Securing Your Small Business

“How I Hacked Your Small Business… and How You Could Have Stopped Me” is the title of a talk I gave earlier this year at BSides College Station, back before the coronavirus had us all on lockdown.  The point of the talk is to give a step-by-step walkthrough of how I'd build an anonymous attack platform and set about taking over the infrastructure of a small business.  It wasn't a blueprint, but it was close, because I wanted to show small business owners and small business defenders what it would look like.  In the middle of the talk, I flip the script and go into the steps for stopping me.  While this post isn't that talk, there are some overlaps.  In my day-to-day work, I see the same issues time and time again, and there are some points in my BSides talk that are worth repeating.

They say you should keep your lists small, but I'm having a hard time keeping this under five points:

1.  Awareness Training:  In general, I think it's important to have both attackers and defenders speak to the user base about security.  When I started digging into offensive security, I didn't know what I didn't know.  Once I learned the tools and techniques, I changed my approach to defending.  Just the act of sharing information is enough to get people thinking about security.  For example, I might tell users that I'm going to send them a phishing email, that it will contain an attachment with a macro, and that the email will be believable and non-threatening but will try to lure them into opening it and the attachment.  Then follow that up with an actual phishing campaign.  I suggest running campaigns at least once per quarter, and I would tailor the campaigns to specific groups and individuals.

2.  Password Managers:  Every single person in the company should be using a password manager.  Not the built-in manager in a browser, but an actual password manager.  Credentials saved in a browser are protected only by the logged-in user's session, so malware running as that user can dump them; a dedicated manager keeps its vault encrypted under a master password (ideally with its own second factor) that an attacker still has to obtain.  Once the users are on password managers, every password should be strong and unique, which in practice means letting the manager generate them.  My password manager has 828 entries and I think it's safe to say that 99.9% of them are unique.  It's taken me a long time to get to this point, but now I can't imagine a password NOT being in the manager, because it's extremely helpful once you get used to the change.

3.  Two-factor Authentication:  Also called multi-factor authentication, 2FA / MFA means proving who you are with two different kinds of factor: typically something you know (a password) and something you have (a phone or hardware token); something you are, like a fingerprint, is the third kind.  I know a password and I have a phone which can receive an SMS message with a PIN.  SMS is not a fully secure second factor: the code can be phished in real time or intercepted through a SIM swap, so an authenticator app, push approval or hardware key is stronger, but SMS is still better than nothing.  The idea is that you might get my password from a breach, but you do not possess my phone.  I'm not pushing specific companies, but Duo, YubiKey, and Google Authenticator are a few second factors that work well.  Introducing two factor on as many logins as possible, starting with anything reachable from the Internet (email, VPN, remote access), shrinks the attack surface a stolen password gives an attacker.  For the defender implementing two factor, I would suggest making it as easy as possible for your users.

4.  Local Admins:  Users should log in as users.  On macOS and Linux this is the default: even an account with administrative rights runs as a regular user and is prompted for a password to elevate.  On Windows, though, a user can be a member of the local Administrators group, which lets anything running as that user elevate to full administrative rights (the equivalent of root) in almost all instances.  UAC narrows this somewhat, but not enough to mitigate the damage an attacker can cause if that user account is taken over: malware that lands in the user's session can elevate with a single click on the consent prompt, or bypass the prompt altogether.  When I say users, that includes admins as well.  When an admin is logged into their local machine, they should be running as a standard user, with a separate account for administrative work.  In the past, this was more complicated, but with Windows 10 it's getting a little easier.

5.  Network Segmentation:  When I discuss network segmentation, the example I like to give is guest WiFi.  Your guests can access the Internet, but they can't come into direct contact with your equipment.  With network segmentation, we're taking this concept and expanding it to resources on your network.  We have a few clients using VoIP systems.  Some of those clients are using all of the bells and whistles that those systems have to offer, while others are just using the basic system.  In that latter case, there is no need to have the VoIP server, the handsets, and the accompanying hardware on the same segment as the rest of the network: a compromised workstation should not be able to reach the phone system, and a compromised phone should not be able to reach the file server.  Look at the entire network and decide which resources could be on their own segment.  Segments can be created with VLANs, or we can get more sophisticated with routers.  A VLAN on its own is all or nothing: devices in it can talk to each other and to nothing else.  Routing between segments through a router, layer-3 switch or firewall is where the granularity comes from, because its access rules decide which segment may reach which (the VoIP segment gets its SIP trunk and the management workstation, and nothing more).
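
Item 2 above says every password should be strong and unique, and the quickest way to find out whether that is true is to audit the vault itself.  The PowerShell below is an added example, not code from the original post: it reads a password-manager CSV export (the column names name, username and password are an assumption, since exports differ between products; the sample entries are constructed) and reports reused and short passwords.

```powershell
# Added example (not from the original post): audit a password-manager export for
# reused and short passwords. Most managers can export the vault as CSV; this assumes
# the columns are named name, username and password (rename them if yours differ).
# The entries below are constructed for illustration and are not real credentials.
$vaultCsv = @'
name,username,password
Bank,alice@example.com,correct-horse-battery-staple-7Q
Payroll portal,alice,Summer2019!
Router admin,admin,Summer2019!
Email,alice@example.com,x9#Lm2$vQp!rT4wZ
'@

function Find-WeakVaultEntries {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int] $MinLength = 14
    )

    # Reuse: group on the password value and report every group with more than one
    # entry. Group-Object is case-insensitive by default, which is what we want here;
    # a password that differs only in case is still effectively reused.
    $Entries |
        Group-Object -Property password |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Issue    = 'Reused'
                Accounts = ($_.Group | ForEach-Object { "$($_.name) ($($_.username))" }) -join '; '
            }
        }

    # Length: a unique password can still be too short to have come from a generator.
    $Entries |
        Where-Object { $_.password.Length -lt $MinLength } |
        ForEach-Object {
            [pscustomobject]@{
                Issue    = "Shorter than $MinLength characters"
                Accounts = "$($_.name) ($($_.username))"
            }
        }
}

# Wrapping in @() guarantees an array (and a .Count) even when nothing is found.
$findings = @(Find-WeakVaultEntries -Entries ($vaultCsv | ConvertFrom-Csv))
if ($findings.Count -eq 0) {
    'No reused or short passwords found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}

# Against a real export:
#   Find-WeakVaultEntries -Entries (Import-Csv .\vault-export.csv)
# The export is the whole vault in plaintext; delete it as soon as the audit is done.
```

On the constructed data this reports one reuse (the payroll portal and the router share a password) and two entries shorter than 14 characters.  The export file is the one part of this to be careful with: it is every credential in the clear, so run the audit from the user's own machine and remove the file immediately afterwards.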

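For item 4, the first step on each Windows machine is knowing who is in the local Administrators group and whether UAC is configured to prompt at all.  The PowerShell below is an added example, not from the original post; the approved-principals list and the CONTOSO group name are hypothetical placeholders.  It uses the built-in Get-LocalGroupMember cmdlet and the UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

```powershell
# Added example (not from the original post): check who can elevate on a Windows 10
# machine and whether UAC will actually stand in the way. Run from an elevated
# PowerShell; Get-LocalGroupMember needs Windows 10 / PowerShell 5.1 or later.
# The approved list is an assumption for illustration; replace it with your own.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (keep it disabled or renamed)
    'CONTOSO\Workstation Admins'         # hypothetical domain group for IT staff
)

function Get-UnexpectedLocalAdmins {
    param([Parameter(Mandatory)] [string[]] $Approved)
    # Anything in Administrators that is not on the approved list is a finding,
    # including day-to-day accounts of IT staff who should use a separate admin account.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key
    [pscustomobject]@{
        # EnableLUA = 0 means UAC is off: members of Administrators run fully elevated at all times.
        UacEnabled          = ($policy.EnableLUA -eq 1)
        # ConsentPromptBehaviorAdmin: 0 = elevate silently, 1 = prompt for credentials on the
        # secure desktop, 2 = prompt for consent on the secure desktop, 5 = default (consent for
        # non-Windows binaries only). 0 is as bad as UAC being off.
        AdminPromptBehavior = $policy.ConsentPromptBehaviorAdmin
        # ConsentPromptBehaviorUser: 0 = deny elevation outright, 1 = prompt for admin
        # credentials on the secure desktop, 3 = prompt for credentials (default).
        UserPromptBehavior  = $policy.ConsentPromptBehaviorUser
        SecureDesktopPrompt = ($policy.PromptOnSecureDesktop -eq 1)
    }
}

$unexpected = @(Get-UnexpectedLocalAdmins -Approved $approvedAdmins)
if ($unexpected.Count -gt 0) {
    'Unexpected members of the local Administrators group:'
    $unexpected | Format-Table -AutoSize
} else {
    'Administrators contains only approved principals.'
}
Get-UacStatus | Format-List

# To demote a day-to-day account found above so it runs as a standard user:
#   Remove-LocalGroupMember -Group 'Administrators' -Member "$env:COMPUTERNAME\jsmith"
```

The two checks belong together: an empty finding list means nothing if UacEnabled is false or AdminPromptBehavior is 0, because then every remaining administrator runs fully elevated without ever being asked.  Demote accounts one at a time and give the people who genuinely need to elevate a second, admin-only account they sign into just for that work.
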
This list is just the beginning but it's a solid start to securing your small business.  Let's call this the hardened small business and in my next talk, that is my target.  ;)