Protecting Your Information Technology

Written by Christopher Myers

In today’s environment, where there are currently over 210,000 active computer vulnerabilities, and where cyberattacks against individuals take place every 10 seconds, users of information technology cannot afford to simply ‘cross their fingers’ and hope that they will not fall victim to an attack.1,2 If you’re curious about the true cost of cybercrime, the Federal Bureau of Investigation’s Internet Crime Report is a veritable wealth of information. In 2021 alone, there were $6.9 billion in losses to cybercrime, with ransomware leading to an average loss of $13,194 per victim, phishing attacks an average loss of $136 per victim, investment fraud an average loss of $70,810 per victim, and email account compromise an average loss of over $120,000 per victim.3 If these numbers sound high, consider also that the FBI reports that its victim loss statistics do not even include estimates of lost business, time, wages, equipment, or third-party remediation services used by victims.4

A single cyberattack could place you tens or hundreds of thousands of dollars in debt. If you’re concerned after reading those statistics, then you at least partially understand the dangers of falling victim to cybercrime. The next logical step, then, is to minimize the chance of becoming a victim. Thankfully, there are several practices you can adopt that will greatly increase your defenses and your ability to recover from an attack. In the paragraphs below, I will focus primarily on mitigation and deterrence. Readers should be aware that there are other options, including transference (cyber insurance), acceptance, and avoidance, but transference has not yet proven to be a viable option, and the last two are simply unhelpful considering the likelihood and the scope of possible damage from cyberattacks.

The simplest and most effective step that any individual can take to increase their personal cybersecurity is to patch all software they use, so that it is updated to the most recently available version. Why is patching the first suggestion, before even using an antivirus, a firewall, or an intrusion detection system (IDS)? Because criminals targeting individuals use the exploits that are easiest to acquire, and those exploits target unpatched software.

Research shows that attackers are most likely to use malware that exploits a single, simple vulnerability with a high impact on the affected software.5 The premise behind this idea is that attackers follow an economic model (often unintentionally) that maximizes their gain and minimizes the work required to create and deploy an exploit. After all, it takes a substantial amount of time and energy to develop a zero-day exploit (an exploit for a vulnerability that the software vendor is not yet aware of).

Instead of discovering their own zero-days, cybercriminals search for recently revealed zero-days and simply copy those exploits for their own use, knowing that many users don’t bother to patch their devices. Software providers are aware of this and are much more likely to patch vulnerabilities that are easy to exploit and that could cause a significant amount of damage to an organization. An extreme example of this kind of exploit reuse is the ‘Duqu’ zero-day malware (thought to be related to Stuxnet, commonly known as the world’s first digital weapon), which used a vulnerability in Windows’ font-handling mechanism to execute code that collected keystrokes and system information. Just a year after the reveal of Duqu and Stuxnet, the same vulnerability that Duqu used ended up as the most commonly targeted vulnerability of 2013.6

Because of this, patching is seen as the first defense against the most common types of malware. Failing to patch is the equivalent of leaving your vehicle’s doors unlocked or your front door open 24/7. By closing the holes that criminals use to get in, you make it more likely that they will bypass you in order to find an easier victim. Trusted software vendors and cyber-focused government organizations alike recommend patching as one of the first steps toward better cyber hygiene. Intel communicates the benefits of patching, specifically noting that patches minimize the chance of cybersecurity incidents by protecting against commonly known vulnerabilities.7 The second step in the Cybersecurity & Infrastructure Security Agency’s well-known Shields Up cyber defense campaign is to ensure that software is up to date through patching.8

The first step offered in CISA’s Shields Up campaign is actually our next technique for improving your personal cybersecurity: multi-factor authentication. Multi-factor authentication (MFA) requires two or more methods to verify an individual’s identity. These methods include knowledge (passwords), biometrics, location, and more. Since cybercriminals can brute force passwords (often through offline dictionary attacks), steal passwords through phishing, or use channel-jacking attacks, MFA helps to ensure that users are out of reach of most attacks that can compromise systems.9

Software like Microsoft’s Authenticator app and the Duo Mobile authenticator app can halt an adversary’s access to a user account even when the adversary already has that account’s password, and these applications also alert users when their accounts are being accessed by other entities.10 Some tech-savvy users may want to go so far as to purchase a physical token that is required to access certain devices, like a Yubico Security Key, a Feitian ePass Security Key, or a Kensington VeriMark Fingerprint Key. As a simple start though, most MFA applications can be easily downloaded and used on your mobile device and tied to any accounts you’d like to associate with them. MFA is readily available on the majority of financial and email accounts, and it would be wise for the users of those accounts to immediately ensure that MFA is activated and properly used (and not ignored).

While MFA can ensure that even stolen passwords don’t immediately allow access to an account, I will add that passwords should still meet current standards. The National Institute of Standards and Technology offers the best password standards in its Special Publication 800-63B. NIST explains that passwords (memorized secrets, as the publication refers to them) should be at least 8 characters in length, should not contain repetitive or sequential characters, should not contain words related to the username or service, and should not contain dictionary words.11
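The four SP 800-63B rules listed above, turned into a checker as an added example (my code, not NIST’s and not from the article). The blocklist is a constructed stand-in for the large list of dictionary words and breached passwords a real deployment would load, and the substring match for blocklisted and context words is deliberately stricter than NIST’s exact-match comparison; both are assumptions of this example.

```python
import re

# Constructed stand-in for NIST's recommended blocklist of dictionary words and
# known-breached passwords; a real deployment loads a large list (assumption).
DEMO_BLOCKLIST = ("password", "letmein", "welcome", "qwerty", "iloveyou")


def has_repeated_run(pw: str, length: int = 3) -> bool:
    """True if any character repeats `length` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def has_sequential_run(pw: str, length: int = 3) -> bool:
    """True if `length` consecutive characters step by exactly +1 or -1 ('abc', '321')."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        steps = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "",
                   blocklist=DEMO_BLOCKLIST) -> list:
    """Return the list of SP 800-63B rules the password violates (empty list = acceptable)."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if has_repeated_run(pw):
        problems.append("contains repeated characters")
    if has_sequential_run(pw):
        problems.append("contains sequential characters")
    # Context-specific words: any token (3+ chars) of the username or service name
    # that appears inside the password.
    for ctx in (username, service):
        for token in re.split(r"[^a-z0-9]+", ctx.lower()):
            if len(token) >= 3 and token in low:
                problems.append("contains context word '%s'" % token)
    for word in blocklist:
        if word in low:
            problems.append("contains dictionary word '%s'" % word)
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "alice2024!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "alice", "Example Bank") or "ok")
```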

Passwords should also be different for every account, so that if one is compromised, the rest are still safe from attackers. For readers who feel this is too overwhelming: don’t simply give in and use basic passwords, and don’t store your plaintext passwords in a document on your computer. A better option is to use a vetted and approved password manager like Bitwarden, iCloud Keychain, or 1Password. These applications can generate passwords and remember them for you, ensuring that the only complex password you need to memorize is the one that unlocks your password manager.

Beyond patching, MFA, and passwords, there is another practice that will improve your cyber hygiene and minimize damage even if you end up with malware on your systems. Keeping a regularly updated (and encrypted) backup of your data is key to ensuring that you don’t fall victim to a ransomware attack. For the unaware, ransomware is malware that encrypts your personal data and locks you out of your own computer or mobile device. Often, attackers will then call or message you to demand a specific amount of money in return for the key to unlock your data.

Personal projects, photos, and financial information can all be stolen if you fall victim to ransomware. In this kind of attack, you could very well re-install a clean version of your operating system, but you would lose all of that personal information if you are not using a backup. An accessible offline encrypted backup is the best option, as anything that is connected to your computer could also be infected by the same ransomware (leading to connected backups also being encrypted by the adversary). Cloud backup solutions are also beneficial, but if you rely on them alone, you are trusting your data to an organization that can also be hacked and/or suffer a data breach.

If you choose not to use a backup, then you should at least ask yourself: what is currently on your computer or mobile phone that could be compromising if released to attackers, and what documents, photos, and videos would set you back emotionally and financially if they became inaccessible? At the very least, it’s highly suggested that you sanitize your digital environment. After all, even if you do use a backup, the ransomware attackers may have already exfiltrated your data in order to sell it online or use it for their own purposes (just think: if an adversary has even a single one of your tax returns, they could use that information for identity theft, applying for credit cards without your knowledge).

The four primary cyber hygiene methods I noted above should help to transform your digital interactions, giving you greater awareness of your environment and minimizing your susceptibility to cyberattacks. You may wonder why I didn’t mention antivirus in any of the above paragraphs. That is primarily because most people are already using it. Some of the best antivirus programs come enabled by default with Microsoft and Apple products (and if you’re using Linux, then you are very likely already aware of your best options, because contrary to popular belief, Linux can be hacked). Going back to the first suggestion: in order to use your antivirus software successfully, it needs to be updated regularly.

Beyond these suggestions, some readers will want to further their cybersecurity and advance beyond the basics. If you choose this route, I would suggest educating yourself about your available firewall options (you likely already have one in place in your home router), as well as possible network (and host) intrusion prevention systems and intrusion detection systems. The sad reality is that you can’t trust organizations to manage your cybersecurity for you, even though it’s their products’ vulnerabilities that lead to successful cyberattacks. But with awareness and motivation, you can minimize the chance of even the most dangerous cyberattacks, and you can be prepared to respond in case you or a family member is attacked. After all, the world of information technology, including its users and attackers, is only growing.

References:

  1. National Vulnerability Database. National Institute of Standards and Technology. (n.d.). https://nvd.nist.gov/vuln
  2. Ivanov, A., Emm, D., Sinitsyn, F., & Pontiroli, S. (2016, December 8). Kaspersky Security Bulletin 2016. The Ransomware Revolution. Securelist by Kaspersky. https://securelist.com/kaspersky-security-bulletin-2016-story-of-the-year/76757/
  3. Federal Bureau of Investigation. (2021). 2021 Internet Crime Report. FBI Crime Reports. https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf
  4. Ibid.
  5. Allodi, L., Massacci, F., & Williams, J. (2017). The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures (report).
  6. 2013 Threat Report (report). (2013). Helsinki.
  7. “What Is Patch Management? Benefits and Best Practices.” Intel. Accessed April 27, 2023. https://www.intel.com/content/www/us/en/business/enterprise-computers/resources/patch-management.html.
  8. “Shields up: Guidance for Organizations: CISA.” Cybersecurity and Infrastructure Security Agency CISA. Accessed April 27, 2023. https://www.cisa.gov/shields-guidance-organizations.
  9. Weinert, Alex. “All Your Creds Are Belong to Us!” Microsoft Security, Compliance, and Identity, July 24, 2020. https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124?country=us&culture=en-us.
  10. “More than a Password: CISA.” Cybersecurity and Infrastructure Security Agency CISA. Accessed April 27, 2023. https://www.cisa.gov/MFA.
  11. NIST Special Publication 800-63B. National Institute of Standards and Technology. (n.d.). https://pages.nist.gov/800-63-3/sp800-63b.html#singlefactorOTP
