Major corporations with high-value assets aren’t the only organizations targeted by advanced persistent threats. While your company may not possess information coveted by cyber criminals, like nation-state secrets or credit-card account details on thousands of customers, it could be linked to organizations that do have this data. This means hackers could attack your company in an effort to reach their intended target. Part of practicing good information security encompasses looking at the company you keep and figuring out if these relationships increase the chances of your organization getting attacked.
The Target breach is probably the most famous example of attackers using this tactic. In that attack, hackers infiltrated the company that serviced the HVAC systems in Target stores and stole the credentials the vendor used to log-in to the retailer’s network. With access to Target’s network, attackers were able to upload malware that captured credit and debit-card details from the chain’s point-of-sale system. The data breach ultimately affected approximately 40 million customers.
In July, attackers used this method to install malware in the point-of-sale terminals in 1,025 Wendy’s restaurants and steal credit and debit-card information on an undisclosed number of customers. According to the fast food chain, attackers infiltrated a third-party vendor that had remote access to the cash registers used at Wendy’s franchise locations.
Your business may not need the same security measures as companies with thousands or millions of customers. But you should be aware of what, if any, sensitive information or systems your company indirectly deals with or can access. Naturally, you should make sure those systems are protected.
As the Target and Wendy’s incidents prove, service providers, especially those that can remotely access their customer’s IT environment, should review how they protect these log-in capabilities. If your company uses third-party vendors that can log-in to your network, consider asking them what security measures they have in place to keep these credentials secure.
All businesses should ask what makes their company successful since hackers are likely to target whatever differentiates an organization from their competition. Obvious answers are intellectual property, like a method for hardening steel, or data that can be used to commit financial fraud, like credit-card numbers.
And, of course, who your company’s customers are and your access to them can be just as valuable to hackers as any intellectual property. Does your business play a secondary role in facilitating major business deals? Is your company responsible for processing health insurance claims that contain personally identifiable information? This could be the data an adversary needs to pull of an attack, making your company a target in the overall campaign.
The threat landscape is now much broader and sophisticated. Adversaries are now using techniques previously employed by only nation-state attackers to access sensitive systems and laterally move through an organization. Enterprise security strategies need to evolve in the same way. Start thinking like the adversary and asking ask what information or access does a company have that would be useful to someone else.