What Small Businesses Need to Know about HeartBleed

Researchers have found a flaw, which they are calling Heartbleed, in OpenSSL, software that is used to secure communication across the Internet.  The Huffington Post reports that about two-thirds of servers on the Internet are affected and could expose user data, including passwords.

OpenSSL is free and open-source software, which means the actual code used to write it is freely available to anyone on the Internet.  A feature added in 2011, known as the heartbeat extension, allows a connection to be kept alive for services. A flaw in this added feature allows malicious actors to read and capture data that is stored in the memory of the affected system.

Because OpenSSL is used so widely, in websites, instant messaging services, and the VPN (Virtual Private Network) systems that securely connect remote employees to corporate offices, the flaw is a broad issue to resolve.

What can you do about it?

As an end-user, not much. You have to wait until websites and systems have been fixed. Some tools have been built to test whether a site is still running the flawed software, but they aren't perfect. Make sure your banking websites aren't coming up with any expired certificates, and change your passwords for any of your web-based sites.

For a business, make sure your IT company updates any systems that may be affected, such as firewalls, which typically run the VPN software that lets you access your systems remotely in a secure way.  If it isn't up to date, it is as if you are running without any security at all.

What Small Businesses Can Learn from the Target Breach


In November 2013, a group of cyber-criminals broke into one of the nation's largest retailers using passwords stolen from an HVAC contractor. Once inside Target's network, these criminals were able to traverse the network and install their malicious software on some of Target's cash registers. After confirming that their access worked, they spread it further, and by Black Friday the majority of Target's registers were infected. In approximately two weeks, 40 million credit and debit card records were stolen, distributed through a worldwide network of brokers, and sold on the black market. (Krebs on Security)

The news is filled with data breaches of large retailers such as Target and Neiman Marcus. Unfortunately, smaller companies are also targets for attacks, pardon the pun. Verizon's 2013 Data Breach Investigations Report reports that attackers did not discriminate based on business location, size or industry. These stories also tell us that merely complying with the PCI (Payment Card Industry) standard is not enough.

The traditional way to protect computer networks has been to create a strong perimeter by setting up firewalls at the edge as a traffic cop on what is allowed in and out. We recommend that you look at your areas of risk and protect from the inside out. I'm going to talk about some quick best practices and how they could have prevented or reduced the effect of these breaches.

  1. Use two-factor authentication wherever possible, especially for remote access. For example, a smart phone application that provides a one-time password each minute. Not only the HVAC contractor, but all remote users should have had a two-factor system in place. PCI states that a two-factor system should be in place to access the payment network. In this case the HVAC vendor was not connecting to the payment network, which leads us to the next point.
  2. Separate your important-stuff network from your really-important-stuff network. If you have systems that process payments and store Personally Identifiable Information, separate them from your main network, and keep contractor systems off your main network as well.
  3. Along those lines, only allow access to systems and data when it's needed. Don't give privileges to users or networks that shouldn't have access. Your R&D people don't need access to the payroll server.
  4. Keep your systems and software up to date. Vulnerabilities and bugs can leave holes that hackers can get in through.
  5. Put in effective email filters and educate your employees. A good email filter will go a long way but none are perfect. Educate your employees on making good decisions regarding opening emails that they get. The old adage was that you don’t open email from strangers. However, your friends and colleagues are sending stuff unknowingly too. Phishing – the act of using a fake email or website to get you to give up your information – is the number one way that external threat actors are collecting password credentials and gaining access.
  6. Whitelist your applications wherever possible. It's like having a bouncer at your party: if you aren't on the list, you don't get to go inside. This isn't always possible in dynamic organizations and is difficult and costly to maintain, but it will probably provide the most protection. If you have systems that are fairly static, like Point of Sale terminals, whitelisting would go a long way toward preventing the bad stuff from taking hold.
  7. Create an IT security policy, disseminate it to your employees, follow it, and test it. Creating a policy gives you props when you are talking to a compliance auditor, but on its own it does nothing to protect you from an attacker. Social engineering (including email phishing and even phone calls) is a common vector of attack used by malicious users. Give employees kudos or rewards for thwarting an attempt.
  8. Monitor all of the above, using automation where possible, and ensure that you or your IT team is effectively alerted when bad stuff happens.

No security measure is foolproof, and the bad guys only have to be right once.  Although you may sacrifice a little convenience by using a strong pass phrase rather than 12345, you will go a long way toward protecting your data and your clients' data. Oh, and lose the Post-it note.