Tale Of Two Compromises Provides Lessons For SMBs

SAN FRANCISCO -- RSA CONFERENCE 2013 -- At first, Matthew Prince and Mat Honen seem to have little in common: Prince is the founder and CEO of CloudFlare, a small business with a rapidly expanding client base. Honen is a writer for well-known news website.

Yet both have suffered the unfortunate attentions of hacking groups. During a combined talk at the RSA Conference on Wednesday, the two men described the attacks that caused a great deal of digital damage in their lives. Honen lost most of the data collected during his life when one group of hackers decided to gain control of his Twitter handle, @mat. (He later hired a firm to recover most of his lost photos and files.) Prince could have lost a large part of his business, after another group of hackers gained access to his personal e-mail account, which they leveraged into control of some of his business accounts.

In both cases, the attackers harvested information from one of the victims' providers and used it to fool another provider into giving them access to their accounts. The hackers in Honen's case, for example, got the last four digits of his credit card information from Amazon and used that to fool Apple's recovery mechanism into granting them access to his iCloud account.

"You do have to worry about your own security, but you also have to worry about the security of all these services," Honen said. "Amazon by itself is secure, and Apple by itself is secure, but the combination of two was not."

[The assault on CloudFlare shows that companies have to pay attention to how their security services are locked down and how the credentials for those services can be recovered. See Attackers Turn Password Recovery Into Backdoor.]

That is just one of the hard lessons that the duo learned -- lessons that are applicable to most small and midsize businesses (SMBs). Fellow SMBs can glean a few more lessons from their accounts.

1. Separate your personal and businesses lives.
Both Honen and Prince let their business and personal lives intermingle. In Prince's case, he used his personal e-mail -- which he secured with a complex password, but not with two-factor authentication -- be the contact point for the recovery of his business' Google Apps account. Because his Gmail account was only his personal e-mail, he did not think he needed to heavily secure access.

Now Prince recovers to a business account and uses an account name at Google that is not the personal e-mail address that he gives out. Instead, he uses an alias that links to his more complex account name.

"If your personal account is tied in any way to the security of the company, then that is your new perimeter," he said.

2. Use the most stringent, yet practical, security possible
Cloudflare has also moved all of its accounts to require two-factor authentication and, whenever the company talks to a new service provider, Prince always asks what additional security measures the provider can offer. The hackers had fooled an AT&T representative to forward calls to Prince's cell phone to a voicemail box -- now that cannot be done without knowing a specific code, he said.

"With any piece of my digital life, I've thought about how can I secure it," Prince said. "With any new vendor, we ask what is the most onerous security we can put on our account. And just asking that question has caused us to be better."

3. Practice attacking your business.
SMBs should not only implement better defenses, but imagine how an attacker would bypass those defenses. While hiring a penetration tester can be expensive, companies should have occasional exercises that focus on how an attacker could gain access to their systems.

Honen had not seriously thought about such an eventuality, he said. While he had valuable data on his computer, he had never backed it up locally, he said.

"I would never even think that they could have remotely wiped my entire life," Honen said.

4. Practice defending your network.
Within an hour of the attack on Cloudflare's network, the company was on the phone with Google blocking access to the company's accounts and regaining control of its systems. For Cloudflare, its most important asset was knowing who to call at its provider, Prince said.

"If I didn't know who to call, then this could have been a multiday incident and could have been much worse," he said.

Companies should practice defending their network and making a playbook of what employees should do in each scenario. Doing so can save time, when minutes can make a big difference.

5. Cloud can still be secured.
Companies cannot afford to not use cloud services, especially SMBs. Because many cloud services have good security architectures and hire more security professionals than the average SMB, they will generally make fewer missteps. Moreover, with the productivity and collaboration benefits that cloud provides for small workgroups, SMBs are unlike to forego the services.

"I've had people asked if I've stopped using cloud services, and, no, I haven't," Honen said. "There is no retreat from the cloud."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.