4 Small Business Security Lessons From Real-Life Hacks

Here are four tips for preventing social engineering and DDoS hacks from ruining your business.

It's no longer unusual to see major, massive hacks make news these days. They affect millions of individuals and cost millions of dollars to rectify.

While intriguing to read about, the security breaches of large organizations and financial institutions generally offer little practical help to small and medium-sized businesses trying to protect themselves. Specifically, SMBs often deploy different technology than an enterprise does while grappling to do more with smaller IT teams.


There's still no excuse for small businesses to skimp on security. Technology pervades even non-technical sectors, and mature cloud services make it possible today to quickly set up an online presence with little more than an Internet connection and a credit card. This heavy digitization of business also means that a hacker can cause incredible disruption from the comfort of his or her armchair.

To help small businesses navigate these tricky waters, let's first highlight some real-life security scenarios that recently affected small businesses and then some practical steps for protecting against these issues.

Beware Social Engineering of Cloud-Based Accounts

A developer named Naoki Hiroshima had his GoDaddy account hijacked in an elaborate bid to steal his Twitter username, @N, for which he'd received unsolicited cash bids of as much as $50,000. The GoDaddy account controlled access to the domain containing the password reset email address of the targeted Twitter account.

While this convoluted attack didn't succeed -- Hiroshima was able to change the password reset email address in time -- he initially had to give up his Twitter handle in exchange for control of the GoDaddy account, which controls access to multiple work domains and websites.


What's interesting here is how the hacker essentially social engineered PayPal into divulging the last four digits of the credit card number over the phone. This information was subsequently leveraged as part of the verification process at GoDaddy to gain control of the developer's GoDaddy account. (GoDaddy owned up to its role in the incident, but PayPal didn't.) As Hiroshima detailed in the online magazine Medium, he exchanged emails with the hacker, who bragged about how he pulled it off.

Fortunately, things ended well. Hiroshima suffered no data loss -- and, once the story went viral and caught the attention of Twitter administrators, he got @N back.

Beware Hackers Holding Digital Systems Hostage

A promising cloud service that offered code-hosting and software collaboration was abruptly put out of service when a hacker gained access to its Amazon EC2 control panel in what appeared to be an extortion attempt gone awry. According to a public explanation left on the homepage of Code Spaces that also announced its closure, an unknown person left a number of messages at the control panel to open communication regarding an ongoing Distributed Denial of Service (DDoS) attack against the service.

When the team attempted to regain sole control of the panel, the hacker retaliated by randomly deleting artifacts from it. When the dust finally settled, most of the online storage volumes and machine images, and all backups and snapshots, had been deleted. With no way to recover the deleted data -- Amazon leaves the onus for backup entirely to its users -- Code Spaces said it was unable to continue operating.


Aside from the obvious elephants in the room -- multi-factor authentication not enabled on the Amazon account, coupled with the high likelihood of poor password hygiene -- the other lesson is the importance of offline backups, or at least backups that aren't within reach of an armchair hacker or malicious employee. It's not known if customers lost their code for good, but this is another somber reminder not to rely on a cloud service provider's promises when it comes to data backup. Take care of it yourself.

Beware Attackers Stealing Your Domain Name

There's money to be made stealing the domain name of an established small business, as full-time lifestyle blogger Jordan Reid discovered earlier this year after forking over $30,000 to buy back her own domain name. A cyber thief had used the email confirmation system of Web host HostMonster to steal the domain from Reid and then transferred the domain into a private account at GoDaddy.

A family friend chanced upon an unknown user selling the domain name on an online auction site and alerted Reid. The matter was at a deadlock, however, despite multiple frantic conversations with both parties: GoDaddy said it couldn't help, and HostMonster refused to initiate a transfer dispute to get the domain back, in an apparent bid to avoid admitting liability.

Ultimately, Reid took matters into her own hands by getting a friend to purchase the domain from the hacker. Once she had the domain back in her hands, she transferred it out and successfully ordered a halt to the wire transfer payment. In a nutshell, she avoided what would likely have been an expensive and protracted lawsuit by cheating the cybercriminal.


Moral of the story? Your domain names are probably much more valuable than you believe they are, and it may not be as straightforward as you imagine to regain control of them should they be stolen. Don't forget, too, that control of a domain lets an attacker intercept all email by modifying the MX record to point to their own servers. Rather than bemoan the loss of domains after the fact, small businesses should secure them appropriately.

Protect Your Small Business With Authentication, Backup

Drawing from the above security incidents, here are four steps that small businesses can take to protect themselves from hackers. They're not exhaustive, but they should be practical and simple to implement. The idea here is to raise the bar to stymie hackers and social engineers enough that they move on to target other potential victims instead.

Use two-factor authentication. There was a time when two-factor authentication was considered a luxury, used only to protect high-value accounts. A single password is no longer good enough, especially when you consider the sheer amount of data kept online these days. Essentially, everything is a high-value target. Be aware, though, that sophisticated malware can infect smartphones and automatically steal second-factor codes for online bank accounts, whisking away the money before any alert can be raised, so a second factor raises the bar rather than removing the risk.


Use a separate password reset address. Most, if not all, online services ask for a backup email address that can be used for the purpose of a password reset. As illustrated above, configuring this to a primary email address turns it into a single point of failure, greatly increasing the damage that hackers can cause if they gain access to it.

As such, it's prudent to set the reset address to an unrelated email account, preferably one that resides on a separate domain. Services such as Gmail and Outlook may be worth considering here. To avoid making this account a target of hackers or social engineering attempts, don't use it for day-to-day correspondence or share it with others, and secure it with a good password and two-factor authentication.

Protect your domains. Consider paying more for private registration if it's available. This will reduce the amount of data available to a hacker looking to put together a social engineering or phishing attack. Some domain registrars allow domain names to be locked to prevent unauthorized transfers, sometimes as a chargeable option. This may be a worthwhile investment, too.

In addition, enabling automatic renewal of a domain name is a good way to prevent the domain from expiring and slipping into someone else's hands. Many small businesses may not be aware of it, but "speculators" use automated programs that keep an eye on expiring domains, snatching them up seconds after they expire and offering to sell them back to the original owners at greatly inflated prices. Be sure to keep safe the administrative email account associated with the domain, as it has the authority to approve a transfer to another registrar.
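As an added illustration (not part of the original article), the following Python script checks two of the domain controls described above against constructed sample data: whether a registrar transfer lock is set and the expiry date is near, and whether the domain's MX hosts have drifted from a saved known-good set. The RDAP-style record, hostnames and dates are constructed examples; a real check would fetch the record from the registrar's RDAP service and the MX set from DNS.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not a real registration): the record mimics the
# RDAP "status"/"events" fields a registrar returns; the MX sets stand in for
# a saved known-good snapshot and a fresh DNS lookup.
SAMPLE_RECORD = {
    "ldhName": "example-smb.test",
    "status": ["client transfer prohibited", "client update prohibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2026-05-01T00:00:00Z"}],
}
EXPECTED_MX = {"mail.example-smb.test."}
OBSERVED_MX = {"mx.unknown-third-party.test."}
SAMPLE_NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)  # fixed clock for the sample

# RDAP status values (RFC 8056 spelling) that block a registrar transfer.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def check_registration(record, now, warn_days=30):
    """Return findings about transfer lock and expiry for one RDAP-style record."""
    findings = []
    statuses = {s.lower() for s in record.get("status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("no registrar transfer lock set")
    for event in record.get("events", []):
        if event.get("eventAction") != "expiration":
            continue
        expires = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
        if expires - now <= timedelta(days=warn_days):
            findings.append(f"expires within {warn_days} days ({expires.date()})")
    return findings


def check_mx(expected, observed):
    """Flag any drift between the known-good MX hosts and what DNS now returns."""
    findings = []
    for host in sorted(observed - expected):
        findings.append(f"unexpected MX host: {host}")
    for host in sorted(expected - observed):
        findings.append(f"expected MX host missing: {host}")
    return findings


if __name__ == "__main__":
    for line in check_registration(SAMPLE_RECORD, SAMPLE_NOW) + check_mx(EXPECTED_MX, OBSERVED_MX):
        print("ALERT:", line)
```

Run on a schedule, the two checks turn the advice above into alerts: a missing lock or an approaching expiry shows up before a speculator or thief acts, and an MX change is caught before much mail is diverted.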

Regularly create offline backups. For all the online storage services available today, it still makes sense to create regular backups of important data. Store them either offline or in locations that aren't easily reachable by hackers who may have compromised part of your business. A variety of storage media exists -- direct-attached storage such as a portable hard disk drive, a network-attached storage (NAS) device, tape drives, or even a separate online service protected with a different set of credentials.


Additional tips, which are doable if a bit of a hassle, include using different credit cards for different service providers and maintaining separate identities for cloud providers.

Ultimately, small businesses must keep an eye on relevant security compromises and devise and adopt measures that close the weaknesses hackers were able to exploit on others. The war on the security front is never-ending -- but with some diligence and effort, there's no reason why small businesses cannot keep themselves in the clear.

Stories by Paul Mah