Cyber security questions (from a naive Canadian)

I don’t know more than the basics about cybersecurity. But I have some questions. Sorry for my naïveté regarding this.

  1. Many Ontario towns, businesses and police departments have been attacked by cyber criminals. Some have paid money, others have not. Canada desperately needs a national organization that can help individuals and businesses which clearly cannot afford the expertise and expense of dealing with hackers. Do any countries have reasonable options? I have read Israel offers practical help to citizens and do not know if this is true or exists elsewhere.

  2. Some experts praise Estonia as having an innovative and groundbreaking model. Essentially, it was claimed citizens (or those willing to pay) have a highly secure means of identification administered efficiently by experts. What is it? Is it genuinely secure? Are there worries it could be broadly hacked like the bio identification system used in India?

  3. Given the high profile of targets and supposedly wide availability of powerful tools, does meaningful security even exist? What needs to change for this?

As a private citizen, all you can do is to:

  • Never click a link in an email for you know not where it might lead

  • Use hard to crack passwords or better still phrases. Simply substituting zero for ‘O’ in your dog’s name is not good enough. Make up a nonsense phrase like “Cats, dogs, and babies, it’s Tuesday!” (don’t use that, I got it off Google). Write them in a book so you don’t forget them and use different ones on all your important websites.

  • If someone on the phone asks you for any personal details, especially passwords, hang up and if you think they might be genuine, call whoever they said they were from and ask.

  • Don’t publicise your day-to-day movements or other personal details on social media. I despair at my friends who tell all and sundry that they are off to Benidorm next week so feel free to come and burgle my empty house.
No doubt others can add more but that’s enough to be going on with.

Thanks. Good general advice, but not exactly what I wanted. But that brings to mind some follow-ups.

  1. The general advice offered is only somewhat helpful - no matter how long or c@Mpl3x your password, it doesn’t matter at all to a keylogger or vault hacker. What percentage of major hacks are really inside jobs?

  2. One could criticize many companies or groups for failing to offer meaningful security. Individuals are certainly blameworthy, but no one expects you to know everything about, say, scintillating scotoma (a medical symptom). Why is it okay to have a privacy opt-out on some hidden third submenu? Is there any meaningful discussion about liability that doesn’t assume the average user knows a great deal about protection when this is so clearly not the case?

  3. How useful is the general advice anyway?

There’s quite a bit of difference between institutional attacks and personal ones.
I don’t have hard data, but IMHO, most of the disastrous institutional attacks are the result of “spear phishing” or poor server password management and security, while individual attacks tend to be due to lackadaisical OS updating, mass email phishing and telephone scams.

The number of successful attacks due to key loggers must be very small - if you have the ability to install a key logger, you can already take over a machine.

As computer users age, they get more and more gullible. My dad, who was a pioneering computer scientist, fell for a telephone scam a few years ago. Fortunately, the scammers only wanted to get him to pay recurring monthly charges, but if they had wanted to they could have installed anything they wanted on his machine.

That general advice is very useful for the typical home user.

As for governments and corporations, the majority of hacks result from bad vulnerability management. Patching known vulnerabilities is the number 1 thing everyone in a corporate or government IT department should be doing.

Actually, making a verified list of hardware and software in their enterprise is the number 1 and 2 thing to do. But that’s because you need to know what you have that is vulnerable.

Awareness of good security practices needs to come from the very top of an organization. Unfortunately, security is a supporting function (despite what some might say) and typically looks like a money drain for little to no quantifiable gain. But that gain CAN be known, it just takes work to determine it, work that a majority of people won’t do, because it’s hard. A good saying is “The better your cybersecurity, the less it looks like you need it” so it is hard to justify increasing the security budget if there are no hacks unless corporate or government leadership buys in.

Those towns and businesses you mentioned probably failed to implement the most basic security features - backups, vulnerability management, patch management, etc. These features are readily found in almost any guide to cybersecurity practices. If they can’t afford to practice good cybersecurity, then they should be outsourcing to a company who can.

Institutional attacks can be turned into personal ones. Some company exposes usernames and passwords. Those usernames and passwords are then tried at lots of other places to break into individual accounts.

Which is why, even more important than using complex passwords is never re-using a password. Each site gets a different password. So when passwords from one site get stolen, it doesn’t change your personal security at any other site. This makes it necessary to use some kind of a password manager, whether it’s a commercial or free software based one, or just writing them down in a book. Both options are far superior to using the same password (even a good one) everywhere.
As to the OP, there are lots of government agencies which give out best practices and recommendations, but I can’t point to one that provides direct consulting. That isn’t something I would know about though, so they may exist.

The problem is that in something like computer security, the defender must win every time to succeed, but the attacker only has to win once. That is why a well designed system will be implemented with the expectation that it will be broken into. Things such as segregation of services, limiting access, and backups are part of that. So, when some PC in accounting gets infected by a cryptolocker, it’s an inconvenience, not a system wide catastrophe.

I’m surprised no one has brought up regular backup in cyber security.
“Oh we just got hacked and all of our data is encrypted.” “OK, wipe the drives and use the last backup.”

Multi-factor authentication everywhere. I know there are exploits, even for MFA, but it is a big step in the right direction.

Clearly some countries are at least making an effort, and some countries are not. I don’t know where Canada falls on this scale.

Clearly Israel is up at one end. If we put the USA in the middle, then countries like Australia (and most of the world) are down at the bottom.

Estonia uses digital ID cards built on top of a Public Key Infrastructure. This is the same system that (most of) the US government uses for digital signatures, authentication, and encryption. It’s highly secure and effective.

Estonia’s innovation was getting on the PKI bandwagon early, and basically mandating it for their citizens in order to interact with government agencies and to vote. It’s unlikely that it would fly in many countries, e.g. the US, where it would be seen as too “big brother.” Not sure about Canada.

Basically, imagine being able to use your driver’s license to positively authenticate yourself to any website on the internet in a manner that’s effectively unhackable. No more passwords, no more remembering 400 different usernames, etc. It’s pretty great.

This. Also recovery drills. It is a common occurrence for a disaster to happen, and an organization discovers only at that time that its backups weren’t really working, or had been stored incorrectly, or didn’t cover enough stuff, or they’d meticulously overwritten the last good backup after the hack happened.
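A recovery drill of the kind described above, as an added example (not any poster's code): it backs up a small constructed directory with a hash manifest, keeps every generation so the last good backup is never overwritten, then restores into scratch space and re-checks every file, flagging a backup that has gone stale or was scrambled while the drive was still plugged in. MAX_AGE_DAYS and the sample files are assumptions.

```python
"""Backup recovery drill: prove the last backup can actually be restored.

Added example for this thread, not any poster's code: it backs up a small
constructed directory with a SHA-256 manifest, keeps every generation rather
than overwriting the last good one, then restores into scratch space, re-hashes
every file, and flags a backup older than policy allows."""
import hashlib, io, json, os, tarfile, tempfile, time
from pathlib import Path

MAX_AGE_DAYS = 2  # assumed policy: anything older counts as a stale backup

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, dest: Path) -> Path:
    """Write a new numbered generation; earlier generations are never touched."""
    manifest = {str(p.relative_to(src)): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    archive = dest / f"backup-{len(list(dest.glob('backup-*.tar'))):04d}.tar"
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        blob = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return archive

def drill(archive: Path, max_age_days: float = MAX_AGE_DAYS) -> dict:
    """Restore into scratch space and re-hash; returns findings instead of raising."""
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    found = {"stale": age_days > max_age_days, "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive) as tar:
        try:
            tar.extractall(scratch, filter="data")  # rejects ../ and absolute paths
        except TypeError:  # older Python without the filter= argument
            tar.extractall(scratch)
        root = Path(scratch)
        for rel, digest in json.loads((root / "MANIFEST.json").read_text()).items():
            if not (root / rel).is_file():
                found["missing"].append(rel)
            elif sha256_file(root / rel) != digest:
                found["corrupt"].append(rel)
    found["ok"] = not (found["stale"] or found["corrupt"] or found["missing"])
    return found

def demo() -> tuple:
    """Constructed scenario: a good generation, then one scrambled on a drive left plugged in."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "payroll"), Path(tmp, "backups")
        for d in (src, dest): d.mkdir()
        (src / "ledger.csv").write_text("emp,amount\nalice,100\n")
        (src / "notes.txt").write_text("quarter close checklist\n")
        good = drill(make_backup(src, dest))
        bad = make_backup(src, dest)
        raw = bad.read_bytes()  # the cryptolocker reaches the backup drive too...
        bad.write_bytes(raw.replace(b"emp,amount", b"\x17\x9a\x03\xf4\x61\x0b\xcc\x28\x7e\x55"))
        old = time.time() - 40 * 86400  # ...and nobody has taken a fresh one in 40 days
        os.utime(bad, (old, old))
        return good, drill(bad)
```

Run `demo()` to see a passing drill beside a failing one; in practice the drill would run on a schedule against the real backup location and page someone when `ok` is false.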

[QUOTE=steronz]
Basically, imagine being able to use your driver’s license to positively authenticate yourself to any website on the internet in a manner that’s effectively unhackable. No more passwords, no more remembering 400 different usernames, etc. It’s pretty great.
[/QUOTE]

Note that Estonia’s e-voting system is not without criticism. “Effectively unhackable” is probably an overstatement.

Last time I had an insurance review with my agent, he mentioned insurance just for these types of attacks (which we do have). I told him I have Google sync essentially mirroring my drive in the cloud and the really important stuff (i.e. Quickbooks) gets backed up in two places (well, locally and the Google cloud). He said that he’s been seeing cases where the software gets itself onto your computer but then waits around for weeks or months specifically so you can’t just wipe your drives and grab your backups. Your backups are all infected/encrypted as well.

I suppose I should add a physical backup back into the mix. Since Google is off site, that protects from physical damage, so I should probably start backing up to a jump drive once a month or so and then just tossing the drive in my desk drawer.

Absolutely. Good (tested), regular backups should be the basic level of defense for any system.

I’d say that any business or government organization that doesn’t have one available should fire their IT manager immediately!

Good point. The “effectively unhackable” part is where people authenticate with the voting website using PKI. After that, there’s a ton of attack vectors. E-voting may or may not ever be a “good thing,” but I think being able to view and manage your government benefits with a PKI-enabled smart-card is beneficial.

Hackers are not really interested in us as individuals unless either they already know a password that might work on our financial sites, or (the most common) they use some subterfuge to persuade us to give them what they want.

Having lots of passwords/phrases helps with the former, but being aware of the many subtle ways that crooks will use to extract information and then money from you goes a long way towards protecting us from the latter.

All computer-network security can be defeated with sufficient application of resources; it’s just a matter of time and money. Modern systems are sufficiently complex that there are vulnerabilities to exploit if you look hard enough. Also, computer-network systems exist to serve human beings, and human beings are a weak link; human behavior tends to be systemically exploitable.

The key with implementing cybersecurity is to set up countermeasures that make it such that the potential gain is not worth expending the resources necessary to acquire the gain. For ordinary individuals, “meaningful” security is pretty straightforward (long, human-memory compatible passwords, subscribe to off-the-shelf anti-malware, buy a USB hard drive and back up your data once in a while, don’t be an anti-social jerk and intentionally piss people off, etc…). The gains tend to be low, so attacks against individuals tend to be broad but simplistic in nature (blast a spam email to a million email addresses, for example).

As you become a more valuable target, you then need to invest in greater and more advanced countermeasures. An issue here is that human beings are generally terrible at assessing risk:

  • What’s my value?
  • What level of resources could an attacker justify using to steal from me?
  • What countermeasures could I deploy to counteract the likely attack vectors?
  • What’s the likelihood I will be targeted, and given this likelihood should I mitigate the risk or just accept the risk?

These are complex questions, and when human beings are faced with difficult questions, there is a tendency to:

  1. Avoid answering the question completely and just pretend the issue doesn’t exist at all, or
  2. Answer an easier question that is only tangentially related to the core issues so we feel good about ourselves that we “dealt with the issue”, when in fact we’ve done nothing of the sort.

Many thanks for your replies. I was wondering if someone could educate me on how the above points would change with regard to smartphones.

The considerations are mostly the same; smartphones are just networked computers that fit in the palm of your hand. They share many of the same characteristics as laptops. So the security considerations are similar to servers and desktop computers, except for the added wrinkle that they are portable. So:

  1. Physical security is of somewhat greater importance, because it’s easier for a smartphone to be misplaced/stolen than a wired computer. So you have to consider what would happen if you physically lost the device in some way. Usual security countermeasures:
     • Encrypt the data storage on the device so that only authorized users can read the data on the device (since only authorized users should possess the password/key that decrypts the data to make it readable)
     • Enable remote-wiping technology, i.e. configure the device to always “phone home” to some external system on a regular basis. This gives you the option to issue a remote command to automatically delete all data on the device should the lost device ever come online and check in.
  2. Because a smartphone is mobile, you tend to use it on a wider variety of networks (on your cellular provider’s network, on your home network, on your work network, on public/free wireless, etc…). Only connect to and use your smartphone on data connections run by entities that you personally trust.

Again, the same risk analysis applies: what’s the value of my device and data, what’s the likelihood I’m going to be hacked, do I care enough to spend effort/resources to prevent issues or should I just live with the risk.

There are a couple of different components to this. In the US, obviously you have law enforcement organizations like the FBI who assist companies once they have been attacked. There are also groups like InfraGard, which is a partnership between the FBI and the private sector. But they really serve more as a source of information.

Financial damages are generally a matter for a business’s lawyers and insurance provider and cyber insurance is rapidly becoming a thing.

That’s like asking whether you should buy locks for your home because a determined SWAT team with a bulldozer could break in.

Security is thought of in terms of “threat analysis” and ROI. What are you protecting? How much are you willing to pay to protect it, versus what are the economic and reputational costs if you are breached?

Probably 90% of cyber breaches could be avoided with routine, affordable practices such as encrypting laptop hard drives, enforcing good password policies, decent network monitoring, patching software, and some basic education for employees. Much like having a plan for when your building catches fire, companies should also have contingency plans already made with their lawyers, insurers, law enforcement, IT staff, and public relations people for when a breach inevitably happens.

Let’s start with the basics… Many of these items in the news are not master criminals hacking into a system to exploit the data. They are ransomware. The program arrives, often in an email, someone inadvertently clicks on it and it runs. The program basically scrambles all data it finds except the files needed to run Windows, and then tells you how to pay for the decryption key. They aren’t downloading or analyzing data and copying the best stuff… it walks through the network looking for any shared files it has the authority to write to.

Having done network setups for a lot of small to medium businesses - the problem is so many tend to bypass the security for convenience. (Seriously, how many have that “Are you sure you want to allow this program to make changes?” turned off?) Organizations make all their shares writable to everyone because it’s easier than managing tighter security, or because the people doing the managing don’t know how to enforce write restrictions. (“Program complains? Just make everyone an admin-level user.”)

Where the damage is particularly bad is when the backups are everyone-write. Tapes haven’t been able to keep up with modern data volumes; current backup tech tends to be portable hard drives. If your only backup is a public-writeable disk and it’s still plugged in, it will get scrambled too. Or… the backup has not worked properly for months and nobody noticed. (Of course, if it’s an administrator that falls for this, the damage will be especially bad - almost everything scrambled.) If an individual loses their data - sucks to be them. If an organization is hit, it has the potential to destroy data for dozens or hundreds of people, make basic functions like accounting and payroll impossible, etc.

The next level is the hacker who wants to acquire and use your data. They use similar tricks, but 99% of the time the exploit arrives in email - if you don’t have a good mail filter on your email provider, you are seriously at risk. The latest one I saw is an email purportedly from a colleague or customer: “Here, read this document about xxxxxxx”. Click on it and what appears to be a legit Sharepoint or email login pops up. If you don’t realize it, you are providing email and password to the hacker. They now have access to your email - so many organizations allow web or phone access to email from anywhere, so now the hacker can peruse your email and you are none the wiser. Once you’ve accumulated a few years of corporate email (so many never delete anything), pretty much everything about your business is there.

Common follow-ups include acquiring your email contacts, anyone who has sent you or received an email. They can now send emails pretending to be you with this same exploit. (One version I saw, they add a rule to route all incoming email to trash, so any “Hey you’re sending out spam” emails, you don’t see. Another rule trick - CC any emails to a third party mailbox so they don’t need to log in, and even if you change your password, they still see your email.) They can find your corporate structure, to fake things like an email from the CEO to Accounting, “please send this supplier a payment - here’s the wire transfer codes”. Also, some corporations have “log in to your computer from home”. If they do, I bet the instructions are in your email somewhere. A lot of third party software and websites will reset passwords automatically after a verification code is sent to your email. The damage is endless. Then they can log in to a session on your computer if remote access is enabled - now the sky’s the limit. Download your computer’s SAM security database and do dictionary attacks to find passwords, search for financial data, etc.

You can defeat this with several options. Good spam blocking - essential. (As is common sense.) If an email contains a link, hover the mouse over it and the name should pop up - does it look legit? A Microsoft or bank login link should not go to a place like barrollo.kraduchia.ru/spazi. Longer passwords make it harder to guess other passwords. Changing passwords regularly (every 90 days, for example) means if someone does have your password, it will only work for a while.

Extended dictionary attacks basically take the security database, which can’t be decrypted, and try to match similarly encrypted words to see if they are the same; there are only a few hundred thousand words, fewer common ones. Try those. Try a list of common names. Try adding one, two, three or four characters after. Try common substitutes like zero for oh. A full test “aaaaaaa”, “aaaaaab” etc. will take the life of the universe. The dictionary can be done in hours; with characters added to the end, capitalization and so on, weeks or months to try every combination. Make a password out of combined words like “Born2BWild” and the dictionary doesn’t work; make it longer, and it takes longer. If it takes so long your password has to change before the hacker is done, then it’s a lot more secure.

The latest and greatest is two-factor - when you log in from a new device or after X hours, you will get a text and need to provide that to the computer as well. This has led to the next scam, SIM-swapping, where a perp persuades (bribes) a phone company employee to switch your phone number to a new phone so they get these verification messages. To go through the trouble of making something like this work, the target has to be pretty valuable.

So the analogy is good - it’s like locking the house. You can lock the doors, bar the windows, put in an alarm system, have a safe for valuables, etc. Depends how badly the thief wants to get in. A SWAT team with no worry about police stopping them will always get in. The casual thief will go elsewhere if the door is locked.
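The “hover over the link and see where it really goes” check from the post above, automated as an added example (not the poster's code). What matters is the registrable domain the browser will actually contact, so the URL is parsed the way a browser parses it and then checked for the tricks that make a link look legitimate at a glance. The allow-list TRUSTED, the tiny public-suffix slice and the sample links are constructed; the post's barrollo.kraduchia.ru/spazi is included as one input.

```python
"""Where does this link really go? The hover check, automated.

Added example for this thread, not any poster's code. It extracts the
hostname a browser would contact and flags the usual decoys: a trusted
brand used as a subdomain or in the path, credentials before an '@',
a raw IP address, punycode (xn--) labels, and plain http.
TRUSTED is a constructed stand-in for an organisation's own allow-list.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com", "microsoftonline.com", "sharepoint.com", "examplebank.ca"}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "on.ca"}  # constructed slice of the public suffix list
BRANDS = {d.split(".")[0] for d in TRUSTED}        # words phishers reuse as decoys


def registrable_domain(host: str) -> str:
    """'login.microsoftonline.com' -> 'microsoftonline.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(url: str, trusted: set = TRUSTED) -> dict:
    """Return the hostname the browser will contact plus a list of red flags."""
    parts = urlsplit(url if "://" in url else "http://" + url)  # bare links default to http
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:  # e.g. https://examplebank.ca@evil.test/ goes to evil.test
        flags.append("credentials before '@' hide the real host")
    if is_ip(host):
        flags.append("raw IP address instead of a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label, possible lookalike characters")
    reg = host if is_ip(host) else registrable_domain(host)
    if reg not in trusted:
        flags.append(f"registrable domain '{reg}' is not on the allow-list")
        haystack = (parts.netloc + parts.path).lower()  # userinfo, host and path
        decoys = sorted(b for b in BRANDS if b in haystack)
        if decoys:
            flags.append(f"trusted brand used as decoy: {', '.join(decoys)}")
    return {"host": host, "registrable": reg, "flags": flags,
            "verdict": "ok" if not flags else "suspicious"}


if __name__ == "__main__":
    for link in ("https://login.microsoftonline.com/common/oauth2",
                 "http://microsoft.com.login-verify.ru/spazi",
                 "https://examplebank.ca@203.0.113.5/secure",
                 "barrollo.kraduchia.ru/spazi"):
        r = assess(link)
        print(r["verdict"], link, r["flags"])
```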
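The mailbox-rule tricks described in the post above (routing all incoming mail to trash, hiding the “you’re sending out spam” warnings, CC-ing everything to an outside mailbox) are what a mail administrator should be auditing for. An added example, not the poster's code: the rule format, INTERNAL_DOMAINS and SAMPLE_RULES are constructed stand-ins for what a real server export would contain.

```python
"""Audit mailbox rules for the tricks described above: routing all incoming
mail to trash, hiding warning messages, and CC-ing a copy to an outside mailbox.

Added example for this thread, not any poster's code. Rules are plain dicts,
a constructed stand-in for what a mail administrator would export from the
server; the audit returns the suspicious findings for each rule by name."""
INTERNAL_DOMAINS = {"example.ca"}  # assumed: the organisation's own mail domains
HIDE_FOLDERS = {"deleted items", "trash", "junk email", "rss feeds", "archive"}
WARNING_WORDS = {"spam", "hack", "phish", "password", "suspicious", "unauthorized"}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def audit_rule(rule: dict) -> list:
    """Return a list of findings for one rule; empty means nothing suspicious."""
    conds, actions, findings = rule.get("conditions", {}), rule.get("actions", {}), []
    hides = actions.get("delete") or (actions.get("move_to", "").lower() in HIDE_FOLDERS)
    if hides and (not conds or conds.get("all_messages")):
        findings.append("hides every incoming message")
    words = {w.lower() for w in conds.get("subject_or_body_contains", [])}
    if hides and any(any(warn in w for warn in WARNING_WORDS) for w in words):
        findings.append("hides messages warning about the account: " + ", ".join(sorted(words)))
    for addr in actions.get("forward_to", []) + actions.get("cc_to", []):
        if domain_of(addr) not in INTERNAL_DOMAINS:
            findings.append(f"copies mail to external address {addr}")
    return findings

def audit(rules: list) -> dict:
    """Map rule name -> findings, for rules that have any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

# Constructed sample export: one legitimate rule, then the three tricks the post describes.
SAMPLE_RULES = [
    {"name": "Vendor newsletters",
     "conditions": {"from": ["news@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": "Rule 1",
     "conditions": {"all_messages": True},
     "actions": {"move_to": "Deleted Items"}},
    {"name": ".",
     "conditions": {"subject_or_body_contains": ["spam", "hacked", "Password"]},
     "actions": {"move_to": "RSS Feeds"}},
    {"name": "Backup copy",
     "conditions": {},
     "actions": {"cc_to": ["dropbox.mail@attacker-mailbox.example"]}},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", findings)
```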