Nearly every organization with ~50 employees or more has an accountant and a lawyer on staff, and those that don’t certainly retain their services. Yet even with all of the breaches in mainstream media, cybersecurity professionals still have to explain why we’re needed before we get to the important stuff: how to improve the defenses or correct their weaknesses.
This is particularly a problem, in my opinion, with small/medium businesses, especially community banks. They pay accountants and lawyers to keep their books in order and to keep them out of court, yet they don’t hire any security experts to protect their most important assets, their customers and their money. If and when electronic breaches occur, they lose customers and money. We see them hiring a lot of independent “computer people” and organizations that target them because they know they have regulatory requirements. It is rare that either the independent consultant or the organizations that purely target community banks have the knowledge and expertise to properly secure banks against the constant barrage of attacks they face.
Granted, I’m a bit biased, but I would encourage more small organizations to ask for the credentials and experience of the individuals they are paying for their cybersecurity services. After all, would you hire an accountant without a degree or without the proper training? Would you hire a lawyer straight out of law school to represent you in an important case?
Protecting your electronic assets is as important as ever. All of us continue to become more dependent on computers and the Internet. Hire people who understand how to protect your business. Ben Franklin’s saying, “An ounce of prevention is worth a pound of cure,” definitely applies to cybersecurity.
It’s always fun being a security guy and receiving attacks. I find myself respecting some of the SPAM I get from time to time for its sheer psychological and technological brilliance. However, on May 26th, 2009 the attack I received wasn’t as funny. I’m sitting in my office working, trying to make a living, and I receive the following text message, which is obviously disruptive at best:
From: jason@server-system.net
|VISA alert: #740875 ACCOUNT FROZEN, call us at 1-866-527-0498
Unfortunately, I have some of my cards send me balance alerts and such, so my first instinct was “Oh great, which stupid credit card company do I have to sit on hold with now in order to fix something they screwed up?” The more I looked at it, I was like, that number doesn’t look familiar at all. Then I looked at the from address with more scrutiny and then the lightbulb went off: oh, this is bogus, you idiot! So even the guy with alphabet soup after his name was *almost* fooled by this little act.
Based on my years of wireless telecom experience, I’m sure all the wireless providers are frantically trying to stop these attacks. I’m sure the technology behind the scheme is very similar to email-based social engineering attacks. A botnet, randomized text and subject: same story, new medium. I called the number to gain insight, but it was already dead. My guess is that they use VoIP somehow to further their anonymity. I look forward to getting another message so that I can call it more quickly to gain further insight. If someone else receives one of these, please share the phone number immediately so that I can call it!
This type of attack will only gain in popularity. Consumers will get increasingly annoyed with unsolicited text messages. With the lack of awareness, I’m sure the attack is considerably more successful than a traditional email-based attack. A majority of people no longer trust their inbox, but their cell phones are another story. Make sure your friends and family are aware that anonymous sources can send text messages just like they do via email.
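The cues that gave the message above away (a sender that is an email address on an unrelated domain, an urgent account claim, and an unfamiliar callback number) can be written down as a triage heuristic. This is an added example, not part of the original post; the brand-to-domain table, the keyword list, the indicator names and the benign sample are assumptions chosen for illustration.

```python
import re

# Assumption: illustrative table of brands and the domains they legitimately send from.
BRAND_DOMAINS = {"visa": {"visa.com"}}
# Assumption: a small, illustrative list of urgency words.
URGENCY = re.compile(r"\b(frozen|suspended|locked|deactivated)\b", re.I)
PHONE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
EMAIL = re.compile(r"^[^@\s]+@([^@\s]+)$")


def score_sms(sender, body, known_numbers=frozenset()):
    """Return the indicators that fire for one inbound text message.

    known_numbers holds 10-digit numbers the recipient already trusts,
    such as the one printed on the back of the card.
    """
    hits = []
    match = EMAIL.match(sender.strip())
    domain = match.group(1).lower() if match else None
    if domain:
        # A text "from" an email address arrived through an email-to-SMS gateway.
        hits.append("sender-is-email")
    for brand, domains in BRAND_DOMAINS.items():
        if domain and re.search(rf"\b{brand}\b", body, re.I):
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                hits.append("brand-domain-mismatch")
    if URGENCY.search(body):
        hits.append("urgency")
    # Normalize each callback number to its last 10 digits before comparing.
    numbers = {re.sub(r"\D", "", n)[-10:] for n in PHONE.findall(body)}
    if numbers - set(known_numbers):
        hits.append("unknown-callback-number")
    return hits


if __name__ == "__main__":
    # The message quoted in the post.
    print(score_sms("jason@server-system.net",
                    "VISA alert: #740875 ACCOUNT FROZEN, call us at 1-866-527-0498"))
    # Constructed benign alert from a short code with a number the user trusts.
    print(score_sms("24273", "Your balance is $120.50. Questions? Call 800-555-0100",
                    known_numbers={"8005550100"}))
```
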