
SECURITY THREATS: A GUIDE FOR SMALL AND MEDIUM ENTERPRISES

Security threats are becoming increasingly sophisticated and harder to detect. Many small and medium-sized enterprises are still convinced that a firewall, antivirus and anti-spam software are enough to protect their networks. With cyber-crime on the increase, it is imperative that organizations are aware of the security threats that they face on a daily basis. The goal of this guide is to raise awareness in organizations of the importance of security and how they can deal with the threats.

Security threats: A guide for SMEs

What does an SME need?

A successful business works on the basis of revenue growth and loss prevention. Small and medium-sized enterprises (SMEs) are hit particularly hard when either one or both of these business requirements suffer. Data leakage, downtime and reputation loss can easily turn away new and existing customers if such situations are not handled appropriately and quickly. This may, in turn, impact the company’s bottom line and ultimately its profit margins. A computer virus outbreak or a network breach can cost a business thousands of dollars. In some cases, it may even lead to legal liability and lawsuits.

The truth is that many organizations would like to have a secure IT environment, but very often this need comes into conflict with other priorities. Firms often find the task of keeping business functions aligned with the security process highly challenging. When economic circumstances look dire, it is easy to turn security into a checklist item that keeps being pushed back. However, the reality is that, in such situations, security should be a primary issue. The likelihood of threats affecting your business will probably increase, and the impact can be more detrimental if it tarnishes your reputation.

This paper aims to help SMEs focus on threats that are likely to have an impact on, and affect, the organization. These threats specifically target SMEs rather than enterprise companies or home users.

GFI Software | www.gfi.com 2

[Figure 1. Security threat map]

Security threats that affect SMEs

Malicious Internet Content

Most modern small or medium-sized enterprises need an Internet connection to operate. If you remove this means of communication, many areas of the organization will not be able to function properly, or else they may be forced to revert to old, inefficient systems. Just think how important email has become and that for many organizations this is the primary means of communication. Even phone communications are changing shape, with Voice over IP becoming a standard in many organizations.


At some point, most organizations have been the victim of a computer virus attack. While many may have antivirus protection, it is not unusual for an organization of more than 10 employees to use email or the Internet without any form of protection. Even large organizations are not spared. Recently, three hospitals in London had to shut down their entire network due to an infection by a variant of the Mytob worm. Most of the time, we do not hear of small or medium-sized enterprises becoming victims of such infections because it is not in their interest to publicize these incidents. Many small or medium-sized enterprises cannot afford to employ prevention mechanisms such as network segregation. These factors simply make it easier for a worm to spread throughout an organization.

Malware is a term that includes computer viruses, worms, trojans and any other kinds of malicious software. Employees and end-users within an organization may unknowingly introduce malware on the network when they run malicious executable code (EXE files). Sometimes they might receive an email with an attached worm or download spyware when visiting a malicious website. Alternatively, to get work done, employees may decide to install pirated software for which they do not have a license. This software tends to have more code than advertised and is a common method used by malware writers to infect the end-users’ computers. An organization that operates efficiently usually has established ways to share files and content across the organization. These methods can also be abused by worms to further infect computer systems on the network.

Computer malware does not have to be introduced manually or consciously. Basic software packages installed on desktop computers such as Internet Explorer, Firefox, Adobe Acrobat Reader or Flash have their fair share of security vulnerabilities. These security weaknesses are actively exploited by malware writers to automatically infect victims’ computers. Such attacks are known as drive-by downloads because the user has no knowledge of malicious files being downloaded onto his or her computer. In 2007, Google issued an alert [1] describing 450,000 web pages that can install malware without the user’s consent.

Then there are social engineering attacks. This term refers to a set of techniques whereby attackers make the most of weaknesses in human nature rather than flaws within the technology. A phishing attack is a type of social engineering attack that is normally opportunistic and targets a subset of society. A phishing email message will typically look very familiar to the end-users – it will make use of genuine logos and other visuals (from a well-known bank, for example) and will, for all intents and purposes, appear to be the genuine thing. When the end-user follows the instructions in the email, he or she is directed to reveal sensitive or private information such as passwords, PIN codes and credit card numbers.

Employees and desktop computers are not the only target in an organization. Most small or medium-sized companies need to make use of servers for email, customer relationship management and file sharing. These servers tend to hold critical information that can easily become a target of an attack.

Additionally, the move towards web applications has introduced a large number of new security vulnerabilities that are actively exploited by attackers to gain access to these web applications. If these services are compromised there is a high risk that sensitive information can be leaked and used by cybercriminals to commit fraud.

[1] http://news.bbc.co.uk/2/hi/technology/6645895.stm

Attacks on physical systems

Internet-borne attacks are not the only security issue that organizations face. Laptops and mobiles are entrusted with the most sensitive of information about the organization. These devices, whether they are company property or personally owned, often contain company documents and are used to log on to the company network. More often than not, these mobile devices are also used during conferences and travel, thus running the risk of physical theft. The number of laptops and mobile devices stolen per year is ever on the increase. Attrition.org had over 400 articles in 2008 [2] related to high-profile data loss, many of which involved stolen laptops and missing disks. If it happens to major hospitals and governments that have established rules on handling such situations, why should it not happen to smaller enterprises?

Another threat affecting physical security is that of unprotected endpoints. USB ports and DVD drives can both be used to leak data and introduce malware on the network. A USB stick that is mainly used for work and may contain sensitive documents becomes a security risk if it is taken home, left lying around and used by other members of the family on their home PC. While the employee may understand the sensitive nature of the information stored on the USB stick, the rest of the family will probably not. They may copy files back and forth without considering the implications. This is typically a case of negligence, but it can also be the work of a targeted attack, where internal employees take large amounts of information out of the company.

Small and medium-sized enterprises may overlook the importance of securing the physical network and server room to prevent unauthorized persons from gaining access. Open network points and unprotected server rooms can allow disgruntled employees and visitors to connect to the network and launch attacks such as ARP spoofing to capture network traffic with no encryption and steal passwords and content.

Authentication and privilege attacks

Passwords remain the number one vulnerability in many systems. It is not an easy task to have a secure system whereby people are required to choose a unique password that others cannot guess but that is still easy for them to remember. Nowadays most people have at least five other passwords to remember, and the password used for company business should not be the same one used for webmail accounts, site memberships and so on. High-profile intrusions such as the one on Twitter [3] (the password was happiness) clearly show that passwords are often the most common universal security weakness, and attacks exploiting this weakness do not require a lot of technical knowledge.

Password policies can go a long way to mitigate the risk, but if the password policy is too strict people will find ways and means to get around it. They will write the password on sticky notes, share them with their colleagues or simply find a keyboard pattern (1q2w3e4r5t) that is easy to remember but also easy to guess. Most complex password policies can be easily rendered useless by non-technological means.
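The keyboard-pattern problem described above (a password such as 1q2w3e4r5t satisfies a length-and-character-class rule yet is trivially guessable) can be caught at enrolment by a check that looks at key geometry as well as character classes. The following Python is an added example and not code from the GFI guide; its QWERTY rows, thresholds and short weak-word list are constructed assumptions.

```python
import re

# Assumed US QWERTY layout (unshifted rows) and a constructed list of known-weak
# words; a real deployment would use a breached-password list instead.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COMMON_WORDS = {"happiness", "password", "welcome", "letmein"}

# Map each key to its (row, column) so physical adjacency can be tested.
KEY_POS = {ch: (r, c)
           for r, row in enumerate(KEYBOARD_ROWS)
           for c, ch in enumerate(row)}


def naive_complexity_ok(pw, min_len=10, min_classes=2):
    """The check a typical 'complexity' policy performs: length plus character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    hits = sum(bool(re.search(p, pw)) for p in classes)
    return len(pw) >= min_len and hits >= min_classes


def _adjacent(a, b):
    """True if keys a and b are the same key or physical neighbours on the keyboard."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def keyboard_walk_ratio(pw):
    """Fraction (0.0..1.0) of consecutive character pairs that are keyboard neighbours.
    A zig-zag such as 1q2w3e alternates between adjacent rows, so it scores 1.0."""
    pw = pw.lower()
    if len(pw) < 2:
        return 0.0
    pairs = list(zip(pw, pw[1:]))
    return sum(_adjacent(a, b) for a, b in pairs) / len(pairs)


def weaknesses(pw, walk_threshold=0.7):
    """Return the reasons a password is weak in practice; an empty list means none found."""
    reasons = []
    if not naive_complexity_ok(pw):
        reasons.append("fails length/character-class rule")
    if pw.lower() in COMMON_WORDS:
        reasons.append("known weak word")
    if len(pw) >= 6 and keyboard_walk_ratio(pw) >= walk_threshold:
        reasons.append("keyboard pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("1q2w3e4r5t", "happiness", "correct-horse-battery"):
        print(candidate, naive_complexity_ok(candidate), weaknesses(candidate))
```

The first candidate passes the naive rule but is rejected for its keyboard pattern, which is exactly the gap a character-class policy leaves open.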

[2] http://www.attrition.org/dataloss/
[3] http://tinyurl.com/bysvuf

In small and medium-sized enterprises, systems administrators are often found to be doing the work of the network operators and project managers as well as the security analysts. Therefore a disgruntled systems administrator will be a major security problem due to the amount of responsibility (and access rights) that he or she holds. With full access privileges, a systems administrator may plant a logic bomb, create backdoor accounts or leak sensitive company information that may greatly affect the stability and reputation of the organization. Additionally, in many cases the systems administrator is the person who sets the passwords for important services or servers. When he or she leaves the organization, these passwords may not be changed (especially if not documented), thus leaving a backdoor for the ex-employee. A startup company called JournalSpace [4] was caught with no backups when their former system administrator decided to wipe out the main database. This proved to be disastrous for the company, which ended up asking users to retrieve their content from Google’s cache.

The company’s management team may also have administrative privileges on their personal computers or laptops. The reasons vary but they may want to be able to install new software or simply to have more control of their machines. The problem with this scenario is that one compromised machine is all that an attacker needs to target an organization. The firm itself does not need to be specifically picked out but may simply become a victim of an attack aimed at a particular vulnerable software package.

Even when user accounts on the network are supposed to have reduced privileges, there may be times where privilege creep occurs. For example, a manager that hands over an old project to another manager may retain the old privileges for years even after the handover! When his or her account is compromised, the intruder also gains access to the old project.

Employees with mobile devices and laptop computers can pose a significant risk when they make use of unsecured wireless networks whilst attending a conference or during their stay at a hotel. In many cases, inadequate or no encryption is used and anyone ‘in between’ can view and modify the network traffic. This can be the start of an intrusion leading to compromised company accounts and networks.

Denial of Service

In an attempt to minimize costs, or simply through negligence, most small and some medium-sized enterprises have various single points of failure. Denial of service (DoS) is an attack that prevents legitimate users from making use of a service, and it can be very hard to prevent. The means to carry out a DoS attack and the motives may vary, but it typically leads to downtime and legitimate customers losing confidence in the organization - and it is not necessarily due to an Internet-borne incident.

In 2008, many organizations in the Mediterranean Sea basin and in the Middle East suffered Internet downtime due to damages to the underwater Internet cables. Some of these organizations relied on a single Internet connection, and their business was driven by Internet communications. Having such a single point of failure proved to be very damaging for these organizations in terms of lost productivity and lost business. Reliability is a major concern for most businesses and their inability to address even one single point of failure can be costly.

[4] http://tinyurl.com/6ulyqs

If an organization is not prepared for a security incident, it will probably not handle the situation appropriately. One question that needs to be asked is: if a virus outbreak does occur, who should handle the various steps that need to be taken to get the systems back in shape? If an organization is simply relying on the systems administrator to handle such incidents, then that organization is not acknowledging that such a situation is not simply technical in nature. It is important to be able to identify the entry point, to approach the persons concerned and to have policies in place to prevent future occurrences – apart from simply removing the virus from the network! If all these tasks are left to a systems administrator, who might have to do everything ad hoc, then that is a formula for lengthy downtime.

Addressing security threats

An antivirus is not optional

The volume of malware that can hit organizations today is enormous and the attack vectors are multiple. Viruses may spread through email, websites, USB sticks and instant messenger programs, to name but a few. If an organization does not have an antivirus installed, the safety of the desktop computers will be at the mercy of the end-user, and relying on the end-user is not advisable or worth the risk.
