An article published yesterday in Business Week argues that Cyber Criminals are targeting small business. The article suggests that small businesses make easy, or easier targets than larger enterprises because small businesses typically cannot allocate the same amount of money and time to information security as large companies. The negative impact of a smaller resource pool is compounded by the fact that small businesses have historically taken a reactive approach towards information security. 

The 2005 Small Business Information Security Readiness Study by the Small Business Security Institute (SBCI) found that small businesses, as a whole, were lacking fundamental information security protection. Of the 1,000 businesses surveyed, 20% had no virus or spam filtering and 60% did not have any encryption on their wireless networks. The authors also found that small firms that allocated a proportional amount of their IT budget to information security were adequately protected…an interesting correlation is found in the fact that businesses with the best protection were also businesses that previously suffered a security breach.

SBCI is planning another study for 2007, but they maintain the statistics found in the 2005 study represent what is occurring in the market.

 How can small businesses ensure that they are protecting their information and infrastructure from malicious attacks?

1) Allocate an adequate amount of resources ($) to proactively protect information- As a rule of thumb, small businesses should expect to spend approximately $200 per month, per user for information security. The amount spent on security should rise every year in proportion with the amount spent on new IT hardware (PCs, Laptops, Servers etc.) and software.

2) Continuous Administrator education on threats- Protect against threats at the network and hardware levels, but avoidance information should always be passed down to the user base. Users are notoriously undereducated on how to avoid security breaches…especially phising scams and other social engineering scams designed to deliver web based malware.

3) This is related to 2 above…lock down your perimeter(s)- Email Filtering, IM Filtering, Web Filtering, Wireless Network Encryption and Mobile Messaging Protection should all be robust and employed at all entry points.

4) Be ready- Remember, it is far cheaper and far easier to have a proactive info security policy than it is to recover from a breach.

5) Back up critical data offsite. Most authors do not present data backup as a security issue…but it is (in fact, it is more than a security issue, but it definitely intersects with security). If there is a breach (or natural disaster for that matter), you need to know that your data is safely backed up and easily accessible somewhere far from the reach of the Cyber Thugs.

Don’t become a small business info. security statistic.  

In the past several days, we have seen a large number of both SBC Global and Comcast users with blacklist problems. Predominately, the host IP Addresses are showing up on the Sorbs Dynamic User and Host List (DUHL) blacklist. By extension, users are seeing bounce back messages indicating that their emails are blocked because their IP Address is on a blacklist. We have every reason to believe that these particular blocks are false positives stemming from Net Blocking. Net Blocking is a shotgun approach to blacklisting, where a large range of IP Addresses are blocked, presumably because they are near a known spam IP. Unfortunately, for the people we have spoken with, they are at the mercy of their respective ISP/Email Host to get the problem resolved…which is a frustrating exercise according to most. Incidentally, we have also seen a large number of emails blocked by the blacklists that SBC uses to curb spam…probably no connection, but interesting.

The only other reportable trend is a large number of Level 1 blocks from an obscure German blacklist- UCEProtect. A UCEProtect Level 1 block blocks a single IP addresses that have “either wrong or missing or generic reverse dns (PTR), or dialups, open proxy’s, open relays, or which are using abusive techniques or which assigned to well known spammers.” However, most of the people on the UCEProtect list that we spoke with did not meet these conditions. This leads us into an interesting discussion topic:

False positives are a significant problem with many widely used blacklists, which is just one reason why a strong inbound/outbound email filtering solution is a superior anti-spam tool.

 The latest DHA ‘infestation’ appears to be targeting recipients’ Accounting Departments — using subject lines such as: “Billing Update, Claim (or Form) #***”, “August Payment (or Bill) Summary, Invoice #***” and others. When the message is checked for content by the inbound email server’s anti-spam solution, the body of the email contains a simple inoffensive line or two (such as “Vendor Invoice attached”) followed by gibberish in the form of random blocks of characters, digits and letters. Thus the content filtering is defeated, letting the infected message through to the end users.

On the blacklist front, we’ve noticed fewer reverse DNS issues over the past week, which is good news for those requesting de-listing. However, static IP addresses are still being mis-identified as dynamic by a few of the RBLs, and the practice of netblocking entire ranges of IPs continues on the part of both blacklist organizations and ISPs.

DID YOU KNOW? A Directory Harvest Attack (DHA) is an insidious dictionary type attack on email servers designed to probe email directories within an organization, then collect or harvest legitimate email addresses, which then receive even more spam. DHAs cause email servers to use valuable resources responding to thousands of bogus address requests, slowing the delivery of legitimate, business critical messages.

While the majority of requests since Friday have been from a large variety of ISP accounts…the common thread has been the continued elevation of reverse DNS issues. Most common scenarios have shown outbound IP addresses (“A” records) matching up with ISPs’ domains (PTR records) rather than the users…and we’re still noticing missing PTR and “A” records. Remember, any of these situations can make it difficult for receiving DNS servers to trust the senders.

Otherwise, it’s been the usual mix of RBLs listing ranges of IP addresses…or identifying static IP addresses as dynamic…with only a few isolated reports of spam messages being sent directly from the specific IP addresses.

In an unusual development, we’ve now received multiple requests from companies that have received bounceback messages from Yahoo accounts stating that SORBS blacklists were used to reject their emails. This is the first time we’ve heard of a “meeting of the minds” between ISP hosts and RBL companies. Up to now, that relationship has been more one of two opposing army camps…with neither side willing to see the other’s point of view. It will be interesting to see if this apparent change in attitude turns into a trend.

A situation that arose today illustrates the problematic nature of RBL use for spam filtering: A business owner who had been using the same email address to correspond with a client for the past seven years suddenly got a bounceback message from that client stating that she is being blocked by a public blacklist (SORBS). Further research on that site revealed that her IP address was contained in a range of addresses owned by her ISP host that have sent spam in the past.

Our intrepid communicant then tried to contact her customer using her Yahoo email account instead. She was bounced back again, but this time the message stated that her email had been blocked by yet another blacklist (SPAMCOP) in another spamming netblock. At this point, she picked up the phone and called her customer instead. As you can see, the use of blacklists can create high false positive rates…with the capacity to interrupt and damage your business communications with trusted customers.

On another note, many of the reports over the past two days have involved SBC, QWEST, VERIO and BellSouth customers — both hosted and non-hosted — who have been included in ISP spammer netblocks by JAMMDNSBL, SORBS, SPEWS, NOMOREFUNN and DNSBL. Once again, the blacklist companies are not saying that these companies’ specific domains and IP addresses have been spamming…but they are still suffering the consequences.

Reverse DNS issues have expanded again…and include missing PTR (domain name) or “A” (IP address) records…multiple PTR record listings for the same IP…with other checks showing upstream host PTR records instead of the user’s. Keep in mind that while these scenarios don’t usually create NDRs (Non Delivery Reports), they can make it difficult to get de-listed from various RBL sites.

Things have pretty much returned to normal over the weekend — we’re seeing the usual scenario: RBLs such as SORBS, SPAMCOP, FIVETEN and others are netblocking entire IP address ranges from ISPs that have included known spammers in the past…which means they’re continuing to catch non-spamming companies in their nets as well.

There have been a few new reports of open relay problems, while reverse DNS issues have dropped off again…and no new Non Delivery Reports (NDRs) from the major ISPs have popped up so far this week.