Cybersecurity Brief

by Dan McCabe

Cybersecurity can mean many different things to different people and organizations. For example, a small trucking company with limited web presence would have a different view on cybersecurity than a bank that provides online statements and transactions. It comes down to the level of risk involved. Individuals and organizations with higher cyber risk need to invest in cybersecurity measures that are appropriate. In some circumstances, these measures are even enforced through regulation.

This brief will help define some of the typical language used with cybersecurity threats. It should also help distil some of the rumors around cybersecurity in general.

Security Vulnerabilities
Operating Systems (i.e. MS Windows, Apple Mac OS X, Linux, etc.) have millions of lines of code. MS Windows 7 itself has over 40 million lines of code itself. If put into a typical novel of 25 lines per page and 400 pages, the series would span 4,000 books. All of these lines of code are checked and tested to meet requirements. However, just like one could typically find a couple of grammar mistakes in a novel, so do OS companies, researchers and hacking groups. Typically, if a researcher finds a vulnerability, they will alert the company with 30 days’ notice before releasing it to the general press. Hacker groups either offer the same consolation, or exploit it to their advantage in the wild. 2014OSvuln

Mobile Operating Systems have also been compromised in various ways. Stagefright has been in the news recently affecting the Android platform. Stagefright has to do with picture and video pre-processing in text messages. Android is not alone though. Apple’s iOS (iPhone) and OS X (Mac) have a major zero-day security flaw that allows a malicious application to steal passwords and confidential account information. The flaw was reported in October of 2014 and has yet to be patched through June 2015.

Lately, car manufacturers are finding that they have a similar problem. A Chevy Volt has an estimated 10 million lines of code. It has a security vulnerability that could allow an attacker to locate, unlock and remote start the vehicle when used with a compatible cell phone app. In an extreme case, Chrysler has issued a recall of 1.4 million vehicles after it was found that a Jeep Grand Cherokee’s radio, ventilation and engine could all be manipulated remotely while the car was in operation.

Adobe Flash is synonymous with security vulnerabilities. If you can, just avoid it completely and remove it from your systems. Fewer and fewer websites are utilizing the technology.

Security vulnerabilities are going to happen. It is important to keep your software and systems up to date as best you can to mitigate vulnerability consequences. If no update is available, there are typically workarounds or tips to avoid being exploited.

Virus Protection
Yes, you should run virus protection on your computer. Even if you have a Mac. Apple had a nice bit of time where they didn’t have much of a computer population. The focus had mostly been with Windows which held a significant market share. Now that Macs are roughly 10% of the computer population, they are being targeted as well.

Microsoft has provided a base level of virus protection with Windows 7. It is called Microsoft Security Essentials and is a free utility available through their website. In Windows 8 and above, it is part of Windows Defender that is automatically installed. There are other free virus protection applications, but most of them will prompt you for upgrading to their premier suite of applications. Paid virus protection applications are generally better.

Phishing, Malware & Ransomware
Phishing is the attempt to acquire information such as usernames, passwords and credit cards by pretending to be a trustworthy entity; typically via email. There’s spear, clone and whale phishing scams. To avoid phishing these scams, don’t automatically trust an email from a known entity (i.e. eBay or Amazon). Instead, inspect the document first. Does the “from” address look appropriate? When hovering over a link, does the link actually go to their website? Is there any information provided in the message that clarifies that this couldn’t have been created by a random person guessing that you have an account?

Malware, short for malicious software, infects a computer with computer viruses, worms, Trojan horses, ransomware, spyware and adware. Malware is typically used to either exploit a user or their computer. A user exploitation can consist of random ads or keystroke logging to gather information such as credit card information. A computer exploitation is one where the malware uses the computer to act against other computers.

Ransomware is a type of malware. It will lock up a computer in any number of ways and ask for money to have it unlocked. The most recent high profile ransomware attack called CryptoLocker started in late 2013. It spread through infected files that were distributed via email and other internet communications. CryptoLocker would encrypt both computer and network files then ask for a ransom. It is estimated that the operators of CryptoLocker extorted a total of about $3 million.

Passwords
There is an enormous amount of information on the internet about strong passwords and that you should use them. You should use them and you should use a different one for every service. A strong password are 8 characters or more comprising of upper case letters, lower case letters, numeric digits and special characters ($, @, #, etc.). With that said, “P@ssword1” is not a strong password. Capitalizing the first letter, substituting an “a” with a “@” and adding a “1” at the end are all obvious.

One way to make a password different for each site is to have a strong base password and then something unique to that site. For example, a base password could be “aPh*25009TcT”. This was derived from a vehicle license plate and the Transportation Club of Tacoma initials. Once you have a strong base password, choose a unique identifier on each page to add to it. For example, Amazon has a black bar that crosses the site and a smile in its logo. The Amazon unique password could be “aPh*25009TcTBlkBar” or “aPh*25009TcTsmiLe”. In this way, it is easier to remember for the user and difficult for an attacker to replicate if the Amazon password was compromised.

For additional security, some websites offer two step verification. This typically comprises of an email or text message to further validate your identity. For example, logging into a Microsoft account can trigger a text message with a randomly generated number code. To access the account a user needs to enter both the password and then the code. Some services allow the user to trust one computer or another after providing the code so that the two step authentication doesn’t have to happen every time.

There are password services that allow you to store your passwords for other sites if you need or want to use them. Just make sure your password to access the main account is very strong and/or utilizes two step verification.

Administrator Accounts
Computer administrator accounts shouldn’t be given to the typical computer user. As an at-home example, all family members should have a non-admin user account with one or more separate administrator accounts that aren’t typically used. This protects the user to a degree from accidentally (or intentionally) installing software with unintended consequences. This should help keep a 10 year old from installing malware designed to cripple a computer when all they really wanted to do was add birds to Minecraft or change their desktop wallpaper.

 

Cybersecurity is a large topic and this brief has only scratched the surface. Large organizations like Target and Sony are being hacked every year. The Wall Street Journal stated in 2013 that the demand for cyber security experts is growing at 3.5 times the pace of the overall IT job market and 12 times the overall job market. As systems evolve and become more integrated into every part of our lives, cybersecurity efforts should be engrained as well. It is up to organizations, parents and colleagues to help enforce good disciplines as there is no driver’s license to navigate the internet and all of its associated technologies.