It's no longer unusual to see major, massive hacks make news these days. They affect millions of individuals and cost millions of dollars to rectify.
While intriguing to read about, the security breaches of large organizations and financial institutions generally offer little in practical terms to help small and medium-sized businesses to better protect themselves. Specifically, SMBs often deploy different technology than that used in an enterprise while grappling to do more with smaller IT teams.
There's still no excuse for small businesses to skimp on security. Yes, technology pervades even non-technical sectors, and mature cloud services make it possible today to quickly setup an online presence with little more than an Internet connection and a credit card. This heavy digitization of business also means that an online hacker could also cause incredible disruption from the comfort of his or her armchair, too.
To help small businesses navigate these tricky waters, let's highlight first some real-life security scenarios that recently affected small businesses and then some practical steps for protecting against these issues.
Beware Social Engineering of Cloud-Based Accounts
A developer named Naoki Hiroshima had his GoDaddy account hijacked in an elaborate bid to steal his Twitter username, @N, for which he'd received unsolicited cash bids of as much as $50,000. The GoDaddy account controlled access to the domain containing the password reset email address of the targeted Twitter account.
While this convoluted attack didn't succeed — Hiroshima was able to change the predefined email address for the reset password in time — he initially had to give up his Twitter handle in exchange for control of the GoDaddy account, which controls access to multiple work domains and websites.
What's interesting here is how the hacker essentially social engineered PayPal into divulging the last four digits of the credit card number over the phone. This information was subsequently leveraged as part of the verification process at GoDaddy to gain control of the developer's GoDaddy account. (GoDaddy owned up to its role in the incident, but PayPal didn't.) As Hiroshima detained in the online magazine Medium, he exchanged emails with the hacker, who bragged about how he pulled it off.
Fortunately, things ended well. Hiroshima suffered no data loss — and, once the story went viral and caught the attention of Twitter administrators, he got @N back.
Beware Hackers Holding Digital Systems Hostage
A promising cloud service that offered code-hosting and software collaboration was abruptly put out of service when a hacker gained access to its Amazon EC2 control panel in what appeared to be an extortion attempt gone awry. According to a public explanation left on the homepage of Code Spaces that also announced its closure, an unknown person left a number of messages at the control panel to open communication regarding an ongoing Distributed Denial of Service (DDoS) attack against the service.
Sign up for CIO Asia eNewsletters.