Cyber Security


Importance of Cyber Security

Often I’m asked, “How important is cybersecurity?” I surprise my audience when I respond: it’s not. You don’t have to care about cybersecurity.

Cybersecurity matters for those who want to protect what they’ve created, such as their online identity and digital lives. This includes bank accounts, sensitive information, and items such as health records. We have a fairly large digital footprint thanks to so much of our information being put online.

There is the real-world risk versus the Hollywood risk. A Ferrari isn’t going to suddenly pull underneath a huge jet with a dangling Ethernet cable. Hollywood’s entertainment version of hacking and cybersecurity is very different from the real world.

Hear no evil, see no evil.

I know people who say that because they don’t really have anything to hide, or feel they don’t have enough assets to make them a target, they are not worried about cybersecurity. If we do follow best practices and are aware of our risks, then it is possible to be less of a target. Unfortunately, there is still a risk, even if it is small. I want to educate people about the risk(s) so they can minimize them even further.

I think what a lot of people don’t realize is that they are not targeted because they’ve been identified as possessing large sums of money. They might not be targeted at all, but just be part of a long list of addresses for the malicious actors to check, much like physical thieves checking houses for weaknesses. The house with the most weaknesses stands out as a target. A person, system, house, etc. with easily exploited vulnerabilities becomes an easy target and a stream of income for the bad guys. They may or may not care about you personally, but they will care if you can make them money.

Most often, a black hat hacker targets the easy money stream.

For example, if I can encrypt the family pictures you have on your computer, you are more likely to pay to get them back and decrypted. This usually costs some ransom, payable in bitcoin.

Odds are you are going to pay it, because it’s your sentimental data; it’s also your digital footprint. You care who has it, and that sensitive or personal pictures aren’t used for nefarious reasons.

NOTE: My general guidance is to never pay the ransom. The key factor in minimizing risk from ransomware is to make sure critical data is backed up (please don’t back it up to a USB drive and then keep that USB drive connected – ransomware will happily encrypt your USB drive too). The backup must be tested to make sure you can restore it. I have seen several situations where backed-up data could not be restored and the client was forced to pay the ransom (some got their data back and some did not).

It isn’t personal, it’s about making money.

– Brian Self

Cyber Security Risk

This is what I specialize in, hopefully providing an entertaining education on why cybersecurity may become important to you, and how to mitigate the risk or even transfer it.

There are three main options for dealing with risk (some people suggest a fourth, but I go with three). I like to use the mnemonic ATM: accept, transfer or mitigate. It is your choice how to address any identified risk, and the choice is made based on your individual risk tolerance.

Maybe you are the type of person who posts on Facebook when you are leaving for vacation. I like to call these the “Please rob me during this timeframe” posts. If you have this high a risk tolerance and enjoy taking the risk while rationalizing that “it won’t happen to me”, well then I can’t help you. Those people probably don’t know that there is a website dedicated to tracking social media posts that people make about being on vacation or otherwise away from their property.

Are people aware of the risk? I want to help people understand the risks and where to prioritize their efforts.

Take for example 419 scams. We have probably all received them. A lawyer or barrister emails you about a large sum of money that they would like to move out of a foreign country. Usually this country is Nigeria, but the scam has expanded to include other countries. Once you contact the scammer, they get your banking information to “transfer” you money and instead end up stealing yours. These are still prevalent today and usually arrive as a poorly worded email. The poor wording is by design; these are considered a form of social engineering.

They are looking for a specific target. The typos are meant to appeal to the type of person who identifies with the misspellings and feels they are helping out someone like themselves. A frequent assumption is that a 419 email scam would perform better if correctly written, but actually it wouldn’t, because they aren’t targeting the demographic who thinks that way.

The most susceptible are those who can be socially engineered to believe in receiving something for nothing, or a get rich quick scheme.

Cyber Security versus Functionality

I respect that people have varying degrees of risk tolerance. Many people accept a lot of risk for functionality. Functionality or usability appeals to those who download the latest thing, don’t delete old applications or update their current ones, and use “Password1” or the season and the year for their password, all because it’s easy… all of these examples cater to functionality over security. For the complacent, it’s not a matter of if they’ll get hacked, but when.

We protect our physical world, by locking our door at night or installing a security system. We also exist in a digital world with its own unique set of risks.

A few years ago at the DEF CON hacking conference in Las Vegas, one of the talks was titled “I can kill you.”

It’s attention-getting, and what it means in a digital sense is that the presenter had come up with a way to digitally make a person die. He had figured out a way to create and certify death certificates.

To society, you are dead at that point. You may be sitting here living and breathing, but on paperwork and in the digital world you cease to exist, and it’s very hard to then prove that you are alive! Even with a tangible birth certificate and driver’s license, people will default to trusting what is in their computer system, because people make mistakes, computers don’t.

Our digital worlds can be very fragile, and people rarely realize and respect just how fragile they might be. We can take action and lower our risk. We do have to take action though…

Cyber Security Risk Tolerance

To recognize where your digital risk lies, the first step is to identify:

What do you have that’s worth protecting?

Most respond to that question by stating they don’t have that much.

I follow this with, “Do you mind if I take a look at your bank account?”

I have yet to have someone willing to let me take a look at it. I respect that information is personal and private. In that light, I make the bold assumption that most people feel it’s worth protecting.

Other things that may be worth more than you realize: family pictures, contracts and agreements stored on your computer, email (even the silly ones can share information that can be useful in a scam), bank account information, passwords, and more…

What else can you think of that you would like to protect?

Wrapping up

So when I’m asked: Is Cybersecurity important?

Getting grounded on just what is important and significant for each person is the first step.

We mentioned the example of personal pictures. My daughter’s baby pictures are significant. I want the digital memories of getting to hold her like a football and all of those things. If a black hat hacker accesses the computer where I pay bills, that gets serious really quickly. Those are the risks that are real today.

Personally, I don’t keep all my passwords on my computer; they are in a password safe tool that I protect with multi-factor authentication (MFA). I choose not to store that in the cloud; it’s local. My tradeoff is that I lose convenience: I can’t access all my passwords from my phone or any computer. Yes, it’s a hassle, but my risk is a lot lower.

How much risk are you incurring? Everyone from a cybersecurity expert to your IT guy at work will have a different assessment, but everyone has to decide where their risk tolerance lies. It’s my job to explain what the risks are and to make recommendations that lower them.

Often, we assume our reputable services are protecting our sensitive data, but in reality they are not… Ultimately, businesses care about their global reputation but not necessarily about the repercussions to an individual.

It isn’t personal, it’s about making money.

– Brian Self

Equifax lost the information of hundreds of millions of Americans. If you’ve ever used Yahoo, your username and password have been exposed to people we would prefer not to have our information. It happens.

As for being hit by ransomware or losing our financial data, that happens to a lower percentage of people. The risk is there, but with several best practices and steps the risk can be significantly lowered.

Once I have enough access to your information, I can act on your behalf. The point is not to scare people but to educate them enough to recognize a real threat and take even small measures to make themselves less of a target.

What you can do:

  • Use multi-factor authentication everywhere possible

Authentication is the process or action of proving something is what it claims to be, with one of the most common examples being a username and password. Authentication factors are typically something we HAVE, something we ARE or something we KNOW. When we choose at least two of these we are using multi-factor authentication. (https://twofactorauth.org/ is a great site that can identify websites and applications that support multi-factor, or in this case two-factor, authentication.)

  • Use 15 character or longer passwords that are complex (uppercase, lowercase, number, special character, etc.).

  • Make each password unique…

Hackers guess a lot of passwords (don’t use “Password1” nor the season+year, e.g. “Summer2018”). If I can get one of your passwords I will try it everywhere, and odds are that I’ll get into accounts you would prefer I not get into. Use unique passwords!

  • Lastly, install security updates as soon as they are available, on all your devices.

If you install anything, plan on keeping it updated. This includes phones, routers (please change the default password on your home router, PLEASE…), laptops, desktops, tablets, smart TVs, home IoT devices, the list goes on and on… even our cars need security updates now.
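The password rules above (15+ characters, all four character classes, no “Password1”, no season+year, and no reuse across accounts) turned into a checker, as an added example that is not from the original post; the list of commonly guessed passwords and the sample account list are constructed for illustration.

```python
import re

SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)[-_ ]?(19|20)\d{2}[^a-z0-9]*")
# Constructed sample of commonly guessed passwords; the page names "Password1" explicitly.
COMMON_PASSWORDS = {"password1", "password", "123456", "qwerty"}


def password_problems(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly guessed password")
    # Catches the season+year pattern such as "Summer2018" or "Winter-2019!"
    if SEASON_YEAR.fullmatch(lowered):
        problems.append("season plus year pattern")
    return problems


def password_ok(password: str) -> bool:
    return not password_problems(password)


def reused_passwords(accounts: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accs) for pw, accs in by_password.items() if len(accs) > 1}


if __name__ == "__main__":
    # Constructed sample: two accounts share a weak password, one is unique and strong.
    sample = {"bank": "Summer2018!", "email": "Summer2018!",
              "shopping": "Correct-Horse-Battery-7-Staple"}
    for account, pw in sample.items():
        print(account, password_problems(pw) or "OK")
    print("reused:", reused_passwords(sample))
```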
