Tuesday, March 11, 2014

It Could Happen to You: The Value of Small Biz to Attackers

Tags: social engineering, DDoS, identity theft, phishing

Read this little article yesterday and thought it might make a nice follow-up to last week’s interview with Naoki Hiroshima. Quick update on that story: @N has been restored to its rightful owner.

Unfortunately, though, that was not an isolated incident. In fact, according to this recent article on The Verge, small and mid-range companies should be especially alert to these kinds of attacks.

“Stories like Meetup's are less surprising to companies in the business of DDoS mitigation — like Cloudflare, which is currently helping the site recover. CEO Matthew Prince says they're most commonly launched against gambling sites or midrange e-commerce sites, as in this example from 2012. They're businesses with enough success to suffer from a few days of downtime, but often not enough foresight to invest in DDoS protection.”

It’s a common scenario, unfortunately. Small and mid-size businesses often do not believe they have anything of value that would interest an attacker. In our own experience with both social engineering audits and employee training, folks are pretty quick to say, “Yeah, we know we should _____________...but we’re a small company. Why would someone attack us?” That blank could easily be filled with all kinds of security procedures: social engineering training, security audits, risk analysis, or DDoS protections.

Hey, small biz. I’ll tell you why someone would attack you: because you aren’t even trying to stop them.

Now, this blog isn’t really about what steps to take to prevent an attack. If you’ve hung around here much, you’ve probably heard it all before (and can learn more at our website). Today, let’s talk about what to do when you find yourself smack in the middle of an attack.

As discussed in the article, “You can't negotiate with terrorists,” and that’s the same advice we give. The safest thing is to never engage a malicious person in any way, whether it’s an extortionist threatening a DDoS attack or a social engineer working his way through a phone scam.

Whatever you do, don’t bite—even in jest. You might be surprised how much information you give away while trying to be coy, cocky, or clever. In fact, on more than one occasion during white-hat social engineering audits, we have encountered IT departments willing to engage us, just for the chance to be funny or act superior.

What those IT specialists don’t know (but should) is that even a quick, harmless jab like “Don't insult us with your weak attacks” may tell us something we need to know. In fact, any time we get communication from a “victim,” it’s helpful. It may simply tell us that someone is there to receive our messages or threats. But more often than not, we are able to twist the communication to our advantage and give the mark a false sense of control.

Remember: an anonymous attacker has nothing to lose—and in the case of an extortionist, there’s really nothing to stop them from carrying out the attack after you pay up. If you pay them or beg them or try to intimidate them, you will always lose one way or another.

Ignore. Report. Never engage.
