When talking to clients, we often ask what information they are trying to protect on their network. The answer almost always boils down to customer Social Security numbers and account numbers. While it is important to protect these and other "personally identifiable information" on your network, it is imperative to realize that other company information of great value to a hacker is often overlooked.
Confidential Business Records
First and foremost, businesses should think about any confidential business records they hold. You may not think your Board meeting minutes or other committee minutes are valuable to a hacker, but they certainly can be. Take, for example, Board discussions around a recently completed vulnerability assessment, penetration test, or IT audit. A hacker could use this information to quickly and easily break into your network, because these reports would likely document many areas of weakness in it. Other information of value to a bad guy includes customer files, trade secrets, operating procedures, accounting records, user account information, or even something as simple as an organizational chart. All of this helps an attacker build a more complete profile of your organization and makes it easier to gain access to your network.
Consider your employees and how you pay them. Many organizations use payroll software, such as QuickBooks, to generate ACH files. Bad guys have been known to breach a company's payroll software and make adjustments: they can create new employees and add them to the payroll file, or they can change the routing or account number of existing employees and funnel the paychecks elsewhere. Typical verification procedures with banks, such as simply confirming that the file balance matches, are not enough and would likely allow this type of breach to go unnoticed. You can read more about an example of one such case here: https://www.bankinfosecurity.com/ach-fraud-payroll-hack-drains-217k-a-3980.
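To illustrate why a balance-only check misses the tampering described above, here is an added example (not code from the original post or from SBS CyberSecurity) that compares a submitted payroll batch against the last approved roster. The record layout, routing numbers, and employee data are constructed placeholders, not a real ACH file format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollEntry:
    """One payee in a payroll batch (simplified, constructed layout)."""
    employee_id: str
    name: str
    routing: str
    account: str
    amount_cents: int


def total_cents(batch):
    return sum(e.amount_cents for e in batch)


def balance_check(approved, submitted):
    """The 'typical' control: only the batch total is confirmed with the bank."""
    return total_cents(approved) == total_cents(submitted)


def entry_level_check(approved, submitted):
    """Stronger control: flag new payees, changed bank details, changed amounts
    and dropped payees relative to the last approved roster."""
    findings = []
    known = {e.employee_id: e for e in approved}
    for e in submitted:
        prior = known.get(e.employee_id)
        if prior is None:
            findings.append(f"new payee {e.employee_id} ({e.name}) not on approved roster")
            continue
        if (prior.routing, prior.account) != (e.routing, e.account):
            findings.append(f"bank details changed for {e.employee_id}: "
                            f"{prior.routing}/{prior.account} -> {e.routing}/{e.account}")
        if prior.amount_cents != e.amount_cents:
            findings.append(f"amount changed for {e.employee_id}: "
                            f"{prior.amount_cents} -> {e.amount_cents}")
    for emp in sorted(set(known) - {e.employee_id for e in submitted}):
        findings.append(f"payee {emp} dropped from batch")
    return findings


# Constructed sample data: the last approved roster ...
APPROVED = [
    PayrollEntry("E001", "A. Smith", "111111111", "1234567", 250000),
    PayrollEntry("E002", "B. Jones", "111111111", "7654321", 180000),
]
# ... and a tampered batch with the SAME total: E002's account was redirected and
# half of E001's pay now goes to a fabricated employee.
TAMPERED = [
    PayrollEntry("E001", "A. Smith", "111111111", "1234567", 125000),
    PayrollEntry("E002", "B. Jones", "222222222", "9999999", 180000),
    PayrollEntry("E999", "Ghost Employee", "222222222", "8888888", 125000),
]
```

Running `balance_check(APPROVED, TAMPERED)` returns True (the tampering passes), while `entry_level_check(APPROVED, TAMPERED)` returns three findings that a reviewer would have to sign off on before the file is released.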
Human Resource Information
Most businesses have some type of Human Resource department, an area with a treasure trove of valuable employee information that needs to be kept confidential. Beyond the obvious Social Security numbers, it also holds payroll information, length of employment, departmental information, and so on. While most Human Resource departments don't keep detailed health insurance information, they do have everything necessary to steal an employee's identity. Using this information, a hacker could hijack an employee's medical insurance to commit various kinds of insurance fraud, or simply gain access to their Electronic Medical Record (EMR). According to Forbes, an EMR can sell for thousands of dollars on the dark web.
Your Machine Itself
Many nefarious activities perpetrated by hackers require a great deal of processing power. By gaining access to your business network, a hacker could hijack your processing power and add your computers to their botnet. Botnets are set up to harness the power of hacked computers for the bad guys' purposes, such as sending mass spam emails, Bitcoin mining, CAPTCHA solving, or even DDoS attacks. All of these activities are made easier for the hacker by having the processing power of thousands of computers rather than one. This image from Brian Krebs shows many different ways that a hacked PC can be used.
As you can see, even if your business doesn't store Social Security numbers, your network has a great deal of value to a hacker. It is critically important that you take steps to secure your online presence and ensure you are not an easy target. It doesn't matter whether you are in rural South Dakota or downtown Manhattan: you are still on the internet, and therefore still a target.
Written by: Jeff Dice
Information Security Consultant - SBS CyberSecurity, LLC