The old reliables
Spam email is the most common way for cyber-criminals to deliver viruses or sell dubious products and services. Towards the end of last year one internet service provider (ISP) in the US cut off access to a provider who hosted some of the web's biggest spammers. Immediately there was a 40 to 75 percent drop in the level of spam circulating on the internet. However, junk mail is again on the increase as spammers find alternative command centres from which to relay their dubious emails. In short, spam is going to be as much an issue this year as ever.
"It is going to continue to give people a pain in the head. All you need is a tiny fraction of the people who receive spam to respond for the [spammer] to make money out of it. They can generate billions of spam messages within minutes," says Conor Flynn, technical director with Rits Information Security.
Most modern email systems come with a spam filter and a virus scanner. However, the onus is still on staff members not to respond to dubious emails which make it through the filter and to be careful about which attachments they open.
If you are constantly bombarded by spam you could talk to your IT services provider about setting up a reputation-based spam filter, provided by the likes of Ironport. These filters intelligently assess the reputation of those sending emails, rather than using the traditional method of relying on a list of known spammers.
The authors of viruses are also likely to use website advertisements and legitimate-looking links to deliver their malware. In 2009, security analysts reckon these avenues of attack will become even more popular. "You get an ad pop-up saying that it detected that your machine is infected and here is a free trial of software to protect you. Not only will it not protect you, but it is more than likely a Trojan that will steal information. We are seeing a big increase in that," says John Ryan, general manager with Calyx Security.
It's a good idea to use a product provided by known developers like Symantec, Sophos, AVG or McAfee to protect your business against these attacks. It's also important that you install the regularly supplied updates to your anti-virus program if you want it to work effectively.
The pop-up blockers featured in Internet Explorer and Firefox can stop a lot of scare-ware ads too. Those on a budget can also install the free Web of Trust extension in their browser. The extension is supported by the Web of Trust online community, whose members share their knowledge of various websites and rate whether they can be trusted and whether they are safe to use. The application gives a warning when you click on dubious links.
New avenues of attack
In 2008 Microsoft stopped providing Windows XP to mainstream businesses. If you buy a computer for your business this year and want Windows, you'll more than likely be getting Vista. Microsoft claims this is its most secure operating system yet, but security analysts believe hackers are already doing their best to exploit the operating system.
"Vulnerabilities will become known and they will be exploited. There will be an increase in attacks on Vista in 2009. You need to have proper security in place - in other words, your firewall and your anti-virus," says Ryan.
Microsoft has already released a service pack for Vista, which should be installed, and the operating system normally alerts users with a pop-up box each time an update becomes available for download.
SQL injection attacks are also expected to be a big IT threat in 2009. This is where hackers infect certain pages on a company's website with malware with the intention of attacking the PCs of end-users, stealing their information or even crashing the website. "That has been a fairly enormous issue in 2008. Moving into 2009 it has resulted in a huge increase in the number of legitimate sites being infected with malware and then subsequently infecting users," says Ryan.
If your business relies on its website to handle customer information, you represent a good target for those who employ such methods. The consequences of a successful SQL attack (see Issue 215 - Glossary) can be damaging legally and financially.
"If you are taking things like credit card details or any personal information - names and addresses, phone numbers, emails - they all fall under the Data Protection Act. As a holder of that information, under the Data Protection Act you have an obligation to secure it. If there is an attack and information is lost there is a possibility that you will have problems from a reputation point of view," says Ryan.
Combating SQL attacks involves a good bit of technical expertise. It requires computer users to supervise the inner workings of their website and is generally a job for IT professionals. If you are concerned but can't afford to hire someone, you can always speak to an IT security consultant.
The threat from within
Data leakage and theft are real issues for any business, and particularly for those that are forced to cut staff. A survey conducted recently by IT security company Cyber-Ark found that 57 percent of Wall Street workers are downloading sensitive company secrets in case they lose their job. It's reasonable to believe some Irish workers faced with the threat of losing their jobs have a similar mindset.
"The minute you let somebody go, they are now an 'enemy'. If they get employment with a competitor straight away, the risk to your systems and your information is very significant," says Flynn.
Laptops, swipe cards, mobile devices, and remote access solutions are just some of the methods staff use to access their company's network. These are great productivity tools but they can also be easily exploited by disgruntled ex-employees. "We would say to anybody contemplating letting staff go, consider beforehand all the methods of access [to company information] both physical and virtual that are available to them, and close them off before you do the termination," says Flynn.
It's clear that cyber-criminals and hackers are not going to let up in 2009 and any business that uses a computer or the internet needs to be careful. However, with an up-to-date IT security solution and some common sense, SMEs should be able to secure their IT infrastructure and conduct their business without undue concern. (For more on how to protect your systems, see Issue 220.)
In the next issue, we'll take a look at how to ensure your website's online payments system is secure.


