As 2018 is on its way out, we reflect on the plethora of massive hacks resulting in endless concern for SMBs & enterprise security professionals as well as the necessary budgetary spend to mitigate and proactively defend against malicious actors. Yes, there’s been a shift in malicious actors’ attack vectors and you are, once again, forced to devote time that you don’t have to address it.
Cisco’s report identifies a concerning shift towards more advanced DDoS (Distributed Denial-of-Service) attacks. The DDoS attack vector has been around for decades and has evolved into a popular, inexpensive attack vector for malicious actors. The size, scope and sophistication of these attacks continue to grow at an alarming rate, with recent DDoS attacks exceeding one terabyte per second, because malicious actors can easily amplify efficacy by purchasing DDoS kits or employing someone to carry out this malicious activity through massive botnets. Generally, DDoS attacks are aimed at large enterprise networks and solely focused on the network stack's third and fourth layers. However, the alarming shift identified by Cisco this year has been from Layer 3 & 4 DDoS attacks to a more sophisticated form called the Application-Layer DDoS attack, also known as a Layer 7 DDoS. These attacks are hard to detect and even harder to protect against because they tend to be smaller than typical Layer 3 & 4 DDoS attacks and often go unnoticed until it’s too late. Layer 7 DDoS attacks are often referred to as “slow-rate” or “low and slow” attacks, meaning they target applications in a way that looks like actual requests from users until the applications become inundated with requests and can no longer respond. In fact, you may even fail to notice an attack until after your front-end application resources are brought offline and connected back-end systems are compromised and/or damaged.
How Does This Affect My SMB?
Layer 3 & 4 DDoS attacks sound like the stuff that large enterprise networks have to deal with, right? Well... The underlying effectiveness of a DDoS attack comes from the disparity between the amount of resources it takes to launch an attack and the amount of resources it takes to absorb or mitigate one. While this is still the case with Layer 7 DDoS attacks, this particular attack does more damage with exponentially less bandwidth. When a user sends a request to log into their Gmail account, the amount of data and resources the user’s computer must utilize is minimal and disproportionate to the amount of resources consumed in checking login credentials, loading the relevant user data from a database, and then sending back a response containing the requested webpage. Even in the event of a failed login, a front-end application must make database queries or other API calls in order to produce an error webpage. When this disparity is magnified by a botnet targeting a single web application, the effect can easily overwhelm it, resulting in denial of service to legitimate traffic.
Sure Eric, you think, I don’t have to worry about numerology and multiple layers except when I am skiing or snow-shoveling (preferably skiing) because I don’t have a large enterprise network... why does this matter? Layer 7 DDoS attacks have shifted focus to SMBs because of their effectiveness; SMBs don’t have the resources to absorb or mitigate an attack, so effectiveness is higher and a successful compromise is equally profitable. Another reason is the proliferation of Mirai variants. Mirai, malware that turns Linux-based hosts into remotely controlled "bots" for use within a massive botnet, was originally used by malicious actors to perform Layer 2 and 3 DDoS attacks. Variants of Mirai have fueled DDoS attacks aimed squarely at Layer 7, including a 54-hour barrage against a U.S. college.
Since your website, other customer-facing applications, and supporting back-end systems present an open interface to users across the globe, they are key targets of Layer 7 DDoS attacks devised to disrupt the way in which these different systems interoperate. With application development continuing to shift to the cloud, the application-layer DDoS attack vector is becoming increasingly difficult to defend against and mitigate.
With Layer 3 & 4 DDoS attacks, you focus on preserving your network’s bandwidth capacity, identifying network spikes and throttling; the ability to mitigate this type of attack always comes down to one simple question: who has more network capacity, the attacker or the mitigation service? Successful defense and mitigation of Layer 7 DDoS attacks rely on the ability to accurately profile incoming traffic – to distinguish between humans, bots and hijacked web browsers. As a result, the defense and mitigation processes are much more complex than the attack itself.
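To make the "profile incoming traffic" point concrete, here is an added example (not code from the original post or from Cisco) that groups web-server requests by endpoint and flags the low-and-slow pattern: many clients, each sending only a few expensive requests that mostly fail, so no single client trips a per-IP rate limit. The log lines, the expensive-endpoint list and the thresholds are constructed for this example; the log format and helper names are assumptions.

```python
"""Per-endpoint profiling of web-server access logs for low-and-slow Layer 7 patterns."""
from collections import defaultdict
import re

# Common Log Format without referrer/agent fields; constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Endpoints that do real back-end work per request (credential checks, DB queries).
# Assumption for this example; a real deployment would derive this from its own app.
EXPENSIVE_PATHS = {"/login", "/api/search"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile(lines):
    """Aggregate per path: request count, distinct clients, error share, busiest client."""
    acc = defaultdict(lambda: {"requests": 0, "clients": set(), "errors": 0,
                               "per_client": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = acc[rec["path"]]
        s["requests"] += 1
        s["clients"].add(rec["ip"])
        s["per_client"][rec["ip"]] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
    return {
        path: {
            "requests": s["requests"],
            "distinct_clients": len(s["clients"]),
            "error_ratio": s["errors"] / s["requests"],
            "max_per_client": max(s["per_client"].values()),
        }
        for path, s in acc.items()
    }


def flag_low_and_slow(stats, min_requests=20, min_clients=10,
                      min_error_ratio=0.8, max_per_client=5):
    """Flag expensive endpoints whose load is spread over many clients that each stay
    under a per-IP rate limit and whose responses are mostly errors (e.g. failed logins).
    Thresholds are illustrative; tune them against your own baseline traffic."""
    flagged = []
    for path, s in stats.items():
        if path not in EXPENSIVE_PATHS:
            continue
        if (s["requests"] >= min_requests and s["distinct_clients"] >= min_clients
                and s["error_ratio"] >= min_error_ratio
                and s["max_per_client"] <= max_per_client):
            flagged.append(path)
    return sorted(flagged)


def sample_log():
    """Constructed access-log sample: background traffic plus a distributed login flood."""
    ts = "16/Dec/2018:10:00:00 +0000"
    lines = []
    # Ordinary browsing from two clients, plus one successful login.
    for i in range(5):
        lines.append(f'198.51.100.{i % 2 + 1} - - [{ts}] "GET / HTTP/1.1" 200 5120')
    lines.append(f'198.51.100.1 - - [{ts}] "POST /login HTTP/1.1" 200 312')
    # One client hammering search: noisy, but a plain per-IP rate limit already catches this.
    for _ in range(30):
        lines.append(f'198.51.100.9 - - [{ts}] "GET /api/search HTTP/1.1" 200 2048')
    # Twelve bot clients, three failed logins each: low per-client rate, high aggregate cost.
    for bot in range(12):
        for _ in range(3):
            lines.append(f'203.0.113.{bot + 1} - - [{ts}] "POST /login HTTP/1.1" 401 87')
    return lines


if __name__ == "__main__":
    stats = profile(sample_log())
    for path, s in sorted(stats.items()):
        print(path, s)
    print("flagged:", flag_low_and_slow(stats))  # flagged: ['/login']
```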
Unless malicious actors have a vendetta against your SMB, a Layer 7 DDoS attack is just the tip of the iceberg. This attack vector is commonly a means to an end, setting the stage for more traditional attack vectors (e.g., exploiting known vulnerabilities, cross-site scripting and SQL injection). In this typical scenario, malicious actors use a Layer 7 DDoS to weaken defenses or crash security resources, enabling them to gain access to your network and steal sensitive data for profit.
XSS (Cross-site Scripting)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. This attack vector uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user without validating or encoding it. Yes, your web application is susceptible to malicious activity wherever it receives input from a visitor: user forms, checkout carts, etc. An attacker uses XSS to send a malicious script or series of instructions to an unsuspecting victim. This particular Layer 7 attack vector is successful in acquiring a victim’s cookies, session tokens, or other sensitive information retained by the browser and used with that site. Attackers can even rewrite the content of an HTML page rendered to a victim.
The basic premise behind the SQL injection attack vector is that an attacker manipulates data passed into a web application in order to modify the query that is run on the back-end database. This might seem relatively innocuous at first sight, but it can be extremely damaging. The most concerning aspect of this attack vector is that the basic method of building a database query from user input inevitably results in a SQL injection vulnerability. And the most common “fix” is to replace each occurrence of a single-quote character with two single-quote characters, effectively “escaping” the single quotes. This unfortunately does not fix the vulnerability or solve the underlying problem. User input validation is necessary throughout your applications to eliminate the ability of malicious actors to use input fields as proxies for performing malicious SQL queries.
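As an added example (not code from the original post), the same invoice lookup written three ways against an in-memory SQLite database: spliced user input, the quote-doubling "fix" described above, and a parameterized query behind input validation. The table, rows, inputs and helper names are constructed for this example.

```python
"""Why doubling single quotes does not fix SQL injection, and what does (SQLite, stdlib only)."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny invoices table for an accounting client portal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, client TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "Acme LLP", 1200.0), (2, "Birch & Co", 870.5), (3, "Cedar Trust", 4310.0)],
    )
    return conn


def lookup_concat(conn, invoice_id):
    """Vulnerable: the request parameter becomes part of the SQL text itself."""
    sql = "SELECT id, client, amount FROM invoices WHERE id = " + invoice_id
    return conn.execute(sql).fetchall()


def lookup_quote_doubled(conn, invoice_id):
    """The common "fix": double every single quote before splicing.
    It changes nothing in a numeric context, where the value is not quoted at all,
    so the query text is still attacker-controlled."""
    escaped = invoice_id.replace("'", "''")
    sql = "SELECT id, client, amount FROM invoices WHERE id = " + escaped
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, invoice_id):
    """Correct: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, client, amount FROM invoices WHERE id = ?"
    return conn.execute(sql, (invoice_id,)).fetchall()


def is_valid_invoice_id(raw):
    """Input validation at the application boundary: an invoice id is a positive integer."""
    return raw.isdigit() and int(raw) > 0


def lookup_safe(conn, raw):
    """Validation plus parameter binding: reject bad input early, bind what remains."""
    if not is_valid_invoice_id(raw):
        raise ValueError(f"invalid invoice id: {raw!r}")
    return lookup_parameterized(conn, int(raw))


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # textbook payload, no quotes involved
    print("concat       ", lookup_concat(db, tampered))          # all three rows
    print("quote-doubled", lookup_quote_doubled(db, tampered))   # still all three rows
    print("parameterized", lookup_parameterized(db, tampered))   # []
    print("safe         ", lookup_safe(db, "3"))                 # [(3, 'Cedar Trust', 4310.0)]
```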
Defense & Mitigation
In addition to those technological recommendations, below are additional recommendations you should heed:
In the 90’s, the Internet exploded with the introduction of web browsers, Apple was a struggling company, Google didn’t have a website while Yahoo was the king of search, and AOL inundated mail slots with CDs to keep its stranglehold on email. In the 2000’s, BlackBerry was king of the smartphone, only to be replaced shortly after Apple’s release of the iPhone and its accompanying App Store. With each decade, we’re encountering unimaginable change; we’ve gone from the desktop web era to the mobile dependency era, and now, the wearables era. While massive changes have been occurring within the Big Four accounting firms, the impact of these changes has, to date, been mitigated for the balance of the accounting profession. The next decade, however, will transform the professional accounting landscape in what many will consider to be unimaginable ways. In twenty years, the accounting profession will be nothing like it is today, and along the way there will be an unprecedented amount of turnover in firms that adapt too little or too late. In short, the profession will be under immense pressure to deliver value for its clients in a manner that adapts to sweeping technological changes.
The sweeping disruption from massive technological change and shifting consumer trends demands a new approach to how the industry creates value for clients and how accounting firms that are small to medium sized businesses (“SMBs”) can compete with the deep resources of the Big Four and emerging large firms. Some accounting offerings are more vulnerable to disruption than others. For example, transactional accounting services have been largely automated by technology; compliance is already undergoing automation and limited advisory services are following the automation trend as well. These automated core offerings require minimal to no oversight, effectively enabling larger accounting firms to leverage their resources to scale with lower operational costs, focus on different customer markets and ultimately, win customers from accounting firms that are SMBs. The impending automation of the accounting professional’s core responsibilities will force accounting firms, large and small, to focus on offering more advice and insight-based service, essentially becoming creative strategy consultants.
There are a number of emerging disruptive technologies that are likely to come up more frequently during client meetings, accounting conferences or workplace happy hours. Let’s review some of the more common ones and how they will drastically alter the professional accounting landscape:
Big Data thanks to IoT
Big data and IoT are terms that have been loosely thrown around so much that the mention of them is likely to induce a mild sense of nausea at this point. For definition’s sake, however, “big data” is the collection of data sets so large and complex that they cannot be analyzed by traditional databases or tools, such as spreadsheets. IoT is the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.
Big data impacts nearly every aspect of accounting. In audit, big data produces more data driven audits and valuable insights, providing a better experience for the client and the auditor. In advisory services, big data can identify questions, help monitor and improve business performance, and build analytical models that support a variety of product or operational improvements. In tax, big data offers the opportunity to analyze efficiencies more easily, identify tax related opportunities for improvement, and aid in evaluating global opportunities. Lastly, in managerial accounting, big data helps with risk identification and management.
IoT is already impacting consumers’ purchasing frequency with more pay-for-what-you-use models, with sensors tracking actual usage. This change in purchasing will require new pricing and accounting models and lead to much larger data profiles of each customer. IoT also impacts business processes like invoicing and reporting. Lastly, IoT will impact the way audits are carried out, because the availability of real-time data coming from multiple sources and automated analysis will only increase the need for continuous auditing.
New technologies, based on big data and IoT, are reaching into every area of the business world. The amount of data we are able to collect is rising exponentially, driven by the Internet of Things. Due to IoT, in two years, the number of connected devices will be three times the number of people in the world. Increased connectivity leads to larger data sets and big data gives businesses unprecedented amounts of information and the analytical tools for improved decision-making. In turn, accounting professionals can use these same tools to move from data entry, recordkeeping and simple analysis to strategic business consulting. Today, financial controllers and CFOs use structured data, unstructured data, and predictive analytics to understand massive amounts of customer information, financial trends and industry information to make insightful forecasts for clients.
Artificial Intelligence (AI)
AI is technology that enables computers to perform decision-based tasks previously left to humans. It shows up in multiple forms, including machine-based learning that can progressively become better at analysis and decisions the more it is used, and speech-based technology that can understand different voices and languages. It is largely used to digest and analyze large volumes of data at speeds faster than people can ever accomplish. These technological advances were formerly reserved for science fiction, but artificial intelligence has arrived and is rapidly evolving. Early investments by large firms, including several of the Big Four, have paid off with technology that can substantially slash the amount of time an accountant spends on complex audits and asset estimates. All firms, even small ones, should start thinking about how to adopt advanced technology like artificial intelligence (AI), whether it will be by partnering with specialized AI tech companies or building their own technology department.
In preparation for the oncoming wave of AI within the accounting profession, accounting firms that are SMBs must add, develop and retain staff with database & technology skillsets. A solid foundational understanding of data management and a high comfort level with new technologies will give accounting firms an edge as the use of AI increases in the field. Naturally, the professional skepticism auditors have is necessary to spot when automated analysis goes awry and to deal with exceptions.
If you’re thinking that your accounting firm won’t be able to keep up with the overhead costs of bringing on additional technology staff and developing your own AI products, then don’t fret just yet. AI technology is becoming more accessible and will eventually become standard fare, similar to the advent of the Internet. When the World Wide Web was first publicly available, only large companies could afford to establish an online presence and develop their own networks. That has obviously since changed, and today there is scarcely a firm, or person, left unconnected to the web. The same will happen with AI technology and it will become a more necessary and common component of doing business... of course, those who are slightly behind the bleeding edge but ahead of the pack will probably be the best positioned. If you master threading that needle, please let me know... in the meantime, Helical will continue to build out its AI capabilities.
Cognitive computing and machine learning
Cognitive computing is technology that simulates human thought processes in a computerized model. When it comes to the accounting profession, cognitive computing combines artificial intelligence and machine learning to simplify and transform how professionals find information, how they interact with applications to perform knowledge tasks, and how they make decisions.
When it comes to the accounting profession, cognitive computing will revolutionize the audit process because it can provide assisted decision-making for auditors. This judgment capability involves things like identifying key audit risks and determining how to design audit procedures to respond adequately to those risks. Audit judgment skills are typically developed and refined through years of experience, training, and interaction with colleagues; cognitive computing combines big data and AI to analyze these judgments from across thousands of audits to aid auditors in real time, while keeping client information private. Technology is paramount to your SMB’s future and similarly, your clients’ ability to leverage technology will be equally paramount to their futures. Therefore, an emerging business opportunity for your firm is IT audit, which is necessary for complying with audit standards and possibly your own client’s compliance requirements. Such a service can be readily provided alongside your standard audit offerings. Some firms, like Helical, can even white label these offerings to facilitate the ability of firms to incorporate these capabilities into their own offerings.
Most big accounting firms are investing heavily in emerging technologies. Big Four firm KPMG announced an alliance with IBM Watson’s artificial intelligence unit to develop high-tech audit tools, and almost all major audit firms have similar initiatives underway. Understandably, accounting firms that are SMBs don’t have access to the capital to make large-scale investments in technologies like cognitive computing. Instead, these firms should look to software providers to incorporate this technology into their offerings so they can capitalize on its abilities. The most important takeaway is to embrace this technological disruption early so your firm can take advantage of the opportunities cognitive computing offers. Being open to this change will ensure that your firm is viable and can compete with the Big Four in the future.
Blockchain is currently the most hyped term you’ll find in any industry because its use cases are practically infinite, but at its core, it's a security and accounting technology for maintaining and transferring ledger information. Since it’s an accounting process, naturally, this is the emerging technology that has the most potential to disrupt the accounting profession.
Blockchain will greatly reduce the costs of maintaining and reconciling ledgers, and will provide absolute certainty over the ownership and history of assets. It facilitates clarity regarding the available resources and obligations of companies, and frees up resources to concentrate on planning and valuation, rather than recordkeeping. There are also numerous applications in external audit. Event-level audits incorporated into blockchain technology will enhance both the effectiveness and efficiency of those audits and facilitate greater financial transparency.
The move to a financial system with a significant blockchain element offers many opportunities for the accountancy profession. At least initially, most of these opportunities will be captured by larger accounting firms, which have the resources to devote to the development and implementation of the technology.
As a result, the spectrum of skills represented in the accounting profession will change significantly. Some work, such as reconciliations and provenance assurance, will be reduced or eliminated, while other areas, such as technology, advisory, and other value-additive activities, will expand. When auditing a company with significant blockchain-based transactions, the auditor's focus will shift from confirming the accuracy or existence of blockchain transactions with external sources to how those transactions are recorded and recognized in financial statements, and how judgmental elements such as valuations are decided.
It may sound like you should replace your accounting staff with a highly technical staff, but that isn’t necessarily true. Accountants don’t need to be blockchain engineers, but they must learn how to advise on blockchain adoption and consider the impact of blockchain on their businesses and clients. They also must act as the bridge, having informed conversations with both technologists and business stakeholders. Most importantly, an accountant’s skills must expand to include an understanding of the features and functions of blockchain.
Accounting Battleground of the Future
In many ways, the future is now. Technology is causing massive disruption in the accounting industry, and the most important factor for the survival of SMB accounting firms is their ability to secure their clients’ data. Malicious actors have shifted their focus from enterprise companies to SMBs because effectiveness is significantly higher and, for the level of effort, data theft is equally profitable. Thus, accounting firms that are SMBs have become the biggest targets of malicious actors; trust and confidentiality are paramount in the accounting industry, and a data breach is the easiest way to lose clients to the competition. While accounting firms are evolving to incorporate more technological expertise, security of data will be one of the most important variables in the equation of continued existence and competitiveness.
Remaining competitive and preparing for growth requires modernizing your technological acumen and expertise. Most importantly, that technological expertise must include acquiring or retaining security expertise to ensure that your firm remains compliant with evolving regulations on confidential and sensitive data and to defend your firm against malicious actors.
The future competitiveness of small to medium sized accounting firms will center around strategic technology partnerships, evolving expertise and the ability to secure the data that such firms process. Those who embrace change will be empowered by it while those who resist or hide from change will be passed by it. For accounting professionals who are trying to make it as small to medium sized firms, their survival has never been more dependent on their ability to embrace change…and there is a lot of it coming!
In 2008, to much fanfare, Facebook introduced a new online platform called Facebook Connect, which was proclaimed as “the” scalable SSO (single sign-on) or digital hall pass for the Internet. It has been pitched to companies with a simple proposition: connect to the Facebook platform, and we’ll make it faster and easier for people to use your apps, because users are more apt to sign up for new mobile apps and websites if doing so is easier. In one simple click, a Facebook user can log in to any mobile app or website implementing Facebook Connect with their Facebook password. It also brought an added measure of security, since users wouldn’t need to create and remember new passwords every time they signed up for a new app. Awesome, where do I sign up for this perfect solution, right? A technology platform that provides immense convenience and a streamlined user experience to your customers and can easily be implemented into your technology stack, whether you’re part of an SME or a large enterprise. This “perfect” solution has been adopted by thousands of companies across the globe, ranging from SME marketing companies to large enterprises like Airbnb and Uber.
It’s taken 10 years since its inception, but Facebook Connect doesn’t seem so “perfect” after all and perception has changed from an Internet wide single sign on solution to a global single security nightmare.
Over the past few weeks, Facebook announced that first 50 million, then 30 million account entry keys, created via Facebook Connect, had been stolen in the largest hack in the company’s fourteen-year history. Since the announcement, companies large and small have been scrambling to determine the possible effects on their customers and networks.
On the surface, 30 million users are barely 3% of Facebook’s total userbase; however, the impact of this hack is exponentially bigger because those stolen entry keys can be used to gain access to so many interconnected mobile apps and websites. Stop for a second and think about how many mobile apps and websites use your Facebook account. If you’ve used all ten digits on your hands, hopefully you get the point. If you don’t have a Facebook account, I applaud you. Stats say you’re over 45 years old and you keep a 2018 equivalent of a Motorola flip phone in your back pocket, but you’re still susceptible to the third-party risk thanks to your Facebook-loving friends who have your email address, phone number and, if they are really organized, your home & work address in their contacts. Let’s not get into email correspondence, chats, essentially any digital communication between you and your Facebook-loving friends. This hack and its fallout underscore the lengths to which Facebook has cemented itself as the identity of the internet, and what happens when the security systems of one company — trusted by so many — fail.
Buried within Facebook's recent admission was a surprising revelation for its business customers: customers of Facebook Workplace, used by 30,000 businesses as of a year ago, are impacted. If you’re a small/medium enterprise that initially adopted Slack to improve workplace collaboration and efficiency and migrated to Facebook Workplace, then congratulations, your company may be exposed to serious third-party risk thanks to Facebook. Let’s try to determine whether this particular nugget of the Facebook hack poses any third-party risk to your company. Back in 2015, Facebook announced that the Royal Bank of Scotland had signed up to use the Workplace beta with the intention to roll it out to 100,000 employees. And when Facebook launched the Workplace product in 2016, it said it already had about 1,000 customers using it. During 2015-16, Facebook Workplace allowed employees to link their Workplace account with their personal Facebook account, and a stolen account entry key lets you read the files and posts in a Workplace community, which is the equivalent of reading work email.
Below are some easy ways to determine your SME’s risk exposure:
Yes, that’s Facebook’s fix to its debacle: force users to log out to invalidate the account entry key/token. Simple enough, an inconvenience to Facebook users, but an even easier “fix”. Let’s review Facebook’s public timeline of this hack and dig a little deeper:
Based on the sophistication of this particular Facebook hack, it’s easy to surmise that the malicious actors were using this exploit long before September 16th and collecting Facebook Connect access tokens. Here’s what really happened:
Facebook has stated that it can’t pinpoint exactly when the malicious actors established the attack chain to exploit 3 separate vulnerabilities, but the vulnerabilities had existed since July 2017. Yikes…
There’s an obvious problem with instructing Facebook Connect users to simply force a log out to “mitigate” this hack. The reality is that Facebook, with all its resources, has few to no solutions for its Facebook Connect users, despite a soon-to-be-released tool that will help SMEs and large enterprises alike identify which accounts may have been tampered with through Facebook Connect. Facebook's handling of user data has been under scrutiny for the better part of this year, so this hack couldn’t have come at a worse time for Facebook. The company is still reeling from a series of scandals that unfolded in the wake of the 2016 US presidential election: a widespread Russian disinformation campaign leveraged the platform unnoticed, followed by revelations that third-party companies like Cambridge Analytica had collected user data without their knowledge. Facebook already faces multiple federal investigations into its privacy and data-sharing practices, including one probe by the Federal Trade Commission and another conducted by the Securities and Exchange Commission. This hack will ramp up efforts to regulate Facebook and other technology companies through financial penalties, legislative efforts or both. In Europe, Facebook could face a fine totaling as much as $1.63 billion if it's found in violation of the General Data Protection Regulation (GDPR), the European Union's sweeping consumer privacy law. GDPR contains a provision that companies can be fined 4% of their annual revenue if they violate the law, which encompasses rules on protecting data and a requirement that regulators must be notified within 72 hours of a breach. Ireland's Data Protection Commission, which oversees Facebook under GDPR, is heading up an investigation into the breach.
Facebook’s platform relies on trust: users trust that their pictures will be seen only by those in their networks, and that their private messages will be read only by the people to whom they were sent. Facebook may look like a juggernaut now, but social networks have fallen before, and this is hardly its only data privacy issue this year. This particular hack destroys trust, the very ingredient that attracts its users; we’ll know quickly about the damage done to Facebook’s brand and its users’ desire to continue using the social platform or take their “business” elsewhere.
Facebook Connect is a platform that levels the playing field between SMEs and large enterprises and streamlines offerings to customers. Roughly 80% of SMEs use Facebook for marketing, which makes the iconic social media platform the most popular tool for small business marketers in the digital world and beyond. With its rise in popularity, Facebook has also become the largest point of third-party risk to SMEs, and the recent hack is a testament to this. Not only are SMEs now firmly in the crosshairs of malicious actors, they are fast becoming their favored target because they are often woefully unprepared due to a lack of CapEx/OpEx resources, which translates into little or no cyber security measures in place. With issues like this, they are apt to now go to Google+ as a social media network. I mean, they’re a well-known brand and certainly you can trust Google with security and transparency... right?
Cybersecurity SEC Enforcement Action