The Game has Changed:
Small Business Security and IT Advice
in the Age of Cybercrime
David Javaheri, President and CEO of
The Game has Changed :
Small Business Security and IT Advice
in the Age of Cybercrime
David Javaheri
Direct iT
39 Emerson Road
Waltham, MA 02451
781-890-4400
www.Directitcorp.com
All rights reserved. No part of this publication may be reproduced or transmitted in any form by any means, electronic or mechanical, including photography, recording or information retrieval system, without written permission from the author.
Printed in the USA.
Copyright 2020 Direct IT Inc.
Copyright 2011 Technology Marketing Toolkit, Inc
Contents
Dark Web marketplace ads selling credit card numbers, bank accounts, and social security numbers
Introduction:
The Game has Changed
W hen I started helping businesses with iT over 15 years ago, security and risk management was part of the job. I helped my customers with antivirus and backups and of course made sure they were password-protected and had the latest service packs. However, at the time for most small businesses there was an understanding that small businesses were not targets for any cybercrime that would put them out of business. At worst, a virus-infected computer might be used to send spam email but overall a small business owner did not need to worry about hackers. For the most part, small business owners had nothing to worry about.
However, by 2012, two new factors changed this dramatically. In 2009 the rise of cryptocurrencies like Bitcoin empowered the black market by giving cybercriminals a relatively anonymous and secure way of doing business with each other. Second, by 2011 dark web marketplaces arose that became the eBay of cybercrime anonymous websites where a little bit of Bitcoin can purchase drugs, or cybercrime tools, or stolen personal information with a seller and buyer ranking and review system just like eBay. One person might just sell social security numbers and addresses. Another might sell credit card numbers. Someone else might but both of those lists and use them for some sort of mail-order fraud (like tricking craigslist sellers into thinking theyd received a legitimate payment and handing over expensive laptops or other goods). Basically, now each cybercriminal only needed to know how to do one small role in the process to make money.
Cryptocurrency and dark web marketplaces caused a separation of roles, whereby the hacker who steals a credit card number doesnt have to know how to do credit card fraud; he can just steal the number and sell it to another hacker who specializes in credit card fraud. The two hackers never have to know each others names to work together. This separation of roles led to an explosion of cybercrime because now criminals can work together on an ad-hoc, crowdsourced basis. Secure email and things like Tor (The Onion Router, an anonymous network on top of the internet) and the dark web also became catalysts allowing cybercrime to grow exponentially.
Also in 2012 and 2013 we saw the rise of ransomware and the idea that it is worth at least a few hours of a particular hackers time to target a small business with the goal of extracting a relatively small sum (i.e. $3000-$7000+) from them. The Cryptolocker virus was just the beginning and evolved into the Petya network which is essentially an outsourced/ crowdsourced ransomware franchise where a single criminal gang runs acts like a ransomware reseller, charging a percentage to smaller hackers in exchange for providing all of the software and money laundering backend needed. Similarly, business email compromise and CEO impersonation attacks started also showing that a hacker may target one small business. Large lists of known usernames and passwords from data breaches (such as LinkedIn) also led to a new, much more targeted form of password attack because so many users re-use the same or similar passwords. Hackers can download a single 170GB list that has over 2 billion usernames and passwords compiled from various breaches chances are, some of your past passwords are in that list.
Enterprises have their own security solutions for these problems but a lot of these solutions are expensive, complex, and assume that you have a full-time IT department with extra time available to manage complex security gear. Intrusion detection systems, binary whitelisting, hardware encryption, Security Event and Information Management (SEIM), vulnerability scanning, penetration testing, risk assessments all of these were great security solutions for companies with million-dollar IT budgets. What I had to do with Direct iT is develop a set of forward-thinking solutions to the same problems that are actually appropriate for small businesses in cost, labor, and management overhead. Not just doing what everyone else is doing but taking some of the best off the shelf solutions and building my own products from scratch where the market fell short for small business.
David speaking about cybersecurity and wire fraud to a group of realtors
Going to Bat Against Cybercrime
A nd by 2013 it started happening. I got calls from financial companies who had just been hacked and fired their previous IT guys, and needed help with digital forensics, remediation, and re-securing their networks after security incidents. I started hearing about customers getting targeted for ransomware via email or via weak passwords. My customers in the financial and mortgage service industries started seeing elaborate tech-savvy wire fraud gangs target their transactions. People who thought they were fine setting their password to Password1 started calling my support line after their email accounts ended up being used as part of an elaborate ebay scam. Wed been helping secure customers who were banks or in other security-critical industries for years, but now we were getting questions from ordinary small businesses about needing the same level of security we used to only need for banks or military contractors.
My business partner and product designer, Patrick Engelman, is a white hat hacker with extensive technical experience with security system design theory and practical security. He had a lot of experience with enterprise security systems and knew they would never work for our small business clients. The only solution was to have our research lab and product development team start focusing on unique approaches to these problems. We had to build our own multi-tiered ransomware protection systems, our own encryption products, our own vulnerability scanning, our own training systems and our own compliance packages. Many of these would be integrated with RemoteNet and BlueBox, our network management solution or My Efact: Paperless Office, our cloud based document management system. Most importantly, we needed to build a set of procedures, systems, and ongoing training to make sure that our products would never fall behind the security curve, because it was very clear that the cybercrime revolution was not going to slow down any time soon.
