Smaller enterprises are increasingly the targets of choice for cybercrooks and no wonder. Their websites and systems might have less to plunder than those of Target and other Fortune 500 giants. But their cyberdefenses are disproportionately weaker than big-company security systems. And that makes them all the more attractive to Internet predators.
The ACFE, in response, is calling attention to the soaring online risk among small-cap businesses.
“As large organizations develop stronger controls over their networks and digital data, attacks on small enterprises have mushroomed,” said ACFE Chairman and founder Dr. Joseph T. Wells, CFE, CPA, at the 24th Annual ACFE Global Fraud Conference. He urged antifraud experts to educate small businesses about this threat and encourage their investment in defensive resources.
“While a serious attack can significantly harm a large organization, it can force a smaller enterprise completely out of business,” says Joseph Giordano, chairman of cybersecurity programs at Utica College in New York and a former cyber operations specialist in the U.S. Air Force Research Laboratory.
Case in point: CD Universe, one of the first successful online music sellers. In January 2000, a hacker stole up to 300,000 customer credit card numbers from the company’s website and demanded $100,000 in ransom, according to “Thief Reveals Credit Card Data When Web Extortion Plot Fails,” by John Markoff, The New York Times, Jan. 10, 2000.
When CD Universe’s owner refused to pay, the hacker sold the stolen card numbers over the Internet. As news of the theft spread round the world, consumer confidence in CD Universe’s cybersecurity plummeted, swiftly transforming the once promising e-tailer into a ’Net loser. By year-end, the owner sold CD Universe for a half million less than he had paid for it.
A decade and more afterward, the case’s dynamics remain compellingly relevant but are largely ignored. Why? For the same reason it’s hard to sell insurance: Few people like to spend money on preventing something that might not happen.
And since smaller companies’ cyberattack losses get comparatively little press coverage, their leadership tends to worry more about profitability and other pressing matters than they do about online risk.
“Cost is the primary criterion many small companies use to evaluate cybersecurity resources,” Giordano says. “Budget limits often force them to view optimal online protection as nice-to-have, rather than must-have.”
For CFEs who serve or seek small-company clients, the challenge is to get them to view online security as a form of catastrophe insurance — something they already embrace as essential protection against enormous losses.
If fraud examiners succeed in that educational mission, their next step is to introduce smaller clients to security resources that can help ensure their survival of an otherwise overwhelming cyberattack.
One such product is the cyber range (CR; see “Cyber Range” exhibit at the bottom of this article.), a virtual environment in which a company’s IT staff can develop and maintain skills and tools they need to detect and counter hacker attacks.
The U.S Defense Advanced Research Projects Agency (DARPA), which created the military-industrial-academic network whose communications infrastructure evolved into the Internet, also designed and constructed the first CRs. Those early ranges were the sole province of the military and intelligence communities and industrial contractors serving them.
But just as DARPA’s network led to the creation of the World Wide Web, CRs are slowly but surely entering the civilian market. Already they’re helping a few innovative companies better defend themselves against hackers and maintain the operational readiness of their IT staffs, websites and networks.
READY — OR NOT
“After cost, the other criterion smaller companies focus on is quality,” says Giordano. “They want to know whether a given CR can accurately replicate their systems and create realistic attack simulations.”
“A good CR creates authentic scenarios by, for example, embedding malware in an emulation of the full range of Web traffic your system experiences,” says Fred Kost, vice president, security solutions marketing, of Ixia Corp., a provider of Internet and network analysis products and services in Calabasas, Calif.
“To be realistic, the scenario has to present all that activity at once,” adds Kost’s colleague, senior systems engineer Chuck McAuley. “Not just the legitimate traffic, not just the attacks, but everything simultaneously. Anyone can detect an attack on a quiet network. It’s a lot harder when thousands of customers are trying to use your website. That’s why it’s important to practice dealing with real-world situations.”
For example, McAuley says, a hacker could insert data theft malware on your system while you’re trying to counter a denial-of-service (DOS) attack that has locked all your customers out of your website.
Sony Corp. knows all about that scenario. That’s exactly what happened to the company in 2011. Unfortunately, Sony hadn’t implemented and rehearsed a well-thought-out response plan, so its defense wasn’t good enough.
During a two-pronged attack on Sony’s wildly popular PlayStation website, the company’s security staff — focused on an initial DOS attack — failed to recognize a second intrusion, in which hackers stole account information on up to 77 million Sony customers. The second attack tarnished Sony’s brand and inflicted damage that lasted far longer than the briefer service interruption the first intrusion caused.
Sony’s chairman described the unfortunate sequence of events in his written response to an inquiry from a U.S. congressional subcommittee investigating the incidents.
Fortunately for the corporate giant, its vast financial resources helped it withstand the data breach’s negative effects on its reputation and income. If Sony were no bigger than CD Universe, it too could have gone under.
The message is clear: Smaller companies that don’t establish and maintain an effective cybersecurity program could be put out of business by the financial, reputational and legal after-effects of a single, well-executed hacker attack.
UNDER THE HOOD
Ixia’s CR product includes a user interface and tools for designing training exercises that realistically simulate actual Internet traffic and attacks.
It does not, however, duplicate a company’s servers and the other physical elements of its network infrastructure.
“To make infrastructure available for the exercises our product facilitates, our clients either obtain additional equipment [to run exercises against] or — if the business model permits system down-time — clients conduct the exercises on their production system environment during off-hours,” Kost says.
“Some companies fold their initial CR acquisition plan into the business case for a single project,” he adds. “But as they learn more about the CR’s capabilities, they sometimes choose to allocate the cost of a CR to multiple projects in which it would add value, creating what could be a more cost-effective business case.”
Examples could include evaluating security equipment for purchase or managing software updates without disturbing the production environment. CR producers also offer support to help clients derive more value from their products.
According to Kost, “Together, a CR and training program can help your IT team better understand how attackers think, where cybersecurity gaps or signs of an attack might exist and how to practice informed countermeasures instead of relying on uninformed spontaneous reactions.”
UNITED WE STAND
Financial constraints of the kind Giordano highlighted above need not, however, preclude cybersecurity improvements. Attitudinal, procedural and other non-technological adjustments and initiatives also can reduce risk without greatly increasing spending.
Douglas Fitzgerald, CFE, is president and CEO of the Fitzgerald Technology Group, a cybersecurity and risk management consultancy in Washington, D.C. His firm serves organizations of all sizes.
“I’m reluctant to rely on any one device or system, such as a CR, to fully resolve a security issue,” he says, citing staff interaction and continuity of operations plans as factors sometimes overlooked but well worth optimizing. “The biggest problem in a crisis is the lack of effective preparation that could have been developed by participating in physically simulated DOS attacks and talk-only ‘table-top’ exercises.”
For example, Fitzgerald’s firm will stage a DOS by either disconnecting the client’s network from all communications links or by disconnecting the server from the network. The client’s IT staff then will follow its standard procedure to bring the network back online.
Conversely, during a table-top exercise members of the organization’s various departments describe exactly what they’d do in response to an imaginary cyberattack on the organization's network.
Fitzgerald and his colleagues, after observing the client staff’s performance in each exercise, specify what might need improvement and, if so, how to achieve it.
“Role-playing facilitates mutual understanding among the departments and fosters collaboration that might not otherwise occur,” Fitzgerald says. “Our aim is to reveal to participants how ‘us vs. them’ internal conflict between departments can hurt the entire organization and cripple its response to an attack.”
Each department needs to understand that making peremptory demands during an attack might be unreasonable, Fitzgerald adds. For example, quickly putting a downed site back online might not be immediately feasible or even advisable, pending further investigation including forensic analysis that might help identify and prosecute the attacker(s).
Often, the victim organization hasn’t sufficiently rehearsed its response plan in drills and exercises, he says. So implementation of policies and procedures is often flawed and all too dependent on who’s in charge at the moment.
“If an incident is serious and can’t be resolved immediately, that’s the worst time for the CEO and every department head to call the IT chief, who can’t work or communicate if his phone won’t stop ringing,” Fitzgerald says. “This can make or break the effectiveness of a company’s response to a cyberattack.”
CFEs who encounter such situations can help by proposing that the incident response plan include a provision to immediately draw personnel from multiple business units, he adds. An ad hoc staff pool could reduce distractions for the IT staff while helping it exchange critical information with the rest of the company during an attack.
“Awareness, readiness and teamwork are essential,” Fitzgerald concludes. “Don’t let your clients assume they’re prepared for an attack. Encourage and help them to thoroughly test their security team and response plan now and at regular intervals. ‘Real soon’ could be too late.”
Robert Tie, CFE, CFP, is a New York business writer and contributing editor of Fraud Magazine.
Computer Fraud Casebook: The Bytes that Bite, edited by Dr. Joseph T. Wells, CFE, CPA
Introduction to Digital Forensics: Gathering and Preserving Electronic Evidence, Columbia, SC, September 11-12, 2014
Fundamentals of Computer and Internet Fraud, 18 CPE credits
Digital Forensics Tools and Techniques: Taking Fraud Examination to the Next Level, 16 CPE credits
Exhibit at left: Cyber Range, courtesy of Ixia Corp.
Notes on Cyber Range exhibit:
Information Assurance (IA): “Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation.” (See U.S. Department of Defense, "CIO SUPPORT: Information Assurance (IA).")
Information Operations (IO): “The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own.” (See the PDF by the U.S. Department of Defense, “Joint Publication 3-13.3: Operations Security,” June 29, 2006, p. 91.)
Mission Assurance (MA): “A process to protect or ensure the continued function and resilience of capabilities and assets — including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains — critical to the execution of mission-essential functions in any operating environment or condition.” (See U.S. Department of Defense, "Directive NUMBER 3020.40,” January 14, 2010, p.18)
Read more insight and discuss this article in the ACFE's LinkedIn group.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.