Why You Should Care about Security

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

🚀 As explained by Erica

Technology Comes at You Fast

My first mobile phone, in 2000, was a Nokia 3310. Nostalgically referred to as the “brick,” my Nokia was there mostly for emergencies. Now we have mobile phones that function as mini computers and have infinite possibilities.

The first computer I used was in the computer lab in my elementary school. Instead of using that primitive Apple iMac once a week on Tuesday during our “lab time,” I now use my laptop for hours every day.

The fast pace of technology is seen not just in the devices we use, but also in the jobs we do. It would be rare to find a job today that doesn’t involve using a computer or mobile device most of the day.

Story: I originally studied as an accountant. During my undergraduate studies, I remember talking with my professor about a radical idea of automated bookkeeping using artificial intelligence. Less than ten years later, I was working as a security engineer for a New Zealand growth organization that provided an accounting Software-as-a-Service product that did just that.

Security Growth Follows Technology Growth

Why does the rate of technology matter to security? Two reasons: technology is never flawless, and finding those flaws has become automated.

The people making technology race against a clock; they need to release their product or service quickly to gain a competitive advantage, or address customer needs, or, frankly, to start making money. Security can feel like a sunk cost when an organization is focused on making their business viable.

With each new piece of technology comes new and complex software and hardware. Even the most talented engineers and designers cannot predict the future or build things perfectly on a budget. Inevitably, there will be weaknesses—and these can be used to make the technology do something it wasn’t intended to do.

This is exactly what hacking is all about—finding different ways to make a piece of technology do something it is not meant to do. Often technology is made to hold, transfer, or process data. Hacking makes it possible to access, modify, or delete that data.

The weaknesses, or vulnerabilities, are not always obvious at the start. It might take time for these to be discovered. This is the difference between known and unknown vulnerabilities. There might be some people who share the vulnerabilities they find in software and hardware with the world, but that can’t be counted on. Once a vulnerability is made public and known, it is up to everyone who uses that software or hardware to apply the fix, or to use alternative software or hardware if there is no fix.

However, just as we write scripts and code to make our technology, people can do the same to make tools that find weaknesses. These tools are like double-edged swords—the tools can be used for defense (to find weaknesses), or they can be used for offense (to attack your technology). When used for offense, we often call them exploits.

The probability that a potential security vulnerability will be identified, exploited, and lead to impact on your organization is called the risk the organization faces.

It looks like this:

  • You build a new piece of technology with multiple pieces of software.

  • If you find out about new weaknesses in the software you use, you will have to either apply the fixes, change to a different piece of non-vulnerable software, find other ways to protect your software, or do nothing.

  • Meanwhile, attackers might be adding those new, known weaknesses to their tool set so they can find them and hack your technology.

  • The more software you use, the more times you have to repeat this process.

If it feels unfair, that’s because it is.

resources
  • Katie Moussouris’ interview in The Verge is a great starting point to learn about the vulnerabilities market. She has done amazing work and research in vulnerability disclosure and bug bounty programs (or organizational programs that pay for vulnerabilities found in their product).

  • Nicole Perlroth and Kim Zetter are fantastic authors and cybersecurity journalists that tell fascinating stories about the vulnerability market.

  • The Cuckoo’s Egg and The Hacker Crackdown are two popular books that re-tell stories of hacks, investigations, and computer crimes from the 1980s and 1990s.

Protection Begins with Low-Hanging Fruit

Everything is now online. If your organization doesn’t use current tools, or even have a website, you will lose out to your competitors. Avoiding technology isn’t really an option if you want to run a business—no matter how small the business.

You might think you are too small a business to be attacked. Surely, that could only happen to a larger company that has big and valuable data to lose. But on the internet, no one cares how small you are.

An attacker’s two most common goals are (1) to access your data and (2) to use your resources (like your servers, mail systems, or online reputation). If they are trying to harvest as much data and resources as they can, they will often go for the lowest-hanging fruit.

The concept of low-hanging fruit comes up a lot in security. Just as the lowest-hanging fruit on a tree is picked first, weaknesses in system security that are easy to find are most likely to be exploited. Examples include a website administrator login page that uses an easy-to-guess password, a server that uses software with vulnerabilities that have not been patched, or the Twitter account with the same password as a LinkedIn account that was exposed in the 2012 password breach.

The problem with these weaknesses being easy to find is that finding them can be automated. Attackers can create tools that will scan the internet to find the fruit and pluck it off the tree before any human effort is involved.

The encouraging part of this story is that it can be easy to keep your own fruit higher in the tree. That is the purpose of this book. Whether what you must protect is your personal accounts, your small business, a startup, or a growing company—there are ways to keep weaknesses further out of reach.

Plan for Human Error

Definition: Attackers don’t always attempt to go straight to hacking your technology. Often they might try to hack the humans, or do what is called social engineering. Social engineering is where an attacker uses psychological manipulation to get a human to do something or reveal something. Usually using fear tactics, they may lie and weasel their way through convincing you to give them access or sensitive information. These types of attacks are successful for many complicated reasons.

In general, people with less exposure to technology will be more likely to fall victim to these attacks. Think about how resistant you can be to change. When your bank moved you from mailed statements to paperless, how long did it take you to change your routine to check your accounts in your email rather than your mailbox? When your social circles moved from sending printed invitations to Facebook event invitations, how long did it take you to get used to virtual RSVPs rather than using a stamp or phone call?

When you consider those change comparisons for someone who didn’t grow up with technology, the reaction time might be slower. They might have missed a few parties, had a few late payments, or had some other negative impacts before they actually caught on and changed their behavior.

Some of you may be experts in your field of business, but have had to adapt new technologies just to maintain competitive advantage. Or you could be trying to learn one way of building a system or service using a centralized approach, only to find the industry shifting quickly to a decentralized approach (which makes it harder for you to understand if what you have is still right).

Regardless of where you fall on this scale, don’t worry—just like any business or personal risk, security just needs to be managed.

How Attackers Get to Know You

The rate of change on the attackers’ side of things is speeding up too. I am not providing you with this information to scare you into being safe; however, the context is important so you understand why your data is so valuable.

Security breaches happen very often, and result in important data about us being leaked to the wrong people. This is data about us, our organizations, what services we subscribe to, and sometimes even sensitive data like our passwords or identity information. You can rarely go a month without reading about a data breach in the news or getting a breach notification from a service you use.

The data in these breaches has low value on an individual level. The risk of a leaked password still being valuable after the incident is identified is low, because most organizations will force a password reset. However, you might reuse that same password, or follow a similar pattern, for other services.
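The two habits described above, reusing a breached password and choosing a trivial variant of an old one, are both things a password-change form can check for without ever sending the password anywhere. The following is an added example, not code from the book: it simulates the k-anonymity range lookup used by the Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 hash, the server returns the whole bucket, and the comparison happens locally) against a small constructed breach corpus so it runs offline. The corpus, the `is_trivial_variant` heuristic and the `check_new_password` policy are this example’s own assumptions.

```python
"""Breached-password and reuse-pattern check (added example, not from the book).

The server side holds a breach corpus indexed by 5-hex-char SHA-1 prefix.
The client sends only that prefix, receives every suffix in the bucket, and
compares locally, so the full hash of the candidate password never leaves
the client. This mirrors the Pwned Passwords range API, but runs entirely
offline here against a constructed corpus.
"""
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a leaked-credentials corpus (not real breach data).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format the range scheme works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map 5-char hash prefix -> {35-char suffix: occurrence count}."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] += 1
    return index


def range_lookup(index, prefix: str) -> dict:
    """Server side: return the entire bucket for a prefix.

    Because every suffix in the bucket is returned, the server learns only the
    prefix, never which password the client is actually checking."""
    return dict(index.get(prefix, {}))


def is_breached(password: str, index) -> int:
    """Client side: how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    bucket = range_lookup(index, digest[:5])
    return bucket.get(digest[5:], 0)


def password_base(password: str) -> str:
    """Lowercase and strip non-letters from both ends, so 'Summer2023!' and
    'Summer2024!' share the base 'summer' (an assumed, deliberately simple heuristic)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one, or differs only in leading/trailing
    digits or symbols (the 'similar pattern' reuse the text warns about)."""
    base = password_base(new)
    return new == old or (base != "" and base == password_base(old))


def check_new_password(old: str, new: str, index) -> str:
    """Assumed password-change policy: reject reuse patterns and breached passwords."""
    if is_trivial_variant(old, new):
        return "reject: trivial variant of the previous password"
    seen = is_breached(new, index)
    if seen:
        return f"reject: seen {seen} time(s) in breach data"
    return "ok"


BREACH_INDEX = build_range_index(BREACHED_PASSWORDS)

if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "password"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{new!r}: {check_new_password(old, new, BREACH_INDEX)}")
```

The point of the prefix/suffix split is that a service can offer breach checking without becoming a new place where your passwords are collected; a real deployment would query the live range endpoint instead of the in-memory index, and the variant heuristic would be one rule among several.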

There is also some data that can’t be reset, such as your passport number or the types of websites or services you subscribe to. For example, when a popular slot machine parlor in the US had a security breach, they leaked a large amount of personal and sensitive information about their customers. If your data was included in this breach, you can’t reset the association your identity now has to gambling services.

Insight into your password patterns and what services you use allows attackers to understand who you are and what you might be vulnerable to. If they aggregate all that data around a common unique data point, such as your email address, attackers start to build a view of someone’s online identity. A single breach of an online poker tournament website alone might not be a massive deal. If an attacker used those leaked email addresses to find users who are also signed up to other online casinos and lottery websites, then they might be able to run a pretty successful attack if they took advantage of those users’ gambling interests.

Now, don’t go all blockbuster movie, thinking that there is someone out there specifically trying to target you. Think about it instead as a wider scam attempt based on a category of people. For example, if you were to see a glimpse of the online services I subscribe to, you would see that I really love animals and have a very big soft spot for cats. You would see this through all the social media pages I subscribe to publicly, and also because of all the online pet stores and charity accounts I have (if these were ever breached). If you wanted to lure me into a scam, you might target me (and others) with a heartstring-pulling email asking me to make a donation to a cat charity in dire need. The donation link in that email would lead to a fake PayPal login page meant to steal my credentials. The website might not set off alarm bells right away, because you would expect to pay a charity via PayPal.
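The alarm bell that should ring for a link like that is not the page’s appearance but where the link actually goes. The check below is an added example, not code from the book or any product it mentions: it runs over a few constructed sample links and reports whether each one really resolves to the expected PayPal domain, flagging the common disguises (the brand name used as a subdomain of some other domain, a `user@host` trick that hides the real host, a plain-HTTP link, and a punycode or non-ASCII host). The set of expected domains and the two-label rule for the registrable domain are simplifying assumptions; a real implementation would consult the Public Suffix List.

```python
"""Does this 'pay via PayPal' link really go to PayPal? (added example, not from the book)

A defender-side link check over constructed sample URLs. Assumptions: the only
legitimate registrable domain is paypal.com, and the registrable domain is the
last two DNS labels (good enough for .com; use the Public Suffix List for
suffixes such as co.uk in real code).
"""
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"paypal.com"}  # assumed allow-list for this example

# Constructed sample links, as they might appear in a donation email.
SAMPLE_LINKS = [
    "https://www.paypal.com/donate/?hosted_button_id=EXAMPLE",
    "https://paypal.com.secure-donations.example/login",
    "https://paypal.com@evil.example/login",
    "http://www.paypal.com/donate/",
    "https://xn--pypal-4ve.com/login",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification; see module docstring)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str):
    """Return (looks_legitimate, reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, expected https"
    host = parts.hostname or ""
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # Everything before '@' is userinfo; browsers connect to what follows it.
        return False, "userinfo before '@' hides the real host"
    if "xn--" in host or not host.isascii():
        return False, "punycode or non-ASCII host (possible look-alike domain)"
    reg = registrable_domain(host)
    if reg in EXPECTED_DOMAINS:
        return True, f"registrable domain {reg} is expected"
    brand_names = {d.split(".")[0] for d in EXPECTED_DOMAINS}
    if any(name in host for name in brand_names):
        return False, f"brand name appears in host but registrable domain is {reg}"
    return False, f"registrable domain {reg} is not an expected domain"


def scan_links(urls):
    """Classify a batch of links; returns a list of (url, looks_legitimate, reason)."""
    return [(u, *classify_link(u)) for u in urls]


if __name__ == "__main__":
    for url, ok, reason in scan_links(SAMPLE_LINKS):
        print(f"{'OK  ' if ok else 'WARN'} {url}  ({reason})")
```

Only the first sample passes; the others are the shapes a phishing link usually takes when it wants the word “paypal” visible while pointing somewhere else. The same check applies to any brand you expect to pay through: swap the allow-list and the brand names follow.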

An industry has grown up over the past few years with the rise of online breaches. These online identity groups are ideal for those who want higher success rates with their attacks and scams. Data brokerage is becoming a large business, where groups buy and sell breach data in order to make their portfolio of identities more valuable. The more data points you have about an individual or a group of people, the more you can infer about their online habits and vulnerabilities, making a successful attack more likely.

Starting with Yourself

We’ve talked about the fast rate of change of technology, the forced need to be online, our ability (or inability) to adapt to this change and keep our technology and systems safe, the lack of control over other services’ data breaches, and the burst of growth in the sale of our data and identities.

It’s obvious security is important. But it can feel daunting to know where to start and what to secure first.

We recommend beginning with yourself and working outward:

  • Start with your own security and the security of the systems and accounts you use that are managed by others. Anywhere you put your data and your money should be in this category, and your email should be considered your crown jewels.

  • Then turn to your family’s security, including the systems and accounts that you share and use to communicate with them. This can include their social media, email, document storage, or online payment systems.

  • The security of the people you do business with and the systems or accounts they use to communicate with you or pay you.

If you run a business, you have more homework, such as:

  • The security of any digital products or services you provide.

  • The security of your business’ online presence, because everyone needs to have at least a website, social media, and email (even if you are a brick-and-mortar shop or provide a manual service).

  • The security of your online accounts and any accounts or services that you might not manage, but hold your data (things like storage, email, social media, and any other operational or administrative systems).

  • The security of your office, because whether it’s remote, a co-working space, or an office, there will be an element of physical and local network security to keep in mind.

  • Scaling security and compliance at the company as it grows in employees, customers, the scope of its products, and the complexity of its operations.

You can start to consider which of the points above apply to you, and highlight them.

This is also how this book is organized. It’s here to help you find what applies to you, do the work, and get back to what matters most!

Why This Book

What’s Wrong with the State of Cybersecurity?

We have been doing the cybersecurity dance for a while—Laura recently hit her 20-year career anniversary! We’ve seen a lot, and while much has changed over the years in terms of technology, many aspects of cybersecurity have stayed depressingly the same.

We see stories in the news about large companies paying exorbitant amounts of money to regulators and their customers for losing data, or companies becoming irrelevant after undergoing an attack that also took down their competitive edge. This doesn’t even cover the hundreds of organizations that are too small for air time, that have to shut their doors after a security incident.
