
Dec. 1, 2007 – How hackers are likely to cripple small businesses

Small business owners don’t think they’re at risk for getting hacked, but they’re often at greater risk than larger companies.

By Justin St. Clair
Published in the St. Louis Small Business Monthly

It was an innocent high school project that led Matt to try his hand at hacking. He read a book on the subject that gave him enough information to get started.

“Most kids do it just to see if they can,” says Matt, whose name has been changed because he agreed to speak on the condition of anonymity. “I read a book on a professional hacker who’s now an IT security consultant. That got me curious, so I tried it.”

He called a local company, lying about his identity, and within minutes he had all the information he needed to break into their system. For Matt, it was just a simple thrill. But once he broke in, he could have wreaked havoc on the company’s entire IT infrastructure.

Matt is what you would call “a nice kid.” He pulls good grades, plays high school sports, and is always on time for his part-time job. But he’s also part of a growing number of young people who are delving into the intriguing world of computer hacking. Everything the curious mind needs to know about hacking – including the tools to do it – is free on the Internet.

Two Kinds of Hackers

There are two very different kinds of “hacker.” An “ethical hacker” is a computer programmer or designer with excellent skills who a company might hire to test the security of its information systems and pinpoint weaknesses by attempting to break in.

The other kind of hacker is someone who takes their computer skills and uses them for intrusion or illegal activity. This negative form of hacking has a subculture with its own language, rules, and moral code. And their primary targets are small businesses.

Small Business is Prime Target

“Small business owners think it’s a very low percentage that they will get hacked – but in fact, it’s actually a higher percentage if their network is on the Internet,” says Michael Leyden, Director of IT Technical Operations at St. Charles-based The Newberry Group.

Larger companies usually have IT departments and personnel assigned to keep the IT infrastructure safe. Smaller companies don’t have these resources. And, if the truth be told, small business owners are often more interested in “producing” than “protecting.” Why? Probably because “protecting” is a long-term goal and “producing” is the number one immediate goal.

But to unethical hackers, the unlocked doors that result from that mentality are pure temptation.

“Hackers like to go after small businesses – because they’re easy,” says Matt.

It’s enough to make any small business owner feel vulnerable. The bad news is that no IT system is totally secure. There’s always a way in. But the good news is that you can do some very simple things to greatly reduce your vulnerability. By knowing the hacker’s technique, you can greatly deter recreational hackers like Matt and frustrate professional hackers.

Reconnaissance

“The first thing a hacker will do is reconnaissance or ‘foot printing,’” explains Rich Berry, Senior Computer Security Systems Specialist at The Newberry Group. They’ll check your website. They’ll look for news articles. In short, the unethical hacker will get as much information as they can from public sources.

That’s why your company being “in the news” creates such a temptation. News articles give the unethical hacker two things: information – such as the names and titles of your IT people; and motivation – hacking a news-making company is something about which to brag.

There’s not much you can do to stop the reconnaissance. But the good news is that information available to the public usually isn’t enough to compromise your IT system. It takes more detailed information. For this, the unethical hacker turns to “social engineering.”

Social Engineering

“Social engineering is when you pretend to be someone you’re not or you’re just making seemingly innocent social conversation but your goal is to get specific information,” Berry says. “For example, from the information gathered in their reconnaissance, the hacker will call your Help Desk and act like they are someone in your company.”

That’s exactly how Matt got the information he needed to hack into a company’s system.

“It’s real easy to get a hold of company’s exact IT information if you just act like you’re a person from the inside,” Matt says. “They’ll tell you virtually everything.”

It’s a simple trick that preys upon a good employee’s natural desire to be helpful. An unethical hacker will call any of the employees (new employees are especially vulnerable) and act like a fellow employee, a customer service rep, or even one of your own IT staff members.

“I just acted like I was with their IT Security team and the employee told me anything I wanted to know,” Matt says.

Pretending to be IT support people, unethical hackers will use simple questions like: “Oh by the way, what kind of operating system are you using?” or “Do you know your IP address or the range of IP addresses?” or “What kind of phone system are you using?” Well-meaning employees and executives want to sound knowledgeable. They don’t realize they are exposing the company when they answer the question.

Scanning

Learning your company’s IP (Internet Protocol) addresses is the next stage of unethical hacking. If social engineering doesn’t yield them, the hacker turns to “scanning.” Basically, the hacker uses programs (again, free on the Internet) to find out which systems on your network are live and reachable from the Internet.

Scanning techniques include network ping sweeps and port scans. Both firewalls (which put a barrier between the Internet and your internal network) and Intrusion Detection Systems (which look for suspicious activity and raise an alarm if there is an attack) can help stop the unethical hacker at this point. It’s important to keep your firewalls and detection systems up to date, since older versions may themselves be compromised. The real trouble begins if a hacker can break through and get into your system.
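The article says an Intrusion Detection System “looks for suspicious activity and raises an alarm.” The following is an added example, not code from the article or from The Newberry Group, of what that looks like at the simplest level: it reads firewall deny records and flags the two scanning patterns the article names, a port scan (one source probing many ports on one host) and a ping sweep (one source probing many hosts). The log format, the thresholds, and the sample lines are all constructed for this example; a real firewall or IDS has its own format and its own tuning.

```python
"""Flag port-scan and ping-sweep patterns in firewall deny logs.

Added example, not from the article or The Newberry Group. The log
format is a constructed, simplified one: timestamp, DENY, protocol,
source address, destination address and (for TCP/UDP) destination port.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?$"
)


def _constructed_sample_log():
    """Build constructed sample firewall lines (not real traffic)."""
    # One external host probes 12 ports on one server within 12 seconds.
    scan = [
        f"2007-12-01T09:00:{i:02d} DENY proto=tcp src=203.0.113.7 dst=192.0.2.10 dport={p}"
        for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
    ]
    # Another host pings 10 internal addresses within 10 seconds.
    sweep = [
        f"2007-12-01T09:05:{i:02d} DENY proto=icmp src=198.51.100.4 dst=192.0.2.{h}"
        for i, h in enumerate(range(1, 11))
    ]
    # Ordinary noise plus one malformed line the parser must skip.
    noise = [
        "2007-12-01T09:01:30 DENY proto=tcp src=192.0.2.55 dst=192.0.2.10 dport=80",
        "2007-12-01T09:20:00 DENY proto=tcp src=192.0.2.55 dst=192.0.2.11 dport=443",
        "garbage line that should be ignored",
    ]
    return "\n".join(scan + sweep + noise)


SAMPLE_LOG = _constructed_sample_log()


def parse_log(text):
    """Parse deny lines into dicts, skipping lines that don't match, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "proto": m["proto"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scans(events, window=timedelta(seconds=60),
                 port_threshold=10, host_threshold=8):
    """Return one alert per (source, pattern) whose activity crosses a threshold
    inside any `window`-long span of that source's events."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        reported = set()
        for i, first in enumerate(evs):
            ports_by_dst = defaultdict(set)   # distinct TCP/UDP ports per target
            icmp_targets = set()              # distinct hosts pinged
            for e in evs[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                if e["proto"] == "icmp":
                    icmp_targets.add(e["dst"])
                elif e["dport"] is not None:
                    ports_by_dst[e["dst"]].add(e["dport"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold and ("portscan", dst) not in reported:
                    reported.add(("portscan", dst))
                    alerts.append({"kind": "portscan", "src": src, "target": dst,
                                   "count": len(ports), "first_seen": first["ts"]})
            if len(icmp_targets) >= host_threshold and ("pingsweep", None) not in reported:
                reported.add(("pingsweep", None))
                alerts.append({"kind": "pingsweep", "src": src, "target": None,
                               "count": len(icmp_targets), "first_seen": first["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately the kind of thing a small shop would have to tune: set them too low and a busy web server’s legitimate clients trip the port-scan rule; set them too high and a slow scan spread across hours never crosses the window. That trade-off is why the article recommends keeping detection systems current rather than relying on a one-time setup.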

Enumeration

Once the unethical hacker is inside your system, they will connect to the computers in your network and examine the directories and files to gain more information. This is called “enumeration.” This step is very intrusive, comparable to them physically entering your office and rifling through your desk and filing cabinets.

The intruder is typically looking for user names, account information, and clues to passwords, along with the type and version of your software. Once again, up-to-date Intrusion Detection Systems can alert your Network or Systems Administrator that someone is up to something inside your network.

An encryption application is also a very good preventative measure. Many types of over-the-counter encryption devices and programs are available, but they are usually limited to individual computers or simple networks.

The Newberry Group’s Encric Key (www.thenewberrygroup.com) is able to encrypt both files and data on individual computers as well as entire enterprise network systems. Consult an IT security specialist for which encryption application would work best with your system.

Penetration

With the information learned from enumeration, the unethical hacker’s next step is “penetration.” If your software is old, buggy, or simply configured incorrectly, the unethical hacker can exploit these vulnerabilities in order to take the first steps toward gaining control of the entire system.

It’s at this step that the unethical hacker is truly inside your network. Again, a good, strong encryption application can limit the access of the hacker to your critical data.

Advanced Penetration

The next step is called “advanced penetration.” In this step, the intruder uses the compromised computers (or user accounts) to launch additional attacks on your network. The hacker can break into administrator or root accounts, install backdoors, and implant Trojans or keystroke loggers to gather critical information from your active network.

Erasing or Covering the Tracks

In the final phase of hacking, the hacker eliminates any records or logs showing his malicious behavior. To cover his tracks, the unethical hacker will delete the log files, disable your system’s auditing programs, and hide his implanted files.

The hacker can also install a set of programs (called a “rootkit”) that replaces your existing system software. It allows the hacker to cover their tracks and continually gather new information from your network – without you knowing anything about it.
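Deleting log files and disabling auditing only works if the logs live solely on the compromised machine. The added example below, which is not code from the article or from The Newberry Group, shows the defensive idea behind shipping logs elsewhere: each audit entry carries a SHA-256 hash that chains to the previous entry, and a copy of the latest hash (the “head”) is kept off the box. A verifier holding that head can then tell whether an entry was edited, an entry was deleted from the middle, or the tail of the log was cut off. The entry texts and the tampering scenarios are constructed for illustration.

```python
"""Tamper-evident audit log using a SHA-256 hash chain.

Added example, not from the article or The Newberry Group. Each entry's
hash covers the previous hash, its sequence number and its message, so
editing, deleting or reordering entries breaks the chain; keeping the
head hash on a separate machine also exposes truncation.
"""
import copy
import hashlib

GENESIS = "0" * 64  # hash "before" the first entry


def entry_hash(prev_hash, seq, message):
    data = f"{prev_hash}|{seq}|{message}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def append_entry(chain, message):
    """Append one entry whose hash links to the current end of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "msg": message, "prev": prev,
                  "hash": entry_hash(prev, seq, message)})
    return chain


def verify_chain(chain, expected_head=None):
    """Return (ok, detail). `expected_head` is the last hash as recorded
    off-host; without it, cutting entries off the end cannot be noticed."""
    prev = GENESIS
    for idx, e in enumerate(chain):
        if e["seq"] != idx:
            return False, f"gap or reorder at position {idx}: found seq {e['seq']}"
        if e["prev"] != prev:
            return False, f"broken link at seq {idx}"
        if entry_hash(prev, e["seq"], e["msg"]) != e["hash"]:
            return False, f"entry {idx} modified"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "chain truncated or head mismatch"
    return True, "ok"


def build_sample_chain():
    """Constructed audit entries (not from any real system)."""
    chain = []
    for msg in [
        "user alice logged in from workstation-12",
        "user alice opened payroll.xls",
        "user bob failed login (bad password)",
        "service account changed audit policy",
        "user alice logged out",
    ]:
        append_entry(chain, msg)
    return chain


def tampering_report():
    """Apply three constructed tampering scenarios and return what the verifier says."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]            # the copy held off the compromised host

    edited = copy.deepcopy(chain)
    edited[1]["msg"] = "user alice opened newsletter.txt"

    deleted = copy.deepcopy(chain)
    del deleted[3]                      # hide the audit-policy change

    truncated = copy.deepcopy(chain)[:3]  # cut the tail off the log

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tampering_report().items():
        print(f"{name}: {result}")
```

The `truncated_no_head` case is the one worth noticing: a log that has simply had its newest entries removed still verifies cleanly on its own, which is exactly why the off-host copy of the head hash (or, in practice, forwarding every entry to a separate log server) matters more than any clever checking on the machine itself.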

Fixing a Compromised System

If the hacker achieves this level of penetration and is covering their tracks, you are beyond prevention and damage control. You need major surgery.

It takes a thorough analysis of your system to detect all the possible problems the hacker could have embedded. This is nothing you want to attempt to fix on your own or with over-the-counter software.

Two different professionals need to be involved in the fix. First, a trained and certified IT Security Specialist should thoroughly audit your system and network to discover the problems. Second, you should hire a second certified IT Security Specialist to do the fix based on the audit.

Never use the same company to do both. The IT “auditor” will keep the IT “fixer” honest and vice versa. It also helps prevent a single IT Security firm from “camping out” in your accounts payable.

Education Key to Prevention

There is a long list of software and hardware solutions, each designed to address one or several of the steps an unethical hacker would use to compromise your system. But the simplest and least expensive preventative measure is educating your employees.

“Employees are your greatest asset – but they are also your greatest risk,” Leyden says. “They have to be trained not to answer any questions about your IT or communications infrastructure. Just say ‘I don’t know’ or ‘I’m not sure.’”

If this sounds too simple to be effective, it’s not. Just knowing the type of system or the kind of equipment your company uses equips the unethical hacker with exactly the information they need to crack your system. It’s like a safecracker asking, “What kind of safe do you have?”

Also, employees need to be educated as to what types of questions their IT staff would ask and what they would not ask. For example, your Network Administrator and staff should have the means to access user accounts and override passwords. It’s part of their job description. It needs to be known that they will not be asking for user access information.

In addition, IT staff members need to be trained not to give out passwords and user account information unless they can positively identify the person making the request. Simply being told that the inquirer is a “corporate executive” should not be enough to relinquish user account information.

“Write a small, widely distributed user policy explaining what you’re doing and why you’re doing it,” Leyden says. “Then strictly enforce your own policy.”

And what would Matt the hacker advise?

“The main thing would be to train your employees first…from the receptionist on up,” Matt says. “Most hackers will attack externally, not from sitting inside your company. And get the latest updated software – it’s going to be a lot harder to hack into it.”

If You’re Concerned

If you’re concerned that your IT system may be vulnerable, it is best to hire a certified IT Security firm to perform a penetration test or audit. A legitimate outside firm will have certified “ethical hackers” who will attempt to penetrate your system using the means available to an unethical hacker.

“While a company with an IT department can do their own testing, the advantage of hiring an outside firm is that there is an element of surprise,” Berry says. “You don’t know when it’s going to happen; only that it will happen. Also, you can be certain inside information wasn’t being used to perform the penetration. We would just use publicly available information.”

Instead of causing problems, the ethical hackers will report to your executives and your internal IT Security staff the strengths and vulnerabilities of your system. Again, it is best for an outside firm to perform the audit and a second certified party (your own IT staff or an external firm) to do the fix.

What Happened to Matt?

Meanwhile, Matt is still a nice kid and is doing well in school. He remains intrigued with the intricacies of the IT world but has matured enough to realize the inherent danger of unethical hacking. But while Matt stopped short of causing any real damage with his hacking skills, there are more and more “good kids” every day acquiring the same abilities, tempted by the same thrills.

Discovering your vulnerabilities is the first step toward protecting yourself from the kind of unethical hackers who would steal vital information or destroy systems just for the cheap thrill. Hiring a certified IT Security professional to pinpoint your system’s security weaknesses can keep you from discovering those weaknesses after it’s too late.

Hacker Damage

Popular unethical hacking activities:

1) Breaking into computer networks and embedding bugs, viruses, and Trojans
2) Bypassing passwords or copy-protection in computer software and deleting files
3) Defacing and/or damaging Web sites
4) Attacking a web site or network and preventing legitimate users from accessing the site or network
5) Stealing valuable information such as passwords and credit card data
6) Destroying files, sites, networks, and e-mails