Across all industries, small businesses are increasingly facing new threats related to cyber security. Whereas some have taken minimum steps to address these threats but most have not. New security threats and incidents are reported every day in news reports and a many remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses.

What are some consequences of the lack of basic cyber security controls?

• Loss or stolen customer data
• Loss of intellectual property
• Decreased productivity
• Legal liability
• Regulatory sanctions and fines
• Computer systems downtime
• Loss of reputation and customer confidence
• Loss of revenue
• Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, thereby casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often times free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam, bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attack on others.

Hasn’t IT guy(s) already dealt with this issue?

Although cyber security includes traditional “IT”related issues, it primarily focuses on protecting your valuable information from all threats including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off the shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protects the integrity of your businesses brand. A secure business increases customer confidence, loyalty and adds to the businesses bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your businesses risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to their operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance have security experts available to help you understand your unique risks and implement solutions that work your your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagements between small business owners and local security professionals.

From the following article: http://wcbstv.com/seenat11/internet.passwords.microsoft.2.1633927.html

“The study concluded someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place. ”

The so-called “expert” advise: Use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Ofscourse you should use complex passwords. But it’s still a good practice to change it occasionally.

Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company’s second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC. The oldest and newest of Microsoft’s supported browsers, IE 5.01 and IE8, respectively, are not vulnerable to such attacks.

“At this time, we are aware of targeted attacks attempting to use this vulnerability,” Microsoft acknowledged in an advisory posted simultaneously with two security updates that patched eight bugs in Windows and Office. Elsewhere, Microsoft said that the vulnerability had been publicly disclosed.

Source: http://www.computerworld.com/s/article/9168138/Microsoft_warns_of_new_IE_bug_attacks_under_way

Steganography is the means of “hiding” information within a larger file of data It poses a risk to ecommerce security because it allows data or malicious programming instructions to be hidden in other media. In the case of the former, malicious insiders (i.e. employees, contractors, etc) with access to customers financial data may improperly access that data and use steganography to forward it to their accomplices without being detected. In the case of the latter, hackers can embed malicious code in other files, such as images, audio and video files. These files can be forwarded to users as spam or made available via web sites and peer-to-peer networks in the guise of items that would attract the interest of web surfers.

Digital steganography requires special software and organizations involved in ecommerce can mitigate the risk of insiders using steganography to steal customer data by controlling the applications that can be installed on employee workstations. Network and Host-based Intrusion Detection Systems can also be used to detect unusually behavior. User education and awareness training can help make users more aware of the risk posed by downloading files from the Internet. Users can also be trained to verify the origin and authenticity of files using the hash files before downloading them.

If one suspects his/her financial information has been compromised by any means, including steganography, one should immediately communicate the fact to all affected financial institutions and close the affected accounts. Keeping an updated antivirus provides some level of protection however antivirus is ineffective against malware whose signature hasn’t been provided by the vendor. Often times, it is nearly impossible to detect ecommerce-based attacks until after the fact. It is important to closely monitor your accounts for unusual activities to be able to respond as quickly as possible

As the number of people connecting to the Internet continues to increase at a rapid pace, more and more of us are now creating our own home computer networks.
With these we can enjoy the benefits of having high bandwidth, instant access to the Internet and make this connection available to multiple computers in and around the home.
But for those unfamiliar with computer security, they are completely unaware of the risks they may be exposing their computer to.
Without implementing a proper computer security solution, your computer may become infected with viruses, spyware, and/or adware. These are all forms of malware than can play a part in rendering a computer unusable, destroy valuable information your storing, provide complete control of a computer to another person, allow someone to steal the information on your computer, record your keystrokes and give a 3rd party access to your online bank account, allow someone to use your computer to attack a computer belonging to somebody else, etc.
And if you opted for a wireless network, you could be sharing out your Internet connection to your neighbors or that person who has been sitting outside your house in the car for the last few hours. What is more, you are increasing the risk of exposing your own computer to hackers as a result.
So What Are The Basics of Computer Security?

1. Make sure that the link between you and the Internet is safe.You need to have a hardware firewall installed between you and the Internet. Most recent devices that connect you to the Internet have one built in, but in any case you need to make sure that what you have is a stateful firewall.It should give your computer full access to the Internet, but block all traffic trying to access your network when originated from the Internet side.
2. Secure your Internet router.Change the administrator password and if possible the administrative account name as well. Everyone who has bought that device will know what the default account and password is, so you must change these and make them difficult to guess. This is especially important if you have a wireless network.
3. Install anti-virus software on your computer.Make sure it scans the computer for viruses at least once a week. Keep the software up to date and make sure that the virus definitions are updated every day. Also make sure that this is monitoring the computer all the time to help prevent it being infected in the first place.
4. Install a personal firewall on your computer.Not only should this help limit the damage malware can do to your computer, but it should also reduce the chances of this spreading to other computers. Get in the habit of checking the dialogues that you are prompted with and only allow Internet access to applications that really need it.
5. Install anti-spyware software on your computer.Make sure it fully scans your computer for spyware at least every week. Keep the software up to date and make sure that the definitions are updated every day. Also make sure that this monitors your computer all the time.
6. Keep up to date with the security patches for your Operating System.Microsoft release security updates for Windows every month. However, make sure your computer is configured to automatically check for downloads every day and at a time when your computer is most likely to be turned on.
7. Secure your wireless network.Do not broadcast your SSID (Service Set IDentifier). Although it can be learned by someone who is determined, there is no point making things easy. So make sure this is disabled. Restrict access to your wireless network based on the MAC (Media Access Control) address of your computer. Yes, these can be faked, once known, but why make things simple?Implement WPA (Wi-Fi Protected Access) or WPA2, if you can, to further secure your wireless network. And use a pre-shared key which is not easy to guess.

Conclusion
Although, you can never make a computer 100% secure, the objective is to put as many obstacles in the way and put off the casual hacker. So by following these 7 basic steps you will have a more secure computing environment. And remember, by implementing proper computer security on our own computer, we are making the Internet a safer place to surf for everyone.

Author: David S McKone
Article Source: EzineArticles.com

Below you have a few copies of Hakin9 that you can download for free from the Hakin9 web site.  On the same page as the magazine you will also find dozens of great articles that you can look at.  They are all in PDF Format.

All that is required to access the downloads is to join their mailing list.  You will immediately receive through email a confirmation link with instruction on how to access the files.  Do read the past issues, you will see that coverage is very thorough and most of the content would still be applicable today with minor changes.  Hakin9 is a magazine that I like very much and it always contains great articles and howto.  The printed magazine comes with a bootable version of Backtrack plus many commercial utilities with license to use.  The best way to really appreciate if it is for you or not is by downloading some of the copies below and see for yourself.

MY ERP GOT HACKED!  Release Date: 2009-07

FREE ISSUE: My ERP Got hacked! 04/2009  Download pdf

Breaking Client-Side Certificate Protection   Release Date: 2009-03

The Real World Clickjacking  Release Date: 2009-02

Hacking Instant Messenger    Release Date: 2001-01

FREE ISSUE: Hacking Instant Messenger 01/2009  Download pdf

If this doesn’t scare you, it should.

The Washington Post, quoting unnamed sources, reported yesterday that the NSA and Google are in the process of finalizing an agreement under which the NSA will help Google better defend itself against future attacks. Under the deal, the NSA would not get access to users’ search information or e-mail accounts and Google would not share any proprietary data, the source claimed.

Google isn’t the only company to get hacked. Will the NSA be extending this helping hand to all other multi-national corporations or just the one with access to all our personal data in some form or another.

The report states that Google approached the NSA shortly after the recent cyberattacks, which it said were launched from China. However, the deal will take time to hammer out because of the sensitive privacy issues involved. If the deal goes through, it will be the first time that Google has entered into a formal information-sharing relationship with the NSA, the Post quoted its source as saying.

The prospect world’s largest search engine company teaming up with the country’s largest spy agency   should clear up any illusion of the concept of privacy in the internet.

Local wireless networks, which provide information to receive and send to the Internet, have become part of the houses and offices. Where as it is less expensive than wired networks and allows for roaming between the two offices to remain in contact with the electronic devices. But experts warn of the penetration it by the strangers or intruders in order to sabotage it.

According to views of the U.S. experts, unsecured homes networks can also be used by the neighbors in order to spam bots download unauthorized material on the rights of the songs and music, and even pornographic material without knowing the owner, which had led to legal proceedings. In particular, it is difficult to identify the person or organization that used the network. One person was detained when he stopped his car in front of a U.S. charitable organization and used its network to communicate with the Internet.

The offices of small businesses were opened that do not have secured internal networks to penetrate the large companies that make business with them; this also is applied to the home network. To overcome the problems the experts proposed to change the passwords on wireless networks from time to time and installation of cryptographic keys to the codes can be changed according to a regular basis. The radio signals can be adjusted so as not to fall outside the walls of the office.

Finally, the use of advanced software to scan wireless networks secures the development of local home and office computers “in the case of the shadows!”

Author: Shrif S Kassem
Article Source: EzineArticles.com
Provided by: Latest trends in mobile phone

Ross Anderson reports:

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.

Since making it’s search engine available to Chinese users in 2000 by translating it into the Chinese language, Google was faced with significant restrictions imposed by the Chinese government. As all internet communications going to and from China traverses routers owned by the Chinese government, politically sensitive queries were blocked from making it to Google’s servers, the service was made slow and unreliable, and sometimes unavailable for extended periods of time as search queries were re-routed to local Chinese search engines. As this was considered an unacceptable situation, Google had the choice of either abandoning the Chinese market, which boasted the fastest growing popular of Internet users, or come to terms with the Chinese restrictions.

In 2006, Google chose the latter and faced much deserved criticism for it.  Google offered a new service in China – Google.cn-  in which they self-censored search results based on requirements by the Chinese government. This enabled them to provide a faster, more reliable service.  
In recent weeks, Google claims to have discovered that it has been targeted, along with twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors– by hackers in China with connections to the Chinese government. The hackers used a variety of very sophisticated attacks with the apparent goal of accessing Gmail accounts of China human rights activists. Google claims that their investigation concluded the attacks were not successful in attaining that goal. Google took the unprecedented steps of publicizing their findings, including reports to the US government which lead to criticisms expressed by  Secretary of State Hilary Clinton about  China’s lack of Internet Freedom. The Chinese Foreign Ministry responded by accusing the US of harming bilateral relationships by it’s rhetoric. Google has since reported that it will no longer self-censor Google.cn, a choice which was applauded by those critical of it’s previous position, but may ultimately lead to having to shut down it’s service in China.

The fact that China censors Internet traffic is no surprise given it’s well-documented history of restrictions to free speech. These restrictions are a fact of life in China and companies, like Google, seeking to do business in China have to find a way to contend with it. Google, not withstanding it’s business-conscious justifications, can in no way defend it’s previous stand of censoring search engine results to Chinese users. Although they were doing so in compliance with Chinese laws, it was still an ethically challenged decision. It is contrary to it’s own mantra –”Don’t be evil”  and the equivalent of being  complicit in the suppression of free speech in China. I believe Google should have stood it’s ground and made it clear that any service degradation it experienced in China was due to the Chinese government interference. I say this a spectator, however, and one who knows full well moral victories do not show up on the balance sheet.