It would be nice to imagine that when cyber criminals look for their next target, they ignore the small- and medium-sized businesses (SMBs) that simply can’t afford an attack. Unfortunately, that’s not the case. In fact, 43% of cyber attacks are directed at SMBs.
Today, a massive 80% of North American SMBs are at risk of a cyber attack. This is according to Vancouver-based CyberCatch’s Small and Medium-Sized Business Vulnerabilities Report (SMBVR), which presents data based on a review of 3,200 Canadian SMBs, and 16,175 based in the US. And it’s not surprising, really. After all, SMBs are just as likely to collect sensitive customer data as large enterprises — but they’re far less equipped to protect that data.
To stay ahead of these threats and keep attackers at bay, SMBs need to make sure they’re doing everything they can to enhance their security posture. In a recent article, we shared details from the report, showcasing the different industries in which SMBs are impacted, and the most common vulnerabilities that plague them. In this post, we’re taking a closer look at the threats themselves and the steps companies can take to mitigate them.
The three most common vulnerabilities SMBs face
In its review of Canadian and US-based SMBs, CyberCatch used their proprietary vulnerability scanner to assess thousands of randomly selected SMBs for common security weaknesses in their websites, software, or applications exposed to the internet. Specifically, they looked at organizations across 16 different industry segments, including hospitals, utilities, banks & credit unions, and manufacturers.
What they found was a high incidence of three key vulnerabilities that plague organizations across sectors: spoofing, clickjacking, and session riding. The current incidence rate for each of these vulnerabilities (82%, 64%, and 53%, respectively) is concerning for any business, but they become particularly problematic in the context of highly critical sectors like financial services and public health.
What follows is an overview of each of the three vulnerabilities, and best practices for mitigating them.
Spoofing
Spoofing happens when an SMB’s website or web application doesn’t sufficiently verify the authenticity of data, thus accepting invalid data. In this scenario, an attacker can send scripts to fool the web server so that it discloses usernames, passwords, or even an entire customer database. In another example, an attacker could spoof the content on a website to redirect users to an attacker-controlled site that steals their credentials. Alternatively, an attacker could manipulate the database behind a website so that the information is replaced with dummy data — this means that data often used to make critical business decisions can no longer be trusted.
There are many different types of spoofing attacks, from IP address, to email and web spoofing incidents. However, what’s true across the board is that spoofing can only be mitigated with proactive measures. Companies need to remain vigilant, educating their employees about what to look out for and how to report attacks when they occur.
Other best practices include:
- Packet filtering, which can help prevent IP address spoofing by blocking information packets with the incorrect source address details.
- Relinquishing trust relationships where networks only use IP addresses to authenticate a device.
- Adopting spoof detection tools that inspect data and identify data that isn’t legitimate.
- Encrypting data in transit so that attackers can’t view or interact with the data.
- Using zero trust security practices that require all users to authenticate continually.
- Employing VPNs to encrypt data in all states.
Clickjacking
Clickjacking is the second most prevalent vulnerability across North American SMBs. It happens when the SMB’s website or software allows a bad actor to use various transparent or opaque layers to trick a user into clicking a link on another page, and then collects their information. For instance, an attacker could create an overlay on a “BUY NOW” button that takes the user to a purchasing page that’s been designed to look like the original, so that the user inputs their payment information and it goes directly to the attacker.
Similarly, keystrokes can also be hijacked. Attackers use carefully crafted web style elements and iframes to make the user believe that they are typing their password into a legitimate web page — but it’s actually an invisible frame controlled by the attacker. The attacker can then use the password to access the user’s account and compromise the system.
Since clickjacking relies on iframes to render invisible elements on top of a frame, the way to prevent it is with technical workarounds on your website that ensure it cannot be wrapped in an iframe. These tactics include:
- X-Frame-Options: This HTTP response header was designed specifically to protect against clickjacking. It tells the browser whether or not the page may be rendered inside a <frame>, <iframe>, or <object> tag.
- Content Security Policy (CSP): This HTTP header is part of the HTML5 standard and lets website authors enumerate the specific domains from which resources can be loaded, and the domains that are permitted to embed a page.
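As an added example (not code from the article or from CyberCatch), the following Python evaluates those two headers the way a browser resolves them, so a defender can take a captured response and see whether some other site could frame it. It assumes the response headers are supplied as a plain dict and uses the placeholder origin https://attacker.invalid to stand in for a third-party site.

```python
from urllib.parse import urlsplit

def _origin_parts(url):
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)

def _same_origin(a, b):
    return _origin_parts(a) == _origin_parts(b)

def _frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, the same as 'none'.
            return [p.strip("'").lower() for p in parts[1:]] or ["none"]
    return None

def _source_matches(source, page, embedder):
    """Does one frame-ancestors source expression admit the embedder origin?"""
    if source == "none":
        return False
    if source == "self":
        return _same_origin(page, embedder)
    if source == "*":
        return True
    scheme, host, _ = _origin_parts(embedder)
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. https:
        return scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != scheme:
        return False
    src_host = (src.hostname or "").lower()
    if src_host.startswith("*."):                    # wildcard host-source
        return host.endswith(src_host[1:])
    return host == src_host

def framing_allowed(headers, page_origin, embedder_origin):
    """True if a browser would render page_origin inside a frame on embedder_origin.
    CSP frame-ancestors overrides X-Frame-Options when both are sent; with neither
    header present, framing is allowed, which is the vulnerable default."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, page_origin, embedder_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(page_origin, embedder_origin)
    return True   # header missing or obsolete (ALLOW-FROM): page is framable

def framable_by_third_party(headers, page_origin):
    """Convenience check against a placeholder attacker origin (constructed)."""
    return framing_allowed(headers, page_origin, "https://attacker.invalid")
```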
Session riding
In a session riding attack, a cyber criminal tricks an authenticated user into unknowingly submitting a malicious request. That request could change the user's password (locking the user out so that the attacker can compromise other parts of the system), send phishing emails to other users on the network, or delete important data.
Also known as cross-site request forgery (CSRF), session riding can be prevented through a number of mechanisms:
- Training employees around the risks associated with this type of vulnerability and what they can do to identify it.
- Assessing the risk. Session riding is more dangerous for websites or web applications that have user accounts with private information.
- Using anti-CSRF tokens, which are the most effective method for preventing session riding attacks. There are tested implementation solutions such as CSRFGuard for Java or CSRFProtector for PHP.
- Monitoring your website and software regularly for any vulnerabilities that have been introduced.
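To show what an anti-CSRF token actually does, here is an added example in Python (not code from the article, nor from CSRFGuard or CSRFProtector): a synchronizer token that is signed with a server secret and bound to the user's session, so a forged cross-site request that rides the session cookie still fails because it cannot carry a valid token. The request and session shapes are assumed for illustration; SERVER_SECRET and the hypothetical handle_password_change handler are constructed.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed: per-process server-side secret
TOKEN_TTL = 3600                          # seconds a token stays valid

def issue_csrf_token(session_id, now=None):
    """Mint a token for this session: issued-time:nonce:HMAC(session, time, nonce)."""
    now = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{now}:{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{now}:{nonce}:{mac}"

def verify_csrf_token(token, session_id, now=None):
    """True only if the token was minted for this session and is not expired."""
    now = int(now if now is not None else time.time())
    try:
        issued, nonce, mac = token.split(":")
        issued = int(issued)
    except (ValueError, AttributeError):
        return False                      # missing, malformed or non-string token
    if issued > now or now - issued > TOKEN_TTL:
        return False
    msg = f"{session_id}:{issued}:{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison

def handle_password_change(request, session):
    """Hypothetical handler for the state-changing action the article describes.
    `session` is the server-side session already resolved from the cookie, which
    a forged request carries automatically; the token is what it cannot supply."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    form = request.get("form", {})
    if not verify_csrf_token(form.get("csrf_token"), session["id"]):
        return 403, "CSRF token missing or invalid"
    session["password"] = form.get("new_password", "")
    return 200, "password changed"
```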
Looking ahead
For 80% of North American SMBs, the risk of an attack is high, posing a significant threat to their existence. A successful attack — whether it’s spoofing or clickjacking or session riding — can have a number of consequences, including a loss of trust, reputational damage, and the cost of recovery. While enterprises may be able to weather this kind of storm, it’s a much bigger challenge for SMBs. This is why it’s vital to stay ahead of these threats and invest in building a long-term security strategy that covers all the bases.
For a more detailed review of this quarter’s insights and the cybersecurity vulnerabilities common to SMBs, download the full report.
About the Author:
Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.