ID Theft Targets: Small Business

Okay, let’s put this in the form of a Jeopardy! question: What are botnets?

Botnets are automated malware written to infect multiple PCs. Each bot collects information autonomously, harvesting new data in an obscured collective. The writer or originator of the botnet collects the harvest and brings the data to market. Bots are installed through user-initiated processes like downloading a program from the ‘Net and running it, or agreeing to install a browser plug-in or toolbar.

Bots are bad for consumers, that’s a given, but what about small business?

eWeek recently reported on software vulnerabilities that allowed credit card information to be captured from retailer POS (Point of Sale) systems. On the one hand, the problem described in the article is a case of bad software and the company’s ignorance of what the software was doing. On the other hand, it’s a wake-up call: through botnets, small businesses could inadvertently be aiding and abetting ID theft of individuals under the same circumstances. Information can be scraped or copied from a station’s memory, because of a designed or inadvertent vulnerability in a piece of 3rd party software, and then transmitted off-site.

Imagine if you were the hacker. Where would you want your bot? Installed on the PC of an individual, exposed to the PPI (Private Protected Information) of a single person? Or installed on a POS station exposed to thousands of PPI records a day? Targeting a small business for botnet exposure is rational: it exemplifies the organized, profiteering motive behind today’s cyber criminal, who’d target a known set of circumstances.

Small businesses can protect themselves by having their software vendor’s product audited by a 2nd party, or by asking the software vendor for the results of their last software vulnerability assessment. Awareness, too, is doubly important: it’s not just the private individual who’d be a likely target of ID theft anymore; it could be our own companies propagating a well-spring of PPI behind our backs.

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, a Masters Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.