As security threats online become more targeted, small and medium-sized businesses in Canada are more vulnerable than they may think.
According to a report released this week by FortiGuard Labs, the security research arm of Fortinet, an advanced targeted attack, or advanced persistent threat (APT), uses sophisticated software to target specific companies or individuals with the intention of damaging or stealing data.
According to “Threats on the Horizon: Canada and the Advanced Targeted Attack,” the methods used by attackers include malware, social engineering, insiders, forged and fake certificates, and zero-day exploits. Zero-days are sold on the black market with six-figure price tags, which makes it unsurprising that governments are the most common groups behind APT attacks, mainly China, Israel, Russia and the United States.
So are Canadian businesses at risk, and are they more vulnerable than their US counterparts? Richard Henderson, security strategist and threat researcher with Vancouver-based FortiGuard Labs, tells the WHIR that there isn’t much data available on why Canadian businesses are targeted, and that was part of the objective behind its latest research. He says attackers often go through Canadian businesses to gain a foothold into an American network.
“If you’re a Canadian company with a US subsidiary, your networks are often connected, using VPN connections or an internal network. If you’ve gained a hold into someone’s network it doesn’t matter if you’re on the Canadian side or the American side,” Henderson says. “In Canada, we still develop a lot of unique, high technology products that are sold all over the world, and that makes you a target for Chinese APT groups who are looking for industrial trade secrets. They are looking to steal and manufacture their own clones or beat someone else to market. There have been multiple cases now that are supposedly attributed to the Chinese, though attribution is very hard to prove.”
In the first half of 2013, FortiGuard found that Canadian companies using Fortinet security products reported 11.6 million unsuccessful hacking attempts and 360,000 blocked phishing emails.
“It’s a multi-faceted problem here. The infrastructure thing is a big deal. We found open Apache servers all over the web that are running versions of Apache that are 16 patches out of date that are gateways to industrial control systems,” Henderson says. “They’re open, they’re exposed, they tell you quite clearly they’re running Apache 2.2. It just takes someone with a little bit of knowledge to find out what version of Apache they’re running.”
On the web hosting side, Henderson says outdated WordPress and Apache installations are putting small and medium-sized businesses in Canada at risk. Attackers are compromising IaaS servers and using them as a launch point for denial of service attacks and to serve malware, he says.
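The two problems Henderson describes above are separable: a server that announces its exact Apache version in the HTTP `Server` header, and a server that is running a build many patches behind. The short script below is an added example, not code from the article or from FortiGuard, that a defender can run over an inventory of their own hosts' `Server` headers to flag both conditions. The header values and host names are constructed, and the `MIN_APACHE` baseline is a hypothetical patch-policy threshold, not a figure from the report. Hiding the banner (the real Apache directives are `ServerTokens Prod` and `ServerSignature Off`) only removes the easy fingerprint; the outdated build is still exploitable until it is patched, which is why the script reports the two findings separately.

```python
"""Audit HTTP 'Server' headers collected from your own hosts for version
disclosure and out-of-date Apache builds.

Added example, not from the article or FortiGuard. All sample data below
is constructed; the baseline version is a hypothetical patch-policy value."""
import re
from typing import Optional

# Hypothetical baseline: oldest Apache httpd build you accept on your own estate.
MIN_APACHE = (2, 2, 25)

# Matches "Apache" with an optional "/major.minor[.patch]" version suffix.
APACHE_RE = re.compile(r"Apache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?", re.IGNORECASE)


def parse_apache_version(server_header: str) -> Optional[tuple]:
    """Return (major, minor, patch) when the header discloses an Apache version,
    an empty tuple when it names Apache without a version (ServerTokens Prod),
    or None when the server is not Apache at all."""
    m = APACHE_RE.search(server_header)
    if not m:
        return None
    if m.group(1) is None:
        return ()
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(host: str, server_header: str, min_version=MIN_APACHE) -> dict:
    """Classify one host and list the findings a defender should act on."""
    ver = parse_apache_version(server_header)
    findings = []
    if ver is None:
        status = "not-apache"
    elif ver == ():
        status = "apache-version-hidden"
    else:
        # Disclosure is a finding on its own: it hands out a fingerprint for free.
        findings.append("version disclosed in Server header (set ServerTokens Prod)")
        if ver < min_version:  # tuple comparison is lexicographic
            findings.append("below baseline %s" % ".".join(map(str, min_version)))
            status = "outdated"
        else:
            status = "ok-but-disclosing"
    return {"host": host, "server": server_header, "version": ver,
            "status": status, "findings": findings}


# Constructed sample: what polling your own inventory might return.
SAMPLE_HEADERS = {
    "ics-gw.example.internal": "Apache/2.2.3 (CentOS)",
    "www.example.internal": "Apache/2.4.6 (Ubuntu) PHP/5.5.9",
    "hidden.example.internal": "Apache",
    "app.example.internal": "nginx/1.4.6",
}


def audit(headers: dict = SAMPLE_HEADERS, min_version=MIN_APACHE) -> list:
    """Run assess() over every host and return the list of result dicts."""
    return [assess(h, s, min_version) for h, s in headers.items()]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['host']}: {r['status']} {r['findings']}")
```

In practice the `SAMPLE_HEADERS` dict would be filled from your own asset inventory or a periodic poll of hosts you administer; the point of keeping the parser and the baseline separate is that the banner check and the patch-level check produce different remediation tickets.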
“If you’re working in any sort of technology-related business, it’s very likely that someone is interested in what you are doing. There are enough people out there whose job it is to go out and learn about this stuff,” he says. “Small and medium-sized businesses are often the target of these kinds of groups because it’s easier for them to find a way in. They don’t have to worry about targeted phishing attacks because a lot of times these SMBs don’t have the resources or the people to properly secure their network… security is an afterthought for a lot of these companies.”
Henderson says that businesses of any size should be concerned about the potential damage that APT groups can wreak on their infrastructure.
“Some of these APT groups have walked out of these businesses with terabytes worth of stolen data, and it took very little effort from them to do it. If you’re a small or medium-sized business in technology especially, you should be concerned,” he says. “At least pay lip service to the idea that ‘if I were to have my key product or the information about my key product stolen today, what could be the impact on my business?’ If the impact is enough that it could cause serious financial harm or close you down, then you should be spending some time talking to someone knowledgeable in security to figure out what you can do to mitigate the chance of things being stolen.”
“As a small or medium business owner who has farmed out that stuff to a third party, you really should at the very least be talking to your hosting provider about security instances that happen in the web space to see if you are protected from that stuff,” Henderson says. “Most web hosts have dedicated security staff, and usually they are pretty happy to answer these questions.”
Are you seeing any trends in the advanced persistent threat category through your own security mitigation efforts? What advice would you give to a small business concerned about the security of their network? Let us know in a comment.