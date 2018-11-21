article

How bad is the threat landscape facing small to midsize businesses (SMBs)? In a word: bad. Really bad. And it's getting worse. The reason that SMBs are now the focus of hackers is because they are, as we used to describe it in my Navy days, "a target-rich environment." There are a lot of SMBs making up the large majority of all businesses. And they are, as a class, poorly defended if they're defended at all.

And while smaller companies may not have gazillions of dollars to steal, that really doesn't matter. Most cybercriminals couldn't get their hands on vast sums of money anyway because the financial services firms that have all of the money are much too well defended. Trying to hack them is a waste of time. But laying waste to an SMB is frequently a piece of cake. In many cases, their protections are rudimentary, their security staff (if there is one) is poorly trained, and while their security budget varies, it's usually between little and nonexistent. From the bad guys' perspective, you'll get far more money and useful assets for your efforts from SMBs.

All of this means that, as the IT person in a smaller company, you'll face a wide range of attacks from a wider range of weapons, and you'll have fewer resources and less time to do anything about it. Keep reminding yourself that this builds character.

Knowing Malware Categories

Sorting out the types of malware you're likely to see is almost pointless because they change by the day. What's more useful is to point out the general categories of malware and discuss what to look for. It's also important to realize that the specific name of the malware is less important than its ultimate goal. Are the bad guys after money, assets, or intellectual property (IP)? In some ways, those are more important than the specifics of how they attack.

Stu Sjouwerman, founder and CEO of KnowBe4, says that, ultimately, the primary attacks on SMBs are aimed at delivering ransomware or they're aimed at CEO fraud. But there are also plenty of attacks on assets which take the form of cryptocurrency mining attacks. Cryptocurrency mining takes over your servers, either on your premises or in the cloud, and uses up your computing capacity for mining cryptocurrency.

CEO fraud attacks attempt to collect enough information that they can spoof your CEO's emails and cause your accounting department to send them money. And, of course, ransomware is designed to prevent access to your data until you pay money. Then, after you pay, they might restore your data (or they might not).

How Malware Is Sent

In nearly every case, these attacks arrive by email in the form of a phishing attack. Occasionally, you'll find them arriving from an infected website, but phishing emails constitute by far the most significant vector in such attacks.

The malware that's delivered is frequently something like Dharma, which is still around even though it's one of the original strains. What's changed is that Dharma (and variants of Petya) are now being delivered in pieces that arrive on different vectors. You may find part showing up as a .NET file, other parts being delivered as a disguised JavaScript file, and still others as HTML applications. Your security software will probably never notice.

Protecting Against Malware

"Traditional antivirus is dead," Sjouwerman explains. "If you really want to protect against this type of attack, you want next-generation endpoint protection." Sjouwerman said that three examples of next-generation endpoint protection include Carbon Black, Endgame, and FireEye.

He also said that it's critical that you focus on patching. "Identify the 10 most-used applications in your organization. Patch them religiously. Get a weapons-grade process in place so you always have the latest version."

Finally, he said that you should use new-school security awareness training. Sjouwerman described new-school training as running simulated attacks, including social engineering attacks, regularly and frequently, each followed by remedial training. He pointed out that automated malware detection will never be enough on its own. You need to construct a security tool kit that every network user must employ, either through written policy or by default.

For example, even SMBs can deploy a robust identity management system fairly easily as a cloud service, which will allow IT managers to control access at a granular level and enforce stronger passwords at the server level. Another example is web surfing via a business-owned device, which should be mandated to happen only through a virtual private network (VPN), either through a service provider's servers or those in your data center.

If it sounds like there's actually not a lot that's really new, that's probably true. But there's plenty of malware that's being used in new ways. For example, using software that's already out there to create an attack is a growing means of getting access to networks. One example is the FlawedAmmyy remote access trojan (RAT), which is a RAT that's built on the Ammyy Admin remote administration software. This RAT lets the attacker take over everything in the target computer, giving them the ability to get what they need for further attacks.

Invest in the Right Anti-Malware Tools

But for any of these to work, they need a vector (that is, a pathway). Recently, the primary vector for virtually all attacks has been email. A phishing email usually does it, but sometimes the email may contain malware in an attachment. Either way, someone needs to click on something, which will then release the infection. Of course, a good idea is to deploy anti-phishing and anti-trojan measures on or near your email server, which is a good reason to consider a hosted email provider if your IT staff lacks the email skills to make that happen.

With new strains of malware appearing constantly, it's impossible for an SMB's IT or security department to keep up with them. The only real solution is to invest in the right tools and the right training. The best way to fight malware is not to allow it into your network in the first place. You can do that with some good endpoint protection and good training.

