Is My Business Being Hacked?
I get asked all the time about web sites or business computers being hacked. Specifically, someone asks me whether his Internet site is being hacked or internal computers are being attacked. My answer is always the same.
"Yes. Your business is being attacked. Your web site and your internal computers are both under attack right now. No, I don’t need to look. Yes, I’m quite confident."
It feels strange to give an absolute answer to this question. Most of my answers start with, “It depends” or “probably” and get even more conditional from there. But for this question, the answer is always the same. Yes, there are nasty people out there right now attacking your web site. They’re also attacking your work computers, your home computers, your phones, and anything else they can reach.
Why Attack Me?
“Why?” is a common follow-up question. Why would an attacker hack into your web site or internal systems? Because your assets are assets. All assets have value, and attackers know it. Attackers have to pay bills just like you and me, and they need to compromise valuable assets to pay those bills. So an attacker hacks with the intent of extracting something of value.
You might believe that your web site or computer has nothing of value. I’m sad to say that you’re wrong. The web site you run, the old boring PC you use, the outdated smartphone… these all have tremendous value to an attacker. Just because the news only reports when Google and Apple and Microsoft get hacked doesn’t mean that smaller or less confrontational sites are of any less interest. I’ve personally seen successful attacks that targeted:
- Personal Facebook pages
- Cell phone contact lists
- Holistic medical web sites
- Cooking recipe web sites
- Flickr photo streams
- Charity donation pages
- Personal blogs
- My mother’s desktop computer
I’ve also seen successful attacks against businesses of every type and size. From a two-person specialty clothing shop to Amazon.com, attackers are interested in hacking anything they can.
Is All This Hacking a Problem?
Yes. Because eventually the attacker will succeed and compromise whatever assets you have.
The most well-defended resources on the Internet already know that their defenses aren’t perfect. There is always the possibility that a bug is found, that a password gets discovered, or that a smart hacker finds a crafty new way into a system. And when these well-defended resources are compromised there needs to be a fast and well-planned response in place.
The biggest problem is that you probably don’t expect a hacker to compromise your assets. As a result you’re not prepared to quickly respond and fix the problem. You probably won’t know that the hacker was in your systems, or it may be months or years before you find out. During that time they could have been monitoring accounts, stealing personal data, or embezzling funds.
How Do I Stop Them?
Prevention is the best approach to computer security. The best way to stop hackers is to make sure they never get into your systems. And the best way to do that is to learn their techniques. I teach a class on Certified Ethical Hacking where we examine exactly how hackers work, the tools they use, and how they get into systems. I show my students how to use this knowledge to think like a hacker, find the weaknesses, and then fix the weaknesses before an attacker exploits them.
There are a few rules of thumb that, while not perfect, usually make it much harder for hackers to compromise your systems by protecting what hackers first look for. These include:
- Keep your operating systems and applications up to date. This means Windows itself as well as applications from companies like Adobe, Microsoft, Google, Oracle, and Mozilla.
- Monitor your systems. If your web sites or databases change unexpectedly, you may be seeing evidence of an attack in progress.
- Never trust others with your passwords. Over and over I see a situation that began with one employee loaning a password to another and escalated into a massive compromise.
- Get training on security. Most IT careers involve security to some degree. Formal training is an investment in preventing future incidents. Even a week or two of security training now will serve you well during your entire IT career.
I wish your web sites and computers were impervious to all forms of attack. But that’s not possible. Just remain aware that you and your assets are targets and that a few basic techniques can help prevent successful attacks from ruining your day.