This past weekend the Department of Homeland Security (DHS) warned American businesses that Iran is stepping up its attacks on corporate targets here in the U.S. The new rise in malicious activity is alleged to be part of Iran’s response to American cyber attacks on that nation’s missile launch systems.
Escalating tensions in the Middle East are frightening enough without the added twist of American companies, including small to mid-sized businesses (SMBs), becoming targets themselves.
What’s more, standard antivirus and recovery from backup may not be useful against these attacks. In the past, Iran has deployed viruses that render computers completely inoperable, perhaps most spectacularly in the case of Saudi petrochemical company Aramco.
Government agencies and huge defense contractors can afford large dedicated security teams and intrusion detection infrastructure, but what is an SMB to do?
Before we discuss solutions, we need to examine the problem in greater detail.
First and foremost, we all need to accept that there’s no such thing as security through obscurity anymore. Attempting to secure your business by flying under attackers’ radar has always been an uncertain strategy, and it’s especially risky in this era of automated attacks, which scan and probe every reachable system regardless of how small or uninteresting its owner is.
The second thing to understand is that there are two main vectors for these kinds of attacks—email and credential stuffing.
Email has been a popular virus delivery route for many years. Spam filters stop obvious malware, but increasingly sophisticated phishing attacks are making it through the filters.
In a credential stuffing attack, the attacker buys stolen usernames and passwords and then tries to use them with other services.
Many people continue to use the same password or similar passwords for their entire online existence, both personal and professional. This puts corporate networks at risk when a data breach at an online retailer gives attackers millions of usernames and passwords to try.
An expert in one article I read estimated that as much as 90 percent of remote login attempts on a corporate network can be stuffed credentials.
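The telltale pattern of credential stuffing described above, a single source trying many different usernames with mostly failures, is something a small IT team can spot in its own remote-login logs. The following is an added example, not code from the original post; the log format and the IP addresses, usernames and timestamps in it are constructed for illustration, and the thresholds are assumptions to tune for your environment.

```python
"""Flag remote-login sources whose behaviour fits credential stuffing.

Heuristic: within a short window, one source address tries many distinct
usernames with a high failure rate. A real user mistyping one password a
few times touches a single username and is not flagged.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp src_ip username result".
# 203.0.113.7 walks a stolen list; 198.51.100.9 is one user mistyping.
SAMPLE_LOG = """\
2019-06-24T08:00:01 203.0.113.7 alice FAIL
2019-06-24T08:00:02 203.0.113.7 bob FAIL
2019-06-24T08:00:03 203.0.113.7 carol FAIL
2019-06-24T08:00:04 203.0.113.7 dave FAIL
2019-06-24T08:00:05 203.0.113.7 erin SUCCESS
2019-06-24T08:00:06 203.0.113.7 frank FAIL
2019-06-24T08:05:00 198.51.100.9 alice FAIL
2019-06-24T08:05:20 198.51.100.9 alice FAIL
2019-06-24T08:05:45 198.51.100.9 alice SUCCESS
"""


def parse(log):
    """Yield (timestamp, src_ip, username, result) per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result


def stuffing_sources(log, window_s=300, min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: summary} for sources matching the stuffing pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Check every window_s-second span starting at each event.
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:]
                    if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Any SUCCESS here is a stolen credential that worked and
                # that a second factor would have stopped; review it first.
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(span),
                               "successes": len(span) - fails}
                break
    return flagged
```

Against the sample, only 203.0.113.7 is flagged (six usernames, one success); the one success is exactly the login that MFA exists to block.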
Let’s attack the easier problem first—remote login using stolen credentials.
As DHS noted, multi-factor authentication is a “basic” defense. We’ve written about MFA previously, so I won’t go into great detail here, but the key point is that requiring a second factor stops an attacker who holds only a stolen username and password from logging into your systems remotely.
You also should set corporate IT policies that require your employees to use different passwords for their corporate accounts than they do for their personal services. This will reduce the likelihood that credential stuffing will succeed on your corporate systems.
Malware delivered by phishing emails is a greater challenge, but there are some low-cost/no-cost basic steps that you can take to reduce this risk.