“How I would hack you…” is a compelling opening statement to say the least. The global business community has experienced an economy left supported by our web technologies in the midst of a global pandemic, social concerns, and conflict in recent months. Prior to that, even, it would be a challenge to identify a single competitive organization that does not rely on web technologies, networks, and applications to support their finances, data, services, and more. 

“How I would hack you,” is a chilling statement for any supervisor, manager, or executive to hear — albeit one which should inarguably pique the interest and spark a level of intrigue of any business owner, executive, or manager.

What do you imagine a hacker really is? Does it invoke images of a dark, wet basement isolated in an old warehouse filled with green glowing computer screens and empty bottles of Mountain Dew? Do you think of a hooded figure tapping frantically at his laptop battle-station, actively gathering your passwords, usernames, and credit-card numbers? The reality might surprise you, and you may find it is a bit different than the action-movie persona you have seen.

In a recent webinar titled “How I Would Hack You: Confessions of an Ethical Hacker,” James Carroll, information security engineer at Secure Network Technologies, Inc., gives us a look under the hood of how it’s done by the pros. Carrol has served in his role at Secure Network Technologies for more than 10 years, protecting the data of clients ranging from NFL teams to small credit unions. He starts with an introduction on how he got into hacking by taking down other players’ networks in video games to give him the win and automatically level-up his account at breakneck speeds (a practice now discouraged by him since “denial-of-service” attacks are now considered a felony). Carroll then follows up with his presentation format, which covers: “Current Events; 2 Types of Hacks; How These Hacks Happen; The Anatomy of a Hack – 4 Phases of pwnage; Open-Source Intelligence Gathering; Gaining Network Access; Gaining Admin Access; and Where Does This Data Go?”

Cybersecurity concerns have become magnified during the coronavirus pandemic. As a result, COVID-19 phishing and SPAM-mailing is “absolutely skyrocketing” according to Carroll. Hackers are opportunistic people and are taking full advantage of the new density of offsite work — and the security vulnerabilities that come with it. He demonstrates current hacking trends that use “phishing” emails to elicit passwords and malicious-link clicks by unaware users.

Breaking this down further, Carroll describes that there are two typical types of hacks — “social engineering” and “people hacking.” Social engineering leverages what he calls “the obvious”:

• Phishing — Fake emails made to look like real ones in order to get users to click a link, share info, or download something they otherwise wouldn’t.

• Pretexting — Impersonating someone at your organization.

• Baiting — Leaving something like a thumb drive loaded with malware in parking lots outside congested areas like a workplace where someone might pick it up and stick it into their computer, infecting the whole network.

• Vhishing — “Voice Phishing”, where someone pretends to be an official source such as a government organization, bank, or even your own company.

• Physically Breaking Into Buildings — The good old-fashioned “smash and grab”.

He goes on to describe people hacking as the tendency of hackers to look for the weakest link in your organization’s teams and conventions to find a vulnerability. As an example, Carroll shows a video of a physical intrusion test performed by Secure Network Technologies where he was able to gain access to a corporate building simply by “tailgating.” Carroll, in fully forged corporate uniform wearing an “official” duplicated ID badge, was able to gain access just by following an actual employee who scanned their ID to open the door first. The employee took one glance at Carroll, saw the ID badge, and felt comfortable enough to hold the door open for him. He walked in without a hitch, carrying a box of USB flash drives loaded with test-malware to leave on the break-room table. This is one example of how a real hacker with malicious intent would gain access.

James recommends that employees should not be afraid to ask, “Who are you? Who are you with? Who are you here to see? What are you here for?” to unfamiliar entrants at the door of your organization. Additionally, he says it is a good practice to make everyone entering the building scan their own ID — describing instances where recently-terminated employees have come back in to steal data and compromise something within the business.

So how would James Carrol hack you? The same way an unethical hacker would. He calls this “The Anatomy of a Hack” and it consists of the following four phases:

1) Open Source Intelligence Gathering (OSINT for short). Successful criminals do their homework first. Open-source intelligence is used In the criminal sense to ascertain relationships, contact information, work info and ultimately – when and how you’re most vulnerable. It’s gathered from all the information you publish about your life via social media and more.

2) Gain Network Access. Gaining access to a network will allow a malicious actor to identify devices, servers, and users within your organization, further developing the identification of targets.

3) Gain User Access. Once hackers have identified a user and a system, they work to gain user access on a host system through using their open-source intelligence or other hacking techniques such as phishing, vishing, and pretexting.

4) Gain Admin. Access. Ultimately, gaining user access is the precursor to gaining administrator access — which is commonly attached to a user. Admin access will allow the hacker to install malicious software that can infect the entire network, in addition to gaining access to admin-restricted data and systems.

The goal of all this, in no uncertain terms, is to remain undetected. Just as malicious actors want to remain undetected while successfully stealing your valuable data, this remains an anchor for Secure Network Technologies’ own testing goals — to hack your organization in much the same fashion as a criminal might (without all the damage and fallout that comes with actually getting hacked), and then provide detailed results so your organization and its information-technology personnel know how to fix it (this is the part the bad guys hate). Some immediate recommendations Carrol makes for your organization is to exceed “best practices” for passwords, enable two-factor authentication for every app possible, and to stop putting your entire life on social media where hackers look first for sensitive personal information.

For any fellow nerds and aspiring ethical hackers out there, James shares some technical tools of the trade — software with fittingly cryptic names such as MetaZploit, Empire, Burp, Responder and SilentTrinity, among others. You can check out Secure Network Technologies at www.securenetworkinc.com/cnybj.    

Rob Dracker is CEO and creative director of WMC (Weapons of Mass Creation). Contact him at rob@wmcstudios.com or (315) 935-7982. This article is originally sourced from a GoToWebinar run by Ted Hulsy, CEO of Iron Path, on June 4, 2020 featuring James Carroll, of Secure Network Technologies.

“Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there is a key hidden somewhere, they won’t stop until they find it.” — Tim Cook

The COVID-19 pandemic has disrupted many standard policies and procedures for tax-exempt management employees who are working remotely. The pandemic disruption has increased internal-control risks for many organizations. Every organization must have increased focus on the inherent vulnerabilities of technology and related software applications. 

After hearing that global criminal enterprises have been focusing on tax-exempt organizations for purposes of accomplishing technology breaches, I asked John Roman from our FoxPointe Solutions information technology division to provide me with his “Top 10” recommendations for mitigating the risk associated with cybersecurity breaches. His response to me was a revelation for me as a technology dinosaur.

“We’re too small to be targeted.” “We have cyber insurance.” “We can’t afford cybersecurity.” Do these phrases sound familiar? These are often the reasons that nonprofit organizations give for their lack of sufficient cybersecurity. Unfortunately, we live in a world where hackers look for vulnerabilities, human and technical. Hackers continually scan the Internet for technical vulnerabilities using automated tools. Hackers take advantage of humans during bad situations, and today, there are many: COVID-19, a recession, civil unrest, and the 2020 elections. Hackers do not discriminate. They will target small and large businesses, educational institutions, government agencies, and not-for-profits alike.

Today, data has become as valuable as gold or oil. Nonprofits, large and small, collect vast amounts of private data of those they serve and of their donors. This is exactly what hackers want. They want to exploit your organization’s vulnerabilities, whether it be through email phishing or a phone call pretending to be your bank. The goal: steal and/or encrypt all of your data unless you pay their ransom.

What is a not-for-profit to do, especially during these times of reduced budgets, donations, and government funding? If you’re feeling overwhelmed or don’t know where to start, consider these no cost or low-cost cybersecurity best practices.

1. Patch all computer systems every 30 days with critical Windows security patches. On a monthly basis, ensure that all of your Windows computer systems are patched. For smaller nonprofits, turn automatic updates on and do not allow users to opt out of the updates. For larger organizations, ensure that your IT department is applying patches on PCs and servers. 

2. Enable anti-malware/virus and firewalls on all PCs. Ensure that every computer has active, working, and up-to-date protection. Enable Windows firewalls on all computers, especially laptops. 

3. Encrypt data at rest and in motion. Any portable device (laptop, USB drive, tablet, or phone) should have encryption enabled. Since these devices are portable, and easily lost or stolen, you will minimize the need to report a data breach should a device that contains personal information get lost or stolen if said device is encrypted. 

4. Strengthen passwords. Make sure your passwords are long and complex. Try using a passphrase that is at least 12 characters long (spaces count) to easily remember your password and ensure that it is “uncrackable”. As an example, “I love my dog spot!” will take over 64,000 years to crack. As a bonus, unless your password is leaked, you will only need to change it once per year.

5. Train your employees on cybersecurity. You and your employees are the firewall. Your best line of defense is you and the employees of your organization. Ensure that you are providing your workers with annual security awareness training. Make it relatable to them and their personal experiences. Look into training programs from LinkedIn Learning and KnowB4. Frequently send emails on the latest and greatest in terms of new threats and ways to avoid them. 

6. Comply with the New York SHIELD Act. The “Stop Hacks and Improve Electronic Data Security Act” was enacted on July 25, 2019 as an amendment to the New York State Information Security Breach and Notification Act. The law went into effect on March 21, 2020. The motivation behind the SHIELD Act is to update New York’s data-breach notification law to keep pace with current technology. Every organization that creates, processes, stores, or transmits New York State resident private information must comply. To comply, an organization must have completed a risk assessment, assigned an information-security officer, and created a written information security plan along with accompanying series of administrative (policies), physical, and technical controls. 

7. Perform frequent data backups and restores. One of the only ways to recover from a ransomware attack or from someone inadvertently deleting data from a server or PC is to have an up-to-date backup. In the example of a ransomware attack, rather than paying the ransom, which is a bad idea in more cases than not, the data that has been encrypted by the ransomware can be restored from your organization’s backup. Backups must be run daily and tested frequently to ensure that data being backed up is available for restore.

8. Plan for a disaster. It’s not a matter of if you have a disaster (data breach, power failure, pandemic, or your email is down for two hours), it’s when. Those who do not have a documented disaster-recovery plan along with corresponding procedures for recovering systems and data will spend twice the time and money trying to restore systems and data than those who have a plan. Along with your data-backup plan, create a disaster-recovery plan. Remember, “practice makes perfect”. Make sure you are testing your plan annually. Your test could be as simple as choosing one system to simulate being unavailable for a period of time and practicing how long it takes to recover from the failure. 

9. Practice good computer hygiene. Do you get your car’s oil changed every 3,000 to 5,000 miles? How about an annual physical? Of course, we all practice good hygiene. So, why not do so from a computing perspective? For example, close, disable, or delete all accounts for those who are no longer employed by the organization. Have a data-retention policy and practice it. There is no reason why you need to keep a document created and last accessed in 1998 unless there is a business or regulatory reason to keep it. 

10. Move to the cloud. Cloud providers such as Microsoft, Amazon, and the like have more security controls in place than your nonprofit can afford. Your data is probably more secure in the cloud than it is on your servers. Services such as Office365 are relatively inexpensive for nonprofits, especially those that have subscribed to Tech Soup (https://www.techsoup.org/). Cloud solutions offer anytime, anywhere, any device access to applications and data. During this pandemic, those who use cloud services were able to transition their employees to working from home more easily than those who did not use cloud computing.

The suggestions above are certainly not an all-inclusive best practice list. However, for most nonprofits, these are a good start for or continuation of your cybersecurity efforts. There are numerous cybersecurity providers who can assist. If possible, the provider should have a good understanding of not-for-profits and the intricacies of how they operate. Finally, remember, cybersecurity starts with you. It takes a combination of people, policy, and technology to form a strong cybersecurity foundation.

After discussing the above with John, I was prompted to provide you with inspirational quotes that I found very appropriate, including:

“There is no silver bullet solution with cybersecurity — a layered defense is the only viable defense.” — James Scott

“Passwords are like underwear: you don’t let people see it, it changes very often, and you shouldn’t share it with strangers.” — Chris Pirillo

Please stay safe and healthy.               

Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at (585) 381-1000, or via email at garchibald@bonadio.com