Brian Krebs, a cybersecurity guru, recently published a blog post about a website takeover he identified. His post explains how he attempted to notify the IT department of the website owner, in this instance a credit union. The story is unfortunately probably a common one. Krebs, in his Good Samaritan role, attempted to let the financial institution know that their website had been compromised and what steps they might take. He even provided the skeptical employees with ways to validate his authenticity. The initial staff contacts did not believe Krebs, and the compromised site remained operational until a senior staff member finally realized the notification was real.
The comments posted to the blog are of equal interest. Several commenters shared stories of similar attempts to notify a business that its site was compromised, where the site owners did not take action. It seems that people are either jaded about Good Samaritans or don't know what to do.
What Businesses Can Do
In many ways, we have all become very skeptical of someone we don't know trying to help us. Trust is more difficult because of the many examples of exploitation, and we forget the many occasions when we have offered help to others or accepted it ourselves. Businesses should be wary, but there are ways to evaluate a possible Good Samaritan action in a cyber security incident.
• Educate your staff to listen with caution to someone offering help. They should ask for the caller's contact information and perhaps for a reference (a person, news article, blog site, etc.). Businesses should have a list of key people who can contact the caller after confirming the caller's identity through some research. Is the person on LinkedIn? Do they have a long-running blog site or a security company website? What did a search engine query produce? A Good Samaritan will likely be generous with his bona fides, and they can be easily verified.
• If the alert is communicated through email, have a process where the recipient writes down the important information and shares it with a designated key person. The email should not be opened or forwarded until it can be determined if it is legitimate.
• Evaluate the potential risk: what is the likelihood of the caller being a social engineer versus a person of trust? The possibility of a business's site being hacked is huge; what is the potential damage of ignoring a compromised-site alert versus talking to a fraudulent caller? Would a conversation with a prank caller really cost that much time compared with the value of a legitimate one?
• Develop a plan on how your staff should escalate issues to your IT cyber specialist. Designate specific people to investigate an alert. Identify likely action steps that will be necessary if the alert is correct. Steps might include taking the website offline, contacting the hosting company, and contacting law enforcement if the site was truly compromised.
Learn more about protecting small business from cybersecurity threats in a one-day training in Washington DC or Albany, NY. Learn more about the Cybersecurity for Small Business Non-Profits at http://www.nationalcybersecurityinstitute.org/training/
Krebs, B. (2016, February 16). Breached Credit Union Comes Out of its Shell. Retrieved from https://krebsonsecurity.com/2016/02/breached-credit-union-comes-out-of-its-shell/