Cautionary Tales for SMBs from Hacked Water System

by

As you probably read or heard last week, the small city of Oldsmar, Florida, population 13,500, narrowly escaped a disaster from a cyber attack.

A hacker manipulated the Lye ratio in the water system of the city near Tampa using the remote access tools the city’s water department deploys to remotely manage the chemicals that make the city’s water safe to drink.

The story doesn’t tell us as much about the vulnerability of our nation’s critical utilities, however, as it does about what can happen when municipalities and businesses cut corners on the technology they use.

Oldsmar turned out to be fortunate in this case.

First, the hacker chose to access the system during working hours in full view of on-site staff, who immediately alerted their superiors to the attempts to drastically change the lye content in the water. Had the hacker attempted to do this after hours, the problem might not have been caught until the next morning.

Second, the water plant still remotely accesses the system with Windows 7 32-bit computers a year after Microsoft retired that operating system and declared it unsafe, but that was the least of the plant’s security transgressions.

The computers used to access the plant’s treatment control system shared the same password for remote access. In addition, all appeared to be directly connected to the Internet without a firewall.

Budget concerns justifiably come into play with cyber security measures at small municipalities, just as they do for small businesses.

But using different passwords, changing them from time to time, installing a firewall, and implementing multi-factor authentication offer low-cost protection that any organization can afford.

Another cost-effective measure would be cyber security awareness training for employees and management.

For information on what a security awareness training program can do for your business, visit https://threatucation.com, call me at 302-537-4198, or email me at ericm@threatucation.com.

Auto-Forwarded Emails Costly to Small Organizations

by

One of the least publicized but most dangerous cyber attacks against small businesses involves auto-forwarding emails to cyber criminals.

Hackers use Social Engineering tactics like phishing emails to con email login credentials out of unsuspecting users. The hackers then use those credentials to set up the compromised accounts to automatically forward the victims’ emails to themselves.

From there, the hackers can collect the victims’ forwarded emails to perform all sorts of frauds including Business Email Compromise attacks, Payroll Diversions, blackmail, extortion, malware infections, and the resale of Personally Identifiable Information or proprietary files.

The FBI considers it enough of a threat to warn businesses about such attacks after seeing losses from BEC’s in the U.S. of more than $10 billion from 69,384 victims from 2013 to 2019.

We have seen this attack ourselves at a client that lost more than 8,000 emails to the attackers before the scheme was discovered four months after an auto-forwarding rule was installed in an email account.

The lost emails included the PII of the client’s customers. The client had to notify each customer and offer free credit checks for a year. Had there been more than 500 PII records stolen, the client would have suffered the embarrassment of notifying the media.

In a typical BEC attack, a hacker pilfers the email user name and password of the victim with a phishing email that warns that their email account has been compromised and they need to log into their account and change their password.

Of course, the link in the phishing email takes the victim to a fake web page that sends the user’s original password to the hacker while the victim mistakenly believes they have protected their account by changing their original password.

The hacker then watches the victim’s account for emails with, say, suppliers and, mimicking a legitimate contact from one of those emails, sends a fake invoice that looks authentic enough that it is paid by the victim’s company.

The hacker might also jump into an email chain between the victim and a supplier about an order and submit their own quote or proposal to the victim in a malware-laced attachment.

To protect yourself against a forwarded email attack, consider these options:

  1. If you use Office 365 in your business, your system administrator can set an alert to notify you if email forwarding has been set up to automatically forward an employee’s emails. That forwarding rule can then be deleted.
  2. If you use another email program or service, routinely check your account for any auto-forwarding rules that you did not set.
  3. If your email service allows it, prohibit automatic email forwarding to external email addresses.
  4. Be wary of quotes, proposals and other emails seeking payments that do not match the tone of the contact you routinely work with or have spelling or grammatical errors. In those cases, call the contact if something seems amiss.

The FBI provides more information on BEC attacks here.

For help with disabling auto-forwarding emails, you can call us at 302-537-4198 or use our Contact Form to email us.

SMBs Not too Small to Hack

by

A colossal data breach like the one of Solarwinds should serve as a reminder that small business owners, too, need to keep an eye on their cyber security measures.

While data breaches at small businesses don’t generate those kinds of headlines, they do cause pain in the affected SMBs including not only financial losses but also operational disruption and loss of time and reputation.

In the past year, 35 percent of small businesses who experienced a data breach either closed their doors or filed for bankruptcy,  according to a survey of 1,006 small business owners by the National Cyber Security Alliance.

Additionally, in a 2019 Ponemon Institute study, 66 percent of SMBs said they suffered a cyber attack in the previous year, 69 percent said an attack eluded their intrusion detection system, and 57 percent reported succumbing to Social Engineering attacks like phishing emails.

The fact is, you’re not too small to hack.

Cybercriminals continually tune the efficiency of their mass attacks on small organizations because they handle the same types of sensitive information as large enterprises but don’t have the sophisticated security measures that big companies deploy.

They have also learned to target specific small businesses because of the unique value of their data or because of their relationships with larger companies.

So, the need for SMBs to pay attention to their data’s security has never been greater.

But, just how do you protect your data without breaking your bank account?

In its Q1 2020 Wave Security Awareness and Training Solutions document, titled “Behavior and Culture Reign Supreme over Awareness and Punishment”, Forrester Research determined that the best security awareness training vendors aim to change negative employee behaviors by fostering a culture of cyber security within organizations.

Threatucation’s motto has always been “Creating a Culture of Cyber Security in Small Organizations”. We have long championed this approach over phishing email simulations designed to punish an employee with a bad score for succumbing to a phishing test.

While phishing simulations are part of Threatucation’s Cyber Security Awareness Training program, we really create a culture of Cyber Security with our unique policy-based approach that helps employees understand the reasoning behind the policies, the ramifications of violating them to the company, co-workers, customers and board members, and how to recognize and properly react to cyber attacks.

The whole process takes just 3 steps, starting with a Cyber Security Risk Assessment to ensure the security measures you ultimately choose to protect your business actually match your data security requirements.

For a free, no-obligation Cyber Security Risk Assessment for your business, contact us at info@threatucation.com or 302-537-4198.