Business Tech Vulnerabilities: Problems & Fixes

It’s fair to say that technology plays a key role in modern business. Without a thorough understanding and implementation of tech, it’s far too easy for your business to fall by the wayside. Technology is how businesses are run: contracts are signed by email, customer files are stored digitally rather than on paper, and every employee history is accessible with a few taps of a keyboard.

It’s impossible not to see these technological advancements as a good thing. Businesses have become simpler, in the best way imaginable. Technology has sped up tasks that otherwise would have taken weeks, improving the way the world works beyond doubt.

So let’s all agree: technology + business = good things.

However, there are a few downsides that no savvy business owner can afford to overlook. If you want to have a full grip on all of the tech, internet service, devices, and storage that your business uses, then you need to think about the potential that exists for vulnerabilities. By ensuring you close any potential gaps that could be exploited, you can be sure that your business is able to enjoy all the benefits of technology, but without any of the pitfalls.

Here’s a look at the areas you’re going to need to focus on.

The Employee Threat (Part One)

Everyone that accesses your business tech is a potential weakness in your systems.

The Problem

If that sounds harsh, perhaps it is, but it’s also true. Computers and technology can do a lot of the heavy lifting; they can prevent attacks on your system, ensure you maintain your records as you should, even do your accountancy work. However, these processes can only happen if they are correctly controlled by human hands.

This is a particular concern when it comes to security. Passwords are great, but humans who don’t change their default password are incredibly common. Your members of staff may have little appreciation for the way that their behavior has the potential to cause real disruption to your business.

Solutions

It’s important to preach a need for constant vigilance when it comes to tech security. If a member of staff has access to a database or your public cloud hosting, then they need to be able to prove they understand the security requirements. One way of doing this is by making each employee take a quiz to prove they at least know the basics of online security.

The Employee Threat (Part Two)

Yes, sadly, there’s more than one issue when it comes to your employees. Even if you feel you have the best staff in the world, there’s no denying the fact they have the potential to cause you all manner of problems. Let’s focus on another potential employee issue you need to be aware of…

The Problem

One of the major benefits of technology is that working has become more flexible. We can now go through important emails on our phones, or browse through customer records to fix problems on the beach if we so desire, but this flexibility is also a security risk.

First and foremost, if your employees are accessing the company software or cloud when out of the office, there need to be restrictions on how they do it. For example, how are they connecting to the internet? Are they using open Wifi networks? If so, that’s a serious risk to your company safety.

  • Insist that any out-of-office Wifi connections must be completely secure; the home network of your employee, or a reliable mobile network.
  • All security passwords must be changed from default.
  • Never, ever, ever should an employee connect to an open Wifi network. These are simply not secure enough for your company data.

Of course, there’s no way of guaranteeing that employees are actually going to do this. All you can do is make the point, explain why it’s so important, and make it clear you will take any transgressions of this rule extremely seriously.

The Outside Threat: DDoS and Hacking

Okay, enough making you worry that your employees are going to bring down your business! Let’s give your employees a break, and move onto the threats that come from the outside.

Many of us think of hacking problems as being an issue for large companies. After all, if hackers are going to spend their time trying to breach a company, they’re going to go after the big fish, since it guarantees them the bigger payday. If your business is only small, then you might just entirely overlook the hacking threat, seeing it as one that other, bigger businesses need to be concerned with. This attitude poses a real threat to your business.

The Problem

Sure, hackers want the biggest payday or to cause the maximum disruption with their work, so they’re going to target large companies. However, large companies also have far sterner security blocks than small companies. That means it’s more work for the hackers to breach them. Instead of spending weeks working on a single company, many hackers might turn their thoughts to small companies, where the vulnerabilities in the tech are easier to exploit.

One particular risk that you need to be very alert to is ransomware. Basically, ransomware means that your systems will be shut down — you won’t be able to access any of your computerized data — until you pay the hackers off. Ransomware is incredibly lucrative for hackers, even though people are always advised not to pay hackers. The truth is that for many businesses — especially those that are not as tech-aware as one might hope — their only option is to pay. If they don’t, they no longer have access to all of their business files; potentially meaning they literally can’t run their business.

As well as ransomware, you may also find yourself falling victim to a “distributed denial of service” — better known as DDoS — attack. These attacks have the potential to bring everything related to your business offline; company records, accounts, anything at all.

These two issues — ransomware and DDoS — are matters your business tech has to be alert to at all times.

The Solution

The simplest way to protect against ransomware is to completely back up your data, ideally on a daily basis. Yes, this is time consuming, but at least it means that no one can ever hold your business’ critical data hostage. If you have backups, then what’s being held ransom isn’t as vital to your business continuity. It does still pose a risk; for example, you don’t want your customer data to be leaked, but at least you can continue your business while you deal with the issue. Contact the cybercrimes department of your local police force for further assistance, but be reassured by the fact your business doesn’t have to grind to a halt thanks to those handy backups.

When you have a backup regime in place, examine the providers you use for various tech services. You will need to select your systems and public cloud hosting very carefully; decent providers will have some sort of DDoS protection included.

Will the above measures work? To a point. It’s almost impossible to ensure that you never get hacked, but the above will at least limit the damage, and make hacking harder to do.

The Update Problem

Let’s wrap things up with a simple word of warning about updates. System, software, and tech updates are annoying. When you get the notification, it’s impossible not to roll your eyes with frustration. You’re now going to have to sit through a potentially long update process, unable to do anything useful in the meantime… so you click ‘postpone’ or ‘remind me later’.

Then you keep clicking ‘remind me later’. Upgrades are always inconvenient, especially if you’re busy running a business. The idea of your system shutting down to update just isn’t feasible, or at least, you’re not willing to let it be feasible. So you keep postponing, over and over and over again.

The Problem

Let’s be honest: you know what is about to be said. This isn’t your first day online. You know that updates are important. You know that they contain security fixes which can help protect your business files. You know that you should install them immediately. We all do; we’re all well aware that those irritating update notifications are actually a good thing, our tech telling us that it’s found a way to make itself better.

If you don’t update — as you well know — then your system is going to be vulnerable. Patches for security glitches that were included in the update aren’t going to be available to you. So, it’s fairly clear what comes next…

The Solution

Update as soon as you receive the notification to do so.

Yes, it’s inconvenient. Yes, it’s annoying. Yes, it always seems to happen at the worst possible time. However, considering the stakes — the very safety of your business — these are relatively small issues. It’s worth a little inconvenience to keep your data, your customers’ data, and your entire business operation as safe as possible.

With your vulnerabilities closed, your tech security will ensure your business continuity for years to come.

Top Tips for Staying Safe Online

With the prevalence of big computer hacking stories out there these days, the internet can sometimes feel like an unsafe place. As we devote more of ourselves and divulge more personal details to technology, it can feel somewhat risky. But there are a whole host of ways that you can better protect yourself while you are online. And the vast majority of them are very simple, so it is certainly worth reading on to find out more.

Make Passwords More Complex

Though you will have heard this advice a million times before, a surprising number of people still rely on simple passwords which can easily be hacked or stolen. You are better off using different passwords for different websites, and you also want to make them strong passwords containing a combination of letters, numbers and symbols. Where it is available on smartphones and tablets, use the fingerprint or facial recognition systems that they suggest.

Enhance Network Security

You need to ensure that any network you connect to is a secure one, so try to stick to password-protected routers that encrypt your data. Be careful when using public WiFi as it tends to be unsecured. Even if you do have a secure connection to the internet, you should still use a firewall so that hackers don’t have a vulnerable point of access from which they can get to your files and personal details.

Safe Surfing and Shopping

Ensure that any website that you share your personal information with is trusted and be careful about putting your credit card details into a site. Be careful with copycat sites which seem like the original ones but have some misspelling or bad grammar. Look out for the padlock symbol beside the URL in the address bar, which indicates that the connection to the site is encrypted.

Set Limits on Your Spending

A major issue that people get into online is that they are tempted to spend more money than they have. So, be wary of one-click payment systems which seem very convenient but ultimately make it more tempting to spend your cash. If you are going to be playing online games like Unibet casino games, set limits for yourself so you don’t spend more than you should. Practicing mindful spending online is an important habit to get into.

Keep Software Updated

Make sure that you have all the latest security systems installed on your software. Turn on automatic updates so this is not something that you have to think about doing yourself. Run regular scans to give yourself peace of mind and confidence that all your systems are safe. Keep on top of what all the latest scams are so you are more confident that you know what you are looking out for.

These five points are a good starting point for staying safe online. Make sure that you are always on your guard as the online world is a dangerous one, but you will put yourself in a much better position with safe internet practices like these.

Technology Is The Future

We’re in an era where technology rules our lives. There’s not much left in the world that can be done without the aid of tech. What an amazing era to be in. The advancements that are being made are huge, so much so that people are saying computers will be taking over the world before we know it. A scary thought for some, truly exciting for others. Let’s explore how tech is set to be bigger than it already is.

Virtual Reality

This is a big hit at the minute. Since PlayStation released their virtual reality set, things have only got better. Yes, they’re a little pricey, but what you get for that price is incredible. It’s the chance to dip into another world and escape reality. The realism of it all is truly spectacular. Whether you’re gaming, watching a movie, or using their wildlife experience, you will always feel like part of what you’re doing. At the minute, all you can do is walk around, or feel like you’re walking around. There are also gadgets that let you move, for example, a gun around, to make things more realistic. Now, at the minute it is purely 3D, but developers are aiming to make it 4D in the coming years, so you’ll be able to touch and smell actual things within the game or movie. More information can be found on the Human Paragon website. If that isn’t going to revolutionise the technology world, we don’t know what is.

Robots

This is definitely one of the scariest, yet most exciting, advancements being made. First, there’s the engineering side of robotics: arms and machines that do the intricate work a human hand just can’t manage. This really is pioneering technology. It’s helping so many companies, and is even helping to create new technology. It’s so helpful in medicine that some surgeries have parts performed by robots rather than surgeons. To say we’ve got to that stage is incredible. Now, the scary side of this is the human robots. Japan and China in particular have a huge interest in this area. As cool as it may sound, they’re being developed to have human emotions: happiness, love, anger, and hate. So what happens when a human’s angry? They lash out. What happens when a robot is angry? Surely it’ll only mimic the human emotion. Whilst we’re not quite there yet, advancements are being made for fully human-like robots to enter our world.

Driverless Cars

This is the most interesting development. So many people have to make long, boring car journeys every day, but advancements are showing that this might not be the case for much longer. Huge strides have already been made. All Tesla models now come with an autopilot feature, basically meaning the car can fully self-drive. Some people are sceptical of the safety, but Tesla assure people it’s completely safe. In a recent video of it in action, the car predicted a crash and braked in time for the people in the Tesla to be safe. If this is the future, it’s amazing.

OSCP Achieved – Offensive Security Certified Professional

For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.

What the heck is OSCP? This is from the OffSec description:

The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.

In other words, it means you are pretty good at hacking into computers through various means.

Preparation

I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.

Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!

Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.

The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.

Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”

The Exam

This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.

Sleep is optional. Sustenance is highly recommended.

I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.

I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.

At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.

Documentation

All in all, my documentation consisted of:

  • All exercises from the PWK course.
  • Documentation of 10 compromised machines from the Lab. I ended up compromising a total of 25 machines, but 10 are required to be documented.
  • Documentation of the exam machines.

All of this ended up being about 230 pages long!

I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.

I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!

Lessons Learned

A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.

I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable material in the course anyway. It really teaches you a lot even though it can get rather dry at times.

Resources

At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.

My Slides from Drupal Camp Asheville 2017

Thanks to all for coming to my talk! Here are my slides. Drupal Security #devsecops #dcavl @drupalasheville
DevSecOps – Slides

I enjoyed being at Drupal Camp, and it was good talking with the many new folks I met (as well as the ones I already know). If you have any questions or comments, feel free to post here or contact me directly.

Update:

Video is Now Available Too!

4 External USB Wifi Adapters for Kali Linux Pentesting

If you are like me, you have been working with Kali Linux, the Linux distribution for penetration testing and ethical hacking, and have been running it as a virtual machine on your 2015 Macbook Pro. And, you have been having issues with sniffing packets because your 2015 Macbook’s built-in wifi adapter is not going into true promiscuous mode — only a limited version that doesn’t give you everything you need. Sadly, other versions of the Macbook don’t seem to have this problem at all, so you may be finding yourself in need of an additional interface.

Or, perhaps you are not like me, and the chipset driving your PC’s Wifi adapter doesn’t let you do much at all, and you just want an external USB Wifi adapter that will make it easy to use tools such as Aircrack-ng for ethical hacking jobs.

Whatever the case, I’ve done some research and will present a few options that don’t break the bank and should provide you with a quick and easy way to do all the proper packet sniffing you deserve.

TP-Link N150

The first option on this list is the $13.45 TP-Link N150 dongle. A small USB device that sports a detachable antenna, it should get the job done if you prefer portability over power. This device uses the Atheros AR9271 chipset, which is known to work smoothly in Kali Linux (and probably most other distros).

USB Rt3070

The cheapest USB adapter, at a paltry $11.99, is the generic USB Rt3070, another dongle style device that is also the smallest you will find here. With similar specs as the TP-Link device, this one is even easier to conceal, and probably won’t raise any suspicions if you have it plugged into your laptop in a crowded place. While not the most powerful device by any means, if you are near the router you want to connect to, it shouldn’t be a problem.

Alfa AWUS051NH

Taking a big step up in everything, including features, power, and profile, we have the Alfa AWUS051NH. This one has been sitting on my Amazon wishlist for quite a while, and I think it’s about time I pick it up. It even has a holster with suction cups to stick to a window, and it will pick signals up from long range.

If you are needing to physically stay away from the target you are testing, while still being able to test it, try this sucker.

Alfa AWUS036NHA

Lastly, we have another Alfa device, both of which get really good reviews for Kali Linux in particular. At only $6 more than the AWUS051NH, the Alfa AWUS036NHA looks cooler and has a boost in power to let it pick up signals from even farther away. It also comes with the holster and suction cups for the windows of your vehicle, office, or home. According to its description, what sets it apart is the “High Transmitter Power of 28dBm – for Long-Rang and High Gain Wi-Fi.”

 

Are there others?

Have you tried any of these? What did you think? Know of any others that do a good job?