Chris Cooley

Free Cybersecurity Checkup: What It Covers and Why Your Small Business Needs It

In today's digital age, small businesses face increasing threats from cybercriminals. With limited resources and often less stringent security measures, small businesses are frequently prime targets for cyber attacks because they lack the means to detect and respond to threats. Recognizing the signs of cybersecurity risk and taking proactive steps to improve your security can be daunting. That's where our free cybersecurity checkup comes in. This post explains what a cybersecurity checkup covers, why it's crucial for your business, and how to get one for free.

What Does a Free Cybersecurity Checkup Include?

Our free cybersecurity checkup is designed to identify risks in your current security posture and recommend actionable steps to enhance your protection. Here's what it includes:

  • Risk Identification: We begin by reviewing your existing security measures and providing an overview of vulnerabilities that may be present in your environment. This involves analyzing your digital footprint to see where you might be vulnerable to cyber-attacks such as phishing, ransomware, or insider threats.

  • Threat Assessment: We evaluate the potential unique threats facing your business sector and operational model.

  • Security Best Practices Review: We will assess your current security policies and procedures against industry best practices. This includes evaluating your employee training programs, access controls, data encryption methods, and backup solutions, among other focus areas.

  • Detailed Report and Recommendations: At the end of the checkup, you will receive a comprehensive report detailing our findings and practical recommendations to improve your cybersecurity. This report will help you prioritize addressing identified risks based on their potential impact and provide a clear action plan.

Why Do You Need a Cybersecurity Checkup?

  • Awareness: Many small business owners become aware of their cybersecurity vulnerabilities only once it's too late. A cybersecurity checkup provides a clear picture of where you stand and what you must do to protect the business you worked so hard to build.

  • Cost Savings: By identifying and addressing vulnerabilities early, you can avoid the potentially devastating costs associated with data breaches and cyber-attacks. For many small businesses, a single cyber-attack can be a game-ender.

  • Trust: Demonstrating a commitment to cybersecurity builds trust with your customers, suppliers, and partners. It shows that you take the protection of their data seriously.


Our free cybersecurity checkup is invaluable for any small business looking to enhance its security posture. We understand small businesses' unique challenges and are here to help you improve your cybersecurity measures.

Take action before a security breach! It’s not a matter of “if,” it’s a matter of when. Contact us today to schedule your free cybersecurity checkup and take the first step toward securing your business. To get started, please complete the form here or call +1 (770) 710-9399.


Please Note: Our Free Cybersecurity Checkup is only available to Small Businesses with fewer than 100 employees.

Chris Cooley

Essential Guide to Using Shodan for Small Business Vulnerability Assessments & Network Monitoring

Small businesses are continually adapting to harness new technological opportunities in the rapidly evolving digital landscape. However, this digital expansion also broadens their exposure to potential cybersecurity threats. One critical tool that small business owners can leverage to fortify their cybersecurity measures is Shodan, often referred to as the "search engine for the Internet of Things."

Introduction to Shodan

The business world is increasingly digitized, with more devices connected to the Internet every day. That growth gives small businesses new technological opportunities, but often at the cost of increased cybersecurity risk. Shodan is a powerful tool that can be incredibly valuable for small business owners who want to take control of their cybersecurity posture and proactively identify issues with their internet-facing environment.

Unlike traditional search engines that index web content, Shodan scans the Internet for information about devices and services, including banners and metadata that can provide insights into the security posture of these assets. Small business owners can use this tool to identify internet-connected devices, ranging from seemingly simple "Internet of Things" (IoT) devices to sophisticated server systems, as well as identify services running on those devices, open ports, determine which assets are publicly accessible and potentially vulnerable, and even track changes in exposure over time.

What Shodan Can Do:

  • Identify Devices: Locate routers, servers, and IoT devices online.

  • Detect Services: Enumerate services running on open ports.

  • Assess Exposure: Help determine which assets are publicly accessible and potentially vulnerable.

  • Monitor Changes: Track changes in exposure over time.


Guide to Using Shodan for Your Small Business

Setting Up Your Account

Visit Shodan and sign up for an account. Consider purchasing a membership for advanced features and increased query limits. The membership is a one-time payment of $49 for a lifetime account upgrade - no subscription required! Some of the benefits of a Shodan Membership include:

  • Monitoring & Alerting: Monitor the devices you expose to the Internet. Set up notifications, launch scans, and gain complete visibility into what you have connected. The membership lets you monitor up to 16 IPs, so you can confirm that your home or small business network isn't unexpectedly exposed to the Internet.

  • Command-Line Interface: The official Shodan CLI allows you to automate your workflow or efficiently get the necessary information without visiting the website. With a Shodan membership, you can access almost every aspect of the Shodan platform from the CLI - no coding is required!

  • Search Images: Shodan collects screenshots for many different services. As a member, you can access a new search interface that makes browsing those screenshots much more straightforward. Additionally, Shodan performs OCR on those images so that you can also search for the text inside the photos.

  • Integrations: The improved API plan for members makes plugins for tools such as Metasploit, Recon-ng, and Maltego more powerful. You'll have the entire database of Shodan a fingertip away from your favorite programs.

Identify Your IP Space

Before we start, let’s cover some quick basics about the differences between what may be considered a typical home network vs. a small business network.

  • Home Networks are typically simpler, consisting of a few devices connected to the Internet through a single residential router. These networks often lack sophisticated security measures and are primarily used for personal activities.

  • Small Business / Home Office Networks are often more complex. They may include additional hardware and software layers to support business activities. These networks usually resemble small enterprise environments with multiple internet-facing devices. Ideally, this environment features enhanced security measures, various subnets, and specialized networking equipment to securely handle personal and business data.

Let’s dive in! Begin with identifying your endpoint IP address or range:

  • Endpoint IP Identification: Start by identifying the external IP address of the device you're currently using. You can easily find this by visiting websites like WhatIsMyIP.com or by searching "what is my IP" in a search engine.

  • Determine Your Network Range:

    • Router and Firewall IPs: Typically, the external IP address you identify from your endpoint will be assigned to your network's edge device, such as a router or firewall. This device manages both inbound and outbound traffic for your network. For small networks, this may be the only internet-facing device you have. For more complex environments, there may be several.

    • Consult ISP or Network Administrator: For more precise information on your full IP range, consult your Internet Service Provider (ISP). Businesses may have multiple IP addresses or ranges assigned.

Utilize Shodan to Scan Your IP Range

  • Conduct a Basic Shodan Search: If you have multiple IP addresses or an IP range assigned through your ISP, enter your IP range in Shodan using the syntax below. This will list all devices in your subnet visible on the Internet.

    • net:YOUR.IP.RANGE/24


Analyzing Your Results

Understanding your search results and identifying potential risks is crucial - particularly if you have limited IT or security experience. This section will help you interpret what you find in Shodan searches and highlight why some findings might be concerning.

  1. Identify Devices and Services

    • Standard Services: When you run a Shodan search, you'll see various services listed under each device. Focus on common ones like:

      • HTTP (Port 80): This is the standard port for web servers. If this appears without HTTPS, it suggests that the data sent to and from this service is unencrypted, which is not secure.

      • HTTPS (Port 443): The secure version of HTTP, indicating encryption is used. This is expected for any web service handling sensitive data.

      • FTP (Port 21) is used for file transfers. It is insecure as it transmits data, including passwords, in plain text. FTP should never be used, especially for internet-facing devices.

      • SSH (Port 22) allows secure remote access to devices. While SSH itself is secure, an unexpected SSH service might indicate an unauthorized access point.

    • Unexpected Services: Discovering services you do not recognize or have no recollection of setting up might indicate misconfigurations or unauthorized installations. For example, an open Telnet port (Port 23) is typically considered insecure and should be investigated.

  2. Check Banners

    Banners are the information a service displays when a client connects to it, often including the type of service, software version, and other vital details.

    • Check for Outdated Software: Banners showing older software versions can indicate security risks, as these may contain known vulnerabilities that attackers can exploit.

    • Check for Possible Misconfigurations: Sometimes, banners might reveal default configurations that haven't been changed (e.g., default usernames or service settings), which are easy and prevalent targets for attackers.

  3. Review Certificates

    • SSL/TLS Certificates: These certificates are used by HTTPS services to ensure secure communication. Shodan can show you if a certificate is:

      • Expired: An expired certificate can cause browsers to warn visitors that your site is insecure, which may harm your business reputation.

      • Misconfigured: Certificates should be issued using the correct domain name and a secure configuration. Any discrepancies indicate potential security weaknesses and represent threats to your business.

Common Red Flags and Their Implications

  • Open Ports: Each port on a network can serve as a door or a gateway that allows specific types of network traffic in and out. An "open port" means that the port is configured to accept connections, which can be necessary or potentially dangerous. Having numerous open ports can unnecessarily increase your business’s attack surface, providing more opportunities for malicious actors to attempt to access your network.

    • Example: A small retail business might use port 443 for secure online transactions but finds that other ports, like FTP (21) or Telnet (23), are open. These protocols are not secure and should be closed to prevent data theft or unauthorized access.

    • Action Steps: Use a tool like Shodan to scan your IP address and identify open ports. Review whether each open port is necessary for your operations and close those that aren't. Ensure that necessary ports are protected with strong security measures, like firewalls and intrusion detection systems.

  • Default Settings & Passwords: Many network devices and software are installed with default settings and passwords, which are widely known and easily accessible online. Operating with default settings and passwords is akin to leaving the key in the lock of your front door. It's an invitation for attackers to enter easily.

    • Example: A small consultancy firm sets up a new router but doesn’t change the default admin password. An attacker uses this default password to gain access and redirect internet traffic through malicious servers.

    • Action Steps: Always change default usernames and passwords during the initial setup of new devices or software. Use strong, unique passwords for different devices and services. Consider using a password manager to keep track of them securely.

  • Exposed Sensitive Services: Sensitive services, such as databases, management interfaces, or API endpoints, are critical to the operation of a business but can expose significant vulnerabilities if accessible via the public internet. If these services are exposed and accessible, they can be targeted for data breaches, leading to significant financial and reputational damage.

    • Example: A small healthcare provider uses a database to store patient records. If this database is inadvertently exposed online without proper security controls, it could be accessed or hacked, leading to a breach of sensitive patient information.

    • Action Steps: Ensure that sensitive services are inaccessible from the public internet. Use network security measures such as VPNs for remote access, firewalls to block unauthorized access, and robust authentication mechanisms. Regularly audit your network using tools like Shodan to check for exposures.
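The `net:` search, the port and banner checks, and the red flags above can be tied together in a short triage script. The following is an added example written for this guide, not code from Shodan or from CCI. It assumes the official `shodan` Python library (installed with `pip install shodan`), an API key in the `SHODAN_API_KEY` environment variable for the live path, and the documented shape of Shodan search results (a `matches` list with `ip_str`, `port`, `product`, `version`, `data`, and an `ssl.cert.expired` flag for TLS services). The sample matches embedded in the script are constructed, not real scan data, and the port-to-service table is an illustrative starting point rather than a complete list.

```python
"""Triage Shodan results for a small-business IP range.

Added example, not from the original post or from Shodan. It assumes the
official `shodan` Python library and the documented shape of its search
results: a dict with a "matches" list whose entries carry "ip_str", "port",
"transport", "product", "version", "data" (the banner) and, for TLS
services, an "ssl" block with "cert" details including an "expired" flag.
"""
import os
from typing import Dict, List, Optional

# Ports the guide calls out as cleartext or legacy: FTP (21), Telnet (23),
# and HTTP without TLS (80).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP (no TLS)"}

# Services the guide says should not face the public internet (databases,
# management interfaces). Default ports only; an illustrative starting list.
SENSITIVE_PORTS = {
    3306: "MySQL", 5432: "PostgreSQL", 1433: "MS SQL", 27017: "MongoDB",
    6379: "Redis", 3389: "RDP", 5900: "VNC", 9200: "Elasticsearch",
}


def triage_match(m: Dict) -> List[str]:
    """Return human-readable findings for one Shodan match, following the guide's checklist."""
    findings = []
    port = m.get("port")
    if port in CLEARTEXT_PORTS:
        findings.append(f"cleartext/legacy service {CLEARTEXT_PORTS[port]} on port {port}")
    if port in SENSITIVE_PORTS:
        findings.append(f"sensitive service {SENSITIVE_PORTS[port]} exposed on port {port}")
    if port == 22:
        findings.append("SSH reachable from the internet; confirm it is expected")
    # Banner check: product/version are Shodan's parsed banner fields.
    product, version = m.get("product"), m.get("version")
    if product and version:
        findings.append(f"banner advertises {product} {version}; verify it is current")
    # Certificate check for TLS services (assumed ssl.cert.expired field).
    cert = (m.get("ssl") or {}).get("cert") or {}
    if cert.get("expired"):
        findings.append(f"expired TLS certificate (expires {cert.get('expires')})")
    return findings


def triage_results(matches: List[Dict]) -> Dict[str, List[str]]:
    """Group findings per 'ip:port' so the output reads like the guide's review steps."""
    report: Dict[str, List[str]] = {}
    for m in matches:
        findings = triage_match(m)
        if findings:
            report[f"{m.get('ip_str')}:{m.get('port')}"] = findings
    return report


def scan_range(cidr: str, api_key: Optional[str] = None) -> Dict[str, List[str]]:
    """Live lookup with the guide's net: filter; needs a Shodan API key and network access."""
    import shodan  # imported here so the offline sample below runs without the library
    api = shodan.Shodan(api_key or os.environ["SHODAN_API_KEY"])
    results = api.search(f"net:{cidr}")
    return triage_results(results["matches"])


# Constructed sample in the shape of Shodan matches (documentation IPs, not real scan data).
SAMPLE_MATCHES = [
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx",
     "version": "1.24.0", "data": "HTTP/1.1 200 OK",
     "ssl": {"cert": {"expired": True, "expires": "20240101000000Z"}}},
    {"ip_str": "203.0.113.10", "port": 21, "transport": "tcp", "product": "vsftpd",
     "version": "3.0.3", "data": "220 (vsFTPd 3.0.3)"},
    {"ip_str": "203.0.113.11", "port": 3306, "transport": "tcp", "product": "MySQL",
     "version": "5.7.33", "data": "..."},
    {"ip_str": "203.0.113.12", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "version": "8.9", "data": "SSH-2.0-OpenSSH_8.9"},
]

if __name__ == "__main__":
    for target, notes in triage_results(SAMPLE_MATCHES).items():
        print(target)
        for note in notes:
            print("  -", note)
```

Run it as-is to see the constructed sample triaged; call `scan_range("YOUR.IP.RANGE/24")` with a key to triage your own range. The classifier only raises the questions the guide tells you to ask (is this port needed, is this version current, has this certificate expired); deciding what to close or patch remains a manual review.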

Example of Shodan Monitor Dashboard

Setting up Shodan Monitor:

Shodan offers a monitoring service, Shodan Monitor, that allows members to continuously monitor their internet-facing assets. This service is designed to help you maintain ongoing awareness of your network's security status by sending notifications when various security-related issues are identified. Remember that you can monitor only up to 16 assets with a standard membership. This cap includes IPs, domains, and entities identified through search queries. If the number of monitored assets exceeds the limit due to dynamic updates (e.g., new subdomains or IPs discovered), your monitor may temporarily pause or return an error. Managing and prioritizing the assets you wish to monitor actively is crucial.

  1. Access Shodan Monitor: Navigate to Shodan Monitor.

  2. Add Monitoring Targets:

    • IP Addresses/Network Ranges: Add specific IPs or entire network ranges representing your internet-facing infrastructure.

    • Domains: Enter your business domain to monitor the primary domain, associated IP, and related subdomains automatically.

    • Configure Search Queries: Set up custom search queries that reflect your specific security concerns (e.g., searching for outdated software or unauthorized open ports).


Wrapping Up: Best Practices for Security Hygiene

Here are some strategies to consider based on the findings you may encounter on Shodan. If any of these items are outside your expertise, engaging professional services, such as those offered by CCI, to audit and fortify your network is always an option!

  • Verification and Reduction: Assess the necessity of each service and port discovered on your devices. To minimize exposure, unnecessary services and ports should be disabled. Strive to limit the number of devices and services accessible via the Internet.

  • Securing Configurations: Default credentials must be replaced with strong, unique passwords, and configurations should be hardened against attacks.

  • Routine Audits: Perform regular security audits and penetration tests to gauge the strength of your defenses.

  • Updates and Security: Keep all software current and apply secure configurations.

    • Prioritization of Findings: Tackle critical and high-severity vulnerabilities promptly, considering their potential impact and exposure.

    • Patch Management: Apply patches expediently for any services flagged as outdated or vulnerable.

  • Consistent Monitoring: Use Shodan Monitor to periodically monitor your network's exposure to quickly identify new or altered vulnerabilities.

  • Network Configuration Management: In relevant environments, evaluate and adjust firewall rules and network segmentation to reduce business exposure.

Final Thoughts

This guide is intended as an introductory resource. Shodan can be an extremely valuable tool, and this guide only scratches the surface of its capabilities. The help documentation provides more information on how to use Shodan.

Shodan can provide invaluable insights into a small business's online presence and potential vulnerabilities. If you need additional support, consider contacting cybersecurity professionals to conduct a deeper analysis of your environment and develop defensive strategies for your specific use cases.

At the Center for Cyber Intelligence, we have over 15 years of cybersecurity expertise and a commitment to providing accessible, clear guidance to make cybersecurity achievable for small businesses like yours. Don't wait until it's too late—secure your business today and gain peace of mind knowing that a partnership with CCI will fast-track you to protecting the company you worked so hard to build.


Chris Cooley

Navigating Cybersecurity for SMBs: The Strategic Advantage of Virtual CISO Services

Explore the transformative power of Virtual CISOs (vCISOs) through CCI's tailored cybersecurity services for small businesses. Our vCISO services provide expert-level security strategies, ensuring compliance and robust defense against evolving threats—all at a fraction of the cost of in-house executives. Secure your business's future with CCI’s flexible, cost-effective solutions.

The emergence of virtual Chief Information Security Officers (vCISOs) is revolutionizing cybersecurity for small and medium-sized businesses (SMBs). At the Center for Cyber Intelligence (CCI), we offer a unique vCISO service specifically designed for small organizations. Our vCISO service provides premier security expertise, enabling small organizations to fortify their cybersecurity landscape without the overhead of hiring a full-time executive. We understand the challenges SMBs face with limited resources and increasingly sophisticated cyber threats, and our vCISO service is here to help.

Our virtual CISO services empower businesses like yours to dynamically scale cybersecurity measures in line with operational growth and evolving threat environments. By engaging with CCI's vCISO service, small businesses gain a sense of security and preparedness, benefiting from tailored security strategies and best practices drawn from across the industry without geographic limitations. This approach enhances their security posture and ensures compliance with relevant regulations, preparing them to counter current and emerging cyber threats effectively.

CCI's vCISO services offer flexible and cost-effective access to talent that is capable of addressing specific challenges on an on-demand basis. This model supports the needs of continuous risk assessments, compliance reviews, and cybersecurity training, all integral to maintaining robust cybersecurity defenses. With CCI's vCISO services, businesses like yours can enhance their cybersecurity measures without breaking the bank.

Don't wait for a cyber threat to strike. Take a proactive step towards enhancing your cybersecurity by partnering with CCI. Our services can transform your cybersecurity approach and ensure that the business you worked so hard to build remains resilient against the evolving landscape of cyber threats. For more information about how a vCISO can benefit your business, contact us here.

Data Breach | Chris Cooley

Microsoft BlueBleed | Security Research Resources

On October 19, 2022, security researchers at SOCRadar announced they had identified sensitive data associated with 65,000 entities that was publicly exposed because of a misconfigured Microsoft server. This event has been dubbed "BlueBleed." This data leak reportedly includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property. The Center for Cyber Intelligence is compiling a list of resources and information to aid in security research investigations related to this event.

Last Updated: October 27, 2022 - 12:15pm EST


On October 19, 2022, security researchers at SOCRadar announced they had identified sensitive data associated with 65,000 entities that was publicly exposed because of a misconfigured Microsoft server. This data leak reportedly includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property. SOCRadar has published additional information about their findings here.

The misconfiguration was reported to Microsoft and resolved on September 24th, 2022. However, according to researchers at SOCRadar, the data is suspected to have been public-facing for multiple years. The general consensus thus far has been that you will know if you are impacted by BlueBleed: Microsoft has reportedly sent a notification to all impacted entities via the Microsoft Admin portal.

Microsoft’s announcement of this event can be found here. This post has also been archived here.

Due to the limited information available from Microsoft, CCI wanted to consolidate some resources we have identified that may aid in your investigation into this event. We will update this article as more information becomes available.

Please Note: We cannot provide any specific data associated with this event. We do not have access to any data related to this event. The information referenced within this article is derived from open sources.

Resources:

  • BlueBleed Search Engine: Organizations may check to see if they may have been impacted by the BlueBleed leak using SOCRadar’s “BlueBleed Search Engine.” The BlueBleed search will only show if a domain name was detected in the data leak or not. The search engine does not provide any other details about the searched domain names. Further, SOCRadar does not have access to the data identified within the BlueBleed data leak and encourages any suspected impacted users or organizations to reach out directly to Microsoft for more information regarding the scope of potential impact.

  • Grayhatwarfare Bucket Discovery: Security practitioner Kevin Beaumont identified at least one bucket named "olyympusv2.blob.core.windows.net" that has been publicly indexed on Grayhatwarfare. To access this link, you may require a Premium or Enterprise-level subscription to Grayhatwarfare.

  • BlueBleed Metadata - This file contains information identified and made public by Kevin Beaumont. This file contains the list of filenames across the Azure Storage blobs that are identified as being included in the BlueBleed event. This is not an exhaustive list of information exposed. Within this file, you will note several types of file extensions such as .msg (email threads), .pdf, .doc, etc. There are also .bak files (MS SQL server backups) - these files contain database tables that may include additional sensitive information. Columns in the file provided by Kevin are:

    • filenamefullPath

    • url

    • size (bytes)

    • lastModified

    You can search this file for information related to your organization. However, as the buckets/blobs are now closed to the public, the links to any files will almost certainly not work. We suggest approaching Microsoft with the names of the files identified as being associated with your organization to aid in your efforts to persuade Microsoft to provide further details about the potential impact caused to your organization.

    I have downloaded a copy of this file - if the link above no longer works, please reach out to me at chris.cooley@centerforcyberintelligence.org and I will provide a copy of the information to you.
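To work through the metadata file described above, here is an added example; it is not a tool from the post's author, from Kevin Beaumont, or from SOCRadar. It assumes the file is a CSV whose header row uses the four column names listed in the post, which is an assumption about the format rather than a documented fact. The rows embedded in the script are constructed placeholders, not BlueBleed data, and use the reserved `.invalid` domain for URLs. It searches the path and URL columns for your organisation's name, then summarises the matches by file extension, flags `.bak` files, and totals the sizes, which is the kind of list the post suggests bringing to Microsoft.

```python
"""Search a BlueBleed-style metadata file for your organisation's name.

Added example, not tooling from the post, Kevin Beaumont, or SOCRadar.
Assumes a CSV with a header row of the four columns named in the post:
filenamefullPath, url, size (bytes), lastModified. Sample rows are
constructed for illustration and contain no real BlueBleed data.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

# Extensions the post singles out as worth a closer look.
NOTABLE_EXTENSIONS = {
    ".bak": "MS SQL backup; may contain whole database tables",
    ".msg": "Outlook email thread",
    ".pdf": "document",
    ".doc": "document",
    ".docx": "document",
}


def extension_of(path: str) -> str:
    """Lower-case extension of a path, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_metadata(text: str) -> List[Dict[str, str]]:
    """Parse the CSV text into row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_org_rows(rows: List[Dict[str, str]], keyword: str) -> List[Dict[str, str]]:
    """Rows whose path or URL mention the keyword (case-insensitive substring match)."""
    k = keyword.lower()
    return [r for r in rows
            if k in r["filenamefullPath"].lower() or k in r["url"].lower()]


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Count matched files by extension, flag .bak backups, and total the bytes."""
    by_ext = Counter(extension_of(r["filenamefullPath"]) for r in rows)
    total = sum(int(r["size (bytes)"]) for r in rows)
    backups = [r["filenamefullPath"] for r in rows
               if extension_of(r["filenamefullPath"]) == ".bak"]
    return {"count": len(rows), "by_extension": dict(by_ext),
            "total_bytes": total, "backups": backups}


def search_file(text: str, keyword: str) -> Dict[str, object]:
    """Parse, filter for the organisation keyword, and summarise in one call."""
    return summarize(find_org_rows(parse_metadata(text), keyword))


# Constructed sample (placeholder names and the reserved .invalid domain).
SAMPLE_CSV = """filenamefullPath,url,size (bytes),lastModified
customers/ExampleCorp/SOW-2019.pdf,https://example-storage.invalid/c/ExampleCorp/SOW-2019.pdf,48211,2019-03-04T10:00:00Z
customers/ExampleCorp/orders/Q3.msg,https://example-storage.invalid/c/ExampleCorp/orders/Q3.msg,12090,2020-08-12T08:30:00Z
customers/ExampleCorp/db/crm.bak,https://example-storage.invalid/c/ExampleCorp/db/crm.bak,734003200,2021-01-20T23:59:00Z
customers/OtherCo/PoE.docx,https://example-storage.invalid/c/OtherCo/PoE.docx,20111,2018-11-01T12:00:00Z
"""

if __name__ == "__main__":
    result = search_file(SAMPLE_CSV, "examplecorp")
    print(result)
    for ext, count in result["by_extension"].items():
        print(f"{ext}: {count} file(s); {NOTABLE_EXTENSIONS.get(ext, 'other')}")
```

To use it on the real file, read it from disk and pass the text to `search_file` with your organisation's name or domain; a filename match is only a lead, since the post notes the file is not exhaustive and the links it contains no longer resolve.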

 

Recommended Actions:

The Center for Cyber Intelligence recommends any organizations suspected of being impacted check the Microsoft Admin Portal for a message containing the references MC442408 or MC442057 and the subject “Investigation Regarding Misconfigured Microsoft Storage Location.”

Some reporting indicates the message ID will imply whether Microsoft is providing you with detailed information regarding your potential exposure:

  • MC442057: Microsoft indicates that they are unable to provide you with detailed information.

  • MC442048: Microsoft has potentially provided you with a copy of your data.

If you received a notification, CCI recommends:

  • Request the affected data from Microsoft via your admin portal if you have not already received it. Feel free to use filenames you may have identified from the resources here as leverage.

  • If possible, identify impacted persons and warn and educate users about the threat of spear phishing. We believe that the disclosed information could be leveraged by a malicious actor to craft very targeted and realistic spear phishing attacks.

We will update this post as more information becomes available.

FBI Flash | Chris Cooley

Cyber Actors Target Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses

Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly. The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.


*Note: This information is provided by the FBI to assist cyber security specialists in protecting against the persistent malicious actions of cyber criminals. The CCI is happy to share this information to further information sharing initiatives. The information is provided without any guarantee or warranty and is for use at the sole discretion of the recipients.

TLP: WHITE

This FLASH Report is an update to the report the FBI released on 14 October 2020, Alert Number MU-000136-MW. The FLASH has been updated to include additional technical details and a blog post by SonarQube addressing this issue.

Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly. The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.

On 31 July 2020, SonarQube released a blog post addressing this issue, which can be accessed at https://blog.sonarsource.com/public-response-code-leaks

Download FBI Flash

The FBI encourages the reporting of information related to suspicious or criminal activity to your local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. CyWatch can be contacted by phone at (855) 292-3937 or by email at CyWatch@fbi.gov.

By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

CISA | Chris Cooley

Holiday Online Shopping Tips

The 2020 holiday season is prime time for hackers, scammers, and cyber criminals. This year, likely more Americans than ever will be online looking for the best gifts and Cyber Monday deals while trying to avoid the crowds due to the COVID-19 pandemic. Cyber criminals have been gearing up for this occasion for months now and are looking to take advantage of unsuspecting shoppers. Their primary goal is to steal personal and financial information and they will primarily use fake websites or charities.

The 2020 holiday season is prime time for hackers, scammers, and cyber criminals.

This year, likely more Americans than ever will be online looking for the best gifts and Cyber Monday deals while trying to avoid the crowds due to the COVID-19 pandemic. Cyber criminals have been gearing up for this occasion for months now and are looking to take advantage of unsuspecting shoppers. Their primary goal is to steal personal and financial information and they will primarily use fake websites or charities.  

The best defense against these threats is awareness. There are a few simple steps we all can take to be more secure before and after we shop.

The Cybersecurity and Infrastructure Security Agency (CISA) published some awesome tips for those looking to steal some serious deals online this holiday season. You can download their Holiday Online Safety guide here.

  1. Check Your Devices: Before making any online purchases, make sure the device you’re using to shop online is up-to-date. Next, take a look at your accounts and ask, do they each have strong passwords? And even better, if two-factor authentication is available, are you using it?

  2. Only Shop Through Trusted Sources: Think about how you’re searching online. Are you searching from home, on public Wi-Fi? How are you finding the deals? Are you clicking on links in emails? Going to trusted vendors? Clicking on ads on webpages? You wouldn’t go into a store with boarded-up windows and no signage; the same rules apply online. If it looks suspicious, something’s probably not right.

  3. Use Safe Methods for Purchases: If you’re going to make that purchase, what information are you handing over? Before providing personal or financial information, check the website’s privacy policy. Make sure you understand how your information will be stored and used.

Be safe and remain vigilant this holiday season! More information about holiday and online shopping safety can be found on the CISA website at: cisa.gov/shop-safely

FBI Flash | Chris Cooley

Indicators of Compromise Associated with Ragnar Locker Ransomware

On 20 November, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published an FBI Flash (Alert MU-000140-MW) disclosing a number of IOCs associated with Ragnar Locker Ransomware.


*Note: This information is provided by the FBI to assist cyber security specialists in protecting against the persistent malicious actions of cyber criminals. The CCI is happy to share this information to further information sharing initiatives. The information is provided without any guarantee or warranty and is for use at the sole discretion of the recipients.

TLP: WHITE

On 20 November, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published an FBI Flash (Alert MU-000140-MW) disclosing a number of IOCs associated with Ragnar Locker Ransomware.

The FBI first observed Ragnar Locker ransomware in April 2020, when unknown actors used it to encrypt a large corporation’s files for an approximately $11 million ransom and threatened to release 10 TB of sensitive company data. Since then, Ragnar Locker has been deployed against an increasing list of victims, including cloud service providers, communication, construction, travel, and enterprise software companies. The FBI is providing details of Ragnar Locker ransomware to assist with understanding the code and identifying the activity. Ragnar Locker actors first obtain access to a victim’s network and perform reconnaissance to locate network resources, backups, or other sensitive files for data exfiltration. In the final stage of the attack, actors manually deploy the ransomware, encrypting the victim’s data.

Download FBI Flash

If you find any of these indicators on your networks or have related information, please contact FBI CYWATCH immediately.

  • Email: cywatch@fbi.gov

  • Phone: 1-855-292-3937

Reporting related information to FBI CyWatch helps the FBI track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

FBI PSA | Chris Cooley

Spoofed FBI Internet Domains Pose Cyber and Disinformation Risks


Questions regarding this PSA should be directed to your local FBI Field Office. The CCI encourages the public to report information concerning suspicious or criminal activity to their local FBI field office (www.fbi.gov/contact-us/fieldoffices) or the FBI’s Internet Crime Complaint Center (www.ic3.gov).

Local Field Office Locations: www.fbi.gov/contactus/field-office

On 23 November 2020, the Federal Bureau of Investigation (FBI) issued an announcement to help the public recognize and avoid spoofed FBI-related Internet domains. The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity. The FBI’s main official website is www.fbi.gov.

Spoofed domains and email accounts are leveraged by foreign actors and cybercriminals and can easily be mistaken for legitimate websites or emails. Adversaries can use spoofed domains and email accounts to disseminate false information; gather valid usernames, passwords, and email addresses; collect personally identifiable information; and spread malware, leading to further compromises and potential financial losses.

Cyber actors create spoofed domains with slightly altered characteristics of legitimate domains. A spoofed domain may feature an alternate spelling of a word or use an alternative top-level domain, such as a “[.]com” version of a legitimate “[.]gov” website. Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.

The FBI urges all members of the American public to critically evaluate the websites they visit, and the messages sent to their personal and business email accounts, to seek out reliable and verified FBI information.

The FBI Public Service Announcement, available for download, includes the list of identified spoofed FBI-related Internet domains.
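As an added example (this is not code from the FBI PSA or from this post), the following Python script turns the patterns the announcement describes into a triage check: it refangs indicators written in the “[.]” style used above, then flags candidate hostnames that reuse the legitimate label under a different top-level domain or differ from it by a confusable character or a single-character edit. It goes slightly beyond the PSA’s two patterns by also catching hyphenated and embedded-subdomain variants (fbi-gov.com, fbi.gov.example.com). The only legitimate domain it knows is fbi.gov, the site the PSA names; the candidate names, the DNS log lines and the small confusables table are constructed for this example and are not the PSA’s list of observed spoofed domains.

```python
"""Lookalike-domain triage for spoofed FBI domains (added example, not the PSA's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The only legitimate domain this example protects is the one the PSA names.
LEGIT_DOMAINS = ["fbi.gov"]

# Minimal Latin-script confusables table (assumption for this example; a
# production tool would load the Unicode confusables data instead).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "i", "l": "i"}

# Constructed DNS query log for the demo; these names are NOT taken from the PSA.
SAMPLE_DNS_LOG = """\
2020-11-23T10:01:05Z client=10.0.0.12 query=www.fbi.gov type=A
2020-11-23T10:02:17Z client=10.0.0.12 query=fbi.com type=A
2020-11-23T10:03:40Z client=10.0.0.31 query=fbl.gov type=A
2020-11-23T10:04:02Z client=10.0.0.31 query=fbi-gov.com type=A
2020-11-23T10:05:55Z client=10.0.0.44 query=example.org type=A
"""


@dataclass
class Verdict:
    candidate: str          # refanged, lowercased hostname
    matched: Optional[str]  # legitimate domain it resembles, if any
    reason: str             # legitimate | embedded | tld_swap | hyphenated | confusable | typo | unrelated


def refang(indicator: str) -> str:
    """Normalise a defanged indicator (hxxp://fbi[.]gov/x) to a plain hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://|^https?://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return host.split("/")[0].rstrip(".")


def split_domain(host: str) -> Tuple[str, str]:
    """Return (registrable label, TLD). Naive: last label is the TLD (no public-suffix list)."""
    labels = host.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")


def skeleton(label: str) -> str:
    """Collapse confusable characters so fbl / fb1 / fbi all compare equal."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typos of the label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(indicator: str, legit_domains: List[str] = LEGIT_DOMAINS, max_edits: int = 1) -> Verdict:
    """Decide whether a hostname is the real domain, a lookalike, or unrelated."""
    host = refang(indicator)
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return Verdict(host, legit, "legitimate")
    c_label, c_tld = split_domain(host)
    for legit in legit_domains:
        l_label, l_tld = split_domain(legit)
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return Verdict(host, legit, "embedded")      # fbi.gov.example.com
        if c_label == l_label and c_tld != l_tld:
            return Verdict(host, legit, "tld_swap")      # the PSA's fbi[.]com case
        if c_label != l_label and l_label in c_label.split("-"):
            return Verdict(host, legit, "hyphenated")    # fbi-gov.com
        if c_label != l_label and skeleton(c_label) == skeleton(l_label):
            return Verdict(host, legit, "confusable")    # fbl.gov
        if c_label != l_label and levenshtein(c_label, l_label) <= max_edits:
            return Verdict(host, legit, "typo")          # fbii.gov
    return Verdict(host, None, "unrelated")


def find_suspects(log_lines: List[str]) -> List[Verdict]:
    """Run classify() over the query=<name> field of each log line and keep only lookalikes."""
    suspects = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)
        if m:
            verdict = classify(m.group(1))
            if verdict.reason not in ("legitimate", "unrelated"):
                suspects.append(verdict)
    return suspects


if __name__ == "__main__":
    for v in find_suspects(SAMPLE_DNS_LOG.splitlines()):
        print(f"{v.candidate:<20} {v.reason:<11} looks like {v.matched}")
```

The TLD split is deliberately naive (last label only); a real deployment should use the public suffix list so that multi-label suffixes are handled, and should feed the classifier from newly registered domain feeds or certificate transparency logs rather than only from resolver logs after a user has already visited the site.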

FBI Flash | Chris Cooley

Indicators of Compromise Pertaining to Iranian Interference in the 2020 US Presidential Election


TLP: WHITE

On 22 October 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (Alert AA20-296B) warning that Iranian advanced persistent threat (APT) actors are likely intent on influencing and interfering with the U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. APT actors are creating fictitious media sites and spoofing legitimate media sites to spread anti-American propaganda and misinformation about voter suppression.

The Cybersecurity Advisory followed a joint press conference from the Director of National Intelligence (DNI) and FBI Director on election security, alerting the American public that Iran had taken specific actions to influence public opinion relating to the 2020 U.S. Presidential Election.

The FBI is now providing a list of indicators of compromise (IOCs) pertaining to a threat group, assessed to be located in Iran, conducting operations aimed at influencing and interfering in the 2020 U.S. Presidential Election.

Download FBI Flash

Chris Cooley

Words of Estimative Probability | A Threat Intelligence Reference


In this publication, we propose that threat intelligence analysts tend to shy away from language that enables a quantifiable assessment based on professional observations. While quantifiable, “matter of fact” statements are digested quickly and confidently into decision-making processes, we believe that analysts’ reluctance to use this type of language stems from a fear of being wrong: for example, an analyst may fear being held responsible for a negative outcome of a decision made on the basis of the information in a provided assessment or intelligence product.

Day to day, business leaders must navigate many risks, of which security is just one input to their decision-making process. These decision-makers seek high-quality “bottom line up front” intelligence products to inform their risk-based decisions. As intelligence professionals, we must deliver on this expectation, leaving little to no room for consumer questions. The easier it is for a threat intelligence analyst to convey their message and align their language with a commonly used lexicon, the more effective they will be at their job.

This analytical reference seeks to:

  • Establish the case for adding quantitative language and confidence measures to analytical statements.

  • Establish a working standard for Words of Estimative Probability for the Cyber Intelligence industry.

The full publication is available to download and read for free.
