101: Yes, Your Company is a Target

/* The first in a series of posts that will focus on fundamentals, with an eye towards providing no- or low-cost options to the SMB community, who are simultaneously target-rich and knowledge-poor. */

 

No company is too small or unimportant to be attacked. Your perception that the size or nature of your business makes you an unattractive target is just that: your perception, not how the bad guys think. Today anyone with any computing resources is at risk because the variety of attacks available to bad actors makes even individual systems valuable. In fact, that you don’t deal with money or billion-dollar trade secrets arguably makes you a better target because you’re not paying attention to the risk like banks and Fortune 500 companies are.

Yes: there was a time when the nature of your business is what made you a target for cyber criminals and other malicious actors. Banks, credit card companies, and so on were where the bad guys went because, to coin a phrase, that’s where the money was.

Later, individuals were targeted because the bad guys figured out how to fool people into either giving up the details of their bank accounts, or personal information, or tricking them into giving them access to their computers where the bad guys would find financial and personal details to exploit. Those threats still exist today, but the mere fact that you have computing resources of any type means you’re a target. Why? Two primary reasons: cryptocurrency and ransomware.

Cryptocurrency

If you’ve never heard the term cryptocurrency before, you’ve probably heard of bitcoin. Bitcoin is a cryptocurrency. A detailed explanation of the math behind bitcoin is beyond the scope of this book; suffice it to say that creating bitcoin – or any other cryptocurrency – requires a computer. Generally speaking, the more computers the better. The problem is that you tend to require more resources to make cryptocurrency as time goes on. In the case of bitcoin, the electrical power you need to operate the computer to make the coins exceeds the value of the coins. The solution? Hack other people’s computers so that you earn the coins, and they get stuck with the power bill.

I’m not just talking about PCs. A former colleague of mine bought a half-dozen LED, Wi-Fi-enabled light bulbs, so he could control when and where the lights came on in his house while he was away through his mobile phone. Being a good security nerd, he regularly checked his Internet logs, and he noticed his light bulbs were connecting to an Internet address in China.

His light bulbs.

Turns out the small computer chips in the light bulbs he bought had bitcoin mining code on them, as well as the promised functionality of being able to adjust brightness and when the lights came on. To reiterate: someone at a factory in China figured out how to get people around the world to make him money by screwing in a light bulb.

Ransomware

Ransomware is a mash-up of “ransom” and “malware” (a/k/a malicious software, a/k/a computer virus). It is successful to the tune of several hundreds of millions of dollars a year, and it has been around in one form or another for almost 30 years. A ransomware attack is very simple: someone infects your computers, encrypts the data on them, and demands that you pay them in order to get the key that will unlock your data.

“We don’t negotiate with terrorists…or kidnappers…or datanappers…whatever!”

A lot of people advocate for that sort of response. They’re usually people who’ve never been infected with ransomware, and the viability of their company is usually not hanging in the balance.* If you don’t have current backups of your company data, you really don’t have a choice but to pay the ransom. You could engage a cybersecurity company to help you, but the cost of such services is almost certainly going to exceed the price of the ransom, and there is no guarantee that they will be successful.

“But what if I pay the ransom and they don’t send me the key to unlock my files?”

That’s certainly a risk, and it happens to some people, but in my experience (and that of everyone I’ve ever talked to who works these issues) the people behind ransomware attacks give up the key once they’re paid, and victims get their files back. In fact, the biggest, most “reputable” ransomware practitioners have set up online help forums you can use to work out any problems you might have in paying the ransom or decrypting your files. Why? For the same reason they deliver when paid: it’s good business. If you think about it, in order for ransomware to work at scale, people have to know that they’ll get what they pay for. They have to be able to conduct transactions quickly and easily. If word gets around that you’ll get stiffed if you pay, no one will pay. Why shortchange a few hundred people and make $50,000 when you can be a nice guy to a few thousand people and make $5,000,000?**

 

You do not need to be a bank or deal in sensitive intellectual property to be a target of bad actors online. The mere presence of an Internet-connected computer of any type is enough to put a bull’s eye on your corporate logo. Cryptocurrency mining and ransomware are just the two most significant threats you need to be concerned with both now and for the foreseeable future. All the traditional cyber threats (phishing, CEO fraud, stealing banking information, stealing your identity, your PCs being co-opted as a part of a botnet) are also still in play. At some point some new threat we haven’t conceived of yet will come along. The point: if you’ve got something someone else wants, they’ll figure out a way to take it from you. You cannot avoid all attacks. What you can do is make it harder for the bad guys to turn you into a victim. You can make it more expensive and time-consuming to attack you. Your goal should be to reduce if not eliminate the bad guy’s return on investment.

 

* As ransomware began to take off as a threat a few years ago, even an FBI computer crime agent admitted that absent current backups, there was only one course of action available to you: paying the ransom. Of course, they had to walk that statement back a bit later, but the proverbial cat was out of the bag. If a properly crafted ransomware infection runs its course in your company, and you don’t have current backups, the probability that any cybersecurity company can help you do anything other than pay the ransom is very close to zero. If it doesn’t run its course completely, or there is a flaw in its execution or implementation, there is a chance that the keys to unlock your files can be found without paying the ransom, or that files can be restored, but the cost to get those keys could be more than the ransom. Ask the City of Atlanta how that math worked out for them. If you find yourself in this situation, well, you know how to do a cost-benefit analysis.

** As noted, there is a risk that even if you pay you won’t get your files back. It pays to take some time and do some research to find out if you’re dealing with professionals or bullies. As odd as it sounds, if you’re dealing with professionals you’re in a much better situation. Professionals do this for a living, so getting paid – at scale – is important. If you’re dealing with a bully – someone who is doing it just to f’ with people – you’re out of luck. They’re not going to give you the key.
