I’ve see an seven-fold increase in HTTP drive by attacks this month, particularly ZeroAccess and Blackhole variants. If you’re battling the uptick of HTTP drive-by attacks and the modern malware that they deliver, then take the following zero cost steps before you invest in more technology:

Would you trust a pilot to land a plane based on his gut?  What if you looked in the cockpit and saw no instrumentation – no altimeter, radar, or other dials? Such a sophisticated piece of equipment as a passenger jet demands it.  There’s simply too much at stake.  Your business is no different.

Image via Wikipedia

Businesses are built upon technology — technology that is flawed, often unstable, implemented incorrectly or in a hurry, and targeted by hackers.  A company’s ability to create products or deliver services is impacted when this technology fails, is abused, or manipulated.  The longer these failures, security breaches, or mis-configurations go unnoticed, the greater the impact.  A system to detect these events and alert personnel is as crucial to keeping the business healthy as instrumentation is to landing a jet.  Without it, you’re flying blind.

Consider the following situations over which you should have operational visibility:

• Early detection and alerting for system abuse, allowing the security team to block access and fix weaknesses before personal information is stolen.
• Predicting when database hard drives will be at capacity allowing additional disk to be added proactively, versus an emergency upgrade at 2AM… after the disks are full.
• Knowing exactly how long it takes a customer to login to your on-line store, or whether anyone can login at all, ensuring transactions can be completed and the speed/experience is acceptable.

This is by no means and extensive list.  It does represent monitoring/detection objectives we’ve quickly and successfully implemented for clients that must know immediately when systems or processes are at risk.  There’s no room for error — systems must be functioning correctly, always accessible, and secure from unauthorized access.  The status of these objectives (and many more) are accessible to executives and technical personnel through  their AccelOps system.  On-demand dashboards, deep analysis, reporting, and alerting let decision makers and system administrators take corrective and proactive action before the business is impacted.

If the CEO asks to take a look in your “IT cockpit” what would he/she see?  Would they have confidence that you can help them fly the plane, or would it appear you’re flying blind?

Image via Wikipedia

The FBI’s IC3 issued a warning this week about ACH fraud targeting businesses across the US.  The targets of these attacks are companies that have recently posted on job search sites.  So what’s the connection?  If you’ve posted a job opening, then it’s only logical that someone at the targeted business is expecting a resume or curriculum vitae (CV).  They are, after all, trying to fill a vacant position.  This means an email with an attached resume isn’t really  “unsolicited email”, making it more likely to be opened by the recipient.

At the core of this “resume” attack is the Zeus aka “Zbot”… a data-theft Trojan that’s responsible for stealing large sums of money from companies across the nation.  The IC3 warning highlights one recent case: a US business lost $150,000 when cyber criminals were able to nab the online banking credentials from the person that handles financial transactions.  Money was fraudulently sent in three transactions to accounts in the Ukraine and the US.  The FBI advises clients to ensure all email is scanned by an anti-virus solution.  This is certainly a good start, but technology alone won’t protect your personal or business bank account.

• Anticipate unauthorized access.  Just assume your system(s) or PC will be broken-in to.  When this happens your financial and personal data will be targeted, so make it harder for data thieves to take it.   Based on my experience as an ethical penetration tester, I know it’s all too easy for a hacker to “leapfrog” from one system to another once they’re on the network.  This is especially true if PCs are un-patched, easily guessed or blank passwords are used, and sensitive data like bank account numbers and passwords, etc., are saved to the “desktop” (or elsewhere) without encryption.  Take inventory of what sensitive information you’ve saved and whether you really need it.  If you do, store it on a secure/encrypted thumb drive.

• Buy USB thumb-drive that supports encryption.  I personally use a 2GB S200 from IronKey.  My IronKey securely stores my credentials (login & password) for every important website I use.  I do not keep login names, accounts, and password on my laptop in clear text.   When I need to login to these sites, I plug-in my IronKey and use the “secure” Firefox version that comes with it.  This adds an additional layer of web browser security.  IronKey makes both a personal and enterprise version, so this is a solution that works well for consumers and businesses alike.

• Use a separate system for banking and only for banking.  Even with encryption, a patched OS, anti-virus, firewalls, and a secure browser, I still believe that using the same PC to surf the web and manage your money is dangerous.  So buy a netbook – it’ll cost you less than $300.  Only turn it on when you have bills to pay, money to transfer, etc.  Turn it off when you’re done.  Keep it in a safe place, away from your spouse, kids, roommate, or whoever might take it for a spin on the information superhighway.    Don’t check your email, Facebook page, eBay account, do Internet research, or IM your friends from this system.  Have I made this clear?  This is no ordinary, casual, web-surfing laptop — this is your banking system — your “banktop” — keep it safe.  Use it for banking only.

• Enable alerts on key banking activities.  And finally, it wouldn’t hurt to know when an unexpected banking transaction happens.  My business bank lets me enable about 16 different alerts that can be sent over SMS or email.  I receive an alert for every successful or failed login, deposits, and transactions over a certain dollar amount.  I know within seconds if something has happened.  So far, so good.

All this protect your hard-earned cash?  You bet.  Your other choice is to use the drive-up teller or in-person banking.  There’s certainly nothing wrong with that.  But if you’re going to use Internet banking, please take it seriously — mighty Zeus is only a few clicks away.

Related articles

• Job application scam fleeces company of $150,000 (go.theregister.com)
• Scammed by a Resume – Scam Alert (lockergnome.com)
• ZeuS blackhats target online payment providers (go.theregister.com)