How Small Businesses can Prepare for Big Attacks

BSides SLC · 2022 · 41:28 · Published 2023-01
Style: Talk

Transcript [en]

Hello everybody, welcome to the talk. The topic today is how small businesses can prepare for big attacks. It's a pretty strong pain point; I'm sure many of you understand that. You know, sometimes there's a smaller budget with the smaller business, and so how do you secure your assets the same way that the big guys do? Here's a quick overview of what I'll be talking about: introduce myself, tell you the purpose of the talk, any misconceptions that I commonly hear from small and medium-sized businesses, some statistics and data points about SMB-targeted cyber attacks (and when I say SMB in this talk I'm talking about small to medium-sized businesses, not the other thing), then I'll go over some free-with-an-asterisk and simple solutions, and then of course paid services and how they help you, and then the key takeaways afterwards.

So who am I? Cyber security professional with about a decade of experience. I started out in the Air Force; I was doing cyber warfare operations for several years. I got my bachelor's degree while I was in. I mentored with something called CyberPatriot, if any of you are familiar; it's essentially where Air Force personnel were encouraged to mentor high school students and college students in cyber security. We went through labs, they had competitions, it was a really fun time. I loved every second of it. We had one team one year go to State, and that was awesome for me, so I'm definitely proud of that time. I've got multiple disciplines in my experience. My bread and butter is digital forensics and incident response, DFIR. I do a lot of threat hunting as well; I'm actually building a threat hunting program at my company currently. Security information and event management engineering, that's kind of how I started in the Air Force. Malware reverse engineering, and a bunch of other stuff. I did spend some time as a senior analyst over at CrowdStrike. I learned a ton; I've got some old co-workers here as well. It was a great time, I loved every minute of it. And now I'm currently the incident response lead over at a company called Tanium. We do endpoint management solutions for enterprises, but I do their internal incident response. And I'm a huge nerd: I play tons of video games and I am all about the nerd culture as well.

So why am I here? Well, every organization in the world is a target of a cyber attack, no matter what, hands down, full stop. Every single organization, every single individual is a target, no matter how big or small. You're a target too. So SMBs usually don't even know what they need when it comes to cyber security. Usually it's an afterthought for them, right? It's only after they get attacked that they even care about cyber security. So I want to clear up some misconceptions around the cyber security industry, the products, the services that are offered throughout the industry, and to clear up some information that might have been falsely understood. And then I want to help the underprepared organizations secure their assets, because that's what we do, right? We protect company assets or government organization assets, and information and data. We want to make sure that all of that data is protected the proper way. That's why we're here, and as a result of that we can make the world just a little bit safer.

So let's jump right into some misconceptions. These are just a handful of quotes that I've heard from small and medium-sized business owners. One of which is the misconception that recovery from a cyber attack happens just like any other disaster, right? So if your building gets flooded out because of a hurricane, well, you have disaster recovery processes that you follow in order to bring back the functionality of that building, and so they just assume that you would do it in a similar way when it's a cyber attack. And as many of you know, that is not true. Cyber attacks come with many other costs that are not directly up front, like, say, a fine from a government organization, or, I don't know, it could be rebuilding a server that got ransomware'd or something like that, or say paying a ransomware payment. Those are not the only costs that are associated with it. When you have a major cyber attack and critical information or data is released to the public, or maybe customer data is sold on the dark web, the public trust in your brand has gone down significantly, and as a result you're probably going to see a significant drop in revenue because you are now less trusted in the world. So if you don't fix the underlying issue after the cyber attack, it's just going to happen again. Unlike, say, flooding, where you can't really do much about a hurricane coming in and just flooding out an entire city (you can take precautions to help mitigate the risk of it, but you can't stop it completely), when it's a cyber attack, let's say you accidentally left a Windows XP box with the other SMB open to the internet, you're probably just going to get hacked, and then if you recover from that attack and you don't fix that underlying issue, somebody else is just going to use it again.

"I'm too small to be a target." As I already said in the beginning, that's completely false. Attackers don't care about how big you are or how much revenue you have; they don't care about any of that. They target everybody regardless of size. Attackers may be going after thousands of organizations just like yours, maybe the same size, maybe the same industry. But if they only went after the big fish, say Walmart, Apple, Adobe, whatever, then they wouldn't really get that big of a payout, because those have a bigger security budget, they have more infrastructure and more investment into cyber security controls. But if it's a smaller target, you may get a lower amount of payout, but it's going to be more reliable. So if I hit a thousand organizations and only 10 of them stick, I still hit a hundred organizations. So it's easy money, right? If you have very little to no cyber security protections implemented in your environments, then it's just an easy button for them and they can get right in.

A couple more. "We don't have the budget for in-depth cyber security." Well, you don't really need that. You don't need millions and millions of dollars to build a proper cyber security program or strategy. Most of the time you can even get by with a handful of free or simple solutions that you can implement in your organization, and it will put you far ahead of everybody else in your industry for their cyber security. Well, "cyber security is too complicated for my simple little business." Well, again, most of those cheap and free solutions are usually pretty easy to implement, such as password managers or antivirus software. It's pretty easy to just install on the host and then just let it go.

They also help to stop the most common attacks. Who here knows what the most common attack is, like way entry level, sorry, infection vector, that attackers will take to get into an organization? Email, thank you, I heard it. Phishing attacks, right? So if you had proper email filtering in place, then fewer phishing emails will even be allowed to get through for your employees to click on, and that's just one of the many examples out there.

So let's talk about some SMB-targeted cyber attacks that have happened in the past. So obviously SMBs tend to have fewer security controls in their organization. As we discussed earlier, lower cyber security budget. They probably don't even have dedicated personnel that handle cyber security, so the security patching might not be managed very well. It could be just like, yeah, whenever Jeff from IT has time he'll go ahead and review the patch schedule or something. Most likely no security awareness training or phishing training. So phishing awareness is going to be one of the biggest helpers to reduce the risk for phishing attacks, and it's a free solution that you can implement. Obviously you want to make sure that it's good training, so it might take a little bit of time and research in order to get there. They're also unaware of their attack surface. They may not necessarily have a good asset management system in place, and so whenever a particular server is actually compromised by an attacker, they might not even know that that system even existed, because somebody else implemented it and didn't go through the proper channels in order to get that system put into the asset management system. And then of course, like I already said, lower security budget: less money means fewer resources, and you are putting it at a lower priority than other parts of the business, and you're just opening yourself up to risk.

So organizations with fewer than 100 employees are actually targeted more often than others. About 60 percent of all cyber attacks are targeted at SMBs, and as we already discussed, phishing remains the most common tactic for initial access. And of course the COVID-19 pandemic has increased cyber crime by over 600 percent since it started. So I'm going to add a little bit more information about some statistics on the cyber attacks that are targeted at these types of organizations. According to the DBIR, or DFIR, report by Verizon earlier this year, only about 50 percent of SMBs had a cyber security plan for 2022. That's kind of alarming, because that means that when the attack happened they had no idea what they were going to do, right? They had no backup plan, they didn't have a strategy for how to handle and how to triage the incident or how to recover from it, none of that. During the time frame of 2020 to 2021, data breaches at these SMBs grew 152 percent in comparison to the previous two years. Of course, 27 percent of small businesses with no cyber security protections collect credit card info, so that's good to know. 82 percent of ransomware attacks were against companies with fewer than a thousand employees. So anything lower than a thousand employees would be considered a small to medium-sized business, and so the fact that 82 percent of all ransomware cases were targeted at those organizations should be alarming to most people, because I'm sure many of you here work for organizations that have fewer than a thousand people. So that means that that's more work for you, and it's more lucrative for the attackers in the long run. More than half of the respondents to a survey would be less likely to continue doing business after a breach, and we see this all the time: a cyber attack happens, maybe ransomware gets spread throughout the entire environment, and they had no backup plan, they had no BCDR plan implemented, and then as a result of that they lost so much money during the recovery process that they ended up going bankrupt and they had to close the business. Nobody wants that to happen. And of course, finally, over half of SMBs that fall victim to ransomware pay the money, and you shouldn't do that. The reason for this is because when you pay the ransom to the ransomware actor, you are reinforcing the fact that that is now a lucrative business for them to continue pursuing, and you also have tipped your hand to other criminals that you're willing to pay the ransom note. So not only are you opening up yourself to more cyber attacks, you're opening up the entire world to more cyber attacks when you pay the ransom. So don't do that if you can avoid it.

So, free with an asterisk, because it may not have a price associated with it, but there is a time commitment that you will have to put in for these solutions, just like with most things. But there will be no monetary price that you have to pay to a company for these products or solutions. Enable multi-factor authentication on every possible thing, and when I say that, I mean your corporate accounts is what I'm specifically talking about here. Every time that you have the ability to add multi-factor authentication, you should definitely enable it, and if you're the business owner or you're an executive at the small to medium-sized business, you should make that a requirement of every single employee there. Using a password manager in the correct way is important. Patching and updating, as we mentioned earlier: you need a good patching and management system in place, and well-documented evidence on how this is all handled, and when a new critical security patch comes out you need to be able to make sure that every vulnerable system has been patched within a timely manner. You can create an in-house phishing awareness training. It'll take some time and research if you're not familiar with performing these types of trainings for your company, but it's definitely worth it, because as we've said already multiple times, phishing is the number one attack vector. So once you have the phishing awareness training in place, you can also do phishing tests, slash simulations, to help reinforce that training in all of your employees. One thing that I've seen some companies do is they'll send out a fake phishing email that is clearly not legitimate, and the link that is in there that they're trying to entice you to click just brings you to the phishing awareness training itself for your company. And that's a good solution. It does help. It's not perfect, nothing is in security, but it definitely reduces the amount of risk exponentially. The more people that do this training and understand it and go through simulations, they become more vigilant, because now they're looking for the simulations, which means that they're looking at the real phishing emails like, oh, that's probably a simulation, I'm not clicking on that, you know, I don't want my name to be on that list today.

So you're helping out overall by doing something like that. Implement policies and procedures in your organization. So this again is targeted more at the executives or management of the company, but essentially what you can do is you can make all of these cyber security awareness trainings and everything like that a mandatory task for everybody. How you implement that kind of varies from person to person in their opinions on how it should be implemented, but as basically a blanket statement, you should make sure that strong security practices and best practices are being promoted by the executive leadership, so that all employees will follow it, overall reducing the risk to the company of cyber attacks.

So one such policy, or I guess you can say best practice, would be least privilege, and this is something that you don't necessarily need money to implement. The reason is because you probably already have some type of mechanism for separation of duties for people, right? Why does somebody in this department need information that's in this other department if they have nothing to do with it? We'll block that access. That's basically the principle of least privilege. You want to make sure that people only have access to what they need to have access to and nothing more. If they need the access later, they can request it and they can go through the process that you have set up.

And I'm an incident response guy, so of course the incident response plan I'm going to be talking about. Too often I have seen it where organizations have no idea what they're going to do in the case of a major breach, and that's how you do it right there: you do an incident response plan. You need to identify the biggest risks to your environment, and then you need to set up a plan of, if these systems get attacked, what are we going to do? And this helps for a couple of reasons, and the biggest one is muscle memory. So if you have a small team of IT engineers or something along those lines and you don't have any dedicated security personnel, there's not going to be many people in your organization who already know what they need to do in the case of a major breach. So what you do is you build an incident response plan and then you test it, so that every single person in that organization who is responsible to perform certain actions during the incident response knows exactly what they need to do. Another big issue that I see with not having an incident response plan is that you might miss something in the heat of the moment. So if you're getting attacked by, I don't know, WannaCry for instance, and you don't have an incident response plan, and you think you know what you're doing because you're a cyber security professional, you got this, right? Well, maybe you missed something. Maybe you forgot to check one log source, maybe you forgot to quarantine one machine, something like that, and then the ransomware is still active on your network even when you think you're done with it. Having an incident response plan is, in my opinion, absolutely crucial. Having playbooks or runbooks follows along the same lines: in this type of scenario, what are we going to do? So in the case of ransomware, it has a step-by-step process or general guidelines of what needs to happen in order to ensure that the ransomware stops being spread, you can contain it, and you can eradicate it.

Going more into multi-factor authentication, it's obviously far more secure than just a password alone. So instead of only typing in a username and password to log into any system, you will also have to have that second factor, and that could be anything from an authenticator app on your phone to a text message, an email, and then of course you also have biometrics. So many of us have phones that have fingerprint scanners, face scanners, those types of solutions; those would also be considered a second-factor authentication process. This also means that there are more steps for the attacker. So now not only do they have to somehow get your username and password, but now they also have to figure out how to get that second-factor authentication to be utilized in the authentication process in order to break into your account.

So moving on to password managers and how to use them correctly. You should enforce a strong master password. So your master password is what unlocks, essentially, your vault of all of your other passwords that you don't have to remember because they're stored in a vault. So if you have a really, really strong master password and multi-factor authentication on your password manager, it'll be far less likely that an attacker can gain access to that account, and since you're using a password manager, you only have to remember the one, right? Single sign-on is another solution for this; that's a little bit more on the enterprise side. So after you have a very strong master password, what about all the other accounts? Well, I want you to just randomly generate 20-plus-character-long passwords, because you don't even have to remember them; you're just going to store them in the password manager anyway. So add in characters, symbols, uppercase, lowercase, numbers, all of that stuff, and make it long and strong, and you're going to feel more safe now, because who's going to be able to guess that kind of password? You also have the ability to monitor account access and other critical logs. So now I put an asterisk here as well.

Usually it's a paid service add-on for these password manager services. However, there are ways that you can utilize that to your advantage that are well worth the money, in my opinion. So what does this actually mean, what does it actually do for these SMBs? Well, they can now monitor who is accessing what systems at what times, and sometimes you can even get the GPS location of the individual, where they logged in from. So this provides more insight into what is happening with all of the accounts across the enterprise.

So on implementing policy and procedures: establishing security as part of your culture is huge. Anybody ever heard of Google? You know, small company. Several years ago they implemented a requirement for all employees to use FIDO tokens, which are physical devices that you have to plug into the computer as your second-factor authentication. Who here knows how many times Google's internal accounts have been compromised? Zero. Not a single time since they implemented that policy, and that security is part of their culture, have they had any of their internal accounts compromised as a result. So establishing security as part of this culture is going to help you reduce risk tenfold, and it's because people are the weak link. So most attacks such as phishing, you know, social engineering, they don't attack any particular system, right? They're not really an attack in the traditional sense. What they are is they're attacking the person and their human mind to trick it into clicking something or downloading something that then drops malware or a reverse shell or whatever else. So if you establish security as part of the culture in your entire company, then you shouldn't have to worry about that as much. It's still going to be there, but the overall risk will be reduced. Just like I was talking about earlier, make sure that you create a plan for how you're going to respond to the most common attacks. If ransomware is your biggest threat, then make a playbook for ransomware: what are you going to do when it happens? Because again, just because you're a small business, or you think that you're not a good target, think again, because you definitely are. I'm including here incident response plan, ransomware playbook, stuff like that. Require MFA on all critical accounts for all employees; I kind of discussed that earlier. And of course, encourage behavior related to security, and what I mean by this is "if you see something, say something" is usually how people will put it. If you see something, or if you observe a practice or a person in the company performing a certain action that doesn't seem very secure, encourage the behavior of reporting that, and not reprimanding people for reporting that. Obviously that will have to be reported somewhere, so if you don't have a process for that, you should probably do that. And I have seen this catch threats and active attacks multiple times, where somebody was just like, hey, my computer was acting funny and I didn't know what was going on, so, you know, I'm submitting a ticket to the help desk. And then the help desk picks it up and they're like, oh, this doesn't look very good, and then they send it off to the security operations center to triage. Turns out there was malware on that system. So obviously whatever technical security controls they had implemented on that host did not work, and so having the person identify that something is not correct and reporting it, that's what actually caught it. So encouraging that as part of the culture: huge. Of course, reporting phishing attempts is another major example here. So whenever a phishing email comes in, either suspected or legitimate, you want to have a process in place for employees to report that email, because they might not be the only person that got it and did not click, right? There could be multiple people that got that same exact email, and maybe none of them reported it except for one person. Now you can go into your email software and you can search for all the people who have been given this email, and you can continue your triage from there. Identifying security threats and vulnerabilities, then reporting them to the security team: I kind of already went over that, but essentially, if you see, you know, you're running an old version of PHP on your website and for some reason nobody has patched it, say something, bring it up. That's going to help you immensely.

So now I'm going to be moving on to paid services and how they help you. No, I'm not going to be selling you anything. So of course the big one, malware protection and antivirus, right? Everybody knows this, it's been around forever. You know, you've got McAfee, you've got Malwarebytes, you've got all sorts of stuff. You've even got the new cool ones like CrowdStrike and SentinelOne and all that, but for the most part that gets a little too complicated for these SMBs, because now you're starting to get very in-depth into the cyber security field and the expertise that it requires to understand how these systems actually work. They obviously don't have time for that. So it's not your mama's AV software anymore, is kind of how I like to put it. It's a lot more sophisticated than it used to be, and it helps way more than the old-school antiviruses that you used to put on your computer from Best Buy in 2005. It's crucial to have, but unfortunately it's not enough by itself, and we're going to go over that a little bit more in a couple of slides, so I'm going to hold off on that. Email filtering and phishing protection, we're going over that as well. So since phishing is the most common initial infection vector, having the ability to filter out potential phishing emails is huge. So it will stop most phishing attempts when configured properly, and it helps so much more than you think it does, because the human element still plays a big role here. If there are fewer emails that get to your employees to click on, then just by statistics' sake, fewer emails will be clicked on. It's crucial to have, but again, not enough by itself. Backup services, BCDR, right? Business continuity and disaster recovery. I know it's boring, nobody likes to talk about it, but it's important and we need to have it. If you get ransomware across all of your DCs and you don't have any backups or any plan to recover from that attack, then you're kind of just dead in the water. So having these backup services that are off-site (another critical point there is making sure that they're off-site; it could be in the cloud, maybe you have your own data center, whatever the case is, making sure that those backups are not stored on the same server that you're backing them up from) is huge, and again crucial to have. Should be required on all critical systems.

And then another very key point here: you have to test the backups, because you can't just point and say, oh yeah, we've got backups, it's fine, and then three years later ransomware hits you, and then you come to find out that three years ago somebody forgot to push a configuration file to make sure that they can actually work properly. So make sure that you test these and you run through BCDR tests.

So you can get policy and plan reviews by third-party services. So this kind of ties in with what I was talking about with the incident response plans, all the playbooks and the runbooks. You can actually have cyber security companies that review these plans for you, provide you with recommendations to make them better, or changes that they think you should implement, best practices that they notice you didn't have included, and they can also work with you to tailor these plans and these policies to your organization, because every organization is unique, and you'll have different infrastructure depending on what industry you're in and all that. In that, you can identify the gaps, improve your response, and then standardize your workflow, because if you have three different people doing three different processes for the same malware or the same type of attack, you're going to get three different results. So standardizing that is going to be immensely helpful when you're trying to identify the actual underlying issue.

Security assessments is another major one. All this talk about going to the cloud: most of these SMBs are moving to the cloud, or they're starting out in the cloud, and maybe they don't understand it very well, or maybe they only kind of understand how it works, and they're like, oh, my engineers just handle that. If you don't get your environment checked by somebody else, like a third party, then you might be missing something, and it's important to make sure that you're filling in all the gaps as consistently as possible. Security assessments, honestly, you can get away with doing them once a year. I would recommend probably every six months, because your infrastructure is probably changing more often than you think it is, and so verifying that your configurations are implemented properly, or that you don't have exposed credentials on some Amazon S3 bucket or whatever, those are probably going to save you from a major breach. So you could do on-prem or cloud-focused, maybe both; it just depends on your unique environment. You can get recommendations on improvement areas from, again, cyber security professionals and experts.

The next one is going to be risk assessments around cyber attacks. This one will be a little bit more focused on the overarching strategy of your company, and essentially it'll be more focused on less technical controls and more managerial or process-focused controls, so very much focused on the executives and management of an organization. They translate the technical issues into the business terms that they can understand. Most of the time these small businesses only have a handful of technical people, maybe, you know, a couple of engineers or a couple of help desk individuals, something along those lines. Being able to speak in terms that these business owners understand is going to help them immensely.

Attack surface management services: these can also help you more than you think they can, and the reason is, like I was talking about earlier, sometimes you just don't even know what all systems you have under your organization. You could have 3,000 machines out there, but then whatever system you're using to identify those assets, it might say something like 2,700. And so in your eyes you're like, wow, I have 2,700 systems, that's a lot, but you're still missing 300. So being able to have an attack surface management service, usually what they'll have is continuous monitoring of your entire organization, and then any new asset that they identify, they will immediately put into an automated report and provide that to you. This could also identify rogue devices on your network as well. So if you're in a traditional building with traditional networking and everything like that, and an attacker tries to throw in a rogue device to maybe capture some traffic, or, you know, just kind of poke and prod, see what you've got out there, now that that device was added to your network, your attack surface management system will identify that for you. And then, you know, if you have an IT department, they're going to be like, I don't know what this system is, does anybody know what it is? And when they identify that nobody even knows what the heck is going on, that's when they know that there's an issue that needs to be investigated. And of course public-facing as well is very huge, because that's going to be what most attackers have automated attacks going after. They're just port scanning constantly, and if you accidentally spin up some EC2 instance that has some service public-facing that's vulnerable to an exploit, it's going to get smacked.

And then I'm going to bring this back around to phishing simulations as well. You don't have to do them yourself; there are tons of companies out there that offer those services for you. So this is what I wanted to bring up earlier: a lot of these security solutions are great, or critical even, for every organization out there, but not by themselves. There's this defense in depth concept, saying that you can't just use one security solution; you have to use multiple layers, kind of like an onion, and you want it to be harder and harder for the attacker to get in between. This graphic was just one that I found online; I did not make it, but it just kind of hits some major points here about, you know, timely patching, encrypting sensitive data, and of course your antiviruses and your policies and procedures, physical security. So if you have traditional old-school servers that you have sitting in your own building, then you're going to want to make sure that you have physical access control, CCTV coverage; all of that is part of the security of your organization as well. The defense in depth strategy is going to change from organization to organization. Some of these might not affect your business at all; for instance, physical security, you might not need that. You might be a remote-only organization, so you don't really need any physical security. So none of these are, you know, hard points that you need to have, but you want to make sure that the concept of defense in depth is implemented within your organization.

So I ended up talking faster than I thought, so here are some key takeaways. Criminals don't care about you or your organization. They don't care if you're going through a hard time, they don't care if you just had a baby, they don't care if it's three o'clock in the morning. They're going to attack you when they have the opportunity,
and they don't care about your organization either. If they can make a quick buck off of you, that's all they care about. SMBs are much bigger targets than you think, as we discussed with the statistics from the DFIR reports. Basic security measures go further than you think; some of them are even free. So implementing best practices alone will probably save you from more cyber attacks than you actually think they would. If it's in your budget, consider a low-cost third party to assist. Again, I'm not trying to sell you anything here, but they are helpful. If you're not familiar with the solutions and the terms that I'm using here for the cyber security industry, it would be highly beneficial to get a low-cost third-party assessment of your environment and then have them provide you with recommendations, or maybe even that company offers to do the remediations or the changes for you. And preparation is the most important part. So in the incident response life cycle, the first step is preparation, and then you go through everything else. In my opinion, preparation is the most important part. It's not containment, it's not eradication, it's none of that. It's preparation, because if you're not prepared, then none of the other parts of the life cycle matter. It all crumbles, because you need to have a plan, you need to understand what the risks are for your organization, and you need to be able to respond in a timely manner, or else the attackers are just going to own your company. Thank you for your time. Does anybody have any questions?

I've got my Twitter and my LinkedIn up there as well if you guys want to connect.

Question: You touched on a lot of different services that small businesses could use, but one thing that I noticed wasn't in there was talking about MSSPs, and I was just wondering, would that be pretty critical to a small business?

Answer: Yeah, so MSSP stands for managed security service provider, and essentially most of the services that I discussed here are actually included in most MSSP service offerings. So while an MSSP is not one service in and of itself, they could have multiple services. They do have one other that I didn't bring up, which would be like SOC as a service. So a security operations center that this MSSP has stood up, and then you just ship all of your logs to them, and they do the analysis, the triage, and all of that. So you're kind of offloading that work to another organization, and then they provide you with the feedback, or some of them will even do remediations for you, stuff like that. Does that answer your question? Anybody else?

Thank you for your time.
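The attack surface management part of the talk (the 3,000-versus-2,700 inventory gap, rogue devices on the internal network, and public-facing services nobody approved) as an added example that is not from the talk or the speaker: a small Python reconciliation of a discovery scan against the asset inventory. Every hostname, address, port and both CSV layouts are constructed sample data, and the internal address ranges are an assumption.

```python
"""Reconcile what a discovery scan found against the asset inventory.

Added example, not from the talk. Both CSV blobs and every host, IP and
port below are constructed; the internal ranges are an assumption.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Address ranges the (hypothetical) organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export: what the organization thinks it owns.
INVENTORY_CSV = """\
asset_id,hostname,ip,owner,approved_public_ports
A-001,web-01,203.0.113.10,webteam,443
A-002,mail-01,203.0.113.20,itops,25;443
A-003,fileserver,10.0.5.15,itops,
A-004,laptop-jeff,10.0.9.42,jeff,
A-005,legacy-xp,10.0.5.99,unknown,
"""

# Constructed discovery output: what a scan or cloud export actually found.
DISCOVERY_CSV = """\
ip,hostname,open_ports
203.0.113.10,web-01,443
203.0.113.20,mail-01,25;443;8080
203.0.113.77,,22;3389
10.0.5.15,fileserver,445
10.0.9.42,laptop-jeff,
10.0.9.200,,80
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # short machine-readable label for the problem
    ip: str
    detail: str


def _ports(field: str) -> set[int]:
    """Turn an 'a;b;c' port field into a set of ints; empty field -> empty set."""
    return {int(p) for p in field.split(";") if p.strip()}


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reconcile(inventory_csv: str, discovery_csv: str) -> list[Finding]:
    """Compare discovery against inventory and return findings, worst first."""
    inventory = {r["ip"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    discovered = {r["ip"]: r for r in csv.DictReader(io.StringIO(discovery_csv))}
    findings = []

    for ip, seen in discovered.items():
        known = inventory.get(ip)
        if known is None:
            # The "inventory says 2,700 but there are 3,000" case: a host
            # nobody registered. Internal and unknown suggests a rogue device;
            # external and unknown is exposed to everyone's port scanners.
            sev = "medium" if _is_internal(ip) else "high"
            kind = "untracked-internal-host" if _is_internal(ip) else "untracked-public-host"
            findings.append(Finding(sev, kind, ip,
                                    f"open ports {sorted(_ports(seen['open_ports']))}"))
            continue
        if not _is_internal(ip):
            # Known public host: anything listening beyond the approved set
            # is the "accidentally exposed service" the talk warns about.
            extra = _ports(seen["open_ports"]) - _ports(known["approved_public_ports"])
            if extra:
                findings.append(Finding("high", "unapproved-public-service", ip,
                                        f"{known['hostname']} exposes {sorted(extra)} beyond approved set"))

    for ip, known in inventory.items():
        if ip not in discovered:
            # Inventory drift in the other direction: a recorded asset the
            # scan could not find (decommissioned, moved, or scan gap).
            findings.append(Finding("low", "inventory-not-seen", ip,
                                    f"{known['hostname']} (owner {known['owner']}) not found by discovery"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.ip))


def inventory_coverage(inventory_csv: str, discovery_csv: str) -> float:
    """Fraction of discovered hosts that the inventory already knows about."""
    inventory = {r["ip"] for r in csv.DictReader(io.StringIO(inventory_csv))}
    discovered = [r["ip"] for r in csv.DictReader(io.StringIO(discovery_csv))]
    return sum(ip in inventory for ip in discovered) / len(discovered)


if __name__ == "__main__":
    for f in reconcile(INVENTORY_CSV, DISCOVERY_CSV):
        print(f"[{f.severity:6}] {f.kind:26} {f.ip:15} {f.detail}")
    print(f"inventory coverage: {inventory_coverage(INVENTORY_CSV, DISCOVERY_CSV):.0%}")
```

Run on the constructed data it reports the unregistered public host, the unregistered internal host, the extra port 8080 on mail-01, and the inventoried box the scan never saw, with coverage of 4 out of 6 discovered hosts.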