Opinion / advice on computer security

A few guidelines
Computers were designed to talk to each other, openly and freely.
 
While we’re on the subject of computers, a computer can still do only one thing: ADD!  And it can only add two numbers: zero and one.
 
Definition of a hacker:
The term Hacker used to refer to an individual who uses computer, networking or other skills to overcome technical problems. But now it often refers to a person who uses his or her abilities to gain unauthorized access to systems or networks in order to commit crimes.
 
Definition of a Virus:
A program that can replicate itself. 
 
The Internet:
A global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols.
 

  • Internet of Things
Refers to the interconnection via the Internet of computing devices embedded in everyday objects (such as toasters, washers, microwave ovens, smart watches, Amazon and Google devices like Amazon’s Alexa and Google Home) enabling them to send and receive data.

  • One thing can prevent the Internet of Things from transforming the way we live and work: a breakdown in security.

With these guidelines in mind, I will tell you how people (computer users) allow their computer systems to be compromised, starting with the first and only steadfast, long-standing rule of every computer network administrator ever: “There are only two ways to break a perfectly designed network - add printers and users”.  I predict that this rule will be amended by adding a third way – an IoT device.

A computer system will be compromised by:
  1. Greed – a two-way street
  2. Honesty – trusting policies that have always worked
  3. Ignorance – I’m not worthy
Greed has become one of the biggest cyber weaknesses of our time as more and more ways of exploiting this basic human trait emerge.  Greed provided the backdrop to one of last year’s biggest and most intriguing cyber heists, where personal data was used, not as ‘dark web’ currency between hackers or to syphon money from unwitting individuals, but to exploit human beings’ overwhelming appetite for avarice. Get Rich Quick scams, Click and save… 
 
Greed has also seen its share of the attacker being attacked by the target. A quick example: POP-UP says I’m infected call 800 number.  I call and give attacker remote access to my computer.  Attacker sees what he thinks is a text file on my desktop named, ‘Banking Accounts Info’.  Hacker clicks on icon and is now owned.  RAT is installed; Attacker cannot use CTRL+ALT+DELETE, Shutdown, RUN, Regedit.  Cannot take control of his keyboard or mouse, cannot end remote session.  While attacker tries to figure out what to do, I change BIOS passwords and discover all nodes on his local LAN.  I then install my Trojan on all nodes and do mean things.  In the end GREED cost the hacker his entire local network. 
 
Honesty is part of every enterprise with operational processes in place; most are specifically designed for the distinct needs of each business. Business Process Compromise (BPC) is a type of attack where attackers infiltrate the enterprise and look for vulnerable practices or processes. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. The victims believe the process is proceeding as normal, but in reality the attackers are already gaining either funds or goods from the enterprise. These attacks are possible because many employees simply go through the motions of business processes, trusting policies that have always worked and are expected to continue working without any problems.
 
Ignorance, ranging from not knowing about the digital world around you to simply not believing you’re worth the trouble (i.e. “I don’t have access to any confidential data” or “nothing on my computer is worth money”), is a wide-open door for social engineering, which includes:
  • Phishing
Phishing scams seek to obtain personal information, such as names, addresses and social security numbers.  They use link shorteners or embedded links that redirect users to suspicious websites that appear legitimate, or incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into acting promptly. 
  • Pretexting
Pretexting is another form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal their victims’ personal information. These types of attacks commonly take the form of a scammer who pretends that they need certain bits of information from their target in order to confirm their identity. Unlike phishing emails, pretexting attacks rely on building a false sense of trust with the victim. This requires the attacker to build a credible story that leaves little room for doubt on the part of their target. 
  • Baiting
Baiting is in many ways similar to phishing attacks. However, what distinguishes them from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads, if they surrender their login credentials to a certain site.  Baiting attacks are not restricted to online schemes, either. Attackers can also focus on exploiting human curiosity via the use of physical media. 
  • Quid Pro Quo
Similarly, quid pro quo attacks promise a benefit in exchange for information. This benefit usually assumes the form of a service, whereas baiting frequently takes the form of goods offered.  One of the most common types of quid pro quo attacks involves fraudsters who impersonate IT service people and call as many direct numbers that belong to a company as they can find. These attackers offer IT assistance to each and every one of their victims. The fraudsters will promise a quick fix in exchange for the employee disabling their AV program.
  • Tailgating
Another social engineering attack type is known as tailgating or “piggybacking.” These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area.
 
Then there are legitimate programs that you are allowed to use but with an outcome the designers didn’t take into account while writing the program.  Take Facebook for instance.  I can create an account, post things I made up, not for malicious purposes, and wait for someone to get into an argument over my posts.  All I get is enjoyment, or I’m a delusional sociopath who believes the voices in my head.
 
Installed plug-n-play garage door openers, security cameras, Internet Ready T.V.s, Amazon or Google home control systems, smart and not so smart phones.  My biggest warning here is if all you read is “Open Box, Plug in, Enjoy”: WARNING! WARNING! WARNING! R.T.F.M.  Know what and who can gain access to your new toys that conveniently connect to the Internet.
 
My rule of thumb is to deny everything then only allow that which is needed at the time.  Review rules and remove allow rules no longer needed.
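
The deny-by-default rule and the periodic review described above, sketched as an added example that is not part of the original post. The `AllowRule` fields, rule names, addresses and the 30-day idle threshold are all assumptions made up for illustration:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AllowRule:               # hypothetical rule record, not a real firewall format
    name: str
    src: str                   # CIDR block allowed to connect
    port: int
    expires: date              # every allow rule carries a review/expiry date
    last_hit: Optional[date]   # last day traffic matched this rule, if ever

def decide(rules, src_ip, port, today):
    """Default deny: traffic passes only if an unexpired allow rule matches."""
    for r in rules:
        if (r.expires >= today and r.port == port
                and ip_address(src_ip) in ip_network(r.src)):
            return ("ALLOW", r.name)
    return ("DENY", None)      # nothing matched, so the answer is no

def review(rules, today, idle_days=30):
    """List allow rules that should be removed: expired, or unused too long."""
    stale = []
    for r in rules:
        if r.expires < today:
            stale.append((r.name, "expired"))
        elif r.last_hit is None or today - r.last_hit > timedelta(days=idle_days):
            stale.append((r.name, "unused"))
    return stale

# Constructed sample data (documentation address ranges, invented names).
TODAY = date(2024, 6, 1)
RULES = [
    AllowRule("admin-ssh", "192.0.2.0/28", 22, date(2024, 12, 31), date(2024, 5, 30)),
    AllowRule("vendor-rdp", "198.51.100.7/32", 3389, date(2024, 3, 1), date(2024, 2, 20)),
    AllowRule("camera-cloud", "203.0.113.0/24", 8443, date(2024, 12, 31), None),
]

if __name__ == "__main__":
    print(decide(RULES, "192.0.2.5", 22, TODAY))       # matches a live rule
    print(decide(RULES, "198.51.100.7", 3389, TODAY))  # rule expired, denied
    for name, reason in review(RULES, TODAY):
        print(f"remove {name}: {reason}")
```

An expired rule stops matching on its own, so forgetting to clean up fails closed; the review step then tells you which rules to delete.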
 
Review policies often.  Put in place checks and balances to ensure diligence, rather than just trusting things are working correctly.
 
LEARN, constantly learn about that which is in your control, and do not access that which you do not control or trust, or allow the unknown to access you or your data.
 
Infecting your computer or network with a Virus is hard work.  Once infected the Virus just does its thing.  Anti-Virus software is reactive; you have to get infected before anti-virus software starts to work.
 
I have many tools in my toolbox to clean compromised systems, guidelines for policy writing and review, do’s and do not’s before, during and after a compromise.  At the end of the day, the end user says “Nice, all’s better now” and continues to work as if nothing ever happened.  Go figure.
 
My best advice:
If it sounds too good to be true – you’re about to be robbed. Ignore that email, phone call, whatever.
Passwords are a first line of defense.  1234 is not a password; it’s the key to the Kingdom!
PAY ATTENTION!  Russia influenced U.S. elections?  If they did, someone was not doing their job and/or no one was home and the doors were wide open.
Finally, be ever vigilant!
 
