


4 small business security lessons from real-life hacks

Aug 13, 2014 (8 min read)
IT Leadership

Recent cases of social engineering, DDoS attacks and domain-name theft have made headlines. Some stories had happy endings, but others didn't. Here are four tips for preventing these types of hacks from ruining your business.

Major hacks make the news regularly these days. They affect millions of individuals and cost millions of dollars to rectify.

While intriguing to read about, breaches of large organizations and financial institutions generally offer little practical help to small and medium-sized businesses (SMBs) trying to protect themselves. SMBs often run different technology than an enterprise does, and they do so while trying to do more with much smaller IT teams.

There's still no excuse for small businesses to skimp on security. Technology pervades even non-technical sectors, and mature cloud services make it possible to set up an online presence with little more than an Internet connection and a credit card. That same heavy digitization of business means an attacker can cause enormous disruption from the comfort of an armchair.

To help small businesses navigate these tricky waters, let's first look at some real-life security incidents that recently affected small businesses, and then at practical steps for protecting against them.

Beware Social Engineering of Cloud-Based Accounts

A developer named Naoki Hiroshima had his GoDaddy account hijacked in an elaborate bid to steal his Twitter username, @N, for which he had received unsolicited cash offers of as much as $50,000. The GoDaddy account controlled the domain that hosted the password-reset email address of the targeted Twitter account.

The attack on the Twitter account itself failed, because Hiroshima was able to change the password-reset address in time. He nonetheless had to give up his Twitter handle in exchange for regaining control of the GoDaddy account, which controlled several work domains and websites.

What's interesting here is how the attacker social-engineered PayPal over the phone into divulging the last four digits of Hiroshima's credit card number, then used those digits to pass GoDaddy's account-verification process and take over the account. (GoDaddy owned up to its role in the incident; PayPal didn't.) The lesson is that a detail one provider treats as low-sensitivity, such as the last four digits of a card, may be exactly what another provider uses to authenticate you. As Hiroshima detailed in the online magazine Medium, he exchanged emails with the attacker, who bragged about how he pulled it off.

Fortunately, things ended well. Hiroshima suffered no data loss – and, once the story went viral and caught the attention of Twitter administrators, he got @N back.

Beware Hackers Holding Digital Systems Hostage

Code Spaces, a promising cloud service offering code hosting and software collaboration, was abruptly put out of business when an attacker gained access to its Amazon EC2 control panel in what appeared to be an extortion attempt gone awry. According to the public explanation Code Spaces left on its homepage, which also announced its closure, an unknown person left a number of messages in the control panel demanding contact about a Distributed Denial of Service (DDoS) attack then under way against the service.

When the team tried to regain sole control of the panel, the attacker retaliated by deleting artifacts from it at random. When the dust settled, most of the storage volumes and machine images, and all of the backups and snapshots, were gone. With no way to recover the deleted data (Amazon leaves responsibility for backups entirely to its customers), Code Spaces said it could not continue operating.

Aside from the obvious elephants in the room (Amazon's multi-factor authentication was not enabled, and poor password hygiene is highly likely), the other lesson is the importance of offline backups, or at least backups that an armchair attacker or a malicious employee holding the production credentials cannot reach. Snapshots that live in the same account as the systems they protect, and can be deleted with the same credentials, are no protection against an account compromise. It's not known whether customers lost their code for good, but this is another somber reminder not to rely on a cloud provider's promises when it comes to data backup. Take care of it yourself.
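The failure mode Code Spaces ran into, a copy that the same credentials can delete, is the one to design against, and the second half of that design is proving the copy restores. The Python script below is an added example, not code from the article or from Code Spaces: it packs a directory into an archive with a SHA-256 manifest, then performs the restore test Code Spaces never got to make, extracting the archive into scratch space and comparing every file against the manifest. The destination directory is a placeholder for wherever your offline copy lives (a removable disk, or a mount reached with credentials separate from production).

```python
"""Added example (not from the article or from Code Spaces): back up a
directory with a hash manifest, then prove the backup restores."""
import hashlib
import json
import os
import tarfile
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _file_hashes(root):
    """Map relative path -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = _sha256(full)
    return hashes


def make_backup(src_dir, dest_dir):
    """Write <dest_dir>/backup.tar.gz and backup.manifest.json.
    dest_dir is a placeholder for the offline location: a removable
    disk or a mount reached with credentials production does not hold."""
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, "backup.tar.gz")
    manifest = os.path.join(dest_dir, "backup.manifest.json")
    hashes = _file_hashes(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sorted(hashes):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    with open(manifest, "w") as f:
        json.dump(hashes, f, indent=2, sort_keys=True)
    return archive, manifest


def verify_backup(archive, manifest):
    """Restore test: extract into scratch space and compare every file's
    hash with the manifest. Returns (ok, list_of_problems)."""
    with open(manifest) as f:
        expected = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The "data" filter (Python 3.12+, backported to older
                # 3.x) refuses entries that would escape the scratch dir.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError) as exc:
            return False, ["archive unreadable: %s" % exc]
        actual = _file_hashes(scratch)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("corrupt: " + rel)
    for rel in actual:
        if rel not in expected:
            problems.append("unexpected: " + rel)
    return not problems, problems


if __name__ == "__main__":
    import sys
    src, dest = sys.argv[1], sys.argv[2]
    a, m = make_backup(src, dest)
    ok, problems = verify_backup(a, m)
    print("restore test:", "OK" if ok else "FAILED", problems)
```

Run it as `python backup.py /path/to/data /mnt/offline-disk`; the point of the second function is that it runs against the copy, not the original, so a silently corrupt or truncated archive is caught before the day you need it.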

Beware Attackers Stealing Your Domain Name

There's money to be made stealing the domain name of an established small business, as full-time lifestyle blogger Jordan Reid discovered earlier this year when she agreed to pay $30,000 to buy back her own domain name. A thief had used the email confirmation system of web host HostMonster to steal the domain from Reid and then transferred it into a private account at GoDaddy.

A family friend chanced upon an unknown user selling the domain name on an online auction site and alerted Reid. Despite multiple frantic conversations with both companies, the matter was deadlocked: GoDaddy said it couldn't help, and HostMonster refused to initiate a transfer dispute to recover the domain, apparently to avoid admitting liability.

Ultimately, Reid took matters into her own hands and had a friend purchase the domain from the thief. Once the domain was back in her hands, she transferred it out and had the wire-transfer payment halted. In a nutshell, she avoided what would likely have been an expensive and protracted lawsuit by double-crossing the criminal.

Moral of the story? Your domain names are probably much more valuable than you think, and regaining control of them after a theft may not be as straightforward as you imagine. Don't forget, too, that whoever controls a domain controls its DNS: pointing the MX record at their own servers lets an attacker intercept all incoming email, including the password-reset messages for every account registered under that domain. Rather than bemoan the loss of domains after the fact, small businesses should secure them appropriately.

Protect Your Small Business With Authentication, Backup

Drawing on the incidents above, here are four steps small businesses can take to protect themselves. They're not exhaustive, but they are practical and simple to implement. The idea is to raise the bar enough that attackers and social engineers move on to other targets instead.

Use two-factor authentication. There was a time when two-factor authentication was considered a luxury reserved for high-value accounts. A single password is no longer good enough, especially given the sheer amount of data kept online today; essentially, everything is a high-value target. Choose the second factor with care, though: sophisticated malware can infect a smartphone and automatically steal the second-factor codes delivered to it for online banking accounts, whisking away the money before any alert can be raised. Where a service offers it, prefer codes generated by an authenticator app or a hardware token over codes sent by text message.

Use a separate password-reset address. Most, if not all, online services ask for a backup email address to be used for password resets. As the Hiroshima case illustrates, pointing this at your primary email address turns it into a single point of failure: an attacker who gains control of that mailbox, or of the domain behind it, can reset the passwords of every account chained to it.

So set the reset address to an unrelated email account, preferably one on a separate domain, so that losing one domain or registrar account does not hand over the reset address as well. Services such as Gmail and Outlook.com may be worth considering here. To keep this account off attackers' radar, don't use it for day-to-day correspondence or share it with others, and secure it with a strong password and two-factor authentication.

Protect your domains. Consider paying extra for private (WHOIS privacy) registration if it's available; it reduces the data an attacker can gather when assembling a social engineering or phishing attack. Most registrars also let you lock a domain against unauthorized transfers (visible in whois output as the clientTransferProhibited status), sometimes as a chargeable option. That too is a worthwhile investment.

In addition, enabling automatic renewal is a good way to keep a domain from expiring and slipping into someone else's hands. Many small businesses are unaware of it, but speculators use automated programs to watch for expiring domains, snatching them up seconds after they expire and offering to sell them back to the original owners at greatly inflated prices. Be sure, too, to keep safe the administrative email account associated with the domain, as it has the authority to approve a transfer to another registrar.
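Both the domain theft described above and the domain-protection steps come down to a handful of registrar settings you can read back from whois output. The Python script below is an added example, not from the article: it parses the "Key: value" lines a gTLD registrar returns, then flags a missing transfer, update or delete lock, an expiry date inside a warning window, and nameservers that differ from your own baseline (the change an attacker makes to re-point MX and web records). The whois text embedded in it is constructed for a placeholder domain; on a real domain, feed it the output of `whois yourdomain.example`.

```python
"""Added example (not from the article): audit whois output for the
registrar-side protections discussed above."""
import re
from datetime import date, datetime, timedelta

# Constructed sample in the key/value layout gTLD registries return;
# the domain and hosts are placeholders.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Updated Date: 2014-07-01T10:00:00Z
Creation Date: 2009-03-14T00:00:00Z
Registry Expiry Date: 2014-09-01T00:00:00Z
Domain Status: ok
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
>>> Last update of whois database: 2014-08-13T00:00:00Z <<<
"""

# EPP status codes a registrar sets when the domain is locked.
REQUIRED_LOCKS = (
    "clientTransferProhibited",  # blocks transfer to another registrar
    "clientUpdateProhibited",    # blocks nameserver/contact changes
    "clientDeleteProhibited",    # blocks deletion
)
# Registries and registrars label the expiry field differently.
EXPIRY_KEYS = ("Registry Expiry Date",
               "Registrar Registration Expiration Date",
               "Expiration Date")


def parse_whois(text):
    """Collect repeated 'Key: value' lines into {key: [value, ...]}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields


def audit_whois(text, expected_nameservers, today, warn_days=30):
    """Return a list of findings; an empty list means nothing to fix."""
    fields = parse_whois(text)
    findings = []

    # 1. Registrar locks: the status line may carry a trailing ICANN URL.
    statuses = {s.split()[0] for s in fields.get("Domain Status", [])}
    for lock in REQUIRED_LOCKS:
        if lock not in statuses:
            findings.append("registrar lock missing: " + lock)

    # 2. Expiry: drop-catchers take the domain seconds after this date.
    expiry_raw = None
    for key in EXPIRY_KEYS:
        if key in fields:
            expiry_raw = fields[key][0]
            break
    if expiry_raw is None:
        findings.append("no expiry date found")
    else:
        expiry = datetime.strptime(expiry_raw[:10], "%Y-%m-%d").date()
        if expiry - today <= timedelta(days=warn_days):
            findings.append("expires %s (within %d days)" % (expiry, warn_days))

    # 3. Nameservers: a change here is how a stolen domain gets re-pointed.
    seen = {ns.lower().rstrip(".") for ns in fields.get("Name Server", [])}
    expected = {ns.lower().rstrip(".") for ns in expected_nameservers}
    if seen != expected:
        findings.append("nameservers changed: expected %s, whois shows %s"
                        % (sorted(expected), sorted(seen)))
    return findings


if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS,
                               ["ns1.example-host.net", "ns2.example-host.net"],
                               date(2014, 8, 13)):
        print("-", finding)
```

Run against the sample with the article's publication date as "today", the audit reports the three missing locks and an expiry 19 days out; a domain locked at the registrar and renewed well ahead produces no findings, which is the state to aim for. Scheduling this against your real domains catches a nameserver change or an unlocked domain long before a buyer on an auction site does.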

Regularly create offline backups. For all the online storage services available today, it still makes sense to create regular backups of important data. Store them offline, or at locations that remain out of reach of an attacker who has compromised part of your business. Suitable media include direct-attached storage such as a portable hard disk drive, a network-attached storage (NAS) device, tape drives, or a separate online service protected with a different set of credentials. Whatever you choose, test a restore periodically; a backup that has never been restored is an assumption, not a backup.


Additional measures, doable if a bit of a hassle, include using different credit cards for different service providers and maintaining separate identities (accounts and email addresses) with each cloud provider, so that a detail leaked by one provider cannot be used to pass verification at another.

Ultimately, small businesses must keep an eye on relevant security compromises, and devise and adopt measures that close the weaknesses attackers were able to exploit against others. The war on the security front is never-ending, but with some diligence and effort there's no reason small businesses cannot keep themselves in the clear.