It's no longer unusual to see major, massive hacks make news these days. They affect millions of individuals and cost millions of dollars to rectify.
While intriguing to read about, the security breaches of large organizations and financial institutions generally offer little in practical terms to help small and medium-sized businesses to better protect themselves. Specifically, SMBs often deploy different technology than that used in an enterprise while grappling to do more with smaller IT teams.
There's still no excuse for small businesses to skimp on security. Yes, technology pervades even non-technical sectors, and mature cloud services make it possible today to quickly setup an online presence with little more than an Internet connection and a credit card. This heavy digitization of business also means that an online hacker could also cause incredible disruption from the comfort of his or her armchair, too.
To help small businesses navigate these tricky waters, let's highlight first some real-life security scenarios that recently affected small businesses and then some practical steps for protecting against these issues.
Beware Social Engineering of Cloud-Based Accounts
A developer named Naoki Hiroshima had his GoDaddy account hijacked in an elaborate bid to steal his Twitter username, @N, for which he'd received unsolicited cash bids of as much as $50,000. The GoDaddy account controlled access to the domain containing the password reset email address of the targeted Twitter account.
While this convoluted attack didn't succeed -- Hiroshima was able to change the predefined email address for the reset password in time -- he initially had to give up his Twitter handle in exchange for control of the GoDaddy account, which controls access to multiple work domains and websites.
What's interesting here is how the hacker essentially social engineered PayPal into divulging the last four digits of the credit card number over the phone. This information was subsequently leveraged as part of the verification process at GoDaddy to gain control of the developer's GoDaddy account. (GoDaddy owned up to its role in the incident, but PayPal didn't.) As Hiroshima detained in the online magazine Medium, he exchanged emails with the hacker, who bragged about how he pulled it off.
Fortunately, things ended well. Hiroshima suffered no data loss -- and, once the story went viral and caught the attention of Twitter administrators, he got @N back.
Beware Hackers Holding Digital Systems Hostage
A promising cloud service that offered code-hosting and software collaboration was abruptly put out of service when a hacker gained access to its Amazon EC2 control panel in what appeared to be an extortion attempt gone awry. According to a public explanation left on the homepage of Code Spaces that also announced its closure, an unknown person left a number of messages at the control panel to open communication regarding an ongoing Distributed Denial of Service (DDoS) attack against the service.
When the team attempted to regain sole control of the panel, the hacker retaliated by randomly deleting artifacts from it. When the dust finally settled, much of the online storage volumes and machine images, and all backups and snapshots, had been deleted. With no way to recover this deleted data -- Amazon leaves the onus for backup entirely to its users -- Code Spaces said it was unable to continue operating.
Aside from the obvious elephants in the room -- not enabling Amazon's multi-factor authentication coupled with the high likelihood of poor password hygiene -- the other learning point is the importance of offline backups, or at least backups that aren't within reach of an armchair hacker or malicious employee. It's not known if customers lost their code for good, but this is another somber reminder not to rely on the promise of a cloud service provider when it comes to data backup. Take care of it yourself.