Low Hanging Fruit of Cybercrime

On the front page of today’s IBD, there was a very timely article which should be a call to action to any business, and particularly small business. The article, “2015 Cyberattack Threats Lurk For Stock Exchanges, Law Firms,” raises several concerns and predictions on the heels of the massive attack on Sony Pictures at year’s end.

The key takeaway from the article, which should become a call to action, is the tightening of security defenses by many large firms in the wake of the attacks from this past year. As larger organizations bolster their defenses, small to midsize businesses become the low hanging fruit of cybercrime.

Applications, services, and data are moving to the cloud. Employees as well as their employers are demanding near constant connectivity which co-mingles personal assets with organizational assets. And, the Internet is becoming an Internet of Things where almost every conceivable device or appliance can be connected to the vast network of cyberspace. The attack surface for most small businesses is large and that is a concern.

What is an attack surface? In the everyday vernacular, a good analogy would be to consider an ordinary home or office. Within the premises there are valuable assets such as furniture, jewelry, family members or employees, cash, sensitive information and papers, etc. The valuable assets are what a criminal seeks to acquire. The attack surface would be anything which could potentially provide a path or means to access the valuable assets, such as a door, window, crawl space under the house, ventilation duct, etc. A criminal in this case could scope and attack any of these surfaces attempting to gain access to the valuables.

In cyberspace, attack surfaces are similar to the physical world, although not always visible or in focus of most businesses. Corporate assets such as laptops are obvious attack surfaces, as are tablets, smartphones and other mobile devices. Web applications, cloud access points, data stored in public clouds, etc. are other examples. How many small businesses actually know and can articulate their attack surface? I would venture that the answer is “not many.”

So what should a typical small business do to reduce the risk of being the low hanging fruit of cybercrime? The first step is to list all of the functions and activities of the business, and then, under each, to identify the tools and systems used to conduct those business activities. This exercise produces what would be called the asset register, which is essentially a list of valuables for the business. An example from the physical world would be a list of all valuables, with costs and receipts, kept in a safe deposit box for insurance purposes in case of theft, fire, or other disaster.

Next, review all of the ways the assets are used and accessed. Some of this can be accomplished by brainstorming or a desk audit, although for a business of any size much beyond a sole proprietor, it will be necessary to interview key employees engaged in executing the business tasks and processes. This exercise may yield some surprises, as it is not uncommon for teams and departments to stand up IT systems outside of the scope and view of either IT or the security department. Cloud based services make it very easy to set up applications and place data outside of the traditional premises. Worse, some of these applications in the cloud can be set up to access data and systems which otherwise would not be accessible from outside the organization.

As the review of business functions and tasks produces the list of valuables, or asset register, the review of how those assets are accessed identifies the attack surfaces. Then, decisions can be made regarding the business necessity of each access point in the attack surface, to determine whether the surface can be reduced. In other words, can we do with fewer windows and doors? And if we can’t, how can we make them more secure? Previously, we may not have even known the assets and/or access existed, much less made them secure. Let’s walk through a small example.

The IBD article today mentioned medical practices as potential targets. Why? Because they hold a wealth of personal information which could potentially be used to gain identity, credentials, and other information to set up fraudulent accounts, etc. For our example, let’s use a busy dental practice.

Our group of dentists has a thriving practice and employs several people from front office, business manager, assistants and hygienists. The chairs are always filled and appointments are booked months out into the future. The business activities are very straightforward: (1) schedule appointments, (2) provide care to patients, (3) bill insurance and collect patient payments, (4) process payroll for the employees, and (5) maintain group benefits such as retirement, health insurance, etc. for the employees. I may have missed a few although these would be the primary functions and are a good example for discussion purposes.

So what is our list of valuables for the dental practice? We can identify banking data, patient data, and employee data as three primary assets. All three of these would be prime targets for cyber criminals seeking to commit financial crimes.

Now what is our attack surface? Here we will need to speculate a bit as this is a hypothetical example. For discussion purposes, we may have computers in every room and at the front desk. Those computers might be connected to the Internet. There would be a database which contains very personal and private information on all of the patients as charts and other personal information are increasingly digitized. There would be access to insurance databases for submitting claims for payments, as well as perhaps financial information for each patient. The systems may connect to the bank account used for the practice as well as vendors for ordering supplies. Plus, the dentists and/or the office manager may have mobile devices which connect to calendar information (with patient name) and perhaps banking applications.

We have a pretty extensive attack surface as described above. I mentioned that the computers in the office connect to the Internet, so this is a great place to run with our example. While a policy does exist that employees may not use office computers for personal business, the employees of this office do casually use the Internet in between patients, on breaks and at lunch. The hygienists can check email and Facebook from the computers in their rooms, and the office manager is always busy surfing the web and frequenting online shopping sites when not ordering supplies or submitting payroll and/or claims. Can we see a problem here?

Email, Facebook and websites represent a substantial risk to the assets of this practice. Clicking on a questionable link in an email or on Facebook, or even visiting a compromised website, can provide a criminal with an entry into the practice. It is estimated that 67% of malware is delivered through legitimate websites whose owners do not even realize they are infected, and the malware is then spread to unsuspecting website visitors.

One day, one of the hygienists, Kim, clicks on a link sent to her by a Facebook friend for a funny video. The link does display a video, but in the background it silently loads malicious software on the computer Kim uses in her exam room. As Kim has full access to patient data, our attacker has now compromised Kim’s credentials and gains full access to the patient database as well as the billing data. It may now be possible to create fraudulent banking transactions as well as insurance claims. Even worse, the patient data is now exposed, and the patients of this thriving practice are at risk of identity theft because so much personal information has been exposed, all compliments of their hygienist, Kim.

What can be done to reduce the risk and shrink the attack surface at this dental practice?

An obvious start would be to lock down the computers in the patient exam rooms. There really should be no business case for allowing the staff to access the Internet and things such as personal email and Facebook from computers in the exam room which also access patient data. If the dentists in the office wish to provide access to employees on break, then they should consider a separate computer in the break room which has no access to patient data for employee use, similar to public computers in a hotel business center. The office manager should also be prevented from web surfing and shopping from the same computer used to process banking, payroll, and insurance claim transactions. A dedicated computer should be used for processing banking and insurance claim transactions which is used for nothing else and locked down to specific sites needed to effect those transactions.
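As an added illustration (not the author’s own tool or code), the before-and-after attack surface of this hypothetical practice can be modelled as a small access graph, where a directed edge means “access to X gives access to Y” and the attack surface is every valuable reachable from the Internet-facing browsing activity. The node names, and the notion that malware on a workstation runs with that user’s credentials, are assumptions built from the example:

```python
"""Attack-path model of the dental-practice example (added illustration,
not the author's own tool). Nodes are entry points, workstations,
credentials and valuables; the attack surface is the set of valuables
reachable from an Internet-exposed entry point, and each returned path
is one 'window or door' that the lockdown should close."""
from collections import deque


def reachable_paths(edges, entry, valuables):
    """BFS from `entry`; return {valuable: shortest path} for each valuable hit."""
    paths, queue, seen = {}, deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in valuables:
                paths[nxt] = new_path
            queue.append(new_path)
    return paths


VALUABLES = {"patient_db", "billing_data", "bank_account", "payroll"}

# Constructed sample: the practice as the post describes it, before any fix.
BEFORE = {
    "internet": ["exam_room_pc", "office_manager_pc"],  # email/Facebook/shopping
    "exam_room_pc": ["kim_credentials"],                  # malware runs as Kim
    "kim_credentials": ["patient_db", "billing_data"],
    "office_manager_pc": ["manager_credentials"],
    "manager_credentials": ["bank_account", "payroll", "billing_data"],
}

# After the lockdown: exam-room and transaction PCs no longer browse, and the
# only browsing machine (break room) reaches nothing of value.
AFTER = {
    "internet": ["break_room_pc"],
    "break_room_pc": [],
    "exam_room_pc": ["kim_credentials"],
    "kim_credentials": ["patient_db", "billing_data"],
    "transaction_pc": ["manager_credentials"],
    "manager_credentials": ["bank_account", "payroll", "billing_data"],
}


def attack_surface(edges):
    """Valuables exposed via the Internet entry point, with one path each."""
    return reachable_paths(edges, "internet", VALUABLES)


if __name__ == "__main__":
    for label, graph in (("before", BEFORE), ("after", AFTER)):
        print(label, attack_surface(graph))
```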

We could go on and explore other options, although I think for demonstration purposes the case is well made. There are many steps any small business can take to reduce risk and avoid being the low hanging fruit of cybercrime. Securing valuable assets is not particularly complex, although it all starts with simply understanding what and where the valuables are, and in what ways they can be compromised or stolen. Then, controls can be implemented which reduce the attack surface and thus reduce the risks.

Ted Lloyd, CISM
