Cyber Security 101

Take Care of the Basics

Let's cover some fundamentals of cyber security. By understanding a few concepts and taking a few simple steps, you can make your system much more secure.

Here, the 80/20 rule applies in a big way. By expending 20% of the total effort it would take to make your system ultra-secure, you can improve your security by approximately 80%. That is to say, it only takes a little time and effort to make huge strides in security!

The rank-and-file PC/tablet/phone user isn't protecting national security, so these first simple steps go a long way toward making you the kind of target a hacker will pass up to move on to easier systems.

First you should understand one fundamental principle that applies to all cyber security efforts.

The Cyber Security Triangle

There is a long-standing precept in cyber security illustrated by this image. The triangle represents a continuum with three points: security, functionality, and convenience (or ease of use). Any given computer system designed with security in mind falls somewhere on this continuum. The red ball represents where on the continuum the system lies.

Consider making a system more secure, represented by the red ball moving toward security. When you do that, you're forced to lose some convenience and/or functionality. An example of this would be to make your password more complex. This makes your login less prone to cracking (more secure), but makes it harder to remember and enter (less convenient).

On the other hand, if you make the system more capable by adding more programs, you move the ball toward functionality, but security and ease of use are affected. Security is diminished because you've created more opportunities for a hacker to find a vulnerability, known as increasing the attack surface. More programs also mean the system is more complex, and therefore more difficult to use and master.

Why is this important?

If you make changes which improve your security, you can expect to make your system a little less convenient, and sometimes a little less capable. This is the price we pay for better security.

Most Common Exposures

So what are the ways we commonly expose ourselves to hackers?

Phishing (pronounced fishing)

Estimates vary, but somewhere around 90% of successful cyber attacks on personal or corporate systems are carried out by phishing.

What is phishing? It's the practice of including a link in an email that leads to an exploit if clicked. When you click the link, it takes you to a website where malware is instantly downloaded to your computer. Once this has been done, the malware executes, completing the infection and giving the hacker access to your system.

The perpetrator will do everything he can to make the infection invisible to you. Often, the infecting page won't display anything, but will quickly redirect you to a legitimate page. All you would see is a brief flash of the infecting page URL in the address bar before the legitimate page is loaded.

Solution: Don't click the link.

The best protection against phishing is prevention. Just don't click links which lead to the infection.

How do you avoid the bad links? The simplest way is to never click links included in emails at all. Of course, this is hardly a workable solution. We rely on email links to get things done--to see a friend's Facebook post, correct account details, make payments, etc.

So what can you do to avoid trouble?

  • Hover over the link. All common email programs show the destination URL when you hover.
    Examine the link closely, especially the spelling of the domain. If the link isn't a domain you recognize as appropriate, don't click it. In this example, since the link is to facebook.com, you shouldn't have to worry about it, but if the domain were, for example, faceboook.com (notice the extra 'o'), you'd avoid it.

    Special note: Phishing schemes are becoming much more sophisticated. The email often looks legitimate based on theme colors and images. The perpetrator may even conduct some research on you via online searches to make the email appear to be coming from a friend.
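
The hover check above can be automated for HTML mail. This added example (not part of the original article) reads each link's real destination and flags lookalike domains such as faceboook.com, as well as links whose visible text names a different site. The TRUSTED list, the 0.85 similarity cutoff and the sample email are assumptions constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: sites this reader really uses (constructed list for the example).
TRUSTED = ["facebook.com", "google.com", "paypal.com"]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site_of(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text):
    """Return warnings for one link; an empty list means nothing was flagged."""
    site = site_of(urlsplit(href).hostname or "")  # hostname skips any user@ prefix
    warnings = []
    if site not in TRUSTED:
        near = difflib.get_close_matches(site, TRUSTED, n=1, cutoff=0.85)
        warnings.append(f"lookalike of {near[0]}" if near else "unrecognized domain")
    if "." in text and " " not in text:  # visible text is itself a URL or hostname
        shown = site_of(urlsplit(text if "://" in text else "//" + text).hostname or "")
        if shown != site:
            warnings.append("text shows a different site")
    return warnings

def scan(html):
    """Check every link in an HTML body; returns [(href, warnings), ...]."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]

# Constructed sample: one genuine link, one lookalike dressed up as the real site.
SAMPLE_EMAIL = ('<a href="https://www.facebook.com/photo?id=1">See post</a> '
                '<a href="http://www.faceboook.com/login">www.facebook.com</a>')
```

A clean result only means the destination is on your own list and the visible text matches it. It says nothing about whether the message itself is genuine.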

Secure Your Passwords

You've heard it before. There's a reason it's important. Passwords are often cracked using a brute-force algorithm: a program is run which repeatedly tries common password variations and word combinations to break into a system.

Generally, the classic guidelines for passwords still apply. They are more secure if they:

  • Are long - the longer the better, but practically speaking, around 10-16 characters will suffice when the other characteristics listed here are employed.
  • Use combinations of upper- and lowercase letters.
  • Include numbers.
  • Include random punctuation marks.
  • Include special characters, like ']' and '@'.
  • Are changed regularly.

But these types of passwords are beginning to fall out of vogue in favor of pass phrases that are easier to remember. Such a password can often be brought to mind without using a cheat sheet.

An example would be: camel-antlers,Aren't>c0mm0n.

Test your password creativity by using a website like How Secure Is My Password. Enter a password like the ones you like to use, and it will tell you how long it would take to crack using a brute force attack. (Note: don't enter actual passwords you use, only passwords similar to the ones you like to use.)
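
The arithmetic behind such an estimate, as an added example (not from the original article or from the How Secure Is My Password site): it counts the character classes a password uses and computes how long trying every combination of that length would take. The guess rate is an assumed figure, and the result covers exhaustive search only; attacks that try common words and variations first break dictionary-based passwords much sooner.

```python
import string

# Assumption: guesses per second for an offline attacker (illustrative figure).
GUESSES_PER_SECOND = 1e10

# Character classes from the guidelines above; space is counted with punctuation.
POOLS = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation + " "]

# The article's example pass phrase, without the sentence-final period.
PAGE_EXAMPLE = "camel-antlers,Aren't>c0mm0n"

def pool_size(password):
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Seconds to try every string of this length over the same alphabet."""
    return pool_size(password) ** len(password) / rate

def describe(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!", PAGE_EXAMPLE):
        print(f"{candidate!r}: alphabet {pool_size(candidate)}, "
              f"worst case {describe(worst_case_seconds(candidate))}")
```

Comparing the three outputs shows that length raises the exponent while extra character classes only widen the base, which is why a long pass phrase outlasts a short password that uses every class.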

Because passwords should be changed regularly and should be unique for each login, employing these guidelines can still be daunting unless you use a password database like KeePass.

For more information about things you can do to protect yourself online, check out this list of top 10 things you can do to harden your systems!

Being Online Is Risk, Highness

You've read the headlines. Heard the talk. The US used cyber warfare to destroy equipment being used by Iran to purify uranium for bombs. Russia hacked systems in the US to get information that could be used to influence the 2016 election.

Those are the big guys. Their goals are political and defense oriented. But we all know there are a ton of operations out there, petty thieves and syndicates who just want to steal money.

"Some 15.4 million consumers were victims of identity theft or fraud last year, according to a new report from Javelin Strategy & Research. That's up 16 percent from 2015, and the highest figure recorded since the firm began tracking fraud instances in 2004."
- CNBC, 2017

The highest increase is in card-not-present transactions, those in which anyone with credit card information can make a purchase without presenting a card. These crimes increased by 40% from the prior year.

Are you playing a numbers game? Hoping to be obscure and safe by hiding among the millions online?

Of course, that won't work. Hackers use very effective scanning and searching tools to find vulnerable systems. It's no longer a matter of not being discovered; it's about staying invisible as well as hardening our systems.

Are you and your systems up to the challenge? Take a look at this quick quiz to see if you're up-to-date on some of today's threats.
  • What's phishing?
  • Can you be hacked if you use antivirus software?
  • What's an IPS?
  • Can you name 5 characteristics of safe password practice?
  • Would your systems pass a port scan?
  • What's a credential dump?
  • Are you protected against ransomware?
  • Do you have an automated backup for each of your systems?