As yet another high-profile attack hits a major website, Gordon Holmes reports on a new government scheme that aims to protect small businesses against cyberattacks
Another month, another data breach. At least, that's how it seems to me. I suspect most of you will have seen reports of a group of hackers calling themselves 'The Impact Team' who released details of 33 million accounts allegedly registered with the online infidelity site Ashley Madison. Apparently the hackers took exception to the dubious morality of a web platform that encouraged its members to commit adultery and stole a reported 300 gigabytes of data.
The Canadian police are conducting enquiries into the hack as well as the subsequent release of members’ account details. Having worked closely with the Mounties in the past, I know them to be efficient, cyber-savvy and extremely persistent. It's true - they always get their man (or woman).
However, in reality there are far more breaches, where web servers are hacked and stolen account details are posted, than those we read about in the papers. On the side of the good guys are a number of 'white hat' researchers who make it their mission to identify potentially vulnerable websites and contact the site administrator to warn them of the flaw, giving them the opportunity to plug the security hole. However, there would also seem to be a large number of commercial sites whose administrators are more concerned with the bottom line than the security of their users.
This situation was brought to my attention recently when one of my contacts in the cyber-intelligence field called to ask what I thought about a post he had found on www.pastebin.com.
For those of you who haven't heard of this site, pastebin.com is one of a number of pasting sites that have long been used by members of the programming community to post plain text (known as ‘pastes’) and to share source code or other such coding snippets. However, the ability to use the site anonymously, or just under your chosen username, made the site a bragging ground for hackers to strut their stuff.
My contact had found what appeared to be the contents of an insecure server. The paste included full details of emails, usernames, passwords and orders made with a particular small business in the UK. My friend’s dilemma was whether he should inform the data owner of this compromise, and we agreed that to let the company know was the best thing to do.
We then contacted the third arm of our security triumvirate: another trusted colleague with extensive experience in the identification and remediation of server breaches. He was able to quickly identify that the business server was vulnerable to SQL injection attacks. He thought it highly likely this kind of attack had occurred, resulting in the attacker being able to bypass the normal admin login and access the company's database directly.
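The login bypass described above comes down to how the admin login query is built. The following is an added example, not code from the column or from the business concerned: a constructed SQLite table with one made-up admin account, the string-built query that lets a crafted username discard the password check, and the parameterised form that closes the hole. The account name and password are constructed values.

```python
import hashlib
import sqlite3

def _hash(password):
    # Kept deliberately minimal; a real site would use a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed in-memory stand-in for the business's admin/customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash("correct horse")))
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The username typed into the form is spliced straight into the SQL text, so a
    # quote character ends the string literal and the rest of the input is parsed as SQL.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the values separately from the SQL text,
    # so whatever the visitor types can never change the shape of the statement.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, _hash(password))).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    # A username ending in a quote and a SQL comment marker leaves the password
    # comparison inside the comment, so the vulnerable query never evaluates it.
    crafted = "admin' --"
    return {
        "vulnerable_real_password": login_vulnerable(conn, "admin", "correct horse"),
        "vulnerable_crafted_username": login_vulnerable(conn, crafted, "wrong"),
        "safe_real_password": login_safe(conn, "admin", "correct horse"),
        "safe_crafted_username": login_safe(conn, crafted, "wrong"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions accept the genuine credentials; only the string-built one also accepts the crafted username with a wrong password, which is the "bypass the normal admin login" outcome the column describes.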
This tale has a bittersweet ending; our server expert was able to advise the company as to how to beef up the server to reduce the chances of attacks like this happening in the future, but this still left the business owner with the prospect of contacting his compromised customers to explain what had happened. I do hope that this chap doesn't suffer too much reputational damage. Let's face it, the real problem lies with his web host, not with him.
The business concerned was operating in the same way as hundreds of other small businesses; growing its customer base and concentrating on delivering its core services to the best of its ability. The problem is that, with no available budget for cyber-security and an absolute requirement to operate using the internet, businesses such as this are ripe for targeting by the small-minded yet tech-savvy idiots seeking to increase their 'kudos' rating among their equally small-minded peers.
There is a government initiative aimed at raising cyber-security levels within organisations. This initiative is backed by industry including the Federation of Small Businesses, the CBI and a number of insurance organisations who offer incentives for businesses that implement the scheme.
The scheme is called 'Cyber Essentials', and it aims to help businesses raise their cyber-security level. Cyber Essentials is described as low-cost and light-touch, and defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of internet-based threats. In particular, it focuses on threats which are widely available online and require low levels of attacker skill. Businesses are independently assessed and then helped to achieve certification, so demonstrating to potential customers that they are safe to trade with. I anticipate that this basic standard of business cyber-security will become mandatory in certain areas, particularly when dealing with government contracts.
If you run a small business and you don't have a large cyber-security budget at your disposal, therefore, there is relatively low-cost assistance available. Go to www.gov.uk and use the search term Cyber Essentials: there's plenty of worthwhile reading there. Let's face it: it's unlikely my friends and I will be around with free advice should you be the next unfortunate victim of a data breach.
For more, and to stay abreast of everything that's going on in the world of technology, subscribe to Computer Shopper magazine today, and get your first 3 issues for just £1.