Trust is the #1 requisite when selecting a provider, and it has been a delight to work as a startup with Specter and watch them build an I.T. infrastructure for us in such a quick time that will scale with us as we grow. Their professionalism is why we continue to be happy with the service.
- Daniel Pike, CEO Votre Allure LLC.
If your business is not prepared, getting hacked is easy! Let's take a look at some common reasons businesses get hacked.
- Bad passwords
- Deprecated software
- Failing to apply updates
- Poorly written software
- Leaving default settings on
- Employee training deficits
- And, many more...
Let's look at an example that combines two of these: failing to apply software updates and employee training deficits.
It's exceedingly easy to just hit 'Remind me later'. People make that mistake all the time!
In fact, many people simply attempt to find ways to completely disable their Windows Updates, and other important software updates, altogether! But, ignoring or disabling updates is a huge problem. Especially when you're a business and therefore a target for hackers.
These updates exist for an incredibly important reason most of the time. Not all of them are simply features. They often include security updates. And where a security update exists, you can rest assured that most of the time there is a corresponding Common Vulnerabilities and Exposures (CVE) entry describing the flaw it fixes. More on CVEs later.
Combine the inevitable human error with a system or network primed for attack and you have a recipe for disaster. What follows is a somewhat over-simplified example story of how a hacker might act opportunistically to exploit your company for monetary gain or personal pleasure.
Step 1: Reconnaissance
Knowing that employees often make poor decisions about information security and often default to trusting behavior, the hacker decides to investigate the company's employees.
Apparently the company has a listing on LinkedIn, an up-to-date company directory, and several public events where employees attended and were listed. This is more than enough information to work from without having to perform more painstaking work of active recon through phone calls, etc.
Although this company is relatively small at 20 employees, this is more than enough to work with, and the hacker moves forward by creating a short-list of who should be investigated first: Suzy (CEO), Jim (Field Manager), Bob (Operations Manager), and Jill (Human Resources Manager).
Now the hacker performs a more detailed investigation into the above four individuals. Of them, Bob the Operations Manager really stands out. He has a Facebook profile where he constantly rants about technology being the bane of his existence, reminiscing about the better days of the past when things were simpler and more efficient (from his perspective). This also shows in how he posts: mistakes stay uncorrected, suggesting he doesn't know how to use the edit feature when something goes wrong.
Suzy is obviously interesting as the CEO. She even has her email address listed on her LinkedIn profile. But, she appears to be pretty tech savvy and will undoubtedly be difficult to get in touch with.
Bob, on the other hand, is perfect. He seems to be technologically disinclined, and a bit jaded. That's exploitable. Unfortunately, other than Facebook, the hacker doesn't see any contact information listed.
Step 2: Social Engineering
The hacker then starts to learn just enough about the industry to be convincing in short conversations. After doing so, the hacker sets out on a series of calls over days to weeks talking to different employees. Eventually, Bob's phone number is acquired.
This particular hacker is new to the field, so rather than attempt technical attacks that may be logged on servers or be picked up as abnormal behavior by the person in charge of IT, he decides to take a simpler approach.
The hacker is simply going to ask Bob for the information he needs. Here is the conversation that takes place between the hacker and Bob. Yes, it's a fictional conversation. But, it's fairly realistic.
Hacker: Hi Bob, this is Jarod over at Microsoft's Customer Service department. We've had an abnormally large number of error messages originating from your company delivered through Microsoft Word error reporting systems. I spoke to Jill in HR a couple weeks back, and she informed me that you'd be a great person to talk to as you've experienced some problems on your machine in the past.
Bob: Hi Jarod. I'm a bit busy right now, but I'll do what I can to help. What questions do you have for me?
Hacker: Oh, this is easy. It will only take about 2 minutes. I just need to see which version of Microsoft Office is installed on your system, and what version of Windows you're running. (NOTE: the assumption that he's on a Microsoft Windows computer with Microsoft Office on it is a fair one. The lion's share of businesses use Microsoft Products. And, even if he was wrong on the software, the hacker could just pivot to a different strategy later.)
(Hacker provides instructions. Bob does as he's asked.)
Bob: Microsoft Office 2013 Service Pack 1 on Windows 7 Service Pack 1.
Hacker: Thanks so much, Bob! I really appreciate it and I'll be out of your hair now. Please have a nice rest of your day. (Unstated: There is definitely a CVE for that setup!)
Step 3: Taking Action
So, the hacker now gets to work looking for easy exploits of this old system. He'll start with low-hanging fruit among the CVEs, or Common Vulnerabilities and Exposures. These are easily found with a Google search.
You'll see above there are 819 CVEs listed under Microsoft Office alone! The hacker then decides to go with CVE-2017-0199, which uses a fake Microsoft Word document with an embedded script to gain a remote connection to the machine on which the document is opened.
The hacker then recognizes that this is a very vulnerable system on what is likely a very aged IT infrastructure. He's got a wealth of opportunity, and to date he's done almost nothing that would be suspicious.
The hacker reviews the list and ultimately decides he can take the simple "Script Kiddie" approach. (Script Kiddie is a disparaging term that hackers and information security professionals use to describe unskilled individuals in the field who benefit from easy targets and tools created by much more knowledgeable individuals.) The hacker then fires up his Kali Linux box (an operating system built for hacking) and launches Metasploit (a software program with a repository of scripts used in exploiting machines).
No surprise. Metasploit already has a module that can be easily leveraged to take advantage of CVE-2017-0199! This will be easy! He just has to provide a few parameters to the Metasploit module and hit run. He'll then have a malicious Microsoft Word document. He'll send this document to the CEO, Suzy, pretending to be Bob. Once Suzy opens or previews the file, her computer will connect back to a server listening on the hacker's own machine, giving him access.
So, the hacker does just that and generates the document with the Metasploit module for CVE-2017-0199.
If you're feeling adventurous and want an inside peek at what it's like to find the CVE and see the Metasploit exploit for CVE-2017-0199 in action (hint: easy), please feel free to watch the video below. It shows how, in only a few minutes, you can identify a CVE and create a malicious document that can take control of a remote computer vulnerable in the way described above - a very common scenario.
Now that the hacker has created an infected Microsoft Word document, it's ready to deploy. The last part, or the deployment of the hack, is fairly simple. Simply write an email, and send the attachment.
There are two obvious routes the hacker could take to send the email. One, hack Bob first and send directly from his personal email account. This would be the hardest to detect, but takes additional time. Two, spoof the email. That is, forge the message so it looks like it comes from someone it does not. This is a little more likely to be spotted by a savvy user, but can be done very simply. This time, the hacker decides on the first route: he sends Bob -- the less technically savvy employee -- a spoofed email first, then uses Bob's compromised account to reach Suzy. It's going to be harder to trick Suzy directly.
Assuming Suzy has the same programs and versions installed as Bob, if she so much as peeks at the preview of the document, the malicious script embedded in the Word document will run and the hacker will have access to the CEO's computer, and everything in it and connected to it, with hardly more than a few minutes of work, some Google searches, and a few phone calls.
This is just one very simple method, of countless, for hackers to penetrate and exploit modern IT infrastructures.
No business is 100% safe from hackers. But you can drastically reduce your odds of being hacked and, just as importantly, limit the damage if you are hacked by being proactive. Keeping up with the hackers is a non-stop, tireless effort. But it's doable.
It's important to analyze infrastructures for weaknesses, address them proactively, and create disaster recovery plans.
We at Specter Technology Solutions work hard using industry best-practices to protect you from the many ways you're at risk of losing your business by being hacked and more! We're the IT managed service provider that the discerning business or business owner deserves to work with.