The past eight years or so have seen a tremendous rise in sales of firearms, ammunition and accessories, from licensed firearm dealers as well as private sellers. That’s great news for all of us in this business; unfortunately, it’s also great news for cyber criminals. We’ve seen the stories in the news about high-profile cyber breaches in the healthcare and retail industries, and perhaps the most damaging breach of all, the Office of Personnel Management’s security clearance database. These breaches have impacted not only the organizations involved, but also the personal lives of everyone whose data was stolen.
Cyber criminals — hackers, to use the popular term — go after companies and government agencies in part because of their high profiles, but increasingly bad guys also go after smaller companies assuming they may have less sophisticated security on their websites or in their stores. Partner industries and support channels are popular targets, too, like web-hosting companies or the payment card factories themselves. SurfWatch, a cyber-threat intelligence provider, reported in its October 2016 blog “several massive data dumps totaling more than 130 million records,” from victim organizations including a popular do-it-yourself website development company.
These attacks against the support side of the retail industry can result in a greater amount of overall damage when consumer card or account information is stolen. In the case of supply chain attacks, like stealing payment card numbers from the factory before distribution, they’re very difficult to detect until they’re offered for sale. Verified payment card numbers — actual Visa or American Express numbers — cost only 10¢ to $20, which gives you an idea of how many are stolen every year to make it worth the bad guys’ efforts.
Even small, independent gunshops are connected to all of this through the networks that process card payments and manage the backends of websites. The sad fact these days is that even small family-run shops are nearly as vulnerable as larger, higher-profile chain stores, which is why the entrepreneur must start considering the same threats the big shops do.
“Cyber security” is not nearly as complicated or expensive as it sounds. In a nutshell, it’s simply all the steps we take to make sure that our computers, our information and our employees are safe in the course of our chosen business.
Employees? They’re part of the cyber system? Absolutely.
Often people in the information security field refer to computer users as “liveware.” Maybe it’s a bit cynical to reduce a user to just another system component, but it’s pretty accurate. Ultimately, nothing happens without input from somebody at a keyboard.
In most cases, every employee at a retail store accesses a computer at some point in the course of an average day. Point-of-sale terminals are almost always hooked up to the internet, whether on the “brick & mortar” shop counter or as a plug-in unit on a mobile device at a gun show. Likewise, it’s safe to say that everybody has an email account that they check a few times every day on the same internet connection that the cash register sits on.
See Where I’m Going With This?
Our employees have to be informed and educated about the kinds of threats that can come in over the network, just as they are about the threats that might walk in the front door. Cyber threats like “phishing” and “ransomware” have become the most prevalent methods used by hackers and cybercrooks, for a very simple reason: they work.
Phishing — using an email to trick the recipient into letting the hacker into the network — is just a new, digital form of what we call “social engineering.” That, in turn, is just a newer term for “snookering” someone. I like to use the analogy of Tom Sawyer getting his friends to whitewash his fence. Best social engineering ever.
With phishing, the hacker puts together an email that looks like it’s from your bank, your insurance company, popular internet auction site or some other organization that most of us would automatically trust, telling the user that their account is suspended, overdrawn or similar. I’m not talking about those emails from a prince in Africa who needs your help with his $42 million escrow; nobody falls for that anymore. Some of them are darn convincing. I have to admit I’ve almost fallen for one or two myself. The objective is to get the user to respond without a lot of thought by presenting a situation that spins up your emotions, not your logic. But when the recipient opens an attached file or clicks on a link in the email, the “malware” underneath silently installs itself on the computer and lets the bad guys in without anyone knowing until it’s too late.
Cybercrooks have also turned to phishing because it’s a lot easier than trying to break into an average computer or network these days. New computers come bundled with security features such as firewalls and antivirus applications. Most internet providers provide another layer of technical security for users, in part to cover any liability they may have from a breach. It takes time to break into these kinds of technical protections, just like it takes time to pick a lock or disable a door alarm. It’s a lot easier to exploit someone’s trust to let you in through the back door.
Ransomware is a fairly recent outgrowth of phishing; it’s literally blackmail on the digital side of things. In this case, when the recipient clicks on a malicious attachment or hotlink, the malware locks up the user’s files or even the whole computer, and displays instructions on how much to pay and how to pay it to get the files unlocked. This is nasty stuff, and can be difficult to deal with once it happens. And like real-world ransom, if the user or company pays, it’s often just the first down payment, and the mutts want more.
The best defense against these kinds of threats is employee education. There are literally megabytes of information available free on the web to train your people on how to detect and react to suspicious email messages they might receive. Meanwhile here are some tips to keep in your pocket:
- Never trust an unexpected email, even from friends and family. Other people in your circle of trust may have fallen victim to a hacker, who now has their address book and is using it to send phishing emails. If you get a note out of the blue from someone you know, call them or send them a fresh email to ask if they really sent the other one. I do it all the time; nobody minds, and often it’s the first sign that their email address is compromised.
- When you receive a bright, shiny email purportedly from a bank or company you know — and you will receive one — look for obvious signs that it’s fake: bad grammar, misspelled words, etc. Take the time to really read it before responding.
- Use your mouse pointer to “hover” — not click — on the sender’s email address. If the message supposedly came from your bank, but hovering shows the sender’s real identity
as something different like “firstname.lastname@example.org,” it’s fake.
- Likewise, hover over the links in the message. When it’s malicious, the link to reset your password will display as anything but the company it’s supposed to be. On your tablet or phone where there is no mouse, it’s usually safe to press and hold the email address or link, which shows the true address
These are the methods that I teach my own employees at work. They are effective, easy to learn and most importantly, they’ll prevent a breach when people use them every day.
I mentioned previously some of the technical methods to prevent getting hacked — firewalls, security software, etc. These are effective ways of keeping bad guys out of your business, but they have to be set up and maintained properly. Your internet service provider can help set up your firewall; it’s usually part of the service you pay for. If it’s not, maybe you need to switch. Just saying.
Security software, such as antivirus and antimalware applications, has been around for at least 20 or 25 years. There is absolutely no reason to not have it on every computer you own, and again, keep it up to date. New exploits come out just about every day of the week, and reputable security vendors will automatically update your software if it’s configured properly. Again, talk with your service provider if you’re not sure how to do it.
So that’s all the bad news. The good news is, well … I’m sorry, in this area I have no good news. The cyber threat is real, just as real as the clowns walking through your door with ski masks on, and frankly it’s much more likely to happen. But it IS manageable.
In the real world of brick and mortar, we have alarms, good locks and we train our employees to keep their eyes up when opening and closing. The cyber world has reached a point where we need to take similar actions on that front. We need secure websites and secure transaction support; we need to know how to handle email threats; and we need to know that none of this is going to go away. Frankly, it’s going to get worse as technology gets faster and cheaper.
In my business, there’s a popular saying to describe the challenge we have, “We have to find every possible weakness there may be, whether it’s hardware, software or liveware. The bad guys only have to find one.”
Please don’t give them that one.
L.M. Larsen is the Director of Cyber Security for Apple Federal Credit Union, and has more than 20 years in information technology, cyber security, forensics and counterintelligence consulting experience. He is also a lifelong firearms and shooting enthusiast. Featured image: Point-of-sale terminals are almost always hooked up to the internet, whether on the “brick & mortar” shop counter or as a plug-in unit on a mobile device at a gun show; courtesy of iStock.