to more mundane uses, namely launching Distributed Denial of Service (DDoS) attacks and distributing spam, details published by MINDEF after a detailed forensic investigation revealed that NRIC numbers, telephone numbers and dates of birth (the information required to log into the network) could have been leaked.
In MINDEF's case, the breached system was fortunately on a separate network from the one used to store classified military information. The leaked data is probably not directly usable in a further attack on those systems, though it could be leveraged for spear phishing or social engineering to glean more information about the individuals concerned.
If there is one lesson being driven home, it is that no one is immune to security breaches. While practically all reports of cyberattacks and data leaks in recent years have concerned countries in the West, it is illogical to assume that the same threats do not exist here in Southeast Asia. Considering that switching targets is a matter of keying in a new IP address, it is arguable that cyberattacks in the region have been vastly underreported.
Yet the pervasiveness of IT means that few businesses in Singapore can disavow technology completely and continue to operate. Indeed, that pervasive digitisation means the risks today are much higher than in the past, and they will not go away anytime soon.
Attackers are indiscriminate
One common mistaken assumption among SMEs is that they are unlikely to attract the attention of hackers, a "we're too small" mindset used to justify inaction or underinvestment in security. This viewpoint does not match how most hackers operate in practice: they rarely single out companies from the outset.
Hackers are often indiscriminate in whom they attack, launching automated probes across swathes of the Internet to find vulnerable hosts, or running actual attacks against a random handful of targets chosen for the systems they run, to see whether anything produces a result. They operate on the principle of finding low-hanging fruit: hosts worth further investigation, or which simply succumb to automated tools.
For instance, it has been a month since I set up Cloudbric on TechBlogger.io, and this is what my dashboard looks like.
The top attacked URLs show some of the most common vectors these attackers use: unsurprisingly, attempts against the much-debated and divisive xmlrpc.php file, which some feel exposes WordPress blogs to unnecessary risk, and various attempts to log into WordPress. In addition, I also noticed repeated queries that are the signs of probing attempts, or repeated attempts to exploit poorly programmed pages with malformed requests.
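The probes described above leave recognisable traces in an ordinary web-server access log, so you do not need a third-party dashboard to see them. As an added example (not code from the original post, nor from Cloudbric or WordPress), the Python script below scans constructed Apache-style "combined" log lines for hits on xmlrpc.php, POSTs to wp-login.php and requests carrying typical exploit fragments, then flags source IPs that reach a threshold. The sample lines, the fragment list and the threshold of five are assumptions chosen for illustration.

```python
"""Flag WordPress probe traffic in a web-server access log.

Added example, not code from the original post or from Cloudbric.
The log lines, exploit fragments and threshold below are constructed
assumptions for illustration.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format (referrer and user-agent ignored).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Fragments typical of exploit attempts against poorly written pages
# (directory traversal, script injection, SQL injection).
MALFORMED_RE = re.compile(
    r"(\.\./|%2e%2e|<script|union\s+select|/etc/passwd)", re.I
)

# Constructed sample: one host hammering xmlrpc.php, a small login
# brute force, one traversal attempt, one ordinary visitor, one junk line.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Apr/2017:10:01:02 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.9 - - [10/Apr/2017:10:01:03 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.9 - - [10/Apr/2017:10:01:04 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.9 - - [10/Apr/2017:10:01:05 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.9 - - [10/Apr/2017:10:01:06 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
203.0.113.9 - - [10/Apr/2017:10:01:07 +0800] "POST /xmlrpc.php HTTP/1.1" 200 403
198.51.100.23 - - [10/Apr/2017:10:02:11 +0800] "POST /wp-login.php HTTP/1.1" 200 3261
198.51.100.23 - - [10/Apr/2017:10:02:12 +0800] "POST /wp-login.php HTTP/1.1" 200 3261
198.51.100.23 - - [10/Apr/2017:10:02:13 +0800] "POST /wp-login.php HTTP/1.1" 200 3261
192.0.2.77 - - [10/Apr/2017:10:03:00 +0800] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 404 209
192.0.2.1 - - [10/Apr/2017:10:04:00 +0800] "GET /about/ HTTP/1.1" 200 8812
this line is not an access-log record
"""


def parse(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed request as a probe kind, or None if it looks benign."""
    path = rec["path"].split("?", 1)[0]
    if path == "/xmlrpc.php":
        # Any hit on xmlrpc.php is suspect: pingback abuse and
        # system.multicall password guessing both go through it.
        return "xmlrpc"
    if path == "/wp-login.php" and rec["method"] == "POST":
        # GET is a user opening the login form; POST is a login attempt.
        # WordPress answers a failed attempt with 200 (form re-rendered)
        # and a successful one with a 302 redirect.
        return "wp-login-fail" if rec["status"] == "200" else "wp-login"
    if MALFORMED_RE.search(rec["path"]):
        return "malformed"
    return None


def analyse(lines, threshold=5):
    """Count probe requests per source IP.

    Returns (flagged, unparsed): flagged maps an IP to its probe counts
    when it reaches `threshold` probes or sends any malformed request;
    unparsed counts lines the regex rejected, so a change in log format
    does not silently hide the traffic you are looking for.
    """
    per_ip = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        kind = classify(rec)
        if kind:
            per_ip[rec["ip"]][kind] += 1
    flagged = {
        ip: dict(counts)
        for ip, counts in per_ip.items()
        if sum(counts.values()) >= threshold or counts["malformed"] > 0
    }
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = analyse(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(flagged.items()):
        print(f"{ip}: {counts}")
    print(f"unparsed lines: {unparsed}")
```

Run against a real log with `analyse(open("/var/log/apache2/access.log"))`; the two IPs the sample flags are the xmlrpc.php hammerer and the traversal attempt, while the three failed logins stay below the threshold until you lower it. A single malformed request is flagged regardless of volume, because one exploit attempt is a stronger signal than one login failure.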
So how are SMEs to defend themselves in an increasingly hostile world? It will certainly entail doing a lot more than installing antimalware software and keeping software up to date, though the latter is a good start.
Defending your business
Getting on the right track requires that SMBs place a heavy emphasis on security. That could take the form of hiring security-trained IT staff who are well versed in reviewing existing systems, software and processes. Modern measures should be implemented to raise the level of security in the organisation, and penetration tests conducted to find chinks in its protection.
Unfortunately, these approaches are typically not within reach of smaller businesses. One ill-suited approach that small business owners may be tempted to adopt is to assign someone from the existing team to beef up security. While doing something is certainly better than sticking with the status quo, my question is this: would you see a gynecologist to set a broken bone, or a dentist if you had difficulty breathing?
IT is a broad field today, and it is not reasonable to expect any "IT expert" to handle security well. I speak from personal experience, having been a 14-year-old geek who turned his spare PC into a Linux box acting as a router (standalone routers didn't exist then), which got hacked. Or when this blog was injected with a shadow site that ran from a virtual folder, sapping compute and network resources in the background.
One alternative is to outsource security to an external provider, letting them handle the work of managing it. This can be pricey, however, so a middle ground may be to rely on specialised service providers for some aspects of it. For instance, there are providers who specialise in mitigating DDoS and web-based attacks, in email security, or in cloud-based firewalls that keep an eye on your corporate network.
There is no one-size-fits-all approach, however; a lot depends on your specific IT environment, the kinds of systems in place, the number of employees, and the transactional value of your business. Ultimately, SMBs need to up their security game, invest more seriously, and think harder about how to protect themselves.