Chapter 1
Security Mindset

In this book we are going to introduce you to the things you need to know to better protect your workplace and your home from technology-related security attacks (cybersecurity). The best way to start is to understand our enemies. Later in the book we will examine what they may try to do and how we can protect ourselves.

To understand our enemies, we should put ourselves into their minds and understand their motivations, objectives, and techniques. Once we understand the adversary, we should think a little bit about ourselves. Where and when are we vulnerable? How do we make ourselves more vulnerable? What habits do we have that make the attackers’ jobs easier? How can we change some of those habits, and improve our security?

This chapter describes these topics by (1) considering the motivations of the hackers who attack us; (2) introducing malware (i.e., malicious software) and techniques that attackers use; (3) defining a “security mindset” that we should use in thinking about how to protect ourselves; and (4) introducing how security professionals think about security. By being security aware, we can understand what it is we do that attackers are looking to exploit.

What Do Hackers Want?

At the end of the day hackers are people, too. They are computer-literate people who use computers to accomplish some goal they may think is “right,” whether that means making money from cybercrime, pursuing an activist cause that is important to them, or simply doing what they know is wrong. Other hackers are security professionals working to support the interests of their country, which may be at odds with the interests of our country. There are lots of motivations out there. The following list characterizes five types of hacker threats that are common on today’s internet:

Commodity threats consist of automated cyberattacks that hackers place “out there” to constantly scan the internet looking for vulnerable computers and devices to compromise. These attacks install malware on insecure computers through exposed vulnerable services, malicious websites, or e-mails, but without a specific target, mission, or objective.

Hacktivists take control of computers and install malware to accomplish some activist political goal, or to promote a cause. The group “Anonymous” is a good example, drawing attention to causes or issues the group considers to be important.

Organized crime performs hacking to make money. It might make money by selling stolen information or access to computers to other groups, like nation-states or hacktivists. It might also make money by using stolen credit cards or medical records to perform fraudulent transactions that directly make them a profit.

Espionage involves using hacking to further the interests of a corporate competitor or a foreign adversary. Espionage might include stealing corporate trade secrets and customer information or shutting down online services or manufacturing plants.

Cyberwar involves using hacking to support national interests against a foreign country. Cyberwar might include stealing national security information, disabling foreign computers, or attacking infrastructure like the electric power grid.

Of the above threats, espionage and cyberwar are perhaps the most devastating in their nature, as some nations have no qualms about wiping out hundreds or thousands of computers at their targets. For example, the attacks on Saudi Aramco and Sony Pictures disabled tens of thousands of computers, and were ultimately attributed to nation-state attackers. However, even hacktivism and cybercrime can be devastating, as we have seen through ransomware campaigns that took out entire medical networks or shut down manufacturing plants.

What Is at Stake Here?

Over the past several decades, there have been thousands of breaches encompassing billions of records containing personal information of people worldwide. These records have included names, addresses, phone numbers, social security numbers, credit card accounts, banking accounts, and health care information. How often have we been sent replacement credit cards in the mail because our information had been compromised? Figure 1.1 shows some of the most recent large breaches, based on the numbers of compromised records.

Figure 1.1: Breaches have exposed millions and millions of records.

Some of these breaches involved credit card numbers or banking information and were most likely perpetrated by cybercriminals looking to use that information for fraudulent transactions. Other breaches involved usernames and passwords and may have been performed by hackers looking to use those passwords to access other, more profitable, accounts (since people often reuse passwords across multiple online accounts). Other breaches involved health care information, which tends to be a treasure trove of highly personal data as well as financial details. Finally, some breaches involved potentially embarrassing personal information that could be used to blackmail individuals to get their cooperation. Here are some headlines regarding cyber breaches:

Cable News Network (CNN), May 2016: “… LinkedIn was hacked four years ago … initially seemed to be a theft of 6.5 million passwords … turned out to be 117 million …”

Hindustan Times (Major Indian English News Website), July 2017: “… details of over a million Aadhaar numbers published on Jharkhand govt website … personal details are now freely available.”

Forbes Magazine, March 2018: “Equifax’s Enormous Data Breach Just Got Even Bigger … brings the total to 147.9 million Americans ... driver’s license number revealed … social security number exposed …”

Fortune Magazine, June 2018: “... NameTest left the data of 120 million Facebook users exposed online for years …”

GBHackers on Security (Cybersecurity Blog), August 2018: “Firebase Vulnerability Leaks 100 Million Sensitive Records – 2,300 Firebase Databases & 3,000 iOS and Android Apps Affected”

How Has Malware Evolved?

Cyberattackers generally accomplish their goals using malware. Malware is software that is designed to accomplish some nefarious goal, like giving someone remote control of a computer, or extracting usernames, passwords, credit card numbers, or other sensitive information from that computer. Over time, malware has gotten smarter, more sophisticated, and more capable. Figure 1.2 visualizes how malware has evolved over time to gain new capabilities and become more destructive.

Figure 1.2: Malware evolves to become more sophisticated and destructive.

Some highlights of these different types of malware and their objectives are as follows:

Static viruses embed themselves in computer programs or in the computer’s boot (startup) process, but they require human intervention (for example, running an infected program or booting from an infected disk) to propagate, that is, to replicate themselves and spread like a disease from computer to computer.

Network viruses use the network to propagate from one computer to another and may be able to spread without human intervention.

Trojans and worms are standalone programs that do not need a “carrier” program the way viruses do. A Trojan masquerades as legitimate software that the victim is tricked into installing; a worm propagates from computer to computer on its own, and either kind can persist on the victim computer without help from a host program.

Botnet malware reports back to a controller network and enables the victim computer to be used as part of a larger “botnet” consisting of thousands or millions of computers all working together.

Remote control malware permits the attacker to remotely control the victim computer, generally despite security controls like antivirus software or firewalls.

Adware and clickware cause the victim computer to display or “click on” advertisements supporting the attacker, generating revenue from advertising fraud.

Ransomware encrypts the files on the victim computer, demanding the victim pay a ransom (typically several hundred dollars) to get back access to their computer and its files.

Cryptojacking malware uses the victim computer’s processing power to “mine” cryptocurrency (e.g., bitcoin) on behalf of the attacker, indirectly generating revenue for them at the victim’s expense in electricity and performance.

Automated malware can persist and propagate across a network on its own, potentially infecting more and more computers within a target organization, after the first machine is infected.

Customized malware is tailored to each victim, or changes itself as it propagates (so-called polymorphic malware), so it cannot be easily caught by antivirus software or traditional network security mechanisms that rely on recognizing known samples.

Embedded malware installs itself into the “firmware” of network-connected devices or computers, or is already installed from the factory, making the devices almost impossible to “clean up.”

Attackers use malware to accomplish their goals of promoting causes, making money, or supporting their nations’ interests. Over time, more sophisticated malware capabilities and techniques have become more commonplace, with static viruses being replaced by network viruses and Trojans, and so on. Today, it is not uncommon to run across cheap, network-connected devices that are compromised at the factory, or malware-infected applications in popular mobile app stores.

The Security Mindset

A security mindset is a way of looking at the world “through the eyes of the attackers” to see how they may seek to exploit the world to their advantage. Security attackers are generally smart, capable people whose interests run counter to ours. In short, they want to exploit what we want to protect. Isn’t this illegal? Frequently, it is. The problem is that these activities are hard to trace and often cross national boundaries, making legal investigation and prosecution difficult, if not impossible.

To understand the security mindset, we should ask ourselves the following questions:

What do we possess that is valuable, like our personal information, our financial information, or our company data?

What potential attackers might be interested in valuable data or capability? Attackers might include hackers, hacktivists, criminals, competitors, or foreign countries.

How do we make ourselves vulnerable to attack by using our computers to surf the web, open e-mails, or share data with others?

What can we do to make ourselves more resistant to attack by protecting access to our data, access to our computers, or access to our networks?

What can we do to detect if we are targeted by an attacker or if an attacker has gained access to our accounts, networks, or computers?

What can we do to reduce the impact of an attack or enable ourselves to recover in the event an attack against us succeeds?

If the worst should occur—attackers get ahold of all of our computer data and destroy our access to it as well—how would we clean up the mess and recover?

By considering these questions, we can get inside the mind of the attacker, and think about how things could go wrong and how it might affect us. As the adage goes, “hope for the best but prepare for the worst.” When we adopt a security mindset, we think about the things that could go wrong and what we can do to reduce their likelihood, or their impact.

A security mindset involves thinking like an adversary who does not play by the rules and is willing to cheat.

Security Awareness

Building upon the security mindset, security awareness involves thinking about how our activities affect our security posture, every day. We need to understand that actions we take and decisions we make every day can increase or decrease the chance of a successful cyberattack against us, our families, or our companies.

When we are security aware, we are thinking about the security consequences of our actions, and asking ourselves, “Is the benefit of this action worth the potential cyber risk?” We should apply this question on a continuous basis, thinking about what could potentially go wrong and how prepared we are to handle that contingency. Some examples of security awareness include the following:

Keeping personal computing and work computing separate, so the compromise of one won’t have consequences for the other.

Not allowing family members to use your work computer at all, or at least carefully supervising their activities.

Not opening web links or attachments from people you do not know.

Understanding that if the FBI thinks you are doing something wrong on your computer, they are not going to let you know via e-mail or a pop-up window.

Understanding that offers of free money sent to you via e-mail from people you do not know probably are not real.

Thinking twice about allowing your house guests or friends to use your computers or networks.

Securing your wireless network, so the neighbors cannot use it, however nice or well-intentioned your neighbors may be.

“Locking down” computers and devices to be used by children, so they cannot install their own software or go to “bad” websites.

Understanding that software licenses, gaming accounts, and game currencies have value to attackers and could be targeted.

Knowing that when you are traveling, you are vulnerable, and your computers and data are more easily targeted than they are at home.

Having backups of everything, and multiple backups of your most important data, to guard against all the things that can go wrong.

By adopting a security mindset, and being security aware in everything we do, we can reduce the chances of things going wrong, as well as the consequences when they do. By doing this, we are protecting ourselves, our families, and our company from the cyberattacks that will occur.

Security awareness applies to us when we are at work, at home, and on travel.

How Do Security Professionals Think about Security?

When security professionals talk about security, they tend to speak in terms of risk. Is your computer secure? Well, that depends. A computer sealed in a lead box in a bank vault protected by security guards is probably secure, but it also may not be useful. On the other hand, a computer that is powered up and sitting on your lap at the coffee shop is probably useful but may not be secure. The challenge is to find a balance between these two extremes, where your valuables are protected while also remaining useful. Security professionals find this balance by conducting a risk analysis.

Risk analysis typically involves performing several activities according to a security risk management process. Figure 1.3 depicts a highly simplified process that uses assets, vulnerabilities, and threats to identify risk, and then implements countermeasures to reduce the risk.2

Figure 1.3: Simplified risk management process.

Assets, vulnerabilities, threats, risk, and countermeasures are defined as follows:

An asset is anything of value to you or an attacker. For example, personal information such as your social security number is an asset, your computer is an asset, and your home is an asset.

A vulnerability is a weakness that an attacker exploits to harm one or more assets you care about. For example, your computer operating system may have a vulnerability due to a missing software patch.

A threat is the way an attacker exploits a vulnerability to cause damage to your assets. For example, a threat is a computer virus infecting your computer due to a missing software patch.

A risk is the potential for damage to an asset. For example, a risk is a compromised computer that an attacker uses to damage one or more of your assets or steal your personal information.

A countermeasure is a security protection designed to reduce vulnerabilities, threats, and risk. For example, antivirus software may reduce the risk of missing software patches by catching malware that has been installed onto your computer.
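To make the process in Figure 1.3 concrete, here is a small risk register that walks through it end to end. This is an added example written for this chapter, not code from the book or any product; the 1–3 scale for each factor and the formula risk = asset value × residual exploitability × threat likelihood are simplifying assumptions chosen for illustration, not an industry standard. The sample assets, vulnerabilities, threats, and countermeasures are constructed and mirror the chapter's own examples (a missing patch, a reused password, an open wireless network).

```python
# Toy risk register for the simplified risk management process:
# assets + vulnerabilities + threats -> risk, then countermeasures reduce it.
# Example code added for illustration; scoring scale is an assumption.
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    value: str           # "low" | "medium" | "high": impact if the asset is harmed


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str           # name of the Asset this weakness exposes
    exploitability: str  # how easily an attacker can exploit it


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: str   # name of the Vulnerability the threat exploits
    likelihood: str      # how likely an attacker is to attempt it


@dataclass(frozen=True)
class Countermeasure:
    name: str
    vulnerability: str   # which vulnerability it addresses
    reduces_by: int      # exploitability levels removed (3 = eliminates it)


def risk_score(threat, vulns, assets, countermeasures=()):
    """Risk = asset value x residual exploitability x threat likelihood (0..27)."""
    vuln = vulns[threat.vulnerability]
    asset = assets[vuln.asset]
    exploitability = LEVEL[vuln.exploitability]
    # Each applicable countermeasure lowers how exploitable the weakness is.
    for cm in countermeasures:
        if cm.vulnerability == vuln.name:
            exploitability -= cm.reduces_by
    exploitability = max(exploitability, 0)
    return LEVEL[asset.value] * exploitability * LEVEL[threat.likelihood]


def rank_risks(threats, vulns, assets, countermeasures=()):
    """Return (threat name, score) pairs, highest residual risk first."""
    scored = [(t.name, risk_score(t, vulns, assets, countermeasures)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (not real data) mirroring the chapter's examples.
ASSETS = {a.name: a for a in [
    Asset("laptop", "high"),
    Asset("social security number", "high"),
    Asset("home wifi", "medium"),
]}
VULNS = {v.name: v for v in [
    Vulnerability("missing OS patch", "laptop", "high"),
    Vulnerability("reused password", "social security number", "medium"),
    Vulnerability("open wireless network", "home wifi", "high"),
]}
THREATS = [
    Threat("virus infects laptop", "missing OS patch", "high"),
    Threat("credential stuffing on tax account", "reused password", "medium"),
    Threat("neighbor uses wifi", "open wireless network", "low"),
]
PATCH = Countermeasure("install OS patch", "missing OS patch", 3)
ANTIVIRUS = Countermeasure("antivirus", "missing OS patch", 1)
WPA2 = Countermeasure("enable WPA2 with strong passphrase", "open wireless network", 3)

if __name__ == "__main__":
    print("before countermeasures:", rank_risks(THREATS, VULNS, ASSETS))
    print("antivirus only:        ", rank_risks(THREATS, VULNS, ASSETS, [ANTIVIRUS]))
    print("patch + WPA2:          ", rank_risks(THREATS, VULNS, ASSETS, [PATCH, WPA2]))
```

Running it shows the point the definitions above make: the missing patch is the top risk (27) because a high-value asset, an easily exploited weakness, and a likely threat all coincide; antivirus alone only lowers it to 18, while actually installing the patch removes that risk entirely and leaves the reused password as the highest remaining item. The ranking is what drives which countermeasure to implement next.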
