IT Adviser
Accessible Ways to Thwart Hackers
You don’t have to spend a bundle to secure your practice data
By Joe Dysart
Regularly making chump meat of the most sophisticated computer defenses, hackers will be unleashing a new wave of malware on unsuspecting ophthalmologists and other small businesses in the coming year – many of whom will be completely unprepared, according to Sophos, a computer security firm.
“Cybercriminals tend to focus where the weak spots are,” says Gerhard Eschelbeck, chief technology officer at Sophos. “Protecting data in a world where systems are changing rapidly and information flows freely requires a coordinated ecosystem of security technologies.”
Perhaps even more disturbing: Hackers will be increasingly targeting even the smallest of businesses, says Mark Brophy, director of information technology at Rogers Townsend & Thomas. Hackers know the defenses of smaller business are generally weaker, he says. Plus, hackers see these less-protected systems as easy back doors to the much larger clients those businesses trade with, such as third-party payers. Essentially, once hackers penetrate a small business, they can plunder the data on its network to go after their bigger game clients, Mr. Brophy says.
The New and Brutal
Many giant and multinational corporations have responded by performing tough security audits of their smaller trading partners. If they find a security risk, many decide to simply pull work from the offending business rather than risk a “breakin by association,” according to Mr. Brophy.
Small and medium-sized businesses looking to pass these hard-nosed audits, or reassure business partners that their mutual data is safe, will need to prove they have a hard IT perimeter. And they’ll need to show defenses against some of the newest threats looming in the coming year.
High on the list of “the new and the brutal” is cloud-server-snapshot software. An insidious intruder, snapshot software can infect a cloud server where an ophthalmology practice stores its data and take a complete snapshot of all the data there, including passwords, Mr. Eschelbeck says.
Hackers use snapshot malware to penetrate systems like this IBM cloud server.
New Threats to Security
Meanwhile, growing numbers of hackers are using text-messaging theft software, which is surreptitiously added to the phone of unsuspecting users. Once activated, the software forwards all text messages to that phone to a hacker, Mr. Eschelbeck says. “The potential exists for attacks like these to target Internet banking services,” he says. “Many banks send authentication codes to your phone. Malware on your phone is capable of intercepting those messages.”
Sophos has also detected increasing use of “ransomware” against small and medium-sized businesses. This app can infect both phones and computers, and render the devices inoperable. Hackers inflicting the software on businesses often demand major dollars for its removal. Not surprisingly, they rarely remove the ransomware even when a business ponies up the ransom, says Mr. Eschelbeck.
Computer users with average skills also pose a new threat. They can become formidable hackers with superkit software, according to Mr. Eschelbeck. These do-it-yourself packages offer multiple ways to infiltrate even the most sophisticated cyber-defenses, he says. Criminals buying the software on the black market don’t really need to know how the apps work. They simply need to know how to point and click.
Protecting the Weakest link
Granted, ophthalmology practices of all sizes should be using firewalls and other network protections to help neutralize hacker break-ins. And most ophthalmologists realize that even the most sterling of computer security defenses can be thwarted without similar vigilance at the individual device level. “End-user computers are the weakest spot,” says Shane Sims, director, investigations and forensic services, PriceWaterhouseCoopers. “Typically, these computers are protected only by antivirus software, and the most sophisticated hackers attack at that point.”
But dollar for dollar, the best return on an investment in computer security is employee education, according to Mr. Brophy. Take the time to educate new employees about the critical need for computer security, he says. And continually reinforce top-of-mind security with regular e-mail tips, tricks and news about IT security.
| Best Anti-Hacker Practices |
|---|
Once you have educated your staff about the need for computer vigilance, security experts recommend small businesses adopt these best practices: ■ Encrypt all mobile devices. Securing all mobile devices, including Android devices, by getting your computer department — that may be you — to fully encrypt the units can be effective, says Gerhard Eschelbeck of Sophos. Make sure all SID cards used in those devices are also encrypted. And ensure that all data and applications on the devices can be erased remotely if the they are lost or stolen. ■ Encrypt all cloud data. Before cutting any deal with a cloud provider, ensure your contract enables your practice to encrypt the data your business generate before sending them to the cloud, according to Ken Rashbaum, principal, Rashbaum Associates. With that safeguard, your data and that of the companies you do business with should be impenetrable, even if a hacker takes a snapshot of the cloud server. ■ Defeat ransomware. Rebooting your computer with an antivirus software program that contains its own operating system can neutralize ransomware programs such as Reventon, Citadel and Troj/Ransom. Essentially, the tool runs your computer with its own operating system, finds the ransomware on your system, and destroys it, Mr. Eschelbeck says. Sophos’ solution for this problem is Sophos Bootable Anti-Virus. Unfortunately, some ransomware is so sophisticated that even these tools cannot defeat it, according to Mr. Eschelbeck. ■ Deep six the superkits. While no bulletproof shield against all the ravages of a superkit exists, you can take some common sense steps. Install updates to all the software on your devices ASAP, Mr. Eschelbeck says. And be sure to disable security-vulnerable software such as Java and Flash whenever you’re not using those programs. ■ Armor passwords. Strictly forbid your employees from using the same passwords at work and at home, Mr. Brophy says. Hackers are aware of this habit, and regularly troll personal email accounts, hoping to find passwords they can also use on employee work accounts. ■ Respect the rule of 12. Prohibit the use of passwords shorter than 13 characters. The darker corners of the Web are rife with programs that can auto-crack any password that is 12 characters or less. Essentially, hackers simply attach these programs to a specific email account and let the program run until it reveals the account’s password. |
The most fastidious and determined hacker can permeate almost any defense system, but these steps and those listed in the box above can be like a locked car to a car thief; he’ll move along to an easier target. OM
|
Joe Dysart is an Internet speaker and business consultant based in Manhattan. His Web address is www.joedysart.com; His e-mail is joe@joedysart.com. |
![]({"src":"/media/jv0py3a4/42013.jpg","focalPoint":null,"crops":[{"alias":"thumbnail","width":1110,"height":700,"coordinates":null}]})