Cybersecurity: An Introduction
From numerous newspaper headlines highlighting computer hacking and the leaking of email and other confidential data, Cybersecurity seems to be like the weather: much talked about, but “nobody does anything about it.”
While we can’t, at present, do anything about the weather, we can do something about Cybersecurity (see Glossary). While we do it, however, cyberattackers are also increasing their capabilities, and their incentives keep growing since more and more of our business, government and financial life is going online. It is an arms race: us against them.
The ability for Ransomware cyberattackers to be easily paid with anonymized Bitcoin increases opportunities and incentives. And the stolen data is also becoming more valuable.
The recent cyberattack that exposed the NSA’s (USA National Security Agency) own cyberattack technology has provided cyberattackers with even more tools.
Who are Threat Actors, and what is their level of threat?
Serious Threat Actors
Nation states, including Russia, China, the USA and North Korea, who engage in Cyberespionage, theft, sabotage and product alteration.
Company competitors who engage in Cyberespionage, theft and product alteration.
Organized crime groups who engage in Cyberespionage, fraud and theft.
Terrorists who engage in sabotage and violence.
High Threat Actors
Activists/hacktivists who engage in Cyberespionage, data theft and sabotage.
Disgruntled current or former employees who engage in misuse of data, physical theft, fraud and sabotage.
Reckless, untrained or distracted employees who engage in accidental breach or misuse of data.
Medium Threat Actors
Thieves who engage in physical theft, Cyberespionage and fraud.
Mentally ill or irrational individuals who engage in physical theft or sabotage.
Vendors or partners who engage in accidental leak or intentional fraud or theft.
Low Threat Actors
An individual leaker with a specific purpose, who engages in deliberate data leaks or misuse of data.
Protecting against such threats requires a multifaceted approach.
This article introduces a few basic Cybersecurity principles.
Communicate to Employees
Regularly talk to employees, including senior management, about Cybersecurity.
Explain that a system is only as secure as its weakest link.
Hold regular, focused sessions to explore different types of Cyberattacks.
Warn about Social Engineering.
Train employees to recognize a Cyberattack.
Encourage the raising of red flags even if they turn out to be innocent.
Advise employees of an incident as soon as possible after it happens.
Regularly test employees’ Cybersecurity knowledge.
Personally Identifiable Information and Confidential or Sensitive Data
Hacking PII enables Identity Theft.
Avoid storing PII on local storage devices, e.g. laptops, USB drives and hand-held computers.
Be careful when using the Web. Just one single character spelling mistake in the address bar can direct you to an undesired website.
Ensure that any recipient of PII has a legitimate need for the sensitive data.
Use a secure transmission method such as special secure email or:
Securely encrypt the data using proper encryption software.
Communicate the password by telephone only.
Protect the data you are handling
Regularly and securely back up the data that you use.
The IT department is also responsible for constantly, redundantly, and securely backing up the entire company’s data. However, this article focuses only on user actions.
Segregate personal files from business files.
When outside the office, especially using WIFI, use a Virtual Private Network (VPN) with end-to-end encryption to secure your communications.
Always try to use mobile phone network data, even if more expensive, since it is more secure than WIFI, even WIFI at a top hotel.
Be careful about disposing of data. Ensure that files are not merely deleted but that the data is securely overwritten by the IT department.
Make sure to securely delete data from systems before disposal when replacing or upgrading your computer.
Email and Computers
Safely manage your email account
All company business email should be sent from a company email address.
Avoid using personal accounts for business.
Be wary of email Phishing (see Glossary) scams.
Do not open attachments from an untrusted source.
Do not click on any links in an email without first forwarding that email to the trusted sender’s address already in your address book and receiving confirmation from them (do not “reply”, since the reply address could be fake).
Never provide your user ID and password to others.
Company employees should have no expectation of privacy in anything they store, send or receive on the Company’s email system, as the Company may monitor messages at any time.
All use of email should be consistent with Company policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
The Company email account should be used primarily for Company business-related purposes. Personal communication is permitted on a limited basis, but non-Company related commercial uses should be prohibited.
Email should be retained only if it qualifies as a Company business record. Email is a Company business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
Email that is identified as a business record should be retained according to the Company record retention schedule.
The Company email system should not be used for the creation or distribution of any disruptive or offensive messages.
Users should be prohibited from automatically forwarding Company email to a third-party email system. Individual messages forwarded by the user must not contain confidential information.
Users should be prohibited from using third-party email systems and storage servers such as Gmail to conduct Company business.
Securing Personal Computers
Disconnect personal computers from the wireless network when using a wired network.
Enable automatic updates for the operating system.
Install and update anti-virus and anti-Malware software.
Create a unique user ID for others when sharing a computer.
Enable pop-up blocker on browser.
Use a password manager protected with a unique, secure passphrase.
Make considered decisions and consult IT department prior to installing or downloading software.
Passwords may not be left on an unsecured note, especially a sticky note posted on a computer.
All sensitive or confidential information in print or electronic form must be secure at the end of the day or when left for an extended period.
Computers must be locked when workspace is unoccupied.
Computers must be shut down completely at the end of the work day.
File cabinets containing sensitive, restricted or confidential information must be kept closed and locked when not in use or when not attended.
Keys used for access to sensitive, restricted or confidential information must not be left at an unattended desk.
Laptops must be either locked with a locking cable or locked away in a drawer.
Printouts containing restricted, sensitive or confidential information should be immediately removed from the printer.
Upon disposal, restricted, sensitive or confidential printed documents should be shredded in the official shredder bins or placed in locked confidential disposal bins.
Whiteboards containing restricted, sensitive or confidential information should be erased.
Storage devices such as USB drives must be secured in a locked drawer.
If possible, lock your office.
In 2006, Bill Burr of the USA National Institute of Standards and Technology (NIST) wrote “NIST Special Publication 800-63”. This document advised people to protect their accounts by inventing awkward new passwords with obscure characters, capital letters and numbers, and recommended regularly changing passwords. This became the standard, and many organizations adopted the recommendations.
In June 2017, the Special Publication was thoroughly redrafted. One problem was that our clever passwords were not that clever. We want to easily remember our passwords so we gravitate toward predictable combinations.
Now, long, easy-to-remember passphrases are considered preferable to crazy characters. A passphrase is similar to a password. However, it is relatively long and constructed of multiple words, which provides greater security against “dictionary” attacks (a hacker trying millions of common words).
Safely Manage Passwords
Create and maintain a strong password or passphrase.
Instead of a password, consider using a complex passphrase using random words put together and easy for you to remember.
Poor, or weak, passwords have the following characteristics:
Can be found in a dictionary, including a foreign language dictionary, or exist in a slang, dialect, or jargon.
Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets and friends.
Contain work-related information such as product names.
Contain number or letter patterns.
Contain common words spelled backward, or preceded or followed by a number.
Memorize your passphrase, or secure it in an encrypted store or a locked box.
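As an added example (not part of the original article), the following Python checker applies the weak-password characteristics listed above and the earlier preference for long, multi-word passphrases. The dictionary and personal-information lists are constructed sample data standing in for a real wordlist and a real user’s details.

```python
import re

# Constructed sample data: a tiny stand-in for a real multi-language dictionary
# (including slang/jargon and product names) and for a hypothetical user's details.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein",
              "company", "product", "secret", "gato", "amour"}
PERSONAL_INFO = {"1984", "rover", "smith", "555-1234"}   # hypothetical user


def _strip_edges(word: str) -> str:
    """Drop digits/punctuation tacked on before or after a word ("password1")."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", word)


def _has_sequence(text: str, run: int = 4) -> bool:
    """Detect letter/number patterns: runs like 'abcd', '1234', 'dcba', 'aaaa'."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs <= {1} or diffs <= {-1} or diffs <= {0}:
            return True
    return False


def weak_password_reasons(pw: str) -> list:
    """Return the list of weak-password characteristics that apply to pw."""
    reasons = []
    low = pw.lower()
    core = _strip_edges(low)
    # Dictionary word, possibly reversed, with a number before or after it.
    if core in DICTIONARY or core[::-1] in DICTIONARY:
        reasons.append("dictionary word (possibly reversed or with number added)")
    if any(item in low for item in PERSONAL_INFO):
        reasons.append("contains personal information")
    if _has_sequence(pw):
        reasons.append("contains a number or letter pattern")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def passphrase_ok(phrase: str, min_words: int = 4, min_len: int = 16) -> bool:
    """A passphrase is acceptable if it is long, multi-word and not itself weak."""
    words = phrase.split()
    return (len(words) >= min_words and len(phrase) >= min_len
            and not weak_password_reasons(phrase))


if __name__ == "__main__":
    for candidate in ("Password1", "drowssap99", "Rover1984!", "qwerty123456"):
        print(candidate, "->", weak_password_reasons(candidate))
    print("correct horse battery staple ->", passphrase_ok("correct horse battery staple"))
```

In a real deployment the dictionary would be a full wordlist and the personal-information set would be drawn from the user’s own profile, not hard-coded.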
One way to memorize is to create a password based on words scrambled from a song verse or other easily recalled saying.
Do not share your password with anyone.
Do not re-use passwords between sites and services. Use a password manager protected with a complex passphrase and two-factor authentication.
Use two-factor authentication if available and when reasonable.
Two-factor authentication means that if someone obtains your password, a second authentication, such as via a text message to your mobile phone, can prevent access.
Do not provide login details over email or via a link that you have carelessly clicked on.
Always carefully type in the correct web address in the address bar of a browser before entering any login details over the Internet.
Do not store your password where others can see or access it, or store it electronically in an unencrypted format.
Especially, do not store the password on a sticky note on the screen of your computer.
Do not use automatic logon or allow your browser to keep and remember your password.
Glossary
Administrator: Person who administers a computer system or network and has access to the Administrator account. An Administrator, or a Threat Actor masquerading as an administrator, has wide, sometimes complete, access to all the data on the system.
Advanced Persistent Threat: A long-term stealth attack on or infiltration of a system. Also a group, such as a State Actor, with advanced cyberattack capabilities.
Black Hat: Programmers who ‘Hack’ into systems to test their capabilities and exploit vulnerabilities for Cybercrime. See White Hat.
CIO/CISO: Chief Information Officer/Chief Information Security Officer. Person responsible for ensuring the security of systems and data in an organization.
Critical infrastructure: Physical and virtual assets that are essential to the operation of an organization or a nation.
Cyberattack: An offensive act against computer systems, networks, or infrastructure.
Cybercrime: Technology-enabled crimes, often, but not always, for personal or financial gain.
Cyberespionage: The practice of theft of confidential information for the purposes of covert, unethical and/or illegal competition among individuals, organizations or nations.
Cybersecurity: The discipline and practice of preventing and reducing the impact of attacks on computer systems and networks.
Cyberwarfare: Internet-based conflict waged in order to attack, disrupt, or destroy computer systems.
DoS/DDoS or Denial of Service/Distributed Denial of Service: Thousands of devices accessing a site simultaneously and continually, leading to overload of its ability to deliver web pages to legitimate users.
Identity Theft: Check fraud, credit card fraud, financial identity fraud, criminal identity fraud, governmental identity fraud, license plate number identity theft and mortgage fraud committed by pretending to be someone else. For example, a stolen identity allows a person to take out a loan in another’s name and then disappear, leaving the unfortunate person whose identity has been stolen to sort everything out. It may take years and much grief to repair the person’s destroyed credit rating.
Malware: Malicious software, including viruses, Ransomware and Spyware.
Phishing: Deceptive attempts to trick users into handing over PII. It is usually done over email, tricking a person into clicking a fake link or attachment in the email.
PII or Personally Identifiable Information: Data about an individual, including name, passwords, credit card numbers, Social Security Numbers, Social Insurance Numbers, Driver’s License number, and bank account details.
Ransomware: Malware used to hold an individual or organization to ransom, typically by encrypting files or an entire hard drive and demanding payment to ‘unlock’ the data.
Social Engineering: The practice of manipulating human beings in order to gain access to data or computer systems. It often takes the form of a fake phone call from “John in the IT Department” asking for your password to “fix” your computer.
Spyware: A form of Malware. Software whose aim is to gather information about a person or organization without their knowledge. It may send such information to others without the user’s consent. It can take over control of a device without the user’s knowledge.
State Actor: A government.
Threat Actor: An individual or entity that has the potential to impact, or has already impacted, the security of an organization.
White Hat: In contrast to Black Hat, programmers who ‘Hack’ into systems to test the system’s capabilities, and report vulnerabilities to the Company or authorities for fixing.