TEA Blog


Smaller enterprises are increasingly the targets of choice for cybercrooks and no wonder. Their websites and systems might have less to plunder than those of Target and other Fortune 500 giants. But their are disproportionately weaker than big-company security systems. And that makes them all the more attractive to Internet predators.

The ACFE, in response, is calling attention to the soaring online risk among small-cap businesses.

As large organizations develop stronger controls over their networks and digital data, attacks on small enterprises have mushroomed, said ACFE Chairman and founder Dr. Joseph T. Wells, CFE, CPA, at the 24th Annual ACFE Global Fraud Conference. He urged antifraud experts to educate small businesses about this threat and encourage their investment in defensive resources.


While a serious attack can significantly harm a large organization, it can force a smaller enterprise completely out of business, says Joseph Giordano, chairman of programs at Utica College in New York and a former cyber operations specialist in the U.S. Air Force Research Laboratory.

Case in point: CD Universe, one of the first successful online music sellers. In January 2000, a hacker stole up to 300,000 customer credit card numbers from the companys website and demanded $100,000 in ransom, according to Thief Reveals Credit Card Data When Web Extortion Plot Fails, by John Markoff, The New York Times, Jan. 10, 2000.

When CD Universes owner refused to pay, the hacker sold the stolen card numbers over the Internet. As news of the theft spread the world, consumer confidence in CD Universes cybersecurity plummeted, swiftly transforming the once promising e-tailer into a Net loser. By year-end, the owner sold CD Universe for a half million less than he had paid for it.

A decade and more afterward, the cases dynamics remain compellingly relevant but are largely ignored. Why? For the same its hard to sell insurance: Few people like to spend money on preventing something that might not happen.

And since smaller companies cyberattack losses get comparatively little press coverage, their leadership tends to worry more about profitability and other pressing matters than they do about online risk.

Cost is the primary criterion many small companies use to evaluate cybersecurity resources, Giordano says. Budget limits often force them to view optimal online protection as nice-to-have, rather than must-have.

For CFEs who serve or seek small-company clients, the challenge is to get them to view online security as a form of catastrophe insurance something they already embrace as protection against enormous losses.

If fraud examiners succeed in that educational mission, their next step is to introduce smaller clients to security resources that can help ensure their survival of an otherwise overwhelming cyberattack.

One such product is the cyber range (CR; see Cyber Range exhibit at the bottom of this article.), a virtual environment in which a companys IT staff can develop and maintain skills and tools they need to detect and counter hacker attacks.

The U.S Defense Advanced Research Projects Agency (DARPA), which created the military-industrial-academic network whose communications infrastructure evolved into the Internet, also designed and constructed the first CRs. Those early ranges were the sole province of the military and intelligence communities and industrial contractors serving them.

But just as DARPAs network led to the creation of the World Wide Web, CRs are slowly but surely entering the civilian market. Already theyre helping a few innovative companies better defend themselves against hackers and maintain the operational readiness of their IT staffs, and networks.


After cost, the other criterion smaller companies focus on is quality, says Giordano. They want to know whether a given CR can accurately replicate their systems and create realistic attack simulations.

A good CR creates authentic scenarios by, for example, embedding malware in an emulation of the full range of Web traffic your system experiences, says Fred Kost, vice president, security solutions marketing, of Ixia Corp., a provider of Internet and network analysis products and services in Calabasas, Calif.

To be realistic, the scenario has to present all that activity at once, adds Kosts colleague, senior systems engineer Chuck McAuley. Not just the legitimate traffic, not just the attacks, but everything simultaneously. Anyone can detect an attack on a quiet network. Its a lot harder when thousands of customers are trying to use your website. Thats why its important to practice dealing with real-world situations.

For example, McAuley says, a hacker could insert data theft malware on your system while youre trying to counter a denial-of-service (DOS) attack that has locked all your customers out of your website.

Sony Corp. knows all about that scenario. Thats exactly what happened to the company in 2011. Unfortunately, Sony hadnt implemented and rehearsed a well-thought-out response plan, so its defense wasnt good enough.

During a two-pronged attack on Sonys wildly popular PlayStation website, the companys security staff focused on an initial DOS attack failed to recognize a second intrusion, in which hackers stole account information on up to 77 million Sony customers. The second attack tarnished Sonys brand and inflicted damage that lasted far longer than the briefer service interruption the first intrusion caused.

Sonys chairman described the unfortunate sequence of events in his written response to an inquiry from a U.S. congressional subcommittee investigating the incidents.

Fortunately for the corporate giant, its vast financial resources helped it withstand the data breachs negative effects on its reputation and income. If Sony were no bigger than CD Universe, it too could have gone under.

The message is clear: Smaller companies that dont establish and maintain an effective cybersecurity program could be put out of business by the financial, reputational and legal after-effects of a single, well-executed hacker attack.


Ixias CR product includes a user interface and tools for designing training exercises that realistically simulate actual Internet traffic and attacks.

It does not, however, duplicate a companys servers and the other physical elements of its network infrastructure.

To make infrastructure available for the exercises our product facilitates, our clients either obtain additional equipment [to run exercises against] or if the business model permits system clients conduct the exercises on their production system environment during off-hours, Kost says.

Some companies fold their initial CR acquisition plan into the business case for a single project, he adds. But as they learn more about the CRs capabilities, they sometimes choose to allocate the cost of a CR to multiple projects in which it would add value, creating what could be a more cost-effective business case.

Examples could include evaluating security equipment for purchase or managing software updates without disturbing the production environment. CR producers also offer support to help clients derive more value from their products.

According to Kost, Together, a CR and training program can help your IT team better understand how attackers think, where gaps or signs of an attack might exist and how to practice informed countermeasures instead of relying on uninformed spontaneous reactions.


Financial constraints of the kind Giordano highlighted above need not, however, preclude improvements. Attitudinal, procedural and other non-technological adjustments and initiatives also can reduce risk without greatly increasing spending.

Douglas Fitzgerald, CFE, is president and CEO of the Fitzgerald Technology Group, a cybersecurity and risk management consultancy in Washington, D.C. His firm serves organizations of all sizes.

Im reluctant to rely on any one device or system, such as a CR, to fully resolve a security issue, he says, citing staff interaction and continuity of operations plans as factors sometimes overlooked but well worth optimizing. The biggest problem in a crisis is the lack of effective preparation that could have been developed by participating in physically simulated DOS attacks and talk-only table-top exercises.

For example, Fitzgeralds firm will stage a DOS by either disconnecting the clients network from all communications links or by disconnecting the server from the network. The clients IT staff then will follow its standard procedure to bring the network back online.

Conversely, during a table-top exercise members of the organizations various departments describe exactly what theyd do in response to an imaginary on the organization's network.

Fitzgerald and his colleagues, after observing the client staffs performance in each exercise, specify what might need improvement and, if so, how to achieve it.

Role-playing facilitates mutual understanding among the departments and fosters collaboration that might not otherwise occur, Fitzgerald says. Our aim is to reveal to participants how us vs. them internal conflict between departments can hurt the entire organization and cripple its response to an attack.

Each department needs to understand that making peremptory demands during an attack might be unreasonable, Fitzgerald adds. For example, quickly putting a downed site back online might not be immediately feasible or even advisable, pending further investigation including forensic analysis that might help identify and prosecute the attacker(s).

Often, the victim organization hasnt sufficiently rehearsed its response plan in drills and exercises, he says. So of policies and procedures is often flawed and all too dependent on whos in charge at the moment.

If an incident is serious and cant be resolved immediately, thats the worst time for the CEO and every department head to call the IT chief, who cant work or communicate if his phone wont stop ringing, Fitzgerald says. This can make or break the effectiveness of a companys response to a .

CFEs who encounter such situations can help by proposing that the incident response plan a provision to immediately draw personnel from multiple business units, he adds. An ad hoc staff pool could reduce distractions for the IT staff while helping it exchange critical information with the rest of the company during an attack.

Awareness, and teamwork are essential, Fitzgerald concludes. Dont let your clients assume theyre prepared for an attack. Encourage and help them to thoroughly test their security team and response now and at regular intervals. Real soon could be too late.

ARTICLE SOURCE: This factual content has not been modified from the source. This content is syndicated news that can be used for your research, and we hope that it can help your productivity. This content is strictly for educational purposes and is not made for any kind of commercial purposes of this blog.