Novel security breaches have taught us lessons (or clarified ones we should have already learned). This paper reviews many key issues and focuses attention on 10 responses that we all need to adopt in our approach to security.
Most security breaches are preventable, but only if we learn from mistakes of the past and the harm experienced by others. Security breaches often demonstrate flaws, reveal misconfigurations, and expose design mistakes that many other organizations continue to have.
1. Email Is Not Private
Email has always been a plain text communication medium. However, many have forgotten that or have become confused about its security over time.
Those who use a web browser to read their email see HTTPS at the start of the URL and take that to mean their email is secure. But that TLS connection only protects the link between your browser and the webmail server; it says nothing about how the message travels once the server hands it on. Likewise, email client users may have configured TLS (SMTPS, STARTTLS, IMAPS) for the connection to their mail server at their ISP or office. That also protects only the hop between the client and the local server. Messages exchanged with other recipients across the Internet may still travel between mail servers in plain text.
Between mail servers, encryption is opportunistic: the sending server uses STARTTLS if the receiving server advertises it and otherwise falls back to plain text, and unless the receiving domain publishes an enforcement policy (MTA-STS or DANE) an attacker on the path can strip the STARTTLS offer and force that fallback. Large providers such as Google, Microsoft, and Yahoo encrypt traffic among themselves and with other servers that support it, but nothing guarantees that a given message was encrypted on every hop, and it may be years before a majority of messages are encrypted for the whole of their transit.
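One practical check you can make on a message you have received, as an added example that is not part of the original article: each mail server stamps a Received: header describing the hop on which it accepted the message, and the RFC 3848 protocol tokens ESMTPS and ESMTPSA in that header mean the hop used TLS. The script below parses those headers and reports, hop by hop, which were encrypted. The message it parses, including every host name and address, is constructed for the demonstration.

```python
"""Added example: read the Received: trail of a message and report, hop by
hop, whether TLS was used. Protocol tokens follow RFC 3848 (ESMTPS = ESMTP
over TLS, ESMTPSA = over TLS with SMTP AUTH). The sample message is
constructed for this demonstration; hosts and addresses are invented."""
import email
import re
from email import policy
from typing import Dict, List

# Transmission types that imply a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed message. Received: headers are added by each receiving
# server, newest on top, so the list reads bottom-up in delivery order.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.com with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 1 Jan 2030 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id def456;
\tTue, 1 Jan 2030 10:00:02 +0000
Received: from [192.0.2.10] (client.example.net [192.0.2.10])
\tby relay.example.net with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tTue, 1 Jan 2030 10:00:01 +0000
From: alice@example.net
To: bob@example.com
Subject: quarterly numbers
Message-ID: <constructed-1@example.net>

The attached figures are confidential.
"""


def received_hops(raw_message: str) -> List[Dict[str, object]]:
    """Return the hops in delivery order (first hop first)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())          # unfold the header
        src = re.search(r"\bfrom\s+(\S+)", text)
        dst = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "with": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return hops


def fully_encrypted_in_transit(raw_message: str) -> bool:
    """True only if every recorded hop used TLS. Limits: a Received: line
    is only as honest as the server that wrote it, and lines added before
    the message reached a server you control may be forged by an upstream
    relay. TLS on every hop still leaves the content readable by each
    server; only OpenPGP or S/MIME protects it end to end."""
    hops = received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        flag = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']} via {hop['with']}: {flag}")
    print("encrypted on every hop:", fully_encrypted_in_transit(SAMPLE_MESSAGE))
```

In the constructed sample the middle hop (relay.example.net to mx.example.org) was accepted over plain ESMTP, so the message was readable on the wire for that leg even though both ends of the path used TLS. Webmail providers that show a padlock or "not encrypted" marker on a message are applying the same kind of check to the headers they wrote themselves.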
Approaches You Must Consider For Email
First, minimize the transmission across email of information that could cause you problems (or heartache) if it were intercepted in transit, whether by your employer, family, government, or criminals. Use a more secure channel, such as encrypted file exchange, end-to-end encrypted messaging, or video conferencing, for items of importance or value.
Second, start using an email encryption solution. While standalone email client add-ons have been available for years, there are now numerous options to add encryption to web-based email via browser extensions, as well as encrypted email services. A few browser extensions to consider include Mailvelope, PassLok for Email, and SendSafely. A few examples of encrypted email services include ProtonMail and Hushmail.
If you are still using a standalone email client, you can use the S/MIME standard by obtaining a personal digital certificate, or use OpenPGP (the open standard, RFC 4880) through an implementation such as the commercial PGP product or the free GnuPG (GPG).
No matter which solution you implement, the primary drawback to client-based email encryption solutions is that your recipient must have a corresponding solution to decrypt your messages or verify your digitally signed messages.
2. No Network Is Fully Secure
If you have attended any security training, I'm sure you were told that security is never a completed project; it is a journey whose destination changes often.
There is no perfectly secure network and it is impossible to construct one. There are always means to breach security, whether through technical exploits, physical breaches, or social engineering. However, many organizations seem to act like their security is complete, that their network is unbreachable, and that their environment can be fully trusted. But every year, hundreds of organizations learn the hard way that their networks are not perfectly secure when hackers break in to cause damage and steal confidential information.
All of us need to realize that much of the technology we use is rather young and has not had time to mature. We often strive to grab the latest gadget or upgrade to the newest release of a product. However, “new” also means less tested, and its flaws and exploits are not yet known. We place too much faith in the developers, manufacturers, and programmers of our hardware and software. I'm not suggesting we abandon technology and return to pen and paper, but I am suggesting a more cautious approach when using it to store and protect our most important information and assets.
We need more reliable backups. A backup is worthless if you cannot recover data from it, and a single backup only protects you from data loss if the damaging event does not also destroy the backup. Everyone needs to follow the 3-2-1 rule of backups:
3) Keep three copies of your data: the original and two backups;
2) Store the backups on two different types of media, such as a local hard drive and cloud storage;
1) Keep at least one copy in a different physical/geographical location from the original.
And test restores regularly: a backup that has never been restored is an assumption, not a backup.
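The point that a backup is only worth what you can restore from it can be turned into a routine check. The script below is an added example, not code from the original article: it hashes the source tree, restores a backup archive to scratch space and compares it with the original, does the same for a second copy on other "media", and shows that a silently corrupted second copy is caught. The file names and contents are constructed for the demonstration.

```python
"""Added example: prove a backup is restorable, not just present.

Hash every file in the source tree, restore each copy to scratch space,
and compare. Paths, file names and contents below are constructed for
the demonstration; nothing here is from the original article."""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the copy is good."""
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def create_archive(source: Path, archive: Path) -> None:
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")


def verify_archive(archive: Path, manifest: Dict[str, str]) -> List[str]:
    """Restore to a throwaway directory and check it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the safe extraction filter where this Python provides it
            # (PEP 706); older interpreters fall back to the plain call.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        return compare_manifests(manifest, build_manifest(Path(scratch)))


def verify_directory_copy(copy: Path, manifest: Dict[str, str]) -> List[str]:
    return compare_manifests(manifest, build_manifest(copy))


def demo() -> Dict[str, List[str]]:
    """Build a small source tree, make two copies, verify both, then
    silently corrupt the second copy and show that verification catches it."""
    with tempfile.TemporaryDirectory() as work:
        work_path = Path(work)
        source = work_path / "source"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "notes.txt").write_text("quarterly numbers\n")
        (source / "keys.bin").write_bytes(bytes(range(256)))
        manifest = build_manifest(source)

        archive = work_path / "copy1.tar.gz"      # first backup copy (archive)
        create_archive(source, archive)
        copy2 = work_path / "copy2"               # second copy, other "media"
        shutil.copytree(source, copy2)

        results = {
            "archive": verify_archive(archive, manifest),
            "directory_copy": verify_directory_copy(copy2, manifest),
        }
        # Simulate silent corruption of the second copy: one byte changes.
        (copy2 / "docs" / "notes.txt").write_text("quarterly numbers!\n")
        results["directory_copy_after_corruption"] = verify_directory_copy(copy2, manifest)
        return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The manifest is the piece worth keeping: store it with the backup and off the backed-up system, and a restore drill becomes a comparison rather than a guess. Scheduling this against each of the 3-2-1 copies is what turns the rule from a storage layout into a tested recovery capability.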
We need to add layers of security to the existing infrastructure, including storage encryption, multifactor authentication, logging and auditing of all access attempts, stateful inspection firewalls, and monitoring of it all with intrusion detection and prevention systems (IDS/IPS).
3. Large Organizations Aren’t Always the Most Secure
Just because a company has been successful and grown into a large corporation does not imply that it offers the best security to its customers. Often the priorities and obligations of a large organization are counter to the desires and interests of its customers.
Never assume that you are a company's top concern. Think twice about putting your most important or personal information online. Whether a social network, a cloud storage solution, or an e-commerce site, you are putting yourself at risk when you post private, sensitive, or valuable information online.
Always set your account information to private when that option is available. Provide only the minimum amount of information when creating an online account, especially for new services you might not continue to use. Consider a separate email address for new sites so you don't expose your primary address before you know more about the site or service. Use a dedicated credit card primarily for online purchases, and monitor that account often for questionable activity.
Automating bill pay, paycheck deposit, and retirement investing can be a huge time saver and help you save for retirement. However, you need to check on those systems regularly to make sure the numbers are correct and the procedures are working as you defined them.
If you find a mistake or an error soon after it occurs, it can be corrected with little consequence. But failing to notice a problem after months or years could cost you big time. You must advocate for yourself.
4. Beware of Impersonation and Misinformation on Social Networks
As humans, we trust that which is familiar — whether it’s the last two miles on our drive home where we don't pay as much attention or a co-worker whom we ask to watch over our belongings while we step away.
Attackers and advertisers know this and work hard to become as familiar to you as possible. This is why you see the same advertisements so often in so many different media (print, radio, TV, online) and why companies establish trademarks for their products. The same concern applies to many other aspects of our lives, both in the real world and online.
We all trust our friends, that's why we call them friends and not enemies. However, when communicating with a friend through a social network, you are at risk of impersonation attacks. If an attacker can take over the account of a friend, then the communications from that account to you are no longer from your friend but from the attacker. Initially, you won't know this and are likely to be tricked into believing something false or downloading and installing something malicious. Be slow to believe information seen online, especially through social networks, even when related to someone you know and trust. If something seems odd or out of character, then contact that person through some other means (NOT the same social network site), to inquire about the concern.
There is also a wide range of people who enjoy crafting false information to mislead everyone. Sometimes they want to stir up a group, sometimes they want to get a strong reaction, sometimes they want to sell a product, and sometimes they want to use the farce as a distraction. Online information sources, even news agencies, need to be filtered through a lens of skepticism. Take the time to investigate a claim, report, posting, or headline. Find out the source, consider opposing viewpoints and perspectives, and don't believe it just because it was posted online.
5. Your Online Activities Are Being Tracked
Tracking is a fact of online activity. Most websites are free because advertisers pay the site owners, and that payment buys not just the right to show you advertisements but the right to track your activities and build a dossier of your habits and interests.
This type of tracking is big business and a large part of your online activity. You may have heard of initiatives to reduce tracking, such as the Do Not Track flag a browser can send to ask websites not to monitor your activities and sell them to third parties; note that Do Not Track is only a request, and most sites ignore it. There are other steps you can take to reduce the amount of tracking that targets you, including:
- Use the incognito or private browsing mode of your web browser. This discards cookies and history when the window closes; it does not hide you from the sites you visit during the session.
- Disable third-party cookies.
- Set your browser to delete all cookies at shutdown.
- Use a browser extension to control website content, such as NoScript or uBlock Origin (both available for Firefox and for Chromium-based browsers).
- Use a cookie tracker to become more aware of the amount of tracking taking place, such as Lightbeam for Firefox.
- Use advertisement and tracking blockers, such as Adblock Plus (which lets "acceptable ads" through unless you turn that setting off), Ghostery, Disconnect, and Privacy Badger.
These suggestions greatly reduce the amount of tracking that targets you, but they do not block all of it. Browser fingerprinting (sometimes loosely lumped together with "super-cookies") cannot be stopped by refusing or clearing cookies. It takes an inventory of your web browser and the sub-systems a page can query (user agent, screen size, time zone, installed fonts, canvas and WebGL rendering, and so on) to derive a fingerprint that is very often unique to your system.
Since nothing is stored on your system, there is nothing to delete or block. If your configuration stays roughly the same over time, your fingerprint can be recognized each time you return to a site, and across sites that share the same tracking script. To see how identifiable your own browser is, visit the Cover Your Tracks site (formerly Panopticlick) operated by the Electronic Frontier Foundation (EFF).
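To make concrete why a fingerprint works without storing anything, here is an added example that is not part of the original article: it canonicalizes a handful of attributes any page can read, hashes them into an identifier, and scores that identifier against a constructed population of browsers the way Cover Your Tracks reports "bits of identifying information". The population, attribute names and values are invented for the demonstration.

```python
"""Added example: how a fingerprint identifies a browser without storing
anything on it. Observable attributes are canonicalised and hashed, and the
result is scored against a constructed population to show how many people
share it. The population and attribute values are invented."""
import hashlib
import json
import math
from collections import Counter
from typing import Dict, List

Profile = Dict[str, object]


def fingerprint(attributes: Profile) -> str:
    """Stable label for a set of observable attributes. Canonical JSON makes
    attribute order irrelevant; the hash is only a compact label and adds
    no secrecy, the identifying power is in the attributes themselves."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def constructed_population() -> List[Profile]:
    """240 ordinary users spread over a few common configurations, plus one
    user who installed an unusual font. Entirely made up for the example."""
    population = []
    common_fonts = ["Arial", "Times New Roman", "Verdana"]
    for user_agent in ("Chrome/120", "Firefox/121"):
        for screen in ("1920x1080", "1366x768", "2560x1440"):
            for timezone in ("America/New_York", "Europe/Berlin"):
                for _ in range(20):
                    population.append({
                        "user_agent": user_agent,
                        "screen": screen,
                        "timezone": timezone,
                        "fonts": common_fonts,
                    })
    population.append({
        "user_agent": "Chrome/120",
        "screen": "1920x1080",
        "timezone": "Europe/Berlin",
        "fonts": common_fonts + ["Comic Sans MS", "Wingdings"],
    })
    return population


def shared_with(population: List[Profile], profile: Profile) -> int:
    """How many population members produce the same fingerprint as profile."""
    counts = Counter(fingerprint(p) for p in population)
    return counts[fingerprint(profile)]


def identifying_bits(population: List[Profile], profile: Profile) -> float:
    """Surprisal of the fingerprint: log2(N / matches). log2(N) means the
    profile is unique in the population; a profile not present at all is
    scored as if it had been added to it."""
    total = len(population)
    matches = shared_with(population, profile)
    if matches == 0:
        total, matches = total + 1, 1
    return math.log2(total / matches)


if __name__ == "__main__":
    pop = constructed_population()
    for label, profile in (("ordinary", pop[0]), ("unusual fonts", pop[-1])):
        print(f"{label}: shared with {shared_with(pop, profile)} of {len(pop)}, "
              f"{identifying_bits(pop, profile):.2f} bits")
    # Changing any single attribute changes the fingerprint, which is why a
    # stable configuration is recognisable on every return visit and why
    # clearing cookies alone does not help.
    moved = dict(pop[0], timezone="Asia/Tokyo")
    print("same fingerprint after timezone change:",
          fingerprint(moved) == fingerprint(pop[0]))
```

The lesson the numbers carry is the one the paragraph above states in words: the more your configuration departs from the crowd (an extra font, an unusual screen size, a rare plugin), the fewer people share your fingerprint and the more bits it reveals. Tor Browser's approach of making every user look alike is the direct response to this, and it is also why installing a pile of privacy extensions can make a browser more recognizable rather than less.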
I think everyone should consider using some form of tracking blocking or filtering mechanism. But I do want to present an important alternative perspective regarding online tracking. If we as consumers of the Internet can successfully block all tracking (and subsequently all target advertisement), then many of the websites and online services that we currently use for free will have to start charging us for their use. It might be a worthwhile trade-off to allow some level of anonymous bulk tracking to target advertising so we can continue to use online content without having to pay more than our initial connection fee to our ISP.
6. Staying Anonymous Is A Challenge
News reports of hackers being apprehended often state that the offenders were using anonymization services but made some mistakes. Often those mistakes consist of failing to use the anonymization tool every single time they connected to their target. When attackers forget to use their tools, they leave behind a trail that investigators can follow. Keep this in mind for your own use as well.
I'm neither condoning attacking nor encouraging you to commit crimes or even act unethically, but there are valid reasons to be anonymous when using some Internet services. Whether needing to report a crime, seeking help due to an abusive relationship, or needing advice when involved in an embarrassing situation, there are some valid and ethical reasons for needing online anonymity.
However, for the typical user, staying anonymous is extremely difficult. The tracking described in the previous section identifies you by default, and because so many criminals hide behind anonymization services, law enforcement has invested considerable effort in breaching the anonymity those mechanisms provide.
However, if you find yourself in need of being anonymous (again, for a legitimate and ethical reason), here are some suggestions to keep you as anonymous as reasonably possible for any non-criminal:
- Don't use your personal system for any communications that you need to be anonymous. Don't use your smartphone, tablet, or the main OS on your primary computer.
- Install a virtualization product, such as VirtualBox (free, from Oracle), on a computer. This can be your primary system or a second system you dedicate to this purpose.
- Boot a live Ubuntu ISO in a virtual machine without installing it. Ubuntu is a simple-to-use version of Linux that any Windows user can operate, and a live session does not retain changes across reboots. (A purpose-built alternative for this use is the Tails live system, which routes all of its traffic through Tor.)
- In Ubuntu, install Tor; see torproject.org for instructions. The simplest and safest route is the Tor Browser bundle, whose browser is deliberately hardened against the fingerprinting described in the previous section.
- If you nevertheless use a different browser than the one included with Tor, you must point it at Tor's SOCKS proxy: 127.0.0.1 port 9150 while Tor Browser is running, or port 9050 for the system tor service installed from a package. Configure it as SOCKS5 with DNS resolved through the proxy (Firefox calls this "Proxy DNS when using SOCKS v5"); otherwise your DNS lookups reveal every site you visit to your ISP. Be aware that a stock browser still exposes the fingerprint Tor Browser is designed to hide.
- Use the incognito or private browsing mode of the alternate browser.
- While accessing the Internet, do not log onto any site for which you have an existing account.
- If accounts are needed for certain services, do not use anything about yourself in the registration process. Set up a temporary e-mail address (search on “temporary e-mail”) and do not use your real name, real e-mail address, real phone number, or any other identifying factors when setting up an account.
These steps are not convenient, but they provide a reasonable level of anonymity while using online services. Be careful: while it may be “easy” to become anonymous, it is “hard” to stay anonymous. Most of the time, anonymous users give themselves away by picking up tracking tools, misconfiguring or forgetting their proxy, or outing themselves by providing personal information or logging into their normal online accounts.
7. Vendor Code May Have Backdoors
A backdoor is a means of gaining access to a system that bypasses the front door, the normal authentication with valid account credentials. Backdoors are mostly known as something a hacker plants after compromising a system by other means. However, we have learned that several widely used products and services have had backdoors planted in them by the vendor on purpose or by an unscrupulous member of its development team.
There have been many discoveries of backdoors in vendor products. Sometimes they are leftover development mechanisms (debug accounts, hard-coded credentials, undocumented management interfaces) that were overlooked when preparing the product for release. But there have also been instances of internal developers adding their own unauthorized backdoor, remote access, or “god-mode” code, which can be abused by themselves or others.
Vendor backdoors are a difficult issue to address, since they are unknown until someone discovers and publishes them. Keep a closer watch on security discussions and vulnerability postings, and be aware that the systems you trust today may be shown to be flawed tomorrow. Don't place all of your trust in a single vendor or a single protection. Compensating controls help: know what each device listens on and where it connects, keep management interfaces off networks that untrusted users can reach, and alert on connections you did not expect. A heterogeneous environment and a security design built on defense in depth are essential to being prepared for the unknown.
8. Segmentation/Compartmentalization Of Networks Is Essential
It is simpler to set up a private network as one internal group. A single flat collection of clients and servers is easier to manage and more convenient for accessing resources. However, that openness and convenience is also a vulnerability. We must assume that our company's security will fail at some point. When that happens, how easy have we made it for an intruder to discover and reach our most valuable assets? Companies need to reconsider their network deployment with that question in mind.
Segmentation or compartmentalization is key to limiting damage and access once malware has gained a foothold or a remote access Trojan has let an attacker into your organization. Different departments, processing groups, and systems of different value or sensitivity should be separated into their own subnets or VLANs with distinct IP address ranges, with traffic between them enforced by firewalls (default deny, allowing only the flows each segment needs) and monitored by IDS/IPS.
Segmentation is one building block of the security stance known as Zero Trust, which is based on the notion that nothing is inherently trusted, not even elements on the internal network or systems that have been in use for years. Every interaction or data exchange is authenticated, authorized, and audited, every time.
While this approach can seem a bit daunting to implement, it is often far less of a hassle than recovering from a breach caused by a lack of protection and proactive defense mechanisms.
9. Clarification Of Incident Response
Many companies that experienced breaches discovered they were ill-prepared to respond. The result was attacks that lasted longer than necessary, more compromised systems, and a harder job tracking down the perpetrators.
Your organization can address this by making the effort to clarify its incident response: a written policy, a trained incident response team (IRT), and regular drills and simulations. We operate in a world where security breaches are inevitable, so in addition to shoring up our defenses to reduce the chance of compromise, we must be prepared to deal with one when it occurs. A well-managed incident response procedure is the mechanism of that preparedness.
10. Respect the Reports and Alerts From Your Security Products
Many compromises are detected long before the majority of the damage or information leaks take place. Attacks are allowed to continue when the reports of these detected breaches are either overlooked or ignored.
Often the initial compromise, or even the initial probing of a system, is detected months before the main offensive takes place. If the leaders in our organizations respect the reports and alerts from security products and teams, a significant portion of the compromises we experience can be avoided.
Yes, there will be false positives. But the proper way to address them is to respond to and investigate every alert, then tune the detection so that the same benign event no longer triggers it. Tune narrowly: record a documented exception for the specific source or behavior that was found to be benign rather than raising thresholds or disabling the rule, and review those exceptions periodically, because an attacker who learns what you ignore will hide behind it.
When millions of customers’ personally identifiable information (PII), financial information, the reputation of the company, and millions of dollars are at risk, it is essential to respect the reports and alerts from early warning solutions.
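What "investigate every alert, then tune narrowly" looks like in practice, as an added example that is not part of the original article: a small failed-login detector runs over constructed sshd log lines, and one noisy source, an internal vulnerability scanner, is handled by an explicit, documented exception rather than by loosening the threshold. Suppressed alerts are still returned so the suppression itself can be audited. The log lines, addresses and the scanner entry are all invented for the demonstration.

```python
"""Added example: run a failed-login detector over constructed sshd log
lines, then tune a known false positive narrowly. The log lines, addresses
and the scanner exception are invented for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd log excerpt: a scanner, one clumsy user, and an attacker.
LOG_LINES = [
    "2030-01-01T09:00:01Z sshd[4101]: Failed password for root from 198.51.100.20 port 40001 ssh2",
    "2030-01-01T09:00:02Z sshd[4102]: Failed password for invalid user admin from 198.51.100.20 port 40002 ssh2",
    "2030-01-01T09:00:03Z sshd[4103]: Failed password for invalid user test from 198.51.100.20 port 40003 ssh2",
    "2030-01-01T09:00:04Z sshd[4104]: Failed password for root from 198.51.100.20 port 40004 ssh2",
    "2030-01-01T09:00:05Z sshd[4105]: Failed password for invalid user guest from 198.51.100.20 port 40005 ssh2",
    "2030-01-01T09:00:06Z sshd[4106]: Failed password for root from 198.51.100.20 port 40006 ssh2",
    "2030-01-01T09:10:00Z sshd[4201]: Failed password for alice from 192.0.2.44 port 50001 ssh2",
    "2030-01-01T09:10:09Z sshd[4202]: Failed password for alice from 192.0.2.44 port 50002 ssh2",
    "2030-01-01T09:10:20Z sshd[4203]: Accepted password for alice from 192.0.2.44 port 50003 ssh2",
    "2030-01-01T11:30:00Z sshd[4301]: Failed password for root from 203.0.113.9 port 33001 ssh2",
    "2030-01-01T11:30:40Z sshd[4302]: Failed password for invalid user oracle from 203.0.113.9 port 33002 ssh2",
    "2030-01-01T11:31:15Z sshd[4303]: Failed password for invalid user postgres from 203.0.113.9 port 33003 ssh2",
    "2030-01-01T11:32:05Z sshd[4304]: Failed password for root from 203.0.113.9 port 33004 ssh2",
    "2030-01-01T11:33:30Z sshd[4305]: Failed password for invalid user admin from 203.0.113.9 port 33005 ssh2",
    "2030-01-01T11:34:10Z sshd[4306]: Failed password for root from 203.0.113.9 port 33006 ssh2",
]

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str]   # (timestamp, user, source ip)


def parse_failures(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        match = FAILED_RE.match(line)
        if match:
            ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, match.group("user"), match.group("ip")))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """One alert per source that reaches `threshold` failures inside `window`
    (sliding window over that source's attempts, oldest first)."""
    by_source = defaultdict(list)
    for ts, user, ip in events:
        by_source[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "source": ip,
                    "count": end - start + 1,
                    "first_seen": attempts[start][0],
                    "last_seen": attempts[end][0],
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                })
                break
    return alerts


# Documented exception: who is allowed to look like an attacker, and why.
# A real entry would name the owner and a review date as well.
TUNING_EXCEPTIONS = {
    "198.51.100.20": "authorised internal vulnerability scanner (constructed example)",
}


def triage(alerts: List[Dict[str, object]],
           exceptions: Dict[str, str] = TUNING_EXCEPTIONS) -> Dict[str, List[Dict[str, object]]]:
    """Split alerts into ones that need a human and ones covered by a
    documented exception. Suppressed alerts are still returned so the
    suppression is auditable; the detection threshold is never loosened."""
    result = {"open": [], "suppressed": []}
    for alert in alerts:
        reason = exceptions.get(alert["source"])
        if reason:
            result["suppressed"].append(dict(alert, reason=reason))
        else:
            result["open"].append(alert)
    return result


if __name__ == "__main__":
    outcome = triage(detect_bruteforce(parse_failures(LOG_LINES)))
    for alert in outcome["open"]:
        print(f"INVESTIGATE {alert['source']}: {alert['count']} failures, users {alert['users']}")
    for alert in outcome["suppressed"]:
        print(f"suppressed {alert['source']}: {alert['reason']}")
```

Run against the sample, the scanner and the attacker both trip the rule and the user who mistyped her password twice does not. The exception removes only the scanner from the analyst's queue; the attacker at 203.0.113.9 stays open, which is exactly what a global threshold increase to make the scanner go quiet would have lost.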
There are solid lessons to be learned from every mistake, accident, compromise, and attack. It is smart to learn from the failings of others rather than making the same mistakes and experiencing the same loss.
Whether in our personal lives and online activities or related to a global corporation, we need to become more mature in regards to our security management. We have to make these changes ourselves.
Now that you know more about cybersecurity perspectives and approaches, you should recognize that this is just a starting point of obtaining security knowledge. There are many other important security concerns that you need to be aware of. Because only with knowledge can you make a change for the better. Everyone has security responsibilities, both for themselves and for their employer. That responsibility starts with knowing more and seeking out the means to gain more knowledge.
One source of additional knowledge is the educational materials made available from Global Knowledge. Global Knowledge offers a wealth of online resources such as this article and other online materials. Global Knowledge is also a world leader in training, both live and on-demand courses.
- CISSP Certification Prep Course
- Security+ Certification Prep Course
- Certified Network Defender (CND) Certification Prep Course
- CEH Certification Prep Course
- CHFI Certification Prep Course
- CySA+ Certification Prep Course
- CASP+ Certification Prep Course
- PenTest+ Certification Prep Course
- CISM Certification Prep Course