The ABZs of Cybersecurity

Saturday, July 09, 2011

Pete Herzog

1789975b05c7c71e14278df690cabf26

If we want people to be safer with their information we can't go the "just say no" route since people just won't do that. Abstinence doesn't work for school sex programs and it won't work for online safety.

The main reason for this is because our physical and emotional needs are extremely complex, involve multiple chemical interactions in multiple areas of our body and you can't just will them to stop.

They are there. So here's some of the practical security awareness we provide to mollify the bad info habits of people in this age of instant communications and instant gratifications.

As you will see, we put a lot of stress in responsibility and accountability rather than just listing bad things that can happen to them. This type of treatment has had great success in helping people with bad habits and phobias. The benefit of this is to help them to control things they can control yet not completely give up most the things they enjoy doing. That means changing how they do the things they do instead of what they do. Since a person's nature is hard (impossible?) to actually change, we just want them to be aware of what the consequences are and how to avoid them even if just partially.

These are from lecture notes and are spoken, hence the conversational tone. During the discussion, pictures and common situations are discussed, things almost everyone can relate to in their daily lives, to remind people they've dealt with this before. This is also why you see nearly no solutions mentioned here because they are not the same for every audience. And we did it in the ABZ format to facilitate the learning and remembering rather than just trying to be cute or silly (but that does work with children and young teens).

The ABZs of Cybersecurity

A is for "Attack"

The more you install on your computer, phone, whatever, the more attacks your system is open too. Unfortunately this includes "security" software so choose wisely- more is NOT better. You see more interactions means more attack types and more opportunity for attackers. It's also more complicated and you get more possibilities for conflicts between applications, slowing you down or stopping you from what you want to do. You really only need to install a software that makes you allow applications to do things that you want them to do. That's called "white listing". For example, your writing application wants to connect online? Why? If you're not writing online then it doesn't need to be contacting anything. Yes, controlling each and every application is a pain in the ass in the beginning but after a little while it stops bugging you and you can forget about it. Then what you've made is called "least privilege" and it means your applications have the lowest number of privileges they need to run and so can only do exactly what they are supposed to do. That means if you do pick up something over your browser, it can only go as far as you've let your browser access files and directories on your computer.

B is for "Bullsh*t"

There is no real way to be sure of who someone is over the Internet so there should be no real trust. You shouldn't even trust the identity of someone from an encrypted and signed communication unless you've identified the signer, preferably in person, when you first accepted their public key. Of course people do to make things flow faster. And really that's what it's all about, right? So to make things go quickly and smoothly, we trust that most things are not malicious, selfish, or hurtful. We even do that offline in the touchy world. Until we get hurt or hurt others because of being used or manipulated. Same thing online or by phone. Keep your wits and expect what you say or do is maybe not with the person you think it is. That means if it's something sensitive, embarrassing, or even just to keep people from knowing where you live, then only do it in direct contact with that person. There's nothing wrong with saying, "I don't want to talk about it here, let me call you or when we see each other." rather than over an open chat or forum. After all, that's something you do at school or in the mall when you see a lot of people are around who can hear you. So that goes with everything you do online. You also should consider that just because someone you know sent you something doesn't mean they haven't been fooled or tricked into carrying a virus or something without knowing it that will get to you. One thing you learn in life is that EVERYONE gets duped, fooled, tricked, and used repeatedly throughout life and life happens on the Internet just the same. Just as you're cautious about what you do with people you meet on the street, why would you be less so when you don't have them close enough to smack?

C is for "Careless"

People are careless. You cannot trust that other people will do their part in keeping you safe. The more people you allow access to your personal information, see your status updates, or connect to, the more ways you open yourself up to being careless with you. And you know if any of those people get fooled, defrauded, compromised, corrupted, hacked, or turn evil, they're still linked to you. And they will eventually. And you're connected to them. And your screwed.

E is for "Everything"

Just remember that what happens on the Internet stays on the Internet. EVERYTHING. Equally true with gadgets that are connections to the Internet. EVERYTHING you write, send, snap, vid, post, or go has the potential to show up as info somewhere else. Preservation sites like archive.org and search sites with caching features like Google and Bing are simple-to-use testaments of this.  This also goes for SMS, email, chats, tweets, status updates, and forums. (Yes, those SMSes are stored on servers to be delivered and sometimes those servers get hacked- as some celebrities have had the misfortune to discover.) So if it needs to be said then pick up the phone to say it as it's less likely to be recorded. You'll probably be happy about the plausible deniability later especially since time heals wounds faster if there aren't posts or pix to keep reminding people.

F is for "Forms"

Keep your personal life away from business. Did you fill out a form with your information? That information can be placed in a database and sold and resold, regardless of what the privacy policy says at the time of signing up because they can just change it, especially if there are financial difficulties at the company. So wherever possible, use free e-mail accounts with non-specific or generic names to subscribe to things and then forward them as you'd like to your real e-mail. Feel free to use fake names, gender, age, etc. wherever you don't need to provide a credit card to purchase something or fill out an official government form. There's no reason to have the real stuff coalescing out there for someone to pick easily like a cherry from another's basket.

G is for "Gone"

When you buy things online, there's more going then just your money. When you spend cash you're name's not on it and nobody can keep taking more cash out of your wallet after you leave. And it's not just a problem with new or boutique online retailers because even big and established retailers lose things like your identity, shopping habits, and card info. And before you buy things from a place you never did business before, do a little searching for their name and "fraud" or "fake".

I is for "Improve"

We must become the change we seek. If you want to improve your own anything then you can't wait for others to do it for you. Take control over your own safety. Many new PCs come with serious bloatware which hasn't helped you as much as you think. Most of it you won't even use but yet there it is, running in the background. Get rid of it and take charge of what you want to protect your system. Even with the default search and destroy type security program that it comes installed with and updates constantly- get rid of it! What you need is to be sure that only the applications you have and want will access the parts of the computer they need to. Improving your own safety is only something you can do. Nobody else can successfully do that for you. You know, that's also what the Federal Marshals tell people in the Witness Protection Program. They can only protect them so far and the rest they need to do themselves to assure they stay safe. Same here.

J is for "Joining"

What you do offline also makes a difference. That means forms, coupons, sweepstakes, and other promotions like the club you join at your regular shopping center for savings and that 10% discount you get if you sign up for their credit card goes online. It goes into databases which in turn get sold and resold (even if they say right now that it won't). Sometimes it gets correlated and a profile of you is kept on your habits and travels. Should these people get hacked, and they do, then your info goes on the open market specifically for identity thieves. Remember, for them to offer any kind of deal there must be a benefit for them. Just take a moment to think about what you exchange yourself for it.

K is for "Kill"

If you don't like how something's happening, kill that connection. Just like if you don't like where a conversation is going you end it quick even if you just walk away. So pull the plug. Pull out the net cable. Kill your application the hard way and not just click the X or the "No" or wait for a shut-down. If you get pop-ups, requests, or anything else that you didn't ask for or don't want then DON'T click it away! That could lead to something you don't want to see or have. Of course it's a trick! So just kill your browser. Some security software also makes it easy for you to kill an application. Killing interrupts the process where anything else may just give it time to finish.

M is for "Mark"

Unless your business is a business keep your business to yourself. Otherwise you just make yourself an easy mark. The people who tweet or post their personal business to their status updates are telling more than just their "friends" about their day- they're also telling people how and when they're weak, biased, or wrong, key things required by any manipulator to get into your business. People are easiest exploited when they are at a low point in their lives yet many people openly post their emotional and mental state as a status update for anyone to see. How do you think cults are able to get so many smart people to believe such dumb things? By getting exactly that kind information from someone.

N is for "Nobody"

If you can't have it then make sure they can't either. That means encrypt your data AND make it tough to find. Two controls "Confidentiality" and "Privacy" are the keys to this. Confidentiality is obfuscating or encrypting the info and privacy is hiding the path to the info. By doing that, like encrypting your important stuff and then hide or disguise it as other files will go a long way towards keeping it out of someone else's hands. This way if your computer or device is stolen they will need to first find the important data files first and then they need to try to crack them. Some security solutions even trigger a full disk erase when someone gets the password wrong too many times. Some solutions will wipe themselves from disk and memory after you've been there, especially good for web browsers. Nobody but you should have access to you without your permission.

S is for "Shred"

Shred it all except your dignity. You should remember to shred your personal garbage, especially mail, before setting them out. I wish this was just paranoia speaking. Except it's how thieves make marks. Don't just throw away bills, cards, magazine reply cards with your address, old credit cards, DVDs, back-up tapes, hard drives, or pretty much anything that says who you are. Yes, even hardware should be wiped completely with special programs that overwrite files with random bits before re-selling it or just put the hammer to it before going in the recycle bin. Don't be lazy about this because the alternative, the identity mess clean-up, is a lot more work. Remember, nobody ever wished they hadn't erased or shredded their personal life from a device before someone else got their hands on it.

T is for "Three-Second Rule"

There is no 3-second rule in cyberspace. Unlike the 3-second-rule myth for food, once you drop (or put) a file, message, or status update online it doesn't mean you can pick it back up without anyone knowing you did it or it being clean. So think before you write something that could be offensive, personal, wrong, dumb, or just plain mean. This is also something you should consider when you pick up things you find online from anywhere. The moment it got put there it could have been corrupted or altered. If you download anything from the web, P2P, or any file shares: use a sandbox to verify its install before you install it all. Even things you might get from people you know might have gotten infected unknowingly to either of you. Forget what you learned in pre-school, the road to hell is paved with reckless sharing.

W is for "Wireless"

Wireless anything is like air; anyone can share your breath. So if you use wireless, use encryption. HTTPS is the encrypted option for HTTP. SFTP and SCP are the encrypted options for FTP. SSH is the encrypted option for Telnet. SPOP is the secure form of POP. Even IMAP has a secure form and don't forget to use encrypted SMTP for encrypted sending of your e-mail. Most everything you can use has a safer version to choose even if you haven't seen it. So look for it and choose it. Set up all your applications, especially e-mail, to use encryption by default. Then you don't have to worry much about losing your identity over public wireless nodes. Your security and privacy are your business so don't expect or trust the security features of wireless that's built-in to do your security for you.

Y is for "Yourdamnself"

The problem here is that current computer culture has become one of updating and patching to protect you but that's just too little too late. You can't wait for the software makers to get around to protecting you. Ever hear of a 0-day? That's another name for an attack that you aren't ready to defend against yet. YOU need to protect yourdamnself by finding security software that doesn't let anything on the computer just do whatever it wants whenever it wants. Plus updates actually add more new and untested code to your system (yes it's tested but not on YOUR unique system yet). While major screw-ups from updates are happening less often, they do happen regularly still (just search for variations of "before update I could"), minor screw-ups are the kind which keep applications from working as they always have and crashed programs or crashing your whole system and you won't really know why. YOU need to protect yourself by making sure your computer doesn't let things happen that you don't know about, including the "calling home" stuff which includes automatic updates, automatic patching, and the ever-present malware looking to hop into your file system. New computers are best re-installed without all the add-ons and adver-crud they get shipped with. I know it takes time but isn't always better starting clean? Don't allow your computer to run applications that aren't one of the ones originally installed by YOU on your computer, like off of USB keys or launched by web apps, unless you specifically want them to. So get a good security program which will prevent things from happening between your computer to the rest of the world, especially the ones you don't know about. If you want to update something for the features or better functionality then do so manually. It's YOUR job. Oh, and don't forget to disable or block your security software from calling home as well. It's always up to YOU.

Z is for "Zen"

Take a breath and relax. Being safe isn't hard to do. It just takes some getting used to, like tying your shoes or riding on the back of a flying dragon, things you probably are close to mastering by now. So don't get frustrated by it. Just get into the habit of doing it and while you won't notice you're doing it, it will always be there for you when you do need it.

The full security awareness program is available for various audiences as a course and soon to be online as well. If you are interested in it, please contact us at ISECOM for more information. As a non-profit we provide these courses and subscriptions to pay for the research and the community lessons, services, and classes we provide for free. We do appreciate your support.

If you make commercial security solutions or services which would fit into one or more of the descriptions as advised here, please contact us and we'll see how we can collaborate.

The points made in this article reflect the research findings which are outlined in the OSSTMM 3: operational security controls, security and trust metrics, and the Moebius Defense security model where environmental protection precedes security awareness. You can find OSSTMM research at the main ISECOM website.

Possibly Related Articles:
24965
Network->General
Information Security
malware Security Awareness Methodologies Cyber Security OSSTMM ISECOM Trust metrics Moebius Defense
Post Rating I Like this!
595640009b9ff10ec4d781330e3a9a40
Don Turnblade If education generally has a 3 to 1 advantage over non-education with Humans, the I agree that awareness training can help a great deal.

First, let us finish with the benefits of actually training people. We know we can shrink a companies risk of an exploit over a two year period to as low as 0.04% per company.

If all companies operated at that level of game, it would take 1732 companies sharing your information in common to have a 50/50 odds of being breached in 2 years.

No, I do not think its fair to suppose we have a met the unchangeable level of human error rates yet. Nor, are we even close to fully engaging the even the best that we can expect from exclusively low-light sample companies.

Develop smart processes for ordinary people to use rather than ordinary processes for smart people to use. We know that awareness not just public awareness but Software Developer, System Administrator, Network Administrator and Data Flow Design Awareness is a smart process for ordinary people to use.

It also does not hurt smart people to use smart process either. How many bosses require anti-buffer flow coding checks in software? A survey of 150 software developer teams by Forrester discovered that number was only 28% of the teams surveyed.






1310414733
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.