Brief reminder of the “Cyber-Tsunami” on Small and Medium Enterprises (SMEs)
Let’s take a brief look at the current CRITICAL Cyber-Security situation of SMEs, before sharing some ways to start answering the two questions at the top of this article.
We have to do business on a web where the question is no longer whether your website will experience cyber-attacks, but when, and how often.
CHECK POINT RESEARCH publishes a map of cyber-attacks identified in real time around the world: https://threatmap.checkpoint.com/ThreatPortal/livemap.html.
In terms of Cyber-Security, every day proves that prevention is better than gambling on repairing the damage of cyber-attacks afterwards …
Today, no company is spared and even large international companies are targeted, but it is SMEs that have to cope with increasing cyber-attacks. Indeed, 77% (about 8/10) of cyber-attacks target SMEs (http://www.leparisien.fr/economie/cyber-attaques-les-pme-particulierement-vulnerables-27-04-2015-4728719.php). This wave is mainly due to a combination of several factors, among them:
- Two decades ago, the motivation of cyber-hackers was mainly the “glorious feat”. As a result, the more famous the cyber-victim, the more media attention the “glorious feat” received… That’s why cyber-hackers targeted larger companies or larger organizations… Today, the motivation of cyber-hackers is more financial than the “glorious feat”.
- Having often been victims, big companies are more and more Cyber-Security aware, and they are reducing their Cyber-Security vulnerabilities…
- SMEs remain largely unaware of Cyber-Security, and they offer an attractive alternative due to their large number. Indeed, a huge number of “small profits” is preferred to a few “big profits”. This is especially so because the “small profits” come from easy cyber-attacks against SMEs, while the “big profits” come from increasingly difficult cyber-attacks against large companies.
As a result, as long as SMEs remain cyber-vulnerable, cyber-attacks against SMEs will keep increasing, like a growing wave of cyber-attacks or “Cyber-Tsunami”.
Most of the time, even when SMEs are Cyber-Security aware, they unfortunately limit themselves to applying generic “solutions” or “recommendations”… To be effective and sustainable, Cyber-Security must take into account the information system, the business processes and the practices (human factor) of the enterprise.
It is therefore essential to carry out a Cyber-Security diagnosis that takes into account the main vectors of the “Cyber-Tsunami”, that is to say:
- Website URL vulnerabilities that may facilitate “Brute Force” attacks via faked URL requests. For instance, a website backup service can be hijacked to steal sensitive data from the website (or the web server): a configuration file containing passwords in plain text, source code, log files or other data.
This vector is particularly critical in the case of a WordPress website; we will come back to this in the related section below.
- Vulnerabilities in the storage of sensitive data (for example: passwords of employees and users).
- Risks related to the phenomenon of “Bring your own device” or the difficulty of identifying the devices connected to the network of the company.
- Failure to raise employees’ awareness of Cyber-Security risks, or failure to apply Cyber-Security measures because they impose constraints that ignore current practices (for example: e-mails and their attachments, which are the main vectors for spreading malware and ransomware).
A cyber-attack is usually preceded by an exploration of Cyber-Security vulnerabilities. Such an exploration is made easier if the cyber-hackers have some technical clues about the architecture of the targeted website. That is the case with WordPress, which is open source. However, the attractiveness of WordPress to cyber-hackers is not only due to the fact that its sources are open, but especially to its virtually unlimited number of plugins. Indeed, while WordPress itself is kept fairly cyber-secure (via regular updates), Cyber-Security vulnerabilities come along with the installed WordPress plugins, and plugins are too often installed without restraint.
According to the cyber-attack attempts detected on a daily basis by my “cyber-watchdog” on my WordPress website, the cyber-attacks seek to hijack the services offered by WordPress plugins (active or not). I don’t wish to share too many sensitive technical details here, so as not to be useful to aspiring cyber-hackers. However, I would like you to be aware that your WordPress installation may well prove to be subject to hijacking. For instance, if you have installed a WordPress plugin that allows you to back up your website, it can be hijacked in order to download the “wp-config.php” file. Recall that the “wp-config.php” file contains sensitive data, for example the database password. Similarly, this backup service can be hijacked in order to download web server passwords (/etc/passwd).
Besides the backup service, a WordPress “Slider” extension can also be hijacked in order to download the “wp-config.php” file or other sensitive data on the web server.
To fight against such potential hijacking of the services offered by tens of thousands of WordPress plugins, the effective solution requires STRICTLY FILTERING the incoming requests on the website, in order to reject parasitic requests… Please note that such FILTERING must rely on judicious rules that cover the types of attempted cyber-attacks rather than singular cases. In addition, it is necessary to verify the level of Cyber-Security of each installed WordPress plugin. Warning: a deactivated WordPress plugin can nevertheless be hijacked by cyber-attacks.
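As an added illustration (not code from this article's author or from any WordPress plugin), the example below filters requests by type of attempt rather than by individual plugin URL: the path and every parameter value are decoded and checked against a few rule classes. The rule names, the sample requests and the action and parameter names in them are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Rule classes (assumed for this example). Each describes a type of request,
# independent of which plugin or endpoint receives it.
RULES = {
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "system-path": re.compile(r"^/(etc|proc)/"),
    "wp-config": re.compile(r"(^|/)wp-config\.php", re.I),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable; None if still changing after max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value.replace("\\", "/")  # treat backslashes as separators
        value = decoded
    return None

def violations(request_uri):
    """Return the sorted rule classes a request breaks; empty list = allow."""
    parts = urlsplit(request_uri)
    # parse_qsl already removes one layer of percent-encoding from the values.
    fields = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for raw in fields:
        value = fully_decode(raw)
        if value is None:
            found.add("excessive-encoding")  # fail closed on layered encoding
            continue
        found.update(name for name, rx in RULES.items() if rx.search(value))
    return sorted(found)

# Constructed sample requests; action and parameter names are hypothetical.
SAMPLES = [
    "/?p=12",
    "/wp-login.php?redirect_to=%2Fwp-admin%2F",
    "/wp-admin/admin-ajax.php?action=example_backup&file=../wp-config.php",
    "/wp-admin/admin-ajax.php?action=example_slider&img=%252e%252e%252fwp-config.php",
    "/index.php?download=/etc/passwd",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hits = violations(uri)
        print("REJECT" if hits else "ALLOW ", uri, hits)
```

Because the rules look at what is being requested and not at which endpoint is called, the same three classes cover a backup plugin, a slider plugin or a deactivated plugin without a rule per plugin.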
To meet this requirement effectively, a company needs to set up a continuous improvement process for its Cyber-Security. Indeed, this must be the answer to such a high Critical Risk, which changes regularly and is getting more and more malicious.