According to a recent Homeland Security Department report, checking in from your home computer leaves big companies vulnerable to hackers, who scan corporate systems looking to find the remote access software that lets employees look at the system while they are not on the job site.
Once the hackers detect the software, they run a high-speed program that guesses at passwords until they hit on one that works. Armed with that information, the hacker has access to computer systems without setting off security alerts and uses a sophisticated malicious software called Backoff to get access to personal credit information.
A collaborative effort of Homeland Security, the National Cybersecurity and Communications Integration Center, the Secret Service, and an online security firm called Trustwave SpiderLabs, the report is an important reminder of how computer networks are vulnerable to attack from multiple points in spite of rigorous efforts to safeguard information.
The report does not name names, insiders say that the hackers have gained access to over a dozen retailers, including Target, Neiman Marcus, Michaels, P.F. Chang's, Sally Beauty Supply and Goodwill Industries International.
Once they have entered the network, hackers use the Backoff malware to steal credit and debit card numbers off the in-store cash register systems. The numbers are collected and then resold on the black market, where they are worth as much as $100 a piece.
Because the breach comes through a trusted source, such as the remote access granted by Target's heating and cooling software, it was not initially detected. Moreover, the Backoff malware, first identified in October 2013, is so sophisticated that a fully patched and updated antivirus engine was not initially able to detect its rogue function.
The malware not only steals data from the stores' payment systems but also updates within the host computer system itself, preventing the malware from being denied access if the machines crash and have to be rebooted. Over time, the hackers continue to refine the malware to make it more difficult for computer systems to detect it.
Antivirus software alone is not going to solve this problem. The report suggests that retailers need to reduce the number of people with remote access, make passwords more complicated, and install a two step authentication process by which employees enter a second password that changes each time they log in in order to make it harder for computers to hack the system.
Brad Maiorino, Target's chief information security officer, notes that companies need to build security systems with a military grade toughness so that they can be aware of any suspicious or usual activity on the server.
"All of the same tools and techniques that governments are using for attacks . . . are available for sale in the black market," Maiorino points out. "And for the right amount of money, you can go out and create a cybercrime ring at a relatively low cost."
Whether your employees are remotely accessing expense management software, corporate database or even email – be sure you have a mission critical security solution in place.
- Three Questions to Ask About End-User Support
- Why is Your Company STILL Doing Manual Expense Reporting?
- Why Are Manual Expenses so Inefficient?
- How I Did it: Eliminating the Risks of Paper-Intensive Expense Processes
- Beyond Efficiency: How Spend Data Delivers the Biggest Benefits of Expense and Invoice Management
Our choice of Chrome River EXPENSE was made in part due to the very user-friendly interface, easy configurability, and the clear commitment to impactful customer service – all aspects in which Chrome River was the clear winner. While Chrome River is not as large as some of the other vendors we considered, we found that to be a benefit and our due diligence showed that it could support us as well as any large players in the space, along with a personalized level of customer care.
We are excited to be able to enforce much more stringent compliance to our expense guidelines and significantly enhance our expense reporting and analytics. By automating these processes, we will be able to free up AP time formerly spent on manual administrative tasks, and enhance the role by being much more strategic.