Cybersecurity for Small Businesses

Baseline security guide for small businesses, with many URLs to help.

Guard your tech! The COVID economy has presented security risks by the bucketload, in the form of increased phishing and other hacking activity by malicious parties.

Working from home is now the "new normal", and this poses a huge set of new cybersecurity challenges for small businesses. A big reason? Remote work has become a standard part of workplace culture and routine.

It's vital that small businesses take cybersecurity seriously. And this includes their on-premises and cloud systems, networks and devices. If a network (on-prem or cloud) gets penetrated, then every connected system is exposed. Just ask SolarWinds.

SmallBizTrends has found that 1 in 3 employees believe cybersecurity of their company may be a moderate or major issue: https://smallbiztrends.com/2020/09/employee-worries-cyber-security.html

In March and April of last year, the number of malicious attacks rose sharply, and over 190,000 attacks were reported across business sectors. So the employees' gut feeling was, in most cases, correct. For example, there was a 600% increase in phishing attacks, the precursor attacks that let attackers get inside a company and then gain elevation of privilege. See here for phishing mitigations: https://phoenixnap.com/blog/what-phishing-attack-how-to-identify-protect

Cybersecurity Ventures produced a report titled "Cyberwarfare In The C-Suite". It stated that cybercrime would become the world's third-largest economy in 2021, costing the global (legitimate) economy around $6 trillion (yes, that's TRILLION). https://cybersecurityventures.com/cyberwarfare-press-release/

Here are a few top reasons for the explosion in attacks:

  • Reduced spending from consumers during COVID forced attackers to find new ways to get credit card details
  • Malicious hacker crime groups saw the confusion and desperation of people as an opportunity to exploit
  • Malicious hacker groups also saw easy-to-exploit weaknesses appear in haphazardly implemented remote working patterns
  • Ransomware had been growing before COVID, but it exploded as large demands were paid to free up critical systems, which encouraged other malicious actors to join
  • Government actors had more attack vectors opened with weaknesses in COVID research security controls and with remote working weaknesses

So here are a few bullet points for small businesses to follow. Let's start with creating awareness in the company: provide secure working practices guidance and awareness training to internal teams, https://www.microsoft.com/security/blog/secure-remote-work/.

Next, use the STRIDE mnemonic (https://en.wikipedia.org/wiki/STRIDE_(security)) to organize some basic attack and mitigation patterns:

Spoofing
Deploy multi-factor authentication (MFA) to reduce the chance of attackers replaying stolen username/password credentials. To review all the MFA choices, scroll down to the "G2 Grid for Multi-Factor Authentication (MFA)" section at https://www.g2.com/categories/multi-factor-authentication-mfa

Tampering
Ensure data in the system is protected (e.g. encryption). Scroll down to "G2 Grid for Encryption" to find the offerings in a grid, https://www.g2.com/categories/encryption

Repudiation
Ensure auditing tools are live and monitoring for suspicious activity across the entire IT estate. Good examples to start with are:

  • Prometheus - https://prometheus.io/ - time-series data analysis, built-in toolset for reporting and alerting rules, great for containerized solutions.
  • Nagios - https://www.nagios.org/ - created in 1999, open source, plenty of plugins, can monitor operating systems, applications, websites, middleware, web servers, etc.
  • Sensu - https://sensu.io/ - full-stack monitoring of services, applications and servers, and reports on business KPIs.

Have an incident response strategy in place, https://www.cyberforensicsinvestigators.com/2019/09/20/4-critical-incident-response-steps-for-dummies/

Information Disclosure
Have proper access control on the data by implementing a role-based access control (RBAC) or attribute-based access control (ABAC) pattern. More information on these controls and solutions can be found here: https://www.csoonline.com/article/3251714/what-is-access-control-a-key-component-of-data-security.html

Denial Of Service
To prevent attackers from flooding company API endpoints and websites, a DoS mitigation strategy should be put in place.

Here is a good cheatsheet - https://www.techrepublic.com/article/distributed-denial-of-service-ddos-attacks-a-cheat-sheet/.

Here are some good mitigation patterns - https://phoenixnap.com/blog/prevent-ddos-attacks.

And here are some cloud-based DDoS tools - https://geekflare.com/ddos-protection-service/.

Elevation Of Privilege
Lastly, elevation of privilege. This is the most damaging of the attack patterns, because attackers are able to:

  • get access to internal areas they should not
  • access data they should not
  • perform lateral movement to other internal systems
  • execute any of the attack patterns above with relative impunity

Implement a good access control system to protect against all the attacks listed above. You will find that many of the products listed under Spoofing will be here also. Scroll down to "G2 Grid for Identity and Access Management (IAM)" to find the offerings in a grid, https://www.g2.com/categories/identity-and-access-management-iam.

Finally, software design considerations

Don't forget to create a secure software development process. Create a step at the beginning of an Agile sprint to analyze a software feature or user story. Use the STRIDE mnemonic to quickly figure out weaknesses in software designs and code. STRIDE is best applied when doing threat modeling (https://en.wikipedia.org/wiki/Threat_model). Use threat modeling to do a "pentest" of the feature or user story design before any code is cut.

Automation is key to reducing the friction of the extra security steps in the development sprint, and a good automation tool is the Tutamen threat model tool (https://www.tutamantic.com). The team will be able to use their preferred drawing tool (e.g. https://www.diagrams.net) to add metadata to an underlying software design. The Tutamen process then automatically figures out the high- and low-value attack vectors, and the most probable threats along with proposed mitigations.
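To make the sprint-start threat modeling step concrete, here is an added example (not Tutamen's tool, and not code from this article) that applies the standard STRIDE-per-element table to a small data-flow diagram (DFD) of a user story. Element kinds, the sample DFD for "a remote employee signs in and downloads an invoice", and the priority rule (trust-boundary crossings first) are this example's own assumptions; the mitigations per category are the ones this guide recommends.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Standard STRIDE-per-element table: which threat categories apply to each
# kind of data-flow-diagram (DFD) element.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

# One baseline mitigation per STRIDE category, taken from this guide's sections.
MITIGATIONS: Dict[str, Tuple[str, str]] = {
    "S": ("Spoofing", "require multi-factor authentication (MFA)"),
    "T": ("Tampering", "encrypt and integrity-protect the data"),
    "R": ("Repudiation", "enable audit logging/monitoring and keep an incident response plan"),
    "I": ("Information disclosure", "enforce RBAC/ABAC access control on the data"),
    "D": ("Denial of service", "put a DoS/DDoS mitigation strategy in place"),
    "E": ("Elevation of privilege", "use an IAM system with least-privilege roles"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                             # key of STRIDE_PER_ELEMENT
    crosses_trust_boundary: bool = False  # e.g. touches the public internet


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # STRIDE letter
    title: str
    mitigation: str
    priority: str   # "high" if the element crosses a trust boundary, else "normal"


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply STRIDE-per-element to every DFD element; high-priority threats come first."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            title, mitigation = MITIGATIONS[letter]
            priority = "high" if el.crosses_trust_boundary else "normal"
            threats.append(Threat(el.name, letter, title, mitigation, priority))
    # Trust-boundary crossings are where attackers first arrive, so review them first
    # (assumed prioritisation rule for this example).
    threats.sort(key=lambda t: (t.priority != "high", t.element, t.category))
    return threats


def summarize(threats: List[Threat]) -> Dict[str, int]:
    """Count threats per STRIDE category to see where the design needs most attention."""
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


def report(threats: List[Threat]) -> List[str]:
    """One human-readable line per threat for the sprint's design review."""
    return [f"[{t.priority:>6}] {t.element}: {t.title} ({t.category}) -> {t.mitigation}"
            for t in threats]


# Constructed sample DFD for the user story
# "a remote employee signs in and downloads an invoice".
SAMPLE_DFD: List[Element] = [
    Element("Remote employee", "external_entity", crosses_trust_boundary=True),
    Element("Login + download over internet", "data_flow", crosses_trust_boundary=True),
    Element("Web portal", "process"),
    Element("Invoice database", "data_store"),
]

if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_DFD)
    for line in report(found):
        print(line)
    print("per category:", summarize(found))
```

Running the script lists 15 candidate threats for the four elements, with the five that touch the internet-facing entity and data flow at the top; each line names the STRIDE category and the guide's baseline mitigation, which is the list a team can walk through in the sprint-start review before any code is cut.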

Conclusion

We at Tutamantic hope that this article has been helpful in creating a baseline security stance for low cost to small businesses. Contact us at support01@tutamantic.com to find more information on integrating secure software design with your software development lifecycle.