Cybersecurity
08
Cybersecurity is one of the fastest growing IT fields. It is essential to every organization to keep their computer systems and data safe.
Originally, network security was a relatively minor consideration because the Arpanet was a small computer network of military personnel and university users. The real need for security arose once businesses were allowed on the Internet in 1995. These days, people give their credit card numbers to online shopping sites, do much of their banking online, and send their social security numbers to tax firms and credit bureaus. And computers controlling critical social infrastructure (such as power plants, telephone switching systems, traffic lights, and hospital equipment) can be attacked by criminals and other countries' militaries.
Passwords are currently the primary way to protect devices and information from unauthorized access. A strong password is something that is easy for a user to remember but would be difficult for someone else to guess based on knowledge of that user. In Unit 5, we saw that it is very difficult to guess a long, complex password (which you can test on sites such as howsecureismypassword.net). Luckily, brute-force password cracking takes time that grows exponentially with the length of the password. However, passwords can also be compromised (stolen) through phishing attacks and data breaches.
Learning Objectives: I will learn to
describe various threats to cybersecurity
explain the shortcomings of relying on passwords to protect devices and digital information
describe ways to combat malware and other cybersecurity attacks
Technical Terminology
strong password - a password that is easy for a user to remember but would be difficult for someone else to guess based on knowledge of that user.
multi-factor authentication (MFA) - users are asked to present several separate pieces of evidence involving knowledge (something they know like a password), possession (something they have like a texted code), and/or inherence (something they are like biometrics).
biometrics - using unique physical characteristics such as fingerprints, face recognition, etc. for identification
Phishing - a common security attack in which the victim is tricked into giving up personal information or downloading malware.
Malware - software that was designed to harm or take partial control over your computer.
Ransomware - malware that encrypts and locks computer systems until a ransom is paid
Keylogging software - a kind of malware that records every key pressed by a user.
A computer virus - a type of malware that spreads and infects other computers. Viruses can attach themselves to legitimate programs.
Antivirus or anti-malware software - software designed to scan your files and Internet transmissions looking for malware.
A firewall - a security system that controls the kinds of connections that can be made between a computer or network and the outside world.
DDoS (Distributed Denial of Service) - an attack that uses a virus to take control of many computers and flood a server with requests from all of them at once, so that legitimate users of that server are denied service.
rogue access point - a wireless access point that gives access to a secure network without the authorization of the network administrator.
Multi-Factor Authentication
Many organizations now use two-factor authentication (2FA) or multi-factor authentication (MFA), which asks for additional authentication in addition to the password, just in case the password gets compromised. Users are asked to present several separate pieces of evidence such as:
Something You Know: for example, your password or the answers to security questions that you have set up
Something You Have: for example, a code texted to your phone or a USB security token
Something You Are: for example, biometrics such as fingerprints or face recognition
Multi-factor authentication (MFA) requires at least two steps to unlock protected information. Each step adds a new layer of security that must be broken to gain unauthorized access. Watch the following video on multi-factor authentication:
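The "something you have" factor is often a six-digit code that changes every 30 seconds, produced by a phone app or a hardware token. The following is an added example, not part of the original lesson, showing how a server checks such a code alongside a password. It implements the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238); the user record, password and "alice" account are constructed for the example, and the 200,000 PBKDF2 iterations are a chosen setting, not one from the lesson.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte counter,
    then 'dynamic truncation' to a 31-bit number, then the last `digits` digits."""
    msg = struct.pack(">Q", counter)                       # big-endian 64-bit counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = time / 30 s."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current 30 s slot or its neighbours (clock drift).
    compare_digest keeps the comparison time constant regardless of where it differs."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), submitted)
               for c in range(counter - window, counter + window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database cannot be brute-forced quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(username: str, password: str) -> dict:
    """Constructed user record: salted password hash plus a random 160-bit TOTP seed."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": secrets.token_bytes(20)}


def provisioning_secret(record: dict) -> str:
    """The Base32 string an authenticator app scans (usually inside a QR code)."""
    return base64.b32encode(record["totp_secret"]).decode()


def login(record: dict, password: str, code: str, unix_time: int = None) -> bool:
    """Both factors must pass: something you know (password) AND something you have (code)."""
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    alice = enroll("alice", "correct horse battery staple")
    print("Seed to load into the authenticator app:", provisioning_secret(alice))
    now = int(time.time())
    current_code = totp(alice["totp_secret"], now)
    print("Code the app would show right now:", current_code)
    print("Password + right code  ->", login(alice, "correct horse battery staple", current_code, now))
    print("Password + stale code  ->", login(alice, "correct horse battery staple", "000000", now))
```

Because the seed never leaves the server and the phone, an attacker who phishes the password still cannot log in without the current code, and a code that is captured is useless 30 seconds later.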
Biometric Authentication: uses unique physical characteristics such as fingerprints for identification.
Biometrics became popular with fingerprint scanners, and now facial recognition technology has exploded in use for biometric authentication and surveillance. However, the problem with static biometrics like fingerprints is that if they are compromised (stolen), you can’t change your face or fingerprint to a new one. Dynamic biometrics like heartbeats or behavioral biometrics like walking gaits are more difficult to hack. Watch the video on biometric authentication.
What different types of biometric authentication have you seen in real life or in movies?
Common Security Issues for Users
Software has bugs (even published software written by professionals). And people can use those bugs for bad purposes (such as crashing your computer or implanting keylogging software to collect everything you type, including passwords and other confidential information). Software developers try to prevent security bugs and fix them when they turn up, but not every software developer distributes fixes promptly. (And not every computer user keeps up with software updates perfectly!)
The general name for programs that try to affect your computer badly is malware. Your computer can end up with malware if you or someone using your computer downloads untrustworthy software (such as from freeware or shareware sites; not everything on those sites is bad, but if you aren't careful, you might install something that is).
Malware (MALicious softWARE) is software intended to damage a computing system or to take partial control over its operation. A computer virus is a type of malware that can copy itself and gain access to a computer in an unauthorized way. Computer viruses often attach themselves to legitimate programs and start running independently on a computer, and often can make copies and send those to other computers over a network.
People use antivirus software to help prevent these attacks. People also use firewalls to limit connections into or out of their computer. (Both your computer and your router probably run firewall software.)
Malware can spread by email attachments, downloading from sites that are not reputable, network connections from infected computers, and copying infected files from computer to computer on portable memory. So don’t click or open anything where you don’t know the source. A computer that is infected may stop working, display strange messages, delete files, be controlled by others, steal personal information and infect other computers. Recent ransomware attacks encrypt and lock computer systems until a ransom is paid.
Computer virus and malware scanning software can protect a computing system against infection. Many operating systems like Windows come with their own free malware scanners like Windows Defender. It is very important to auto-update the malware scanning software with newly discovered malware signatures. Explore the malware scanner on your computer. Regular software updates help to fix errors that would compromise a computing system. All real-world systems have errors or design flaws that can be exploited.
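To see why the signature updates matter, here is an added example (not from the original lesson) of the simplest kind of scanner: one that knows a list of exact file fingerprints (SHA-256 hashes) and a list of byte patterns. All the "files", signature names and the update are constructed for the example; the point is that a file the scanner has never been told about, or a known one changed by a few bytes, goes undetected until the signature database is refreshed.

```python
import hashlib


class SignatureDB:
    """Toy signature database: exact file hashes plus byte patterns.
    Constructed for this example; real scanners use far richer signatures."""

    def __init__(self):
        self.hashes = {}     # sha256 hex digest -> malware name
        self.patterns = []   # (byte pattern, malware name)

    def add_hash(self, data: bytes, name: str) -> None:
        self.hashes[hashlib.sha256(data).hexdigest()] = name

    def add_pattern(self, pattern: bytes, name: str) -> None:
        self.patterns.append((pattern, name))

    def scan(self, data: bytes) -> list:
        """Return the name of every signature that matches this file's bytes."""
        hits = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            hits.append(self.hashes[digest])
        for pattern, name in self.patterns:
            if pattern in data:
                hits.append(name)
        return hits


def scan_files(files: dict, db: SignatureDB) -> dict:
    """Scan a {filename: bytes} mapping and report the matches per file."""
    return {name: db.scan(data) for name, data in files.items()}


# Constructed sample "files": harmless byte strings standing in for real programs.
FILES = {
    "report.txt": b"Quarterly sales report, nothing unusual here.",
    "game_cheat.exe": b"MZ\x90\x00 constructed sample A: pretend trojan body",
    "game_cheat_v2.exe": b"MZ\x90\x00 constructed sample A: pretend trojan body, repacked",
    "free_screensaver.exe": b"MZ\x90\x00 CONSTRUCTED-KEYLOG-HOOK installs a keyboard hook",
    "brand_new_threat.exe": b"MZ\x90\x00 constructed sample C: unknown to the scanner today",
}


def build_initial_db() -> SignatureDB:
    """What the scanner knows before today's update (constructed)."""
    db = SignatureDB()
    db.add_hash(FILES["game_cheat.exe"], "Constructed.Trojan.A")             # exact-hash signature
    db.add_pattern(b"CONSTRUCTED-KEYLOG-HOOK", "Constructed.Keylogger.B")    # pattern signature
    return db


def signature_update(db: SignatureDB) -> SignatureDB:
    """Simulates the vendor's daily update adding newly analysed samples."""
    db.add_hash(FILES["game_cheat_v2.exe"], "Constructed.Trojan.A.variant")
    db.add_hash(FILES["brand_new_threat.exe"], "Constructed.Dropper.C")
    return db


if __name__ == "__main__":
    db = build_initial_db()
    print("Before update:", scan_files(FILES, db))
    signature_update(db)
    print("After update: ", scan_files(FILES, db))
```

Notice that the pattern signature still catches the keylogger even though its hash is not listed, while the "repacked" trojan slips past the hash-only signature until the update arrives. This is why scanners use many signature types and why auto-updating them is not optional.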
Have you ever had a virus on your computer? What happened and how did you get rid of it?
Unauthorized Access - You Fail.
Criminals can gain unauthorized access to computing systems in many ways by exploiting the users and the staff of the system. They can gain access through malware or by stealing or cracking passwords or hacking in through unprotected areas.
Phishing is a common technique used to trick a user into providing personal information, usually through email. The attacker tricks you into giving up information such as your bank password, and can then use that information to access sensitive online resources, such as logging into your bank accounts or email.
A malicious phishing or malware link can be disguised on a web page or in an email message. Watch the following video on phishing.
One year GUSD contracted with a security company to test all staff and student users to see who would get phished. See this document for the sample email and how TClark knew it was a scam, and what other parts you can check to make sure an email is legit. If you work for a company and fall for phishing attacks, or even the simulations from security companies, then your employer might not want you on the team any more, especially since you could be a security risk for the company... Check out this phishing quiz from Google.
Unauthorized Access - Other Attacks
Another technique for capturing passwords is keylogging software which secretly records every keystroke made by a computer user. This can be used to gain fraudulent access to passwords and other confidential information. Keyloggers can be installed through malware or hacking. Unsolicited emails, attachments, links, and forms in emails can be used to compromise the security of a computing system. These can come from unknown senders or from known senders whose security has been compromised. Untrustworthy (often free) downloads from freeware or shareware sites can contain malware.
Unencrypted information sent over public networks can also be compromised. Data sent over public networks can be intercepted, analyzed and modified. One way that this can happen is through a rogue access point. A rogue access point is a wireless access point that gives unauthorized access to secure networks. Network and system administrators protect their networks with firewalls, which provide a barrier to attacks, and scan their networks with network analyzers to prevent unauthorized access. You can create an opening yourself without meaning to: if your computer is connected to a password-protected WiFi network and you enable Bluetooth network sharing, you may be allowing anyone within Bluetooth range of your computer onto that secure network.
A Denial of Service (DoS) attack consists of sending a lot of requests to a server at the same time (for instance, requests for a web page or some data). This can overload the server's network bandwidth. A DoS attack doesn't destroy data or collect passwords; it just causes a temporary inability to reach the targeted server so other users of that server are denied service.
A variant is the Distributed Denial of Service (DDoS) attack, in which the attacker first uses viruses and other malware to take control of many (sometimes hundreds of thousands of) computers around the world. This network of infected computers is called a botnet. The attacker then launches a DoS attack from all of the victims' computers at the same time. Besides increasing the number of simultaneous server requests, DDoS makes it harder to determine who is at fault, since the attack seems to come from many innocent people.
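Server administrators spot these attacks in their request logs. Here is an added example (not from the original lesson) that reads web server log lines in the common "combined" format, counts requests per second, and tells a single-source flood apart from a distributed one by how many different addresses are involved. The log lines, addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds of 20 requests and 10 sources per second are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format, e.g.
#   203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')


def parse_line(line: str):
    """Turn one log line into a record, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status, size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "second": int(when.timestamp()), "method": method,
            "path": path, "status": int(status), "bytes": int(size)}


def parse_log(lines):
    records = (parse_line(line) for line in lines)
    return [r for r in records if r is not None]


def detect_floods(records, max_per_second: int = 20, distributed_sources: int = 10):
    """Flag every second whose request count exceeds the normal ceiling and classify it:
    many distinct source addresses looks like a botnet (DDoS), one address like a plain DoS."""
    by_second = defaultdict(list)
    for r in records:
        by_second[r["second"]].append(r["ip"])
    alerts = []
    for second in sorted(by_second):
        ips = by_second[second]
        if len(ips) <= max_per_second:
            continue
        sources = Counter(ips)
        kind = "distributed" if len(sources) >= distributed_sources else "single-source"
        alerts.append({"second": second, "requests": len(ips), "sources": len(sources),
                       "kind": kind, "top_sources": sources.most_common(3)})
    return alerts


def make_line(ip: str, stamp: str, path: str = "/index.html") -> str:
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: one normal second, one DoS second, one DDoS second."""
    lines = []
    # 13:55:36  normal browsing: 5 requests from 3 visitors
    normal = ["203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.5", "203.0.113.6"]
    lines += [make_line(ip, "10/Oct/2023:13:55:36 +0000") for ip in normal]
    # 13:55:37  one machine hammering the server (DoS)
    lines += [make_line("198.51.100.7", "10/Oct/2023:13:55:37 +0000") for _ in range(50)]
    # 13:55:38  40 different infected machines, one request each (DDoS-style botnet)
    lines += [make_line(f"203.0.113.{n}", "10/Oct/2023:13:55:38 +0000") for n in range(100, 140)]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_floods(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single-source flood could be stopped by blocking one address; the distributed one cannot, which is exactly the advantage the botnet gives the attacker and why defenses against DDoS have to filter on traffic patterns rather than on who is sending.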
What Can You Do?
It should not be the responsibility of the individual to ensure their safety online just as it's not their responsibility to do a safety inspection of every subway car before boarding. Without proper regulation, there are no perfect solutions that you as an individual can use to be sure you will never be victimized. However, there are things you can do that will help:
1. Run up-to-date software. The Windows 98 operating system was not sold after 2000, and not supported after 2006. But there are still computers running this obsolete system, including many in the US Department of Defense. Usually, when people keep using obsolete systems, it's because they rely on application software that runs only in the old system. Also keep your main browser up to date.
2. Use authentication to protect devices and information from unauthorized access. For example:
Use strong passwords. You need a separate password for every site you use. The only good solution is to use a password manager, a program that makes up a random password for every site. You just remember one password, the one for the password manager itself. It takes care of your other ones for you.
Enable multifactor authentication (such as two-factor authentication) so you can only access your device or account after entering specific information (typically one factor is a password, and the other uses another of your devices or accounts, or something that detects your body, like a fingerprint reader). It may feel like a hassle, but each step added to the login process adds another layer of security.
xkcd Password Strength: https://xkcd.com/936/
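To make the "exponential time" point from the introduction concrete, and to show what a password manager actually does when it "makes up a random password", here is an added example that is not part of the original lesson. It generates passwords from the operating system's secure random source and works out how many guesses a brute-force search needs for a given length and character set. The guessing rate of ten billion per second is an assumption chosen for illustration, not a figure from the lesson.

```python
import math
import secrets
import string

# Character sets an attacker would have to search (constructed for illustration).
CHAR_SETS = {
    "lowercase letters": string.ascii_lowercase,                               # 26
    "upper + lower": string.ascii_letters,                                     # 52
    "letters + digits": string.ascii_letters + string.digits,                  # 62
    "letters + digits + symbols": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def generate_password(length: int = 16, alphabet: str = CHAR_SETS["letters + digits + symbols"]) -> str:
    """Password-manager style: every character drawn independently from a CSPRNG,
    so the password has the full entropy of the alphabet and no human patterns."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def brute_force_guesses(length: int, alphabet_size: int) -> int:
    """Size of the search space: every position can be any of alphabet_size symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the search space; each extra character adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length: int, alphabet_size: int, guesses_per_second: float = 1e10) -> float:
    """Time to try every password at an assumed offline cracking rate (1e10/s is an assumption)."""
    return brute_force_guesses(length, alphabet_size) / guesses_per_second


def human_time(seconds: float) -> str:
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return "less than a second"


def growth_table(alphabet_size: int, lengths=(6, 8, 10, 12, 16), guesses_per_second: float = 1e10):
    """One row per length: (length, bits of entropy, worst-case cracking time)."""
    return [(n, round(entropy_bits(n, alphabet_size), 1),
             human_time(worst_case_seconds(n, alphabet_size, guesses_per_second)))
            for n in lengths]


if __name__ == "__main__":
    print("Example generated password:", generate_password(16))
    for label, chars in CHAR_SETS.items():
        print(f"\n{label} ({len(chars)} symbols):")
        for length, bits, when in growth_table(len(chars)):
            print(f"  {length:2d} characters  {bits:6.1f} bits  {when}")
```

Each extra character multiplies the attacker's work by the alphabet size, so going from 8 to 12 characters over 94 symbols costs the attacker 94 to the 4th power (about 78 million) times more effort. That is the exponential growth the lesson relies on, and it is also why a manager-generated 16-character password is out of reach while an 8-character one chosen by a person is not.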
3. Don't click links on websites, or especially in email, without first double-checking that the actual URL in the link is what you expect. (Where does this link to http://google.com really send you?) If a computer or account of someone you know has been compromised, you may receive emails appearing to come from them that contain malicious links that could compromise your system or account. As you know, it's important to keep your software up-to-date, but a common trick is a pop-up window asking you to download an update. Don't click those unless you're sure it really is a legitimate update. It's best to go to the "updates" section of the app or operating system for updates.
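The check described here, and the phishing emails described earlier, can be automated: an email filter compares the text a link shows with where the link actually goes. The following is an added example, not from the original lesson, that pulls every link out of an HTML email and flags the classic warning signs. The sample email, the addresses and the domain names in it are constructed; the "last two labels" rule for the registered domain is a deliberate simplification (real filters consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Text that looks like a domain or URL, e.g. "http://google.com" or "www.site.org/path".
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registered_domain(host: str) -> str:
    """Simplification: treat the last two labels as the owner's domain.
    (bank-example.com.secure-verify.example is owned by secure-verify.example, not the bank.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(text: str, href: str) -> list:
    """Return the warning signs for one link; an empty list means nothing suspicious was found."""
    reasons = []
    url = urlparse(href if "://" in href else "http://" + href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        reasons.append("not https")
    if IPV4.match(host):
        reasons.append("destination is a bare IP address")
    shown = URL_LIKE.match(text)
    if shown and not IPV4.match(host):
        shown_domain = registered_domain(shown.group(1))
        if shown_domain != registered_domain(host):
            reasons.append(f"text shows {shown_domain} but link goes to {registered_domain(host)}")
    return reasons


def audit_email(html_body: str) -> list:
    """Every link in the message with its text, real destination and warning signs."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return [{"text": text, "href": href, "reasons": check_link(text, href)}
            for text, href in extractor.links]


# Constructed phishing-style email body used as sample input.
SAMPLE_EMAIL = """
<p>Your account is locked. <a href="http://198.51.100.23/login">Click here</a> to restore access.</p>
<p>Or visit <a href="http://bank-example.com.secure-verify.example/login">http://bank-example.com</a></p>
<p>Questions? See <a href="https://www.bank-example.com/help">https://www.bank-example.com/help</a>.</p>
"""

if __name__ == "__main__":
    for entry in audit_email(SAMPLE_EMAIL):
        verdict = "; ".join(entry["reasons"]) or "looks consistent"
        print(f'"{entry["text"]}" -> {entry["href"]}\n    {verdict}')
```

The second link is the one this lesson item warns about: the text reads like the bank's address, but the registered domain of the real destination belongs to someone else, with the bank's name planted as a subdomain to look right at a glance. Hovering over a link in a mail client shows the same href this code reads.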
4. Don't use sketchy software. If the advertising says that the program will get you money, free stuff, cheats for video games, etc., it's very likely to be malware. A particularly sneaky category is fake antivirus software! Check the reviews in magazines and/or trusted websites, while double-checking the link you plan to download from, in order to make sure you're getting what you really want.
5. Regularly review your security settings for the websites, apps, and programs you use. You can control the permissions for collecting and sharing your information.
6. Install antivirus and anti-malware software. There are free versions of several popular packages available. Read reviews to find software that will match your needs and budget.
7. Don't connect to insecure WiFi. Ideally, WiFi networks should use WPA2 or WPA3 (WiFi Protected Access) security, but WPA is better than no security at all.
8. Follow the policies of your IT Department. Oftentimes their policies are a direct result of an employee messing up and putting the company at risk. Plus, they are the ones who are most up-to-date on current best practices.
Still Curious?
Read up on other ways that data is collected and used:
Try hacksplaining.com, which describes hacking exploits and how to protect against them.
Try the PBS Cybersecurity Lab where you protect a business against attacks.
Try a Capture the Flag event where you solve computer security challenges to capture flags. A great one for beginners is picoctf.com designed for high school students. Here are some other resources.
More Cybersecurity lessons available at teachingsecurity.org