My car was making…a sound. A bad sound. A kind of crunchy wrongness that only happened at a certain speed. I couldn’t replicate it at will and definitely couldn’t make it happen while the car was parked. I was about to be forced into a scenario I hate: visiting a mechanic with nothing more than a sound to imitate and a vague, “It’s broken?!”
I don’t mind mechanics. They’re honest people doing essential work. When my car’s manual says it’s time for a belt replacement or a tire rotation, I am more than happy to walk into my local shop, drop the keys, and announce what I need.
It’s the off-schedule, surprise issues that bring up my sense of dread. Is it a sensor? Some fluid leak somewhere? Did I forget some routine maintenance? Is it the spark plugs? (Spark plugs are a car thing, right?)
My unease about going to the mechanic is rooted in my shallow vocabulary for all things automobile. I couldn’t even begin to describe where I thought that crunchy sound was coming from. Starting a conversation with my mechanic was going to be very difficult.
At Asylas we recognize that your concerns around the cyber security of your business are not unlike my fear of going to the mechanic. We want to empower you to be in conversation with us about your business’s maintenance needs and its dread-inducing “crunchy sounds.”
We want to give you the equivalent of the car user manual. A vocabulary lesson on information security that will allow you to walk into conversations with confidence. To tackle your challenges with specificity. We recognize that the topic is broad and often intimidating. It can be hard to pick up the phone or send the first email if all you know to say is “help?!”
We developed this explainer in the hope that learning more about these terms helps you put a name to your concerns and empowers you to start a much needed conversation about protecting your business. You’ll feel at least twice as smart after you read this list. And we’ll marvel at your adept use of security terminology when you call us to talk about your needs.
The Basics: Terms You Probably Read, Hear, and Use Already
Software is the instructions that allow you to interact with your devices. Your computer’s operating system is software that manages the hardware and other software programs. All your favorites like iTunes and Excel and Photoshop are software.
Recently a friend told me, “I lost all my phone numbers because I didn’t send my data to the clouds [sic].” The cloud is software or services that run on the Internet, rather than on a local device. Your Google Document and the iCloud account that stores all your phone numbers aren’t living up in the sky somewhere. They’re living on a server–lots of servers actually–right here on earth.
The cloud is great because it frees up memory on mobile phones and laptops and makes streaming video for your sick kid who’s stuck on the couch a reality. The cloud is not great when a lost Internet connection means no content. And any information you share on a cloud-connected device is potentially vulnerable to hackers.
Antivirus software monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. Think Norton, McAfee, and Malwarebytes on your home PC. Good antivirus software is updated daily with the newest viruses on the web.
Breach (a.k.a., Data Breach)
Breaches make headlines all the time. Ahem, Equifax and Target. A breach is any release (intentional or not) of private or secure information to an untrustworthy entity. Target’s breach released 40 million customer credit card numbers to hackers. Equifax exposed the personal data of nearly 150 million Americans. A breach is every company’s worst nightmare.
Firewalls have been a component of network security for decades. They may be hardware (like in a router), software, or a combination of both. A firewall monitors the incoming and outgoing traffic on a network and blocks or allows that traffic based on a defined set of security guidelines. A firewall makes computers connected to the internet less attractive to hackers.
A virus is any piece of code that can copy itself and infect a computer without the user’s permission. Viruses can corrupt or delete the data on your computer. They may also hijack your browser and send you to malicious sites. Viruses arrive via email attachments, web downloads, and removable media (think thumb drives and the like).
VPN (Virtual Private Network)
Think of VPN as a fortified tunnel that allows data and other information to be shared securely between networks. Over a VPN connection, you can share confidential data over a public connection as if you were sharing it on a private network. Think about an employee who works remotely and uses a standard residential internet service to connect to the web at home. If they handle any confidential or sensitive company information, they need to be given access to a VPN to protect company interests.
Hackers come in more than one flavor. The bad guys are the black hat hackers who compromise computer systems for their own gain or just out of malice. The good guys are the white hat hackers. The white hats are security experts who make a career out of testing and improving the cyber security of companies and organizations.
The Next Level: Impress Your Friends
Internet Protocol addresses are numbers (like 220.127.116.11) assigned to any device on a computer network that uses the Internet Protocol for communication. Your IP address is like the return address on an envelope. Queries you send out on the web are marked with your IP so the queried site (like Google Search) knows where to send the results. IP addresses are typically location specific–Google can tell you the weather in your area because it knows where you are based on your IP address.
File Transfer Protocol (FTP)
FTP is one of the oldest protocols used in computing and is an easy way to move files. Files live on an FTP server and users access the server to upload or download content as needed. It’s important to know that FTP is not encrypted and can be intercepted by hackers. If you’re using FTP to put sensitive information on a server, consider switching to FTPS, or another encrypted protocol.
Encryption is the process of changing something from plaintext (like most of this blog post, hopefully) to ciphertext (a secret code created with a mathematical algorithm). Encryption disguises sensitive information from people who might intercept it. Only people who have the encryption key can crack the code and see the data. Online shopping and banking require encryption to ensure that sensitive financial data is protected. And most email providers have been encrypting email since 2014.
DoS or DDoS
Denial of service (DoS) or distributed denial of service (DDoS) attacks disrupt the services of a host by flooding the resource with excessive requests. These requests overwhelm the system and delay critical operations–denying legitimate users from getting what they need. DDoS attacks have ground E-commerce to a halt, crippled university operations, and much more. Criminal hackers use DDoS for a variety of reasons, from political activism to blackmail.
Multi-factor Authentication (MFA)
Have you ever logged in (with username and password) to your credit card account to pay your bill and been asked to receive (via email or text) a code that you will then enter in to verify your identity? It feels convoluted, I know. It frustrates me almost every time. But this process is a form of multi-factor authentication that protects your sensitive banking information. The factors in my example are something you know (your password) and something you possess (a code that was sent via a source outside of the current transaction). Whenever you’re asked to enable multi-factor (or two-factor or two-step) authentication, say YES.
The Internet of Things (IoT) is the devices embedded in everyday objects that allows them to send and receive data. IoT includes the fitness tracker on your arm that relays your heart rate to an app on your phone. It’s also your home thermostat that sends an efficiency report to your inbox once a month. IoT is spreading to every aspect of modern life. It has applications from medicine (a CPAP machine will tell your insurance company whether or not you’re using it regularly) to manufacturing (IoT sensors can tell when machinery is developing weakness and either signal for repairs or complete the repairs themselves).
Ransomware is a type of software that blocks access to a computer or network until a fee is paid to the hacker who instigated the attack. It typically arrives via an email that contains a malicious attachment or through a download from an infected website. Ransomware attacks are on the rise in 2019, especially among U.S. city and state governments.
Malware is any code-based malicious entity that seeks to infect a host. Malware includes viruses, worms, and Trojan horses. Worms are like viruses in that they can copy themselves (propagate), but unlike viruses they are not dependent on a host program to be spread. Trojan horses appear to carry out useful functions but are actually hiding something malicious.
Cyber Wise: Expert Level Knowledge
A vulnerability assessment is a good first step for companies who are not aware of their current state of cyber security or who don’t currently have strong security systems in place. A vulnerability assessment is usually synonymous with a vulnerability scan. A vulnerability scan consists of an automated tool connecting to each machine in the environment to test for missing patches and misconfigurations. The vulnerabilities identified are often those that are compromised by attackers, but don’t necessarily show a complete picture of the threat landscape unless paired with manual testing. Vulnerability assessments are typically conducted on a recurring basis.
Once you have completed a vulnerability assessment and the discovered weaknesses have been remediated, your organization is ready to take on a penetration test. The pen test mimics the actions of a black hat (malicious) hacker and exploits any vulnerabilities it finds in your system. Pen tests can be performed on external and internal company networks; wireless networks; and web and mobile applications. They can also test for physical and social engineering liabilities.
Social engineering is the process of tricking someone to either reveal sensitive information or to perform a specific action (like downloading and executing a malicious file). Phishing is a prevalent form of social engineering attack that typically tricks users through fraudulent emails. A phishing email usually comes from a random source. Spear phishing is a targeted attack. An individual is targeted with an email that is tailor made to tempt them to click. These emails can be really convincing–they come from sources that appear to be an entity you can trust. Fraudulent phone calls–vishing–are another form of social attack. Scam callers may impersonate bank, government, or utility company employees and request personal information such as account numbers.
Brute Force Attack
A brute force attack is a method employed by hackers to gain access to password-protected devices. A script or a bot is used to “guess” the required password for a device or account. Way back in 2012, a password-cracking expert revealed a machine that could make 350 billion password guesses per second. That means that any typical 8-digit password would be cracked in less than 6 hours.
In some ways password spraying is the inverse of a brute force password attack. In a spraying attempt, a hacker uses a program to attempt to log in to a large number of accounts with a common or dictionary password (think ‘password123’ or ‘guest789’). Hackers avoid detection and save themselves the trouble of password lock-out policies by “spraying” a common password at many accounts. Single sign-on applications are often the targets of spraying because one success yields access to many related systems.
Defense-in-depth (DiD) is a layered approach to protecting networks and systems. Think of it as the medieval castle approach to security–when one layer fails, another is there to take over. There’s a moat and drawbridge, tall walls, and archers standing in the ramparts. Deep within all those layers is the keep, where all the castle VIPs are protected by another layer of armed security. With network DiD, people and tech work together to create variable barriers across multiple dimensions of an organization. Developing a quality DiD plan is crucial to good cyber security.
Pharming is a method of cyber manipulation in which scammers direct users to websites that look like familiar ones and capture their confidential information when users enter it into the site. Imagine navigating to what you think is your credit card company’s website and logging in with your username and password, only to have a hacker capture your credentials. Pharming is especially worrisome because an individual computer may remain completely virus or malware free but its user can still be a victim.
Still want to learn more? Asylas would love to chat about your infosec needs. Email us at firstname.lastname@example.org or call 615-622-4591.