- Rescana Engineering
How to make your small business a hacker’s nightmare
Millions of dollars are being spent by enterprises on the latest cyber security software and services, talented engineers are hired at top dollar, and expensive consulting firms as well. Yet the headlines are full of these mega-corporations toppling one by one at the hands of the hackers onslaught. How could you, a small business owner, with a tiny budget, and your ultra busy schedule succeed in protecting your fort, while these giants continue failing? think of it this way, you have less doors and windows to accidentally leave open, your treasure chest isn’t a huge one, so it isn’t worth too much attention from the hackers perspective. All you have to do is devote a little time and effort to this aspect, like many other aspects of your business, and you will improve your chances tenfold.
Covid has left small business piggy banks broken - ignoring this would cause our plan to be flawed and lower its chances of succeeding. That’s why I’ll try and help you substitute dollars for time - be it by using open source tools (in my experience might be more labor intensive, but could help save you some money). Or by offering your employees good training and policies rather than expensive software to compensate for the latter.
Top Small business threats
This is a run down of the top threats small businesses are facing (Later, we’ll see how our defence plan will address them):
By all accords, ransomware is one of the worst modern day cyber threats. The damages from ransomware are estimated to reach a staggering 20 billion next year (https://www.thesslstore.com/blog/ransomware-statistics/#:~:text=Research%20from%20Datto%20indicates%20that,victims%20were%20SMBs%20in%202019) . Ransomware attacks have several methods of operation, which differ in the way the attacker gains access, what and how the victim’s files get encrypted, and how the ransom demands are delivered. But the end result is always the same - you will suffer a denial of service usually by denying your access to your data (but sometime it can be by keeping your website down or some other important service), and then you will be required to pay a certain amount to restore said access or service.
Supply chain/Identity theft
Unfortunately, your security depends on your partners security as well. If a partner that holds your sensitive information is breached, that information can be used against you, just like a stolen passport or any other form of identification.
Email is the de-facto way business is done today, it is used by most employees and it is an important aspect of your attack surface. Predominant email attacks are:
Phishing - when the attacker tries to convince the victim that they should divulge sensitive information, or click on a link or attachment which will in turn try to install a virus or ransomware.
Spoofing - When an attacker uses a vulnerability in the mail/dns system to impersonate one victim, while communicating with another.
Fraud - There are many different types of email scams, ranging from distress messages from stranded employees requiring money transfers, to (compromised) suppliers asking to change their bank account numbers so your next payment will go to the attacker.
Know thyself (and know thy enemy) - people process systems
Manage your assets
If you don’t know what you’ve got, there is no way you can know how to protect it. Make a living document which is an inventory of the following -
For each of these, at least have the following columns:
- Priority / Impact - set a score of 1-3 of how important this asset is to your business. How hard would it be to recover from it’s loss? How many other functions would be hindered? How much would it cost per day?
- Sensitive information handler/storage” (sensitive is usually business sensitive information like reports, system wide passwords etc. or privacy related information like customer or employee lists etc)
Learn from your peer’s failures
This is a generic guide, its purpose is to help businesses of all kinds. But your business is special, and might have special weaknesses that need to be addressed. A good way to learn about this is by looking at incidents that happened to businesses similar to your own and might have reached the news. Try to identify the business processes that are unique to your business from the inventory that you built, and then spend some time trying to identify what threats are relevant to them (more on threat modeling later).
Basic cyber security hygiene
Ok, now for the nitty gritty. The following is a list that should help you cover all your important bases.
Offline backups - as opposed to when systems fail, in which case there is no problem with your backups being online, when a hacker strikes, your backups need to be protected. There is no better way to protect the backups of your crown jewels than by keeping them offline. Pay attention that your workstation and laptops might have business critical information and might require restoration as well.
Endpoint protection - be generous here, a good endpoint protection suite will thwart a myriad of attacks, including ransomware and others. Don’t forget to have it cover your mobile devices as well.
Training (examples - https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwin8KrYlInsAhXHzIUKHZp-B3kQFjABegQIARAB&url=https%3A%2F%2Fwww.mga.edu%2Ftechnology%2Fdocs%2Fsecurity%2FUSG_Security_Awareness_Primer.pptx&usg=AOvVaw3B4q9f9UKGn6jbkidsrzAZ , https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwin8KrYlInsAhXHzIUKHZp-B3kQFjAKegQIAhAB&url=https%3A%2F%2Fwww.memphis.edu%2Fbusinessofficers%2Fdocs%2Fsecurityawareness.pptx&usg=AOvVaw2aFrfTtwtiaSLJCtJoDjzc ) - make sure to regularly give your employees some awareness training. You should also run some phishing simulations with a free tool like gophish (Gophish - Open Source Phishing Framework) or similar. Also, make sure to implement verification procedures for sensitive processes such as changing bank accounts of suppliers and payments.
Inbound mail security - This is a biggie. don’t settle for the default security that comes with your email provider (like gmail or office365). There are many good email security providers, just make sure the one you choose has a sandbox, and covers fraud (BEC - business email compromise ) and phishing attacks.
MFA - Make sure to turn on multi factor authentication for all the services you are using, and consider switching if your provider doesn’t support it.
password managers - Use a password manager, preferably one with browser integration such as onelogin or Lastpass. Password managers will make it easier for you to use a different password for each services, so if one of your partners gets compromised, it doesn’t mean all your accounts everywhere are now exposed.
Patching (software updates) - Make sure to always run the latest software on your systems. This includes client software such as office and acrobat reader, operating systems such as windows and server software as well like your file and print servers
Collect and securely store your logs - Just in case you get compromised, collecting all your logs to a secure location might give you a chance to make sure the same exact attack doesn’t succeed again. Many online log collection services come with free packages (loggly, paper tail) that should be enough for a small business, or you can install an open source server for this if you have the resources (11 Open Source Log Collectors for Centralized Logging - Geekflare). You could even use one of the large cloud providers free tiers to implement your log collection solution.
Use a systems management service like microsoft intune, jumpcloud or jamf. This will allow you to remotely encrypt your drives, and enforce complex passwords for your laptops, pcs and servers. If you are running a small shop, or want to spare the costs you can skip the central management and do it manually on each system - Every major operating system comes with built in drive encryption and password policy capabilities, use them and reduce the risks that come with hardware being stolen.
Setup domain email protection - SPF/DMARC/DKIM these will protect your email domain from being impersonated (https://dmarc.postmarkapp.com , https://mxtoolbox.com/SPFRecordGenerator.aspx )
honeypots/canaries - (Advanced) a canary or honeypot is a very effective method of detecting attackers. you can use this open source project to alert you when someone is messing around in your network - GitHub - thinkst/opencanary: Modular and decentralised honeypot ( you can even run it on a raspberry pi Use a Raspberry Pi To Catch Hackers with OpenCanary | Tom's Hardware)
Budget a pen-test/audit at least once a year - do the first one after you’ve implemented some security as to not waste your money on the obvious stuff. Make sure the assessment includes - a “blackbox” penetration test, a “white box” penetration test and an audit. Use a different company every year.
Where you probably shouldn’t waste your attention/money
A lot has been said about what you can do to protect yourself, but here is a list of things that you might want to avoid in order to be able to focus on what matters.
If you can avoid it, don’t use Infrastructure as a service (Cloud)
If possible, use SaaS (software as a service) and PaaS (Platform as a service) in that order and avoid Infrastructure as a service (AWS/GCP/Azure virtual machines). Cloud security is complex and costly (much like managing servers on premises) and most companies get it wrong (misconfiguration, patching, lost keys etc.) so as usual, it’s better to sidestep it if possible.
Due to the reduced costs of laptops and other mobile devices, covid makes us all work from home and all sorts of other reasons. The firewall has lost some of it’s flare. Your office network may host your users some of the time, but most of the time they will be working from other places, and your firewall’s protection won’t help there.
Custom websites/hosting companies (use Wix or other platforms that will handle security for you)
When you are shopping for your next website redo, make sure your designer uses a platform as a service like Wix.com or Square space, where security is backed into the platform, and not something you need to be concerned with - web site security is complicated and costly, best avoid altogether if you can.
Vulnerability management software
Whilst these are great tools, they are expensive and time consuming. for a small shop just update everything manually, and if you can spare the time, use an open source solution like OpenVas to get your reports.
These solutions provide great value, but will require a lot of resources to become effective. I suggest only looking into them when you need to comply with some regulation or after you have some dedicated security staff to manage this (everlasting) type of project.
Whilst these can prove important (especially to investigate a breach) like SIEM, they are very expensive and labor intensive projects. Instead, just just make sure to turn on native logging in your databases as a starter.
To find your weaknesses you need to think like a hacker. Fortunately for you there are methodologies out there that will help you just in case you aren’t the hacker type. a predominant one is called STRIDE (STRIDE (security) - Wikipedia). It was developed by Microsoft, and includes six types of threats which you can try to apply to any given system/process. Try to think if any of them fit, and how you can thwart them by alerts, procedures or in technical manner. These drills are time consuming, so start with your most important things first.
Have a doomsday plan
Be prepared! write down these scenarios, and how recovery should happen. This preparation will reduce the damage if something happens. Also, Imagine a cyber incidents happens while you are away on vacation.Make sure your employees can handle the first stages of a crises.
Ransomware - Make sure more than one employee knows how to restore from backups, or have a service provider on call. Run drills! Assume your backups are useless if you’ve never tested them.
fraud/phishing - Have contact lists of your partners available in case of an emergency, same for your banks and payment providers.
Cybersecurity partner - get in touch with some cyber security firms. If something happens you don’t want to start shopping under panic.
Cybersecurity insurance - If you can afford it, this type of insurance will reimburse you in case of a cyber security incident. It should cover direct and indirect damages such as cyber security service providers, PR etc.
To sum it all up
with some initial investment, some open source tools and a lot of attention. You can make an attacker choose to move to another target if he happens to scope you out. As the joke goes “you only have to run faster than the other guy when being chased by a lion :) “