In 2013, the Federal Bureau of Investigation (FBI) stated that cybercrime had become the number one threat to the nation, and that social engineering was rampant that year. In fact, as of today, 95% of cybercrime incidents start with a “spear phishing” email sent to a member of the targeted organization. Cybercriminals are targeting CEOs and other strategic planners, who are often exempt from the organization’s security rules and are too busy to take a few easy steps to verify the provenance of an email with a link or an attachment, or to wait until they get to their computers before clicking on a link sent to them via text (SMS).
So far, the solution has been a reactive approach of adding layers of technology. As hacking attacks increase, IT departments acquire more technology to guard the network perimeter, which in turn depletes government agencies and private industry of funds that would be more profitably invested in educating all members of the organization on the A-Z of using technology in private mode.
Total reliance on technology has proven to be ineffective against today’s modus operandi of hackers, spies and cybercriminals alike. Whenever an IT department deploys a new piece of technology to secure the network perimeter, the cybercriminals will find a way to circumvent it, as we have seen during the hacking events of the past 10 years, and on 21 OCT 2016 in the DDoS attack on Dyn using the Mirai malware.
Moreover, cybercriminals and spies are masking their intrusions under the pretense of normal Internet traffic, and they know they can count on the “click-happy” Internet user who will, without thinking, click on a URL link sent to him/her by email or text. The goal is to compromise the individual’s cybertechnology device (phones, tablets, laptops, etc.) with malware. The infected device then comes under the command and control of the hacker and is used to penetrate the holy grail of the organization – assets, intellectual property, and username/password/credit card information – or to execute a denial of service attack and other cybercrimes.
Our nation does not have a technological problem when it comes to cyber security. It has a behavioral problem – the operator is the weakest link in the security chain. It is the manner in which the operator (CEO, grandma, a child playing computer games, stay-home mom, receptionist, and anyone touching a device that connects to the Internet) opens an email with an embedded URL (regardless of whether the sender is known or unknown), uses portable devices, and applies privacy measures that is causing this wave of cyber-attacks.
Therefore, every organization must have a program to educate all employees and executives, including the board of directors, on risk management in the cyberspace domain. It is not enough to tell a person to be cautious while opening an email. A good educational program, like the program Meta provides, will show the step-by-step procedure to safely open an email with an attachment or a URL link regardless of whether a known or unknown individual has sent it; how to properly configure an iPhone and Droid phone so it provides privacy as a precursor of security; and how to secure the devices that constitute the Internet of Things. Although 100% security is not achievable in any domain, this action will considerably reduce the probability of falling into the list of cybercrime victims.
There is a great movie out called IT starring Pierce Brosnan. It shows the perils of having a smart home… where all the devices are connected to one single point of entry: your WiFi router. The movie is creepy, accurate, and a great thriller.
This movie also makes you ponder the official definition of Operational Security (OpSec) that I often see written in corporate guidelines and also in government sector guidelines to users. The definition goes “OPSEC is a process to deny potential adversaries information about capabilities and/or intentions by identifying, controlling, and protecting unclassified information that gives evidence of the planning and execution of sensitive activities.” I have used bold typeface and underlined the text that makes people believe that only computers with proprietary or critical information ought to be configured in private mode. This, in part, is causing the problems we see today with 95% of cyber intrusions being done through an unsecure and compromised device.
You have to imagine that any device that connects to the Internet is like a hammer. You can use a hammer to build a home, which is a noble deed, or you can use a hammer to crack a skull, which is a crime. If your computer is compromised, unbeknown to you, it can be used to conduct a cyber-attack against our nation, and it can also be used as a stepping-stone device on a drive-by-download to move child porn files across the Internet.
How many of you read my blog about passwords and two-factor authentication and immediately applied what you learned? It is not enough to call yourself a patriot. You MUST take cyber security seriously, and put privacy ahead of convenience because privacy is the precursor of security. Your security and the security of the country at large.
That is all for now. Thank you for reading!
Meta brings the courses Risk Management When Online and Open Source Intelligence (OSINT) Collection and Analysis to your organization regardless of where you are located. Watch this short clip: https://www.youtube.com/watch?v=aRXazQuPzFs Then call us to schedule training for your team or organization.
About the Blog
This blog is updated on a bi-weekly basis and addresses a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.