Whether your business is a big fish or a small-fry home office, you can get hacked just the same, and the stakes are higher than a few canceled credit cards. Here are a few tips to protect your users and your networks -- steps that even enterprise-class security specialists may slip up on.
Know who might be targeted -- and how and why
With the recent news of attacks on U.S. companies including Google, many business owners might be thinking, "That wouldn't happen to me -- I don't have anything so valuable on my servers that an attacker would go after it." Many attacks aren't targeted at all, but are the result of self-selection. That is, the attacker casts a wide net by sending thousands of messages to a harvested list of email addresses, and the ones that respond -- either by clicking a link or via a ping-back embedded image in the email -- are the self-selected targets to pursue.
Targeted attacks -- or "spear phishing," as they have come to be known -- are a more dangerous animal. A good attacker performs reconnaissance by scanning a target organization's Website, quarterly SEC filings (if a public organization), and press releases to find names of key personnel and email addresses.
If that fails, attackers will probably prowl industry conferences and public speaking events (slideshows are almost always archived on the conference Website with the speaker's name, title, and email address); they'll also check out social networking sites -- it's easier for a hacker to bait the hook by figuring out who's in charge through Facebook fan pages and LinkedIn profiles.
While your average spammer is looking for quantity, a spear phisherman is looking for quality. Any key executive that regularly handles sensitive documents or has elevated permissions on a company's file server is a potential victim. Although you might jump to the top of the organization chart and think that the CEO is where spear phishermen would focus their lasers, consider your CEO's executive assistant, as well. This person is accustomed to receiving hundreds of email messages a day for the CEO from unfamiliar senders, and is likely charged with sorting all inbound messages. The assistant is more likely to be stressed, behind a deadline, and pressured to avoid delaying important messages -- and thus more likely to make a poor computer security decision.
For similar reasons, a general counsel or staff attorney at an organization is also a good target, especially with an Adobe PDF attack. Attorneys regularly exchange large PDF briefings between one another and between companies. It wouldn't be a stretch to imagine sending a mock cease-and-desist email message from a spoofed address of your favorite influential intellectual-property law firm and include a PDF with a malicious payload. The attorney wouldn't think twice about opening such a message; and once the payload within the PDF is executed, the attorney's machine is effectively "owned" by the attacker.