Business owners know potential customers are connected to the Internet at home, work
and on the go. Smart phones, tablets, laptops, desktops, televisions, gaming consoles,
automobiles and appliances are all devices that connect people, and their money, to a world-wide
market. Just as the Internet changed the game for businesses, it also opened the world up for
attack by a new breed of cyber-criminals. These hackers use the Internet from remote locations
Over the years, criminals have preferred to target businesses over individuals because
they have more profitable information to steal. The evening news is filled with stories of data
breaches and corporations being attacked, for data such as credit card numbers, social security
numbers and financial institution information. But over the last few years, hackers have realized
that large companies are investing heavily in cybersecurity by implementing the latest intrusion
detection technology and hiring teams of information security professionals to protect their data,
devices and networks. That realization has placed new targets in their sights: small businesses.
small business customers did not make improving online security a priority, 82% do not think
they are targets of attackers because they don't have anything worth stealing, 32% do not believe
they will suffer revenue loss for a day's worth of being down after an attack, 31% don't have an
action plan to respond to security breaches, 24% think cyber security costs too much, and finally,
22% admit they wouldn't know where to start when it comes to implementing security.
Why are small businesses targets of cyber-crime?
Do most small business owners know they are now the main target? The answer is a
resounding, no. In an article discussing the rise of attacks targeting small businesses, Smith
(2016) points out that cyber security experts say that one of the most dangerous phrases used by
small businesses is: "It'll never happen to us." In this year's Internet Security Threat Report by
Symantec (2016), it was found that three out of every five cyber-attacks targeted small
businesses. That is a huge increase and looking at the data from Symantec over the last five
years, criminals are focusing more and more on small business for their targeted attacks.
It is easy to understand why many small businesses feel they wouldn't be targeted. They
believe they are too small and hackers would not be interested in what they do, when the
opposite is true. Hackers know that small businesses tend to have lower defenses than larger
corporations. By their very nature, thriving small businesses are innovative and niche, which
again is very attractive to the bad guys who may be interested in customer data and intellectual
property and know exactly how to pick out the weak targets.
Why should small businesses secure their network and devices?
Examples of small businesses getting hacked with disastrous results are discussed in an
article from My Digital Shield (2015). The first example covers a NYC mannequin maker who
had more than $1.2M stolen from its accounts as the result of a hack into online transactions.
The company kept getting error messages when it tried to make online payments and didn't
realize the site they were trying to pay on was a spoofed copy of the actual website and payments
were being taken and dispersed into four other banks, then other banks from there.
Another example describes the owner of two small magazine shops in Chicago, who was
notified by a credit card company that a data breach had sent their customers' credit card
information to Russia. "Who would want to break into us?" the owner asked, after determining
A Bellingham, Washington burger joint business owner was hacked twice over a two-year
period, due to the lack of any security tools or configurations. The credit card company
shut off his account and seized money from incoming payments and the owner was forced to
close, even after spending $12,000 for an investigation and remediation payments.
According to the U.S. Department of Health & Human Services (2010), the theft of a
single unencrypted laptop led to a small Massachusetts provider having to settle a case for $1.5
million for violating HIPAA privacy and security rules. Data breaches cost much more than just
money by damaging reputations. Losing trust could not only cost partners and customers, but
The main goal of this Cyber Security Awareness Guide is to give small business
owners an educational reference to help protect their company and its assets. Simply being
aware that the business is targeted for attack and knowing methods of attackers will reduce the
Malware: Malware is a broad term that covers several types of computer code with
malicious intent, focused on destroying something on a computer or stealing data.
commonly a file that has the same name of an operating system file it replaced.
networks as it travels. Almost all viruses are attached to an executable file, which
means the virus may exist on a system but will not be active or able to spread
o Worm - Computer worms are similar to viruses in that they replicate copies of
themselves and can cause the same type of damage, but do not require a host
program to spread.
These are traps used by hackers, many times embedding software into websites
most users should avoid, such as free movie or music download websites. If a
user isn't aware, they could panic, install the real malware payload and basically
give away control of their own system, thinking they were fixing a problem when
legitimate email. The best way to combat phishing techniques is to learn how to
recognize them.
Examples: One of the most popular email phishing schemes is to spoof what looks like an
official email from a prominent bank. It happens so often that Bank of America (2017),
in order to protect its customers and others, set up an Online Banking Email Fraud page
1. Generic greeting. To save time, Internet criminals send phishing emails in large batches
and use generic names like "Security Alert" or "Generic Bank Name Customer" so they
don't have to type all recipients' names out and send emails one-by-one.
2. Spoofed link. Even if a link has a recognizable name, it doesn't mean it links to a real
organization. Roll the mouse over the link and see if it matches what appears in the email.
If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter
personal information begin with "https"; the "s" stands for secure. If "https" is not seen,
do not proceed.
Example:
3. Links to fake account pages. The point of sending phishing email is to trick someone
received, it is most likely a phishing attempt. In this sample, an email would send
someone to a fake Google page in order to steal their login name and password. This is
also done with fake banking pages, social media sites like Facebook or Twitter.
Example:
4. Sense of urgency. Internet criminals try to elicit personal information quickly by trying
to convince a user that something happened that requires an immediate
response. The faster they get the information, the faster they can move to another victim.
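Added example (not part of the original guide): a small Python checker that looks for the warning signs in the list above, namely a generic greeting, a sense of urgency, a link that is not https, and link text that names one site while the link goes to another. The phrase lists, function names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists (assumptions for illustration, not a vendor feed).
GENERIC_GREETINGS = ("dear customer", "dear user", "security alert")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Hostname the link text claims to point at, or None for plain words."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    return m.group(1) if m else None

def strip_www(host):
    return host[4:] if host.startswith("www.") else host

def check_email(html_body):
    """Return a list of phishing signs found in an HTML email body."""
    findings, lowered = [], html_body.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(u in lowered for u in URGENCY_PHRASES):
        findings.append("sense of urgency")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        url = urlparse(href)
        real, shown = strip_www(url.hostname or ""), shown_host(text)
        if url.scheme != "https":
            findings.append(f"link not https: {href}")
        if shown and real != strip_www(shown) and not real.endswith("." + strip_www(shown)):
            findings.append(f"spoofed link: shows {shown}, goes to {real}")
    return findings

# Constructed sample message; the domains use reserved example names.
SAMPLE = """<p>Dear Customer,</p><p>Verify immediately or lose access.</p>
<a href="http://bank.example.verify-login.example.net/signin">https://www.bank.example</a>
<a href="https://www.bank.example/help">Help center</a>"""
```

Calling check_email(SAMPLE) reports all four signs for the first link and nothing for the second, which uses https and plain words as its text.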
Password Attacks: There are several types of password attacks:
o Fake websites: Spoofed sites that look real, but are not. Often a user will click on
a link in an email, website or even in a social media messenger that redirects them
o Brute-force: A program guesses passwords until the hacker gets in. It uses programs
to try combinations of various dictionary words. Cain and Abel is a brute-force
password cracker. Should a thief steal a laptop, it would be easy to boot from a
USB drive running hacking tools to run this program, which would grab all of the
Over the years, the primary targets of hackers have been the servers, desktops and
laptops of businesses, because they have been the primary devices connected to the
Internet. In much the same way cyber-criminals redirected their attack focus from large
businesses to small, cybersecurity analysts say nefarious forces are increasingly turning
their attention to the most personal computer one owns, the device carried everywhere
and trusted with some of the most sensitive secrets: the mobile smart device.
"Over the last two years or so, we have seen a huge influx in the number of
hackers targeting smartphones," says Roel Schouwenberg, principal security researcher for
Kaspersky Labs, to CBC News (2014) in a story discussing how these devices are
Mobile smart devices are small electronic gadgets that put the power of a
computer in the palm of a hand, connected to other devices or networks via wireless
protocols such as Bluetooth, NFC, Wi-Fi, and 3G/4G cellular services. Smartphones and
tablets carry the most personal and financial information of the small business owner
contained in contacts lists, online shopping, mobile banking and credit card apps.
Internet access via a mobile smart device allows small business owners to access
cloud storage, where they could store important business documents, contracts, bids,
service level agreements and much more. Many small business owners also use
smartphones and tablets to process credit cards using third-party magstripe and smartchip
readers and installed mobile apps. The breach of one of these devices by criminals would
malware implanted using the same email attacks directed at personal computers, being
delivered via mobile email apps. SMiShing (SMS phishing) is another common attack
method, sending an SMS text with what looks like account notifications, in the hopes the
device owner will click on the link and receive a virus download to the phone.
advertising Trojans.
packages.
Galaxy S7 hacked with Ransomware, where the victim was infected while using the popular
Facebook Messenger app. A penalty notice warned the victim that they would be
reported as having sexual child abuse content on the phone unless a ransom was paid via
Physical Access
What if a thief breaks into a small business owner's car or home and steals their
laptop? What if a criminal has gained access to a home office via break-in or social
engineering tactics such as posing as a city inspector, a gas company employee claiming there
is a gas leak or a person from the cable company here to fix the wireless problem that
Even if a computer has a password, that doesn't mean a hacker won't be able to
get to the data. Simply inserting and booting from a USB key would grant access to a
hacking toolkit included, as well as all of the files contained on the hard drive.
Here we see access all the way down to the Documents folder containing vital
working documents to our small business owner. These can be copied to the USB drive
for later review. The hacker can also embed malware into the system or any of the files
on the system, and if they are emailed to another location, the hacker has a backdoor in.
If granted physical access to a device, a hacker could place a keylogger into an
open USB port, plant a wired or wireless server or boot into an unencrypted laptop or
desktop to steal data. Many criminals use social engineering skills to put themselves into
positions which allow physical access, such as posing as cable installers, maintenance
storage and keyboards, computers are tricked into divulging data, taking
Would the common computer user notice this little key grabber plugged in
multiple payloads. Plugged into a long cable connected to a USB port in the back
hacking PC. Easily hidden in an office, running wirelessly, this device can
access information on the machine and transmit it over the Internet anywhere in
The most effective way to demonstrate weaknesses to a small business is to use the
same mindset, tools and methods of cybercriminals and hackers. This guide demonstrates
how devices and networks are compromised by attacking systems set up to mirror the same
environment many home-based businesses use to conduct their day to day business.
Find the target with WarDriving: Using a laptop connected to a wireless adapter and a
USB GPS receiver is an old school, tried and true way of allowing a hacker to drive
around in a vehicle, surveying the area for wireless networks and evaluating their
security.
A more modern technique is to use a smartphone, as they come with wireless and
GPS built in. The collected information is stored in a database for later analysis. The data
can be sorted and imported into a mapping application like Google Earth for hackers to
have a roadmap or uploaded to websites where hackers collaborate and share information
This information is then publicly available, not just for hackers, but people
looking for open access points to download or upload illegal content or spam email.
When the authorities conduct their investigations, the trail will lead to some innocent
Wireless Password Theft: Password theft on wireless networks is generally achieved
in two ways:
o Fluxion- Wireless Access Point Spoofing: Spoofing works by presenting users
with what looks like a legitimate Wireless Access Point (WAP), when in reality
it's just a laptop with two wireless cards playing man in the middle. The rogue
WAP presents what appears to be the real SSID and tricks them into connecting to
it. Once the user enters the password to connect, it is stored by the hacker.
o WiFite - Brute Force Cracking: The stealthy way to crack a wireless password is
to capture real network traffic between a legitimate user and the WAP. The
cracking tool sends a signal to a client which kicks it off of the wireless network,
then captures the encrypted packets when it authenticates. Those packets are
then taken back to a more powerful computer, where it runs brute force tools
Footprinting: Once the hacker has access to the internal network, the information
gathering begins by using scan tools to find the devices. Once the devices are detected,
tools are run to find the Operating System type so targeted payload attacks can be
launched. Nmap is the tool used to find devices and determine the operating system.
Attack Systems: Attack system with live exploits to gain access by delivering a payload
that lets a hacker control the system. The demonstration will cover the AFTER attack so
A Kali Linux laptop running Kismet connected to a TP-Link wireless adapter and
The collected data can be extracted from the wardriving database and imported into a
wireless and GPS built in. While not getting the same range as the old school laptop, using a
Once the data is captured, it can easily be uploaded to wigle.net, a site used by wardrivers
Fluxion is used to trick a user into giving away their password by capturing information
from a real wireless access point, then jamming it while putting up a fake access point for the
victim to enter their password. In this demonstration, Fluxion has targeted SmallBizDemo
The target wireless access point has been identified, once the deauth command is sent, the
When the check handshake option is checked, the information gathered from the WAP is
displayed. Then a fake access point is created with the information gathered, jamming the
original access point while presenting the client with a spoofed SSID.
When presented with the fake WAP, the victim will attempt to enter the ACTUAL
Fluxion will compare the password captured from the victim to the captured encrypted
WiFite is an automated wireless attack tool which can mount multiple wireless access point
smart WPA de-authentication, cycles between all clients and broadcast deauths
When monitoring starts, a list of access points will be presented, in this case the
and system ports with Nmap. The process begins by running Nmap on the exploited
network to gather information about systems, by scanning the entire subnet.
The HP computer with the IP of 10.0.0.6 will be the target, as it is probably a Windows
Now that a target has been chosen and an often exploitable operating system has been
found, the attack will shift to methods that target that specific system over the
wireless network.
Attack Systems: Attack system with live exploits to gain access by delivering a payload
that lets a hacker control the system. The demonstration will cover the AFTER attack so
Once the attack has occurred and the backdoor into the system is opened, the hacker has
complete Meterpreter shell access as well as his complete hacking toolkit. This screenshot
shows the exploit running in a background process on the target computer and has opened a
Users\Mama\My Documents would grant access to the same small business owner files shown
above in the physical access attack. Except this time, the hacker is sitting in his car across the
With this kind of remote access, the attacker can launch any number of attacks on the
small business owner. He could inject other malware to infect customers or partners of the
business, or hijack the system with ransomware by encrypting the hard drive and locking the
owner out.
The screenshot below offers a scary option to a cybercriminal with the Webcam
commands. What kind of compromising material can be captured by snapping pictures or starting
Report stolen finances/identities and other cybercrimes to the Internet Crime Complaint
Center: http://www.ic3.gov/
Report fraud, identity theft, scams or rip-offs to the Federal Trade Commission:
http://www.onguardonline.gov/file-complaint
https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-improve-cybersecurity
https://www.fcc.gov/general/cybersecurity-small-business
https://doi.org/10.6028/NIST.IR.7621r1
U.S. Small Business Administration Cybersecurity Resources for Small Business Owners.
https://www.sba.gov/content/introduction-cybersecurity
https://www.dhs.gov/publication/stopthinkconnect-small-business-resources
https://www.us-cert.gov/ccubedvp/smb
National Cyber Security Alliance
https://staysafeonline.org/
http://www.wsmv.com/story/27732818/ransomware-scam-leaves-victims-powerless
https://latesthackingnews.com/2017/03/27/images-samsung-galaxy-s7-hacked-ransomware/