If we have learned anything from the recent SolarWinds hack, it is that many companies sell security solutions with no measurable way of verifying their claims. In fact, most companies cannot accurately tell you why anything they sell is secure, yet we believe them. Keep in mind that banks, governments, Microsoft, Facebook, and Google have all been hacked. Also, consider that during a speech about the Pegasus spyware software, President Benjamin Netanyahu famously stated, “Every system can be hacked”. Israel created and actively sells this software to governments worldwide. So, why should we believe any company that professes secure infrastructure?
Disclaimer: This article has no affiliate links in it.
This guide is a simple introduction to the world of online security. In this article, I attempt to share general ideas for reducing the likelihood of being involved in a hack. With IT security there are no guarantees; however, you can reduce your chances of being involved in a data breach. In IT, we call this process reducing your attack surface.
Evolution Of Security
During my first internship, working in the IT department of a US university back in 2006, the day eventually came when the network was actively being hacked. The highly paid IT team could do nothing other than watch the hack proceed. One high-ranking manager noted that the hacker was nice enough to leave them (the IT team) with one account where they could get in and repair the damage once the hack was complete. The hacker had disabled all other accounts with any administrator rights. I’m sure everyone on the team went on to have wonderful careers.
My experience ranges from start-ups to Fortune 500 companies in the US and Canada. I have seen endless scenarios of companies being hacked, which is unfortunate. However, those situations are probably covered by some type of NDA. With that said, in an effort not to be sued, let’s focus on publicly known incidents and remedies.
Today, there are advanced tools like those made by SolarWinds. They help companies in their goal of achieving secure IT infrastructure. Seeing that SolarWinds itself just got hacked, this may be considered laughable. There are also scanning tools like Nessus that help companies identify holes in their network. When these tools are utilized by a well-funded and competent security team, you are headed in the right direction.
In addition, we also have security feeds that can update us on security issues related to the technology we are using. For example, the cve.mitre.org website provides a feed of all publicly known vulnerabilities along with important metadata. We can use monitoring solutions like New Relic to see where issues are occurring across a company’s entire infrastructure. Ultimately, we have lots of ways to attempt to protect ourselves from malicious activity. Even with all of these tools, companies still get hacked.
Consequences Of Data Breaches
When your data is lost, it generally falls into one of three main scenarios:
- Ransomware – As seen with the Atlanta, GA government attack, where their court system was locked. They were required to pay money to the group that encrypted their systems.
- Espionage – The American government thinks Russia hacked into election systems in 2016.
- Sale – Your personal information like passports, driver’s licenses, etc. being sold, as in the Aurora Hack in 2021.
They can all negatively affect you; however, some will affect you more than others. For example, some may suggest that country-level hacks have little to do with you or me. However, when your information is being sold, it will directly result in your credit being used by others. Alternatively, if your local court system is hacked and you need to pay a traffic ticket, you will be directly affected if the result is you going to jail for nonpayment.
The consequences of hacks are relatively small today. Maybe you will need to invest a few days into cleaning up your credit. With the advent of 5G internet, we will all depend even more on security technology. A future that includes your car or body implants being hacked would be far more dangerous. So what are companies doing to combat this?
Security Personnel & Certifications
Just as a university education is archaic and worthless for most people’s everyday job (I have a BSc in CS), most certifications are the same. They typically cover basic knowledge that has no bearing on reality. With that said, the top-ranked security certifications are:
- CISM – Certified Information Security Manager — $148,622 USD/yr salary
- CRISC – Certified in Risk and Information Systems Control — $146,480 USD/yr salary
At this point, you may wonder if any of these people work at the companies you are sharing your private information with. If not, you should probably seriously reconsider handing them any of your info. These certifications require years of continuous career dedication, which in the current IT world of high turnover is hard to achieve. According to ISACA, there are more than 32,000 CISM credential holders worldwide. Compared to other IT certifications like ITIL, this is a small number.
In addition, there are university degrees that specialize in security. As anyone that has attended university can tell you, the curriculum is almost always behind the curve on what’s happening in real life. My humble guess is that the hackers didn’t get this academic education, so it should not be considered a silver bullet in the pursuit of security. A master’s degree in security will get you in the door at any large company. However, this person is not yet prepared to protect your network.
In most companies, there isn’t a specialist handling security. The company may or may not invest in penetration tests of its infrastructure. Chances are, there is a network, web, and/or software team that works loosely towards fulfilling the whims of the executive team.
The Architecture Of A Hack
Unfortunately, most major hacks are not the glamorous scenario depicted by Hollywood. Hacks are usually the result of cheap executive teams that view technology as a cost vs. an asset. On a balance sheet, you don’t see the money that’s saved, only the money that’s been spent. This makes the IT department a prime victim of price cuts.
Specifically, most hacks are the result of something not being updated. It’s that simple. The company being hacked could actually have known there was a risk with its current infrastructure, as in the case of the Equifax breach. However, for a range of reasons, most companies host old IT infrastructure with security holes. Typically, companies with a security plan have a list of these issues and work towards fixing them on a schedule.
With that said, you don’t need to do anything to be hacked. It’s been confirmed that software like Pegasus spyware can simply infect your iPhone and begin controlling it. There is nothing you can do as an individual to protect against something like this.
Most Hacking Scenarios
Only a few people know how to create these tools. The tools are often distributed to the world in places like the dark web. In short, someone with little knowledge can use these tools to scan networks for these existing, known IT infrastructure issues. These issues could be:
- Configuration – Amazon AWS S3 storage is a popular case, where users often misconfigure it.
- Software Version – Software is constantly being updated; however, the end user has to apply the patch/update.
- Hardware – Using an old Wi-Fi router is a popular example, where technology exists to easily break your password.
- Focused/Malicious – DDoS attacks are probably the most popular example. Here your favorite site is rendered unreachable.
- Social Engineering – Phishing scams are the most popular form. Here a user is tricked into unknowingly sharing their info.
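As an added illustration of the configuration item above (example code written for this article, not from the original post or from AWS): an offline check that flags an S3 bucket policy granting access to every principal, with the corrected role-scoped policy beside it and the Block Public Access setting that mitigates the weak one. The bucket name, account id and role name are made-up placeholders; the four Block Public Access field names are the real AWS ones.

```python
import json

# Constructed sample documents (not from the article): a bucket policy that
# grants anonymous read, and a corrected one scoped to a single IAM role.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Block Public Access settings (real AWS field names) with constructed values.
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = dict.fromkeys(BPA_OFF, True)

def _is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}: the grant applies to anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json):
    """Sids of Allow statements open to any principal with no Condition.
    Statements that do carry a Condition still deserve a manual look."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def assess_bucket(policy_json, block_public_access):
    """'public', 'mitigated' (public policy, but RestrictPublicBuckets is on)
    or 'private' (no statement grants access to everyone)."""
    if not public_statements(policy_json):
        return "private"
    if block_public_access.get("RestrictPublicBuckets"):
        return "mitigated"
    return "public"
```

The same two functions can be pointed at policies pulled from a real account; treating any wildcard grant as public is deliberately conservative, so review the flagged statements rather than auto-deleting them.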
Updating these things takes time. A company with the resources has individuals who focus their entire career on tracking down and patching holes. Remember our discussion from earlier: compared to the marketing department, these IT people show up as a cost on the balance sheet. If they do a good job, then as an executive you never hear anything about what they do.
We are talking about generic scenarios. If a state actor or major organization wants your information, there is little that can be done. Technology is moving at a fast pace and security is failing to catch up. Anyone with a connection to the internet can craft sophisticated attacks on any other connected computer.
Reduce Your Risk
Most people will never go through the levels outlined in this section; however, it’s nice to cover your options. A level of separation between your real information and the info you share with companies can be helpful. Let me explain.
There are websites that provide free email addresses. You should probably have one that you use for signing up for random things online. If possible, you should use a disposable phone number and a concierge P.O. box. Use your real information when dealing with the government and other companies that need your information to do business with you.
Another great example is credit card numbers. Today, you can get your credit card company to generate a new number for a specific purchase. That way, if a company is hacked, your actual credit card isn’t caught up in the breach. If your credit card doesn’t do that, then you should consider switching cards. If you aren’t going to take this step, then consider paying in person or on delivery with cash. The power is yours to reduce the number of companies you share this information with.
If you gave your info to the government and they got hacked, you can’t do anything about that. However, giving your information to video games, random company raffles, and other organizations that provide no indication as to how they will protect your information is a bad idea.
Any company that tells you they are secure is lying in 2021. All companies aim for a secure infrastructure. Possibly, they are not aware of security issues. The best thing you can do is be careful. Only share information when needed and with companies or organizations that can be held liable when they fail. Your favorite restaurant knows nothing about security, so why are you signing up for their raffle? Do you really need to use that new bank app that requires your fingerprint?
Equifax offered to cover affected people after their incident. This isn’t the rule. Many organizations have been hacked without disclosing it to the public. However, the chances of your local mom-and-pop shop covering losses if caught are next to none. So the lesson here is: don’t give out your personal information unless you absolutely need to.
If you are worried about the IT security at your company and need help, our BePro Software Team can assist. Contact us today.