Protection Begins with Low-Hanging Fruit

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

Everything is now online. If your organization doesn’t use current tools, or even have a website, you will lose out to your competitors. Avoiding technology isn’t really an option if you want to run a business—no matter how small the business.

You might think you are too small of a business to be attacked. Surely, that could only happen to the larger company that has big and valuable data to lose. But on the internet, no one cares how small you are.

An attacker’s two most common goals are (1) to access your data and (2) to use your resources (like your servers, mail systems, or online reputation). If they are trying to harvest as much data and resources as they can, they will often go for the lowest-hanging fruit.

The concept of low-hanging fruit comes up a lot in security. Just as the lowest-hanging fruit on a tree is picked first, weaknesses in system security that are easy to find are the most likely to be exploited. Examples include a website administrator login page that uses an easy-to-guess password, a server that runs software with unpatched vulnerabilities, or a Twitter account with the same password as a LinkedIn account that was exposed in the 2012 password breach.

The problem with these weaknesses being easy to find is that finding them can be automated. Attackers can create tools that will scan the internet to find the fruit and pluck it off the tree before any human effort is involved.

The encouraging part of this story is that it can be easy to keep your own fruit higher in the tree. That is the purpose of this book. Whether what you must protect is your personal accounts, your small business, a startup, or a growing company—there are ways to keep weaknesses further out of reach.

Plan for Human Error

Definition: Attackers don’t always attempt to go straight to hacking your technology. Often they might try to hack the humans, or do what is called social engineering. Social engineering is where an attacker uses psychological manipulation to get a human to do something or reveal something. Usually using fear tactics, they may lie and weasel their way through convincing you to give them access or sensitive information. These types of attacks are successful for many complicated reasons.

In general, people with less exposure to technology will be more likely to fall victim to these attacks. Think about how resistant you can be to change. When your bank moved you from mailed statements to paperless, how long did it take you to change your routine to check your accounts in your email rather than your mailbox? When your social circles moved from sending printed invitations to Facebook event invitations, how long did it take you to get used to virtual RSVPs rather than using a stamp or phone call?

When you consider those change comparisons for someone who didn’t grow up with technology, the reaction time might be slower. They might have missed a few parties, had a few late payments, or had some other negative impacts before they actually caught on and changed their behavior.

Some of you may be experts in your field of business, but have had to adapt to new technologies just to maintain a competitive advantage. Or you could be trying to learn one way of building a system or service using a centralized approach, only to find the industry shifting quickly to a decentralized approach (which makes it harder for you to understand if what you have is still right).

Regardless of where you fall on this scale, don’t worry—just like any business or personal risk, security just needs to be managed.

How Attackers Get to Know You

The rate of change on the attackers’ side of things is speeding up too. I am not providing you with this information to scare you into being safe; however, the context is important so you understand why your data is so valuable.

Security breaches happen very often, and result in important data about us being leaked to the wrong people. This is data about us, our organizations, what services we subscribe to, and sometimes even sensitive data like our passwords or identity information. You can rarely go a month without reading about a data breach in the news or getting a breach notification from a service you use.

The data in these breaches have low value on an individual level. The risk of a password that is leaked still being valuable after the incident is identified is low because most organizations will force a password reset. However, you might reuse that same password or follow a similar pattern for other services.

There is also some data that can’t be reset, such as your passport number or the types of websites or services you subscribe to. For example, when a popular slot machine parlor in the US had a security breach, they leaked a large amount of personal and sensitive information about their customers. If your data was included in this breach, you can’t reset the association your identity now has to gambling services.

Insight into your password patterns and what services you use allows attackers to understand who you are and what you might be vulnerable to. If they aggregate all that data around a common unique data point, such as your email address, attackers start to build a view of someone’s online identity. A single breach of an online poker tournament website alone might not be a massive deal. If an attacker used those leaked email addresses to find users who are also signed up to other online casinos and lottery websites, then they might be able to run a pretty successful attack if they took advantage of those users’ gambling interests.

Now, don’t go all blockbuster movie, thinking that there is someone out there specifically trying to target you. Think about it instead as a wider scam attempt based on a category of people. For example, if you were to see a glimpse of the online services I subscribe to, you would see that I really love animals and have a very big soft spot for cats. You would see this through all the social media pages I subscribe to publicly, and also because of all the online pet stores and charity accounts I have (if these were ever breached). If you wanted to lure me into a scam, you might target me (and others) with a heartstring-pulling email asking me to make a donation to a cat charity in dire need. The donation link in that email would link to a fake PayPal login page that is meant to steal your credentials. The website might not set off alarm bells right away because you expect to pay a charity via PayPal.

An industry has grown up over the past few years with the rise of online breaches. These online identity groups are ideal for those who want higher success rates with their attacks and scams. The concept of data brokers is becoming a large business, where groups buy and sell breach data in order to make their portfolio of identities more valuable. The more data points you have about an individual or a group of people, the more you can infer about their online habits and vulnerabilities, making it more possible to carry out a successful attack.

Starting with Yourself

We’ve talked about the fast rate of change of technology, the forced need to be online, our ability (or inability) to adapt to this change and keep our technology and systems safe, the lack of control over other services’ data breaches, and the burst of growth in the sale of our data and identities.

It’s obvious security is important. But it can feel daunting to know where to start and what to secure first.

We recommend beginning with yourself and working outward:
