Attackers will often use these three categories together in an attack. Click on the links below to learn more.
There are four main types attackers. Each has its own skill level and targets:
These are lone hackers with little to no actual tech. skills. They use hacking tools developed by more capable hackers and follow tutorials posted online. Their attacks are often done to gain attention, experiment, or get a rush from a challenge; and these attacks are usually little more than a nuisance and pose little threat.
Hacktivists are individuals or groups with a political agenda. Their skill level and resources vary. These groups aim to disseminate confidential information and/or take down websites. Examples include WikiLeaks and LulzSec.
According to EY's cyber professionals
, organized crime has moved off of the streets and into the cyber realm. Easily hiding their identity and whereabouts, the ability to defraud many people at once, and lower costs of operation are a few reasons they've made the move. These are the groups behind many of the spam and credit card frauds. They typically have more resources and often skills than hacktivists.
APT's, or Advanced Persistent Threats, are hacking groups sponsored/bought or owned by nation states. They're usually after information (government, intellectual property, etc.), but they have created and used cyberweapons
. They represent the greatest threat because they are willing to wait and have more resources than any other type of attacker. They usually target businesses, utilities, and other governments. Being targeted on an individual level by an APT is unlikely. It would be like encountering a bear on a hike and then having it attack you (to get away, you could trip your friend, but if that bear wants to take you down, you're going down). That said, it is possible to defend against APT's, but it requires high levels of diligence.
In order to better understand digital risks, it's good to have a basic understanding of how computers (e.g., laptops/desktops, servers, smartphones, IoT devices, cars - essentially anything with a CPU) work and interact with each others (i.e., networks). I'll begin this section by talking about how computers and networks work and then discussing the risks. But don't worry - I won't be getting into any technical details. If you have questions, feel free to reach out to me.
How Computers Work
Systems & Networks
How Computers Work
When I first learned how to program, I was surprised to find out that computers aren't magic boxes. Instead, you have to tell them exactly how to perform tasks, and they follow those instructions exactly (which can be good and also really frustrating when something goes wrong and you can't figure out why).
For example, let's pretend I'm a computer and you're trying to get me to put an apple in your hand (we'll assume the apple's already in my hand). If you say, "put the apple in my hand," I won't have any idea what you mean. If you tell me to raise my hand, I could raise it 1mm or high above my head and do so really fast or really slow (or anywhere in between). So, you'll have to tell me to raise my hand by 45°. Once I've done that, you'll need to tell me how to drop it (perhaps by raising each of my fingers).
Once you've successfully taught me how to put an apple in your hand, you can save those instructions as a program (we'll call it "Put the apple in my hand"). The next time you need an apple, you'll only need to tell me to "put the apple in my hand," and this time I'll do it since I have the instructions on how to perform that task.
If you want to try writing a simple program, Codecademy offers several, easy-to-follow tutorials (for beginners, I recommend Python).
Systems & Networks
Computers don't typically run a single program like putting an apple in someone's hand. Modern computers are typically running millions, and often billions, of instructions each second from a variety of programs. A lot of those programs are interacting with each other and create an operating system (e.g., Windows, Mac OS, and Debian Linux).
At a lower level, the physical hardware componenets (such as the CPU, RAM, hard drive, keyboard, and monitor) form a system that enables computers to run those millions or billions of instructions each second. This physical system then joins with the operating system, allowing computers to work the way they do.
Because computers are systems, troubleshooting problems when they arise can be difficult - when a program or piece of equipment isn't working, the problem may actually stem from another, misconfigured program or a failing piece of hardware. In this way, fixing a computer problem is akin to a doctor diagnosing an illness based on a set of symptoms - a headache may be caused by a cold, muscle tension in the neck, or a brain tumor (this is why being on tech. support can last so long; but just like doctors, there are competent and incompetent tech. professionals).
Most computers don't interact with just themselves - most computers send/retrieve information with other computers (i.e., networking). They do this through sets of rules called protocols. The most common protocol you use everyday is IP (Internet Protocol), and it dictates a lot of how the internet works. There are many other protocols (e.g., FTP, TCP/UDP, and SSH) that are used independent of or with IP, but I won't discuss those here. Using these protocols, computers owned by individuals and organizations connect with each other and form the internet.
This video and accompanying learning module from Khan Academy
explain more about how computer networks and the internet function.
The table below lists five common risks you may face (some even on a daily basis) and what you can do to mitigate those risks. A lot of other risks exist, but these are risks that you can directly control and mitigate.
Weak passwords mean an attacker can easily brute-force your passwords to gain access to your account. When data breaches occur that contain peoples' usernames and passwords, the problem is that those leaked passwords are used in future attacks. Password attacks account for variants, like cheese, ch33s3 and che3se123. All of those are easily guessed.
Cracking passwords boils down to statistical probabilities and time (and ideally encryption). This means that the stregth of your password is a combination of length and character set (letters, numbers, and symbols). Statistically, the avg. number of attempts needed to guess your password is (Character Set ^ length)/2. The amount of time to crack a password depends on how many guesses/second the attacker can make.
Guesses over the internet range in 100's/sec., while offline guesses can easily reach billions/sec. (yes, with a "b") One security expert was able to crack 350 billion guesses/sec. in 2012, and as of 2013 the NSA was purportedly capable of one trillion guesses/sec.
By clicking these links, you can see how quickly passwords can be guessed online/offline and lists of the 1 million most common passwords and several million other passwords. Who knows, maybe one of your current passwords is on one of those lists? (fyi, some of the lists will take awhile to load if you click to view them)
Phishing is where an attacker attempts to get sensitive information directly from you. This information is commonly usernames/passwords, credit card information, and other types of personal information.
These types of attacks come most commonly in the form of emails. The email can be personalized and look like it's from your bank (or any other organization) or include links to fake login portals, exactly mirroring the legitimate login portal (these are easy for an experienced attacker to setup).
To help determine if a site is fake or real, look at the URL* (the address in the bar at the top of your web browser). URL's look like site.name.com (or .org, .edu, etc.) The main name of the company will be at the end of the URL (name.com). Anything before the name is legitimate (like login.name.com). Let's use Facebook as an example. A legitimate Facebook URL will look like facebook.com or login.facebook.com (always ending in facebook.com). A fake address will look like facebook.xyz.com
*This isn't a fool-proof method, though. URL's can still be made to look just like the real address. To determine if it's real, 1) check if there's a green lock icon to the left (i.e., the site is in HTTPS), and/or 2) copy everything in the URL and paste it into a document. If you see things like "< script > " or odd-looking things in the URL, type in the address you normally visit and/or contact customer support.
In sum, if you get an email with a link to your bank or other sensitive online account, don't click on the link - enter in the URL you normally use and/or call customer service. Alternatively, you can inspect the URL to determine if the address is legitimate or a hoax.
- Don't click links in emails - enter in the address manually
- Before entering passwords or other sensitive information online, make sure the URL is correct.
- For website that require logging in, make sure you're using HTTPS
|WiFi - Public
Public WiFi leaves you open to WiFi Sniffing. This is where an attacker will gather all of the information on the network. In short, if you use your local coffee shop's WiFi, any- and every-thing you do online can be viewed. This includes background data sent from your smartphone (if it's connected). Unless your data is encrypted, this data is visible in plaintext.
Even if your data is encrypted, if the service you're using doesn't use strong enough encryption, attackers can still view your data. Powerful software like Wireshark are available for free and make WiFi sniffing possible. Other software lets attackers decrypt and view encrypted data.
Attackers can also conduct Man-in-the-Middle Attacks where the attacker can change information in-transit before/after you get/send it.
Another tactic attackers use is creating fake WiFi hotspots. These hotspots can be named similar to a legitimate one (e.g., Starbucks_Wifi vs Starbucks_WiFi) or even be the same name - there's absolutely nothing preventing them from doing that. (Each device broadcasting a WiFi hotspot can be named whatever the creator wants it to be. While you wouldn't want to name your WiFi the same as your neighbor's, an attacker may very well want to do so.)
- Use a VPN (a way to securely view over the internet)
- Visit websites in HTTPS (HTTPS Everywhere is a great extension that automatically forces this to happen).
Most browsers will display a green lock in the URL/address bar when HTTPS is in use
- Double check WiFi hotspot names before connecting, and always use HTTPS in public
|WiFi - Personal
If someone knows your WiFi password, they can conduct the same attacks as if your WiFi were a Public WiFi network. Even if you have a strong password, your WiFi is still vulnerable if you're using weak encryption (i.e., WEP and WPA).
- Use a strong WiFi password
- Use WPA2 encryption on your router
If your applications or operating system (e.g., Windows, Mac OS, Debian Linux, iOS and Android) are out-of-date, they're very likely susceptible to an attack that could let an attacker get full-access to your computer, even if they're on the other side of the world. Zero Days and other exploits exists in old software and are discovered as new programs/updates come out. This is why updating your computer is extremely important.
- Update your applications, programs and operating system when updates come out
If an attacker physically gains access to your device, it's game over. They can brute force your password or use exploits to bypass security measures, gaining access to your data.
This is why iPhone and Android logins only permit a certain number of login attempts - this slows the attacker down. If your password is strong enough, that may make cracking your password in a reasonable amount of time impossible. And if too many incorrect attempts are made, the phone's data will be erased (or your password deleted, leaving your data encrypted - for all intents and purposes, deleted), reasonably protecting your data (although if improperly erased, the data can still be extracted by experts).
This video and this video by Dr. Anthony Vance, a security researcher at Brigham Young University, discuss how you can (not) make your computer 100% secure.
Protecting your data if someone gets physical access to your device can be hard, but you can mitigate this risk by ensuring your devices are encrypted and use strong passwords.
A security system is only as strong as its weakest link, and humans are often that weakest link. Social Engineers abuse trust to manipulate people into revealing information or granting unauthorized access to accounts and physical locations. Social engineering can be surprisingly easy to do and, in conjunction with humans frequently being the weakest link in security frameworks, the best hackers will often use this as their primary "hacking" tool.
For instance, in this video, a reporter asked hackers to hack his life. Right in front of him, one of the hackers called his phone provider's customer service hotline and, while talking to a company representative, got full access to his account, added a new account, and had the password changed. This is not by any means uncommon or unusual.
One of the world's most expert social engineers and hackers, Kevin Mitnick, was at one point being hunted down by the FBI. He evaded them for quite some time by tapping the FBI's communication networks and finding out what they were going to do next to get him. His ability to do this involved a lot of social engineering.
If you want to learn more about social engineering and/or Mitnick's story, I recommend reading Ghost in the Wires (you can also see Mitnick doing a live social engineering attack at Defcon, a hacking convention).
Habits & Resources
Your ability to lower your exposure to cyber risks depends on the habits and security mindset you develop. Nothing will ever keep you 100% safe - getting hacked or having your credit card information stolen is as likely as you getting physically ill. But like good health habits, you can keep yourself safe online by:
- understanding the basics of technology
- knowing the risk landscape
- staying informed
- using appropriate tools
This site has been dedicated to helping you understand the first two bullet points. Listed below, in the resource section, are reputable security news sites/blogs and tools you can utilize.
That said, cyber risks are just one of the many types of fraud schemes. The fraud portion of this site discusses how to recognize fraud schemes in general, for both organizations and individuals, and has a resource section similar to the one below.
And once again, if you have any questions, please feel free to contact me.