Vulnerable SMBs should think of Thermopylae when building security defence: Black Swan

Opportunistic hackers are routinely stealing so much data from SMBs that cyber criminals can’t even exploit it all, as their soft perimeters and lack of appropriate network security make them easier targets than “well run, well resourced” banks, security consultant Keith Price has warned.

Among the presenters at the FST Media Future of Banking & Financial Services conference, Price – a former information-security manager with Westpac, Telstra and the Sydney Olympics who is now director and principal consultant of security consultancy Black Swan Group – said that while banks still occasionally copped DDoS attacks from outside hacktivists, profit-focused Eastern European cyber-criminals were “going after the money” and had shifted their attention to “mom and pop” operations with minimal, outdated or non-existent security controls.

“It’s not the banks being attacked,” he told CSO Australia. “It’s the banks’ customers being attacked. How many of those mom-and-pop shops spend the $99 a year to get updates from their endpoint protection security vendors? They’re easy to compromise, put keyloggers on their computers and steal login IDs and credit card details.”

“It takes the cyber criminals a long time to get through [the data] because they have so many compromised computers.”

A recent report from Trend Micro found that 91% of targeted attacks start with a spear-phishing email, to which SMBs are particularly vulnerable as they generally have no anti-phishing protections in place.

While banks may also be susceptible to such attacks when employees click on emails they shouldn’t, their ability to invest in more sophisticated tools – heuristic scanners, traffic monitors, back-to-base bot signal detection, and the like – makes them better equipped to detect and respond to potential breaches. Indeed, Price said, banks have generally invested enough in information security that they are seen by opportunistic hackers as being too difficult to bother with.

Yet the rules of the game change when it comes to state-sponsored attacks, whose perpetrators are less interested in personal financial gain than in accessing privileged information around national infrastructure or even future projections around the value of the Australian dollar; such information is invaluable during large-scale commercial negotiations or in compromising intellectual property protections.

“Hacktivists don’t steal money, which is against their code,” Price explained. “They want to punish decadent capitalists in an Occupy Wall Street sort of way, and they might steal your customer database to punish you. And the Chinese government isn’t going to attack your company to steal your money – but they might attack to steal your intellectual property. Your patent information, pharmaceutical designs and such are what they want to take home.”

Since even generally well-protected companies can miss subtle and well-executed advanced persistent threats (APTs) these days, Price said businesses could take inspiration from the strategy of King Leonidas I during the battle of Thermopylae, when several hundred vastly outnumbered Greek soldiers fiercely fought off an army of over 100,000 Persian soldiers for several days by blocking the only pass through which they could advance.

The Greek soldiers ultimately lost that battle, but the strategic basis of their defence can be applied to a ‘cyber kill chain’ security approach – burying the most important corporate information assets at the end of a long string of well-delineated and carefully protected network segments, linked by connections that can be instantly cut to block or strand cybercriminals’ attacks.

“The steady flow of breaches shows that you cannot protect everything – so give up on the idea that you can protect everything,” said Price, who has recently conducted an audit of dozens of third-party breach reports and concluded that the spectre of APT-driven cyber-attacks is only getting worse. “If that’s the case, you have to identify and put your crown jewels in a special subzone that, like an onion, has many layers and takes a lot of effort to be able to compromise.”

“If you apply this concept to a security architecture, you have choke points and controls to interject yourself into the cyber-attacker’s methodology,” he continued, “and you either stop them, or force them to start all over again. Done properly, it’s a lot of effort to hack – but it’s the fundamental thing we can’t get people to do properly. And that’s why they keep getting hacked.”
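As an added illustration of the layered-subzone design Price describes (this is not code from the article or from Black Swan Group): a small Python model, using constructed segment names, that checks whether every path from the internet-facing segment to the crown-jewels zone crosses a choke point the defender controls, and shows what severing one link does to an intruder's reach in a flat network versus a layered one.

```python
"""Model of 'crown jewels at the end of a chain of segments'.

Constructed example: segments are graph nodes, permitted flows are
directed edges. A choke point is a segment whose removal cuts every
path from the entry segment to the crown-jewels zone; cut_link() is
the 'instantly cut the connection' response the article mentions.
"""
from collections import deque

# Hypothetical flat network: two independent routes to the crown jewels.
FLAT = {
    "internet": ["dmz", "office"],
    "dmz": ["office", "crown_jewels"],
    "office": ["crown_jewels", "dmz"],
    "crown_jewels": [],
}

# Hypothetical layered network: one route, several onion layers deep.
LAYERED = {
    "internet": ["dmz"],
    "dmz": ["app"],
    "app": ["jump"],
    "jump": ["crown_jewels"],
    "crown_jewels": [],
}


def reachable(graph, start):
    """Breadth-first set of segments an intruder at `start` can reach."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def choke_points(graph, src, dst):
    """Segments whose removal leaves no path from src to dst."""
    points = []
    for node in graph:
        if node in (src, dst):
            continue
        trimmed = {n: [m for m in e if m != node]
                   for n, e in graph.items() if n != node}
        if dst not in reachable(trimmed, src):
            points.append(node)
    return points


def cut_link(graph, a, b):
    """Return a copy of the graph with the a->b connection severed."""
    return {n: [m for m in e if not (n == a and m == b)]
            for n, e in graph.items()}
```

In the flat design no single segment is a choke point and cutting one link leaves another route open; in the layered design every intermediate segment is a choke point, so cutting any one link strands the intruder short of the crown jewels.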

Stories by David Braue