What is Cybersecurity?
Cybersecurity: The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this. “Some people have argued that the threat to cybersecurity has been somewhat inflated”
Some might also claim that Cybersecurity is a pain. It is inconvenient. It is confusing. These are things that people who have not been hacked YET say. However…
In the words of Joni Mitchell: “Don’t it always seem to go, that you don’t know what you’ve got till it’s gone.”
The costs of not protecting yourself from hackers can be great. Once you have been hacked, most will change their complacent tune. At the bottom of this article I have included a list of the famously hacked who are no longer tough to convince that cybersecurity is worthy of their time. So a valid question is:
Can I protect myself from all security breaches?
Ocean’s Eleven, Ocean’s Twelve, and Ocean’s Thirteen totaled 1.1 billion in box office revenues. Then there are TV shows like 24. While sensationalized, this fiction genre revolves around a proven theme: a foe with enough resources can always get into wherever they want. While I accept that anywhere one human can get into is vulnerable, I temper my paranoia by remembering that we can follow the money! It is risk vs. reward. With enough money at stake a bad actor could just bribe or threaten your system administrator. Duh! A highly targeted cyber-attack on a specific target is often called “spear phishing.” Like Captain Nemo, spear phishers don’t waste much time on minnows. While phishing scams can be avoided with a little training and reasonable precautions, in 2016 it was estimated that 97% of users cannot recognize a phishing campaign. So many large companies have been breached in the last few years that some of your data has likely already been exposed. Yep, even if you never go online yourself.
Unless we work for a large company, most of us can’t access enough marketable secrets to fund extensive spear phishing attacks. But minnows instead face thousands of garden-variety hackers. These hackers are more cowardly thieves who carefully manage their risks. They are lower skilled, and their financial success depends on gathering low-hanging cyber fruit, aka people with little knowledge to resist cyber crimes. Garden-variety hackers are scanning millions of IP addresses for any low-hanging fruit. Then they steal or scam generally $100-$2000 per target. “Maria Doe” is a minnow like us. Her IP address is scanned every hour of every day. These hackers don’t care about Maria or US laws because they operate where US laws are not enforced. They are looking for multiple smaller payouts. They budget the value of their heist below the limit of Maria’s financial resources and also below Maria’s cost of privately pursuing them. They spread their attacks across law enforcement jurisdictions so they stay below the threshold where FBI agents can justify the expense of taking on the case. Hackers may also use the telephone to start the conversation and convince you that you have a problem that does not even exist yet. They may also not steal much information. They just grab some info, then they sell it online. What info is out there that might help a scammer send you an email you would trust? Let’s say that your email is JohnRowsey29@gmail.com and some low-level hacker gathers that information. Well, we already know that you might trust an official-looking Gmail email. If we search for you on Facebook, we know your friends’ names. If your friends include Susan Rowsey and Justin Rowsey, then we now know family members’ names. We learn that you like hunting. So if Justin emails to ask for your password for Cabelas.com, Gmail or Comcast, should you email it back to him? A better bet is to call your son and ask him how he is doing.
What is “reasonable” cybersecurity for a small business?
Most laws require businesses to take reasonable precautions for cybersecurity. Reasonable depends on what you are protecting. Does the value of your data make you a minnow or a whale? For a small business, reasonable precautions mean:
- Inventory data, devices and risks. What do you have? Why do you really need it? What would be the consequences if…?
- Get rid of unnecessary risky data. Holding data is a liability. If you do not have much in the way of sensitive data, you have a lower loss risk. If you have data you don’t need, then get rid of it, or at least encrypt it and store it in a secure location. An encrypted DVD locked in your safety deposit box is generally safer than unencrypted data on your laptop at a coffee shop. I spoke with an independent insurance agent. Her insurance vendor stores data on her clients, but she wants to personally keep her client contact info. If she were to keep her clients’ SSN and credit card info, then she has chosen much more personal liability than if she were to keep a simple address book. But still, encryption and passwords are suggested.
- Up to date? All software on the network is up to date. Replace unsupported and out-of-date devices. Update software continually.
- Configure security levels above default settings. Use secure passwords. Delete inactive accounts ASAP.
- Limit access on a need-to-know basis.
- Back up regularly. Also run a disaster recovery drill. Pretend your main data storage device was hacked. Go offline with the active device and restore to the un-hacked redundant device. How much downtime did you experience?
- 3rd party cloud storage. If your data is stored by a 3rd party cloud or local software company, then ask for their data security policy. Get a copy of their cyber insurance policy as well. Claims and legal expenses they do not cover will someday be your expense.
- Firewalls with NAT-protected devices.
- Train staff and vendors who can access your network or data. Staff should be able to identify phishing, social engineering, dangerous links, etc.
- Monitor login attempts to your network.
- Cybersecurity response plan. Create and test procedures for disaster or breach: unplug, repair, replace, restore plan and timeline. Data downtime is lost business.
You might be a spear fisher’s dream if…: If you own a domain that sounds like a business name, you’re definitely on a hacker’s radar. If you can access millions of dollars, you are a spear fisher’s dream. If you are a federal politician, you are a spear fisher’s dream. If you are on TV each month, then you are a hacker’s target. If the FBI director makes millions from one of your campaign donors, then you are a spear fisher’s dream. Hackers profit daily from the cyber ignorance of today’s aging leaders! If you are a hacker’s dream, then please listen to your IT professional, or at least your friend who works at the FBI.
Your potential losses increase when you have customers’ credit card numbers, SSNs, customer addresses and personal information. If you have HIPAA information, you risk fines and also legal costs. Inventory your sensitive data and consider whether you really need it. Securely destroy any unnecessary sensitive data. Some businesses think they have their data secured because they have a competent software provider that stores the information. But you are still at risk if: a. You do not keep all your passwords secure. b. An employee, contractor or spouse leaves with their data or an unchanged password. c. Somebody stores exports of previously secure data, for example for a mail merge. d. You are using old Windows XP or Vista computers to access the “secure” service. e. Your PCs are not reasonably secured with the 7 steps below. Don’t be a silly cyber whale! Call a trusted IT professional. Schedule time to identify your risk and put in place a cybersecurity plan.
Basic and reasonable cybersecurity steps we can and should all take.
1. Firewalls on? Windows software firewall and/or a hardware router or gateway (with NAT). Router security should be configured wisely or set to defaults. Firewalls protect you from network attacks you did not invite. The good news is that in this day and age most of us have firewalls. The bad news is that firewalls rarely protect you from yourself. Your firewall will let you and your staff go where you want and exchange information. So your firewall and your anti-malware protection will usually let you go to a dangerous link. Once you are connected, your firewall will normally trust the evil site long enough for you to get infected.
2. Browse wisely and know how to dissect URLs. Learn to identify whether the 1st and 2nd level domain is real. See the nearby screenshot of a browser page in Chrome. So what do we know about this browsing session? We have 5 tabs open. We have recently downloaded a file named touchscreen.png. Our current second level domain is returnpath. Our sub-domain is blog.returnpath. Our 1st level domain is .com. Our mouse is on a link to juniperresearch.com/… Here are some examples of safe vs. unsafe links: http://support.hp.com/us-en/product/HP-Photosmart-7520-e-All-in-One-Printer-series/5199461/model/5199462/drivers is a real link. Why? HP.driverppdate.com/1315.html is not. http://www.hpdriver.net/hp-photosmart-7520-driver/ is not a safe link. Why? In the US the first level domain is commonly .com, .net, .org or .gov. Just to the left of that is the second level domain, which should also be 100% familiar; otherwise avoid the link. If you see “https://microsoft.com”, then you’re on the official Microsoft website. Any scammer can put a familiar name like “microsoft” in a page URL as a file name, a directory or a sub-domain name. So you may find that the URL is “http://microsoft.werscamrs.com/canon/pepsi.asp”; that page is controlled by werscamrs.com, while Pepsi and Microsoft have no idea that web page even exists. Even if the scammer makes an identical copy of a Pepsi web page, don’t be fooled. You would instead be within the werscamrs.com website.
3. Be wise with email attachments and links in your email messages. Study the dangers of phishing scams, unsafe links and attachments. Because of phishing scams it is not enough to just know the sender, since it is easy for a scammer to spoof email addresses. You must also believe that the attachment is expected and sent for a credible reason.
4. Be wise about your passwords. Longer passwords. Complex passwords. Don’t use items easily guessed or found in your public records. Examples of poor passwords: kids’ birth date, default password, the same password for all your sites, the password you forgot to write down, the complex really important password you wrote down and lost, the password you changed but did not log, a note under the keyboard or on the monitor at work. Good passwords can be tested at https://password.kaspersky.com/. This page will estimate the time it would take to crack the password with an average home computer. Here are sample results:
- 1-04-1965 (9 minutes to hack)
- heather (1 second)
- heather1-04-1965 (16 hours)
- Heath3r1-04-1965 (3 days)
- WeA11L0v3Fid0 (1100 years)
- p@s5w0Rd (1 second)
- p@s5w0Rd17Jan (14 days)
- t3l13ph0n3 (14 days)
- t3l13Ph0n3 (16 days)
- shopperhealth6303551216 (1 million years)
- Cubs_are_Great_in_1908 (1 million years)
- Many devices or websites lock you out after a certain number of failed attempts. For these sites it is actually safe to use a password with medium-level security, because the hacker gets locked out after a couple of failed attempts, and so do you.
5. Opt into 2-step verification. Sites like gmail.com use 2-step verification. So if somebody gets your login and password but logs in from a new device, they are locked out until you confirm it is you from your cell phone, and you are notified of the attempt the next time you log in to Gmail.
6. Keep your devices and software up to date. Only download updates from safe sources: Windows or Apple OS updates, manufacturers’ driver updates, and software updates from Ninite.com. See also TrustedCTO.com/rpm.
7. Scan for malware regularly. Open your anti-virus, such as Microsoft Security Essentials or Windows Defender, regularly to check the last scan and last update. Also run Spybot Search & Destroy, Malwarebytes and SuperAntiSpyware.
8. Inventory and delete unnecessary data.
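As an added illustration of the URL dissection in step 2 (example code written for this article, not code from the original page or from any tool it names), the script below pulls out the domain that actually controls a link and names the trick when a brand name appears somewhere else in the URL. The short public-suffix set is an assumption; real tools use the full list from publicsuffix.org.

```python
from urllib.parse import urlsplit

# Stand-in for the public suffix list: the suffixes under which the label to
# their left is the owner. Real tools use the full list from publicsuffix.org;
# this short set is an assumption made for the example.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "edu", "co.uk", "org.uk", "com.au"}


def _split(url: str):
    """urlsplit that tolerates links written without a scheme."""
    if "://" not in url:
        url = "http://" + url          # e.g. "HP.driverppdate.com/1315.html"
    return urlsplit(url)


def hostname_of(url: str) -> str:
    """Lowercase host part of the link, without a trailing dot."""
    return (_split(url).hostname or "").lower().rstrip(".")


def registered_domain(url: str) -> str:
    """The domain that controls the page: one label left of the public suffix.
    blog.returnpath.com -> returnpath.com; microsoft.werscamrs.com -> werscamrs.com."""
    labels = hostname_of(url).split(".")
    for n in (2, 1):                   # longest suffix first so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)            # unknown suffix: treat whole host as owner


def link_verdict(url: str, expected_owner: str) -> dict:
    """Decide whether a link really belongs to the organisation you expect and
    name the trick when it does not: the brand used as a sub-domain, hidden in
    the path, or imitated by a lookalike registered domain."""
    expected_owner = expected_owner.lower()
    brand = expected_owner.split(".")[0]          # "microsoft" from microsoft.com
    host, owner = hostname_of(url), registered_domain(url)
    path = _split(url).path.lower()
    sub_labels = host.split(".")[:-len(owner.split("."))]   # labels left of owner
    reasons = []
    if owner != expected_owner:
        if any(brand in label for label in sub_labels):
            reasons.append(f"'{brand}' is only a sub-domain of {owner}")
        elif brand in owner:
            reasons.append(f"{owner} is a lookalike of {expected_owner}")
        if brand in path:
            reasons.append(f"'{brand}' appears in the path, which {owner} controls")
        if not reasons:
            reasons.append(f"page is controlled by {owner}, not {expected_owner}")
    return {"host": host, "owner": owner, "safe": owner == expected_owner,
            "reasons": reasons}


if __name__ == "__main__":
    # The links from the article, checked against the brand each one imitates.
    for link, brand_site in [
        ("http://support.hp.com/us-en/product/HP-Photosmart-7520-e-All-in-One-Printer-series/5199461/model/5199462/drivers", "hp.com"),
        ("HP.driverppdate.com/1315.html", "hp.com"),
        ("http://www.hpdriver.net/hp-photosmart-7520-driver/", "hp.com"),
        ("http://microsoft.werscamrs.com/canon/pepsi.asp", "microsoft.com"),
    ]:
        print(link_verdict(link, brand_site))
```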
IT people will warn you that security leaks can be costly. Every day we encourage business leaders to take basic precautions to protect their data. The more you create or are entrusted with valuable trade secrets, or the more sensitive your data, the more you need to know about security and cybersecurity. Unfortunately, the older you are, the less likely you are to understand and consider your cyber world. Cybersecurity is one area where aging professionals struggle to shift their business paradigms. Business owners have the power to decide. Usually your 30-something computer professionals are not authorized to make leadership-level decisions. So ultimately business leaders make the real decisions on how much security is worth the risk. It is a balance, and there is no one-size-fits-all answer.
The right cyber security plan for you depends on:
- What is the potential value of your data in the wrong hands?
- Where is your data stored? Where is it backed up?
- How powerful is your worst likely adversary?
- What are you already doing for cyber security?
Aim for higher security if you maintain sensitive data on people or have power or money.
- Multi-factor authentication. Not just username and password, but also a quick response to a text confirmation etc.
- Encrypt data about people. How?
- Strong encryption on laptops and portable devices, especially for health care info. Microsoft lost source code due to an unprotected employee laptop.
- Encourage breach victims who have had SSN or credit info exposed to put a free fraud alert on their credit files.
Do hackers see you as a whale or a minnow? A whale is a prime target likely to have financial wealth or valuable data. In the cyber world, the more private data you have, the more likely you are to be targeted. Hackers dream of hacking cyber whales, so they invest more effort into hacking them. Sometimes hacking is a thrilling sport to these hackers. A hacker might also think: “It would be cool to hack the makers of Ocean’s Eleven.” Well, Warner Brothers were hacked in 2012. (Really? Shouldn’t they know better?) Some famous data breaches include: Home Depot, Microsoft, Yahoo, Sony, Hillary Clinton, Donald Trump, the DNC, the IRS and yep, the FBI. Hacking the FBI or a bank would probably be pretty challenging. They have been hacked for decades and learned the hard way to keep educated and vigilant. Their security protection strategies need to be much higher than the minimums. But hacking the DNC was predictably easy. Why?
Aging successful business leaders choose their own cybersecurity leaks. It is your business and your security. Your IT professional will not be there 24 x 7 to protect you, and chances are you would not heed her advice anyway. Business leaders today need to know enough to avoid being cyber foolish. Still, our own hubris is our downfall. “We never needed malware scanning before, so why start now?”
Here is a current popular real-life example. 2017 news continually updates us about the DNC and Hillary Clinton being hacked from 2015 to April 2016. So what happened, and how is that a security lesson to us all? The July 2016 Wired magazine quoted two cybersecurity firms, Fidelis Cybersecurity and Mandiant. Both independently corroborated that “the two groups that hacked into the DNC used malware…” Among the most damaging information garnered was not credit card info. It was personal secrets, like how the DNC schemed and planned unfair treatment to stop Bernie Sanders from beating Clinton. It sounds like staff accessing @clintonmail.com did not scan for malware. IT professionals frequent newsgroups. I read that many feel that the hacks on the DNC were likely because many officials had the same password. For example, multiple users were assigned something like vote2016 as a default password. Users are also told to change their password, but they do not. So if a hacker finds one password he might have access to many other accounts on the server. I read many times that the DNC did not take basic security steps, so they were hacked by multiple hackers. News outlets on the left and the right are up in arms trying to spin this into a political victory and a Russian witch hunt. But after 9/11/2001 I recall these same news outlets blaming the CIA for not intercepting enough of the private communications between the 9/11 terrorist cells. So we expect that our CIA will hack and hack well. However, we still get indignant when we learn that other governments are under the same expectations.
Here is a better plan. Assume there are thousands or millions of hackers. Take reasonable and affordable precautions commensurate with your own risk tolerance.
Other news reminds us that cybersecurity is not enough if you don’t lock the front door each night. Ask yourself: “What do my detractors want and how could they get it?” Apply that rule to this story: On October 26, 2016 The Washington Post printed that Hillary probably violated federal election laws when video showed that she hired super PAC leaders to stalk Trump in Donald Duck costumes. The ducks were not illegal. But somebody knew that it is a federal election law violation for a major candidate to direct a super PAC’s actions without both committees filing the proper in-kind services received public transparency reports. When smear tactics have a cost, the laws are clear that voters have the right to know who directed and funded the tactic. So somebody smelled a rat and videotaped discussions all the way to the top-level source. The story is now forgotten, but it illustrates that if you have wealth, competition or secrets, then you need to be streetwise and assume early that the spear fishers will strike.
Next prepare more specifically for your Cybersecurity Plan
- Review your sensitive data and where you store it. Securely delete unnecessary data and move necessary data to more secure locations.
- Review the templates below for small business Cyber Policies.
- Pick a template that works for you.
- Discuss it with your line level leadership.
- Customize your plan into a draft document.
- Ask your IT professional for a budget to actually implement your drafted policy.
- Adjust your policy and or your budget to match.
- Implement your plan and train your staff.
- Consider cyber liability insurance. (They will want a copy of your plan).
Templates for building your own cyber security plan:
- SBA cybersecurity course outline
- SANS Security Policy template
- Stay Safe Online’s Cyber Security Plan template
- Federal Communications Commission Small Biz Cyber Planner
- The Small Biz Cyber Planner
Who are hackers’ “Targets”?
Yep, hackers successfully got credit card info from Target. People might also be worried because major email providers have been hacked, including: 57 million Mail.ru accounts, 40 million Yahoo/sbcglobal.com accounts, 33 million Hotmail/MSN accounts. Some of your data has probably already been hacked. Yes, even if you have never been online, hackers have your data. The good news is that statistically you probably survived.
Some of the more famous businesses and institutions that have been successfully hacked:
City of Naperville, Starwood, Marriott, Hyatt, RBS WorldPay, Barnes and Noble, TJX, Heartland Payment Systems, Neiman Marcus, White Lodging, Sally Beauty, Michaels, 11 casinos owned by Affinity Gaming, New York’s Attorney General, PF Changs, Albertsons & SuperValu, Community Health Systems, UPS, Dairy Queen, Goodwill, Jimmy John’s, JP Morgan Chase, Sourcebooks, Kmart, Staples, Bebe, Sony, Premera Blue Cross, Anthem, Ebay, University of Central Florida, FACC, U.S. Department of Justice, Internal Revenue Service, UC Berkeley, Snapchat, 21st Century Oncology, Premier Healthcare, Verizon Enterprise Solutions, Systema Software, Tidewater Community College, MedStar Health Inc., Philippine Commission on Elections (COMELEC), Wendy’s, LinkedIn, VTech, Newkirk Products, Oracle, Dropbox, Webley, Cisco, AdultFriendFinder.com, San Francisco Municipal Transportation Agency, MacKeeper, Experian, T-Mobile, US Office of Personnel Management, Ashley Madison, Prisons in 37 states (recordings of prisoner phone calls), SAS Safety Corporation, AllMed – Central Alabama, Cottonwood Comfort Dental, Oregon Department of Veterans’ Affairs, Quincy Credit Union, Acclaim Technical Services, Hello Kitty, Landry’s, Corner Bakery, Safeway, Toyota Motor Credit Corp, and the growing lists go on and on.
Related reading and random notes:
email@example.com and firstname.lastname@example.org were used by Clinton from 2009-2016.
The Apple server Clinton was using as Secretary of State was “already out of date” in 2009, so in the best-case scenario it was an Apple Xserve G5 Cluster Node model with Mac OS X v10.4 “Tiger”. From 2009-2014 the email server was run in Clinton’s Chappaqua, New York, basement. She was Secretary of State from 2009-2013.
Clinton’s staff used her SMSGS@State.gov, to send “all-employee” emails while SSHRC@state.gov, was used only to run her state department Outlook Calendar.
FBI testimony circa 2001 https://archives.fbi.gov/archives/news/testimony/the-fbis-perspective-on-the-cybercrime-problem
Email is rarely secure unless it blocks almost all email. This is because it uses Simple Mail Transfer Protocol (SMTP), which dates from 1982 and was last updated in 2008. SMTP allows spoofing. So an email to email@example.com might get through if you just change your Outlook outgoing email settings to say you are firstname.lastname@example.org.
Sept 30 2016 Politico Magazine
The basis for revocation or denial is laid out in Executive Order 12968 which, ironically, was signed by President Bill Clinton. It states:
“Access to classified information shall be granted only to employees whose personal and professional history affirmatively indicates…strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment…and willingness to abide by regulations governing the use, handling, and protection of classified information.”
See also: Executive Order 12968 Access to Classified Information 40250 Federal Register / Vol. 60, No. 151 / Monday, August 7, 1995 / Presidential Documents
PART 3—ACCESS ELIGIBILITY STANDARDS
Sec. 3.1. Standards. (a) No employee shall be deemed to be eligible for access to classified information merely by reason of Federal service or contracting, licensee, certificate holder, or grantee status, or as a matter of right or privilege, or as a result of any particular title, rank, position, or affiliation.
(b) Except as provided in sections 2.6 and 3.3 of this order, eligibility for access to classified information shall be granted only to employees who are United States citizens for whom an appropriate investigation has been completed and whose personal and professional history affirmatively indicates loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment, as well as freedom from conflicting allegiances and potential for coercion, and willingness and ability to abide by regulations governing the use, handling, and protection of classified information. A determination of eligibility for access to such information is a discretionary security decision based on judgments by appropriately trained adjudicative personnel. Eligibility shall be granted only where facts and circumstances indicate access to classified information is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of the national security.
Sec. 6.4. Sanctions. Employees shall be subject to appropriate sanctions if they knowingly and willfully grant eligibility for, or allow access to, classified information in violation of this order or its implementing regulations. Sanctions may include reprimand, suspension without pay, removal, and other actions in accordance with applicable law and agency regulations.