Why Does it Matter?
Cybersecurity is the practice of protecting systems, networks, programs, and data from malicious attacks. We're going to cover a lot of topics. We'll start with why security matters in the first place and why there are attacks. We'll cover cyber warfare, the types of threats you can expect, and why we can't stop them. We'll also cover some of the best offensive techniques and take a quick look at the cybersecurity market. Why does security matter and why do we care? Consumers and businesses are all at risk, and attacks have huge financial impacts. We can see how our modern-day cell phones and smartphones are interconnected with so many microservices in our day-to-day lives, including our home appliances, our vehicles, and our banking infrastructure. The Internet wasn't built with security in mind. Essentially, it was built as a simple way to check inventory, but it has blossomed into something much bigger. There are lots of interesting loopholes to exploit, and as the technology matures, so do the attacks.
This is my favorite representation of the internet; it's made out of Swiss cheese. Look at all these attack vectors that hackers can exploit.
Here, we can take a look at the landscape of how many network devices are currently present. In the early 90s, we barely had a million connected devices. Fast forward to 2020: we're looking at 50 billion network devices, and there are 10 billion humans on this planet. That means five network devices per person, so the attack surface is huge. In 1988, the Morris worm was the first recorded networking attack, and back then there were only about 60,000 network servers. In 2017, the WannaCry virus infected hundreds of thousands of computers, causing millions in damages in just a couple of days.
In 2018, the BlueBorne attack was reported to have affected 5.3 billion devices. That's almost every device that ever shipped with the Bluetooth protocol. These attacks are only going to get bigger and worse as we move forward. Unauthorized network access allows important data to be stolen, and we've seen so many examples of these attacks. Just a couple of years ago, the giant Equifax data breach affected 143 million people, and it caused a lot of problems because Equifax is one of the companies that decide our credit scores. Essentially, a lot of personal information was stolen.
Malicious apps constantly track personal data. Sophisticated surveillance malware has been spotted on both Android and iOS phones. In a lot of these cases, all the attackers want to do is steal as much data as possible and leverage it for identity theft. 60% of small companies that suffer a cyberattack are out of business within just six months, and in a lot of cases simple steps could have helped avoid the hack completely. In many of these cases, private details are leaked: bank credentials, social security numbers, and credit card info all lead to identity theft. These critical attacks can bankrupt both individuals and businesses, and fixing these issues takes up a lot of time and money, which are valuable resources. The threat landscape is evolving fast and constantly introducing new risks. Let's take a glimpse into the future. You're sitting in an autonomous vehicle on your way to work, casually reading Harry Potter. Everything is amazing, right? Wrong. The truth is that hackers can remotely kill a Jeep on the highway with unsuspecting passengers. In that situation there's at least a steering wheel and a brake to override the malicious commands; in an autonomous vehicle you wouldn't even have that chance. So, safety is of paramount importance.
Let's take a quick look at a high-level architecture for autonomous vehicles. You see LIDAR sensors, radar sensors, and multiple cameras; these redundancies are built in so that you have backups. Every single one of these has possible exploits. When an autonomous vehicle enters an intersection, look at how much data it has to ingest: pedestrians, people on bicycles, other vehicles, and physical objects. That's a lot of processing done in seconds, and hackers can use this to spoof a lot of data and cause panic. Just this week, a Fortnite hack warning was issued for 250 million players: a simple payload that was meant to help you track and aim better was actually malicious and ended up locking up your computer and forcing you to pay a ransom. What are all these attacks showing us? It could be your banking services, it could be your automobile, and it could even be video games. Any service that's connected to the internet is susceptible to an attack.
Why Are There Attacks?
We've covered a couple of attacks; now we have to start asking ourselves why there are attacks and why this keeps happening. In most of these cases, the attacks are financially motivated. Sometimes they're done just for the fame and the recognition, for the lulz, and because they can. Breaking something is far more fun than building something, and as a hacker you get to think outside of the box, so they come up with very interesting and fun threats. Hackers typically go for easy, low-hanging fruit; they love to hit and run, especially in high volume. An example of this is an SMS premium message hack, where they spoof your phone and have you pay $10 per message to some premium line. Something as simple as this actually generates millions of dollars per month, so you can't really blame them: they're going for the easy money, and they're often contracted for work on high-value targets. As the saying goes, if you're really good at something, you're not going to do it for free. Another growing trend is nation states using far more sophisticated attacks, the most infamous being Stuxnet, developed by the American and Israeli defense forces. This is a growing concern because it leads us into the topic of cyber warfare.
Cyberwarfare
Why is this important? Well, the next world war will be a cyber war first and a shooting war second. Cyber warfare is essentially digital attacks used by one nation state to disrupt the vital computer systems of another. They attack enemy infrastructure with code rather than missiles. Banking, energy, and health industries are all at risk, and it's done very silently. A nation wouldn't even know it's under attack until it's been crippled, and this is all done without firing a single bullet. America is woefully unprepared for cyber warfare, especially in our energy infrastructure, which is why the Department of Defense is spending so much money ramping up security efforts in this particular area.
Types of Threats
We saw a couple of examples of threats. Let's look at the different types of threats you can expect in this landscape: ransomware, malware, phishing, and social engineering. We'll take a look at each one of these and find an example.
- Ransomware is a type of attack designed to restrict access to files and systems until a ransom is paid. Basically, the hackers find a way to restrict access or block you from using your own computer or device until you meet their demands. Typically, they find some type of exploit that lets them lock up your devices in this manner. The problem is that paying a ransom never guarantees that anything will be recovered: your device might stay locked, and your data might be lost forever. It's a bad situation because paying provides an incentive for them to continue in the future; you could pay this week, and next week they might hit you again. There's never any guarantee, and because of this it's becoming highly popular. Just this year, ransomware attacks have more than doubled, especially file-encrypting malware attacks. The hackers love this because it gains them so much money in so little time. They only have to develop the product once, then distribute it en masse and play the numbers game. In Texas specifically, 22 cities and towns were hit and hackers demanded millions in payment. They love to hit rural areas because they know there is no security infrastructure in place to defend them. States are also bracing for a ransomware assault on voter registries; we've seen this become a common theme recently. It's a carryover from the 2016 elections. We're still seeing that other nation states may be getting involved with anything relating to our nation's election system, and four years later we still have not come to grips with this. It's still the most exposed part of our election system and we don't really have any security in place, so that's definitely something to watch out for.
- Malware is software designed to cause harm to your computer. It can perform a variety of functions, anything from stealing to altering or deleting data. It typically comes in the form of a virus, worm, or Trojan. Some people like to argue that ransomware is actually a subset of malware. The distinction between the two is that ransomware typically does not alter your data; it just locks it up so you can't use it. It restricts your access, but your data is intact. Malware is different: its main purpose is to actually cause harm to your data, specifically to alter or delete it. In some cases, ransomware and malware can be combined: they'll lock your computer up and if you don't pay, they'll delete your data. Botnets are very popular with malware. Essentially, the attackers figure out a way to exploit your computer and turn it into a zombie. You don't even have control over your own processes, and they can run their own programs, software, and commands. Typically, they like to do this in bulk. Malicious websites have been used secretly to hack into iPhones for years. Every year we find out that there are certain zero-day exploits that had not been discovered before, and that various organizations are using them to gain control of your mobile devices. This is a problem with Android phones also. It's also very popular for nation states to use these zero-day exploits to specifically track dissidents, or anyone who says anything bad about them. So, this is another growing concern.
- Phishing is by far the most popular type of attack. It's an attack meant to steal sensitive information by pretending to be a trustworthy source. Everybody has gotten the famous email, so you have definitely been part of a phishing attack. In this particular one, an individual pretends to be a Nigerian prince and tells you that if you help them out, they will give you a commission on a huge sum of money. Obviously, this is all false. The end goal is to steal certain data from you, either your credentials or your banking information, things like that. Again, it's the most common method of attack because it's highly successful. They play the numbers game; there are a lot of gullible people out there. You'll get emails like "Hey, click this link and you could win a free $100 Amazon gift card." You end up clicking it and it takes you to a malicious website. Let's take a quick look into what actually happens in a phishing attack.
So, you have an attacker, and he sends an email to the victim. The email comes in all different shapes and forms: it could be a plain text email saying they're a Nigerian prince, or it could be an email with a link to a free Amazon gift card. Whatever it might be, their goal is to have the victim click on the link, and they'll use different stories for that. The victim clicks on the link in the email and it redirects them to the phishing website. Again, there are different tactics here, but the phishing website is typically a fake. It could pretend to be a Facebook login page, or it could pretend to be the Amazon homepage. It never is; they spoof and duplicate it just to fool the user. On that website, it'll give you a prompt to log in. When you log in, the attacker collects your login and your password credentials. Then the attacker takes the credential information he has gotten from you and uses it on the legitimate website. In this form, he didn't even need to do a sophisticated attack; you pretty much supplied him with all the information he needs. That's just a basic look at what happens in a phishing attack. Again, it's very popular and it works a lot of the time.
Let's take a look at this one. Would you be able to tell which one is fake just by looking at these screenshots? One is a legitimate login for the iTunes Store, and one is a fake. The fake one is actually the one on the right, number two; visually inspecting it, you cannot tell the difference between the two. With some apps, you can actually prompt the app to give you a login prompt, and in this particular one they designed the login prompt to look like the iTunes Store one. You have to be vigilant, and if a prompt like this comes from a random app, you need to ask yourself why it is asking for these credentials, because it's really tough to tell just by visually inspecting it.
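The phishing flow above hinges on one moment: the victim clicks a link whose visible text and real target disagree. The following is an added example (not code from the lecture) of the kind of check a mail gateway or a training tool can run over an email body before a human sees it. It assumes a small allow-list of expected brand domains (`TRUSTED_DOMAINS`, an assumption), a constructed sample email, and a crude "last two labels" rule for the registrable domain, which is enough for the .com hosts used here but not for two-level TLDs like .co.uk.

```python
"""Flag phishing tells in the links of an email body (added example, not from the lecture)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose pages this mailbox expects to be linked legitimately (assumption).
TRUSTED_DOMAINS = {"amazon.com", "facebook.com", "apple.com"}

# Constructed sample: one lookalike link, one honest link, one raw-IP link.
SAMPLE_EMAIL = """
<p>Congratulations! Click <a href="http://www.amaz0n.com/claim">https://www.amazon.com/gift</a>
to claim your $100 gift card.</p>
<p>Questions? Visit <a href="https://www.amazon.com/help">our help page</a>.</p>
<p>Or log in at <a href="http://203.0.113.7/login">facebook.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; a small value against a brand name suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com hosts used in this example."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return a list of human-readable findings for one link."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    domain = registrable_domain(host)

    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append("link target is a raw IP address, not a hostname")

    # The text the victim sees names one domain, but the href goes somewhere else.
    m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        findings.append(f"display text says {registrable_domain(m.group(1))} but link goes to {domain}")

    # Typosquat (amaz0n.com) or brand name buried in another host (facebook.login-example.com).
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if domain != trusted and (edit_distance(domain, trusted) <= 2 or brand in host):
            findings.append(f"{domain} looks like {trusted} but is not it")
    return findings


def analyse_email(html):
    """Map each href in the email to its findings (an empty list means nothing suspicious)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in analyse_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

Run against the sample, the honest Amazon help link produces no findings, the `amaz0n.com` link is flagged twice (text/target mismatch and typosquat), and the raw-IP link is flagged for the IP and for claiming to be facebook.com. The same checks are what a user is asked to do by eye in the screenshot comparison above, which is exactly why automating them is worthwhile.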
- Social engineering is by far my favorite; I actually like to call these James Bond tactics, mainly because you don't need to do them online or on a network. You can actually do these attacks in real life. A social engineering attack is meant to manipulate people into giving up confidential information. In organizations, people tend to be the weakest link. It doesn't matter if you have the best security in place; if a human in the organization gives up the credentials, it does you no good. Let's take a quick look at an example of a social engineering attack. In this situation, a pen tester decided he wanted to fish for the unlisted email address of a CFO at a company. How would you go about this if it's unlisted? Well, he directly calls the CFO's administrative assistant. He calls her up and she answers: "Hi, this is Acme Products. This is Madison, how can I help you?" At this point, the pen tester goes: "Hi, Linda. This is Jesse" (a fake name, by the way). "I'm a new hire in budgets. I'm trying to update some contact lists. Do you have Mr. Charles's email address for our records?" The assistant follows protocol: "I do, but that's not given out. Why don't you just use my address, and I can forward it to him." This is where the pen tester uses typical human tactics: "I know that, but I'm just being put through the wringer down here. I was supposed to have this on my manager's desk over an hour ago and he keeps checking up on me, and I just started this job." He's playing the victim, and as a human you feel bad. The assistant goes: "Alright, I understand, calm down. This is the address." In this situation, he just pretended to be someone he wasn't, and he was able to fool the assistant, who at first was following protocol but cracked after a little more pressure. So, let's take a look at another one. This is also a very common one that red teams do: trying to gain access to an area for which you don't have access or credentials.
Here, the pen tester wants to enter the building, so he just tailgates in: he recognizes someone who's been going in and out, goes up to him, and starts making small talk. "It's been a hell of a week, huh?" The man goes, "Yeah, I guess it has." The pen tester says, "I left my ID in the car and my car's in the shop. I guess you really should get an oil change every 3,000 miles." He makes the man feel comfortable with small talk, and as the man is walking inside, he ends up opening the door for the pen tester. He just lets him in himself. This is the type of situation where you manipulate someone, you make them feel comfortable, and you gain access to somewhere you shouldn't. A very popular attack that happened was a T-Mobile website bug a couple of years ago. It actually got a lot of celebrities and high-profile people involved. Basically, there was a JavaScript misconfiguration in the app on the T-Mobile website, so you could enter anyone's number and it would pop out their name, their actual home ID, phone number, the IMEI number for their SIM and their phone, and a bunch of other very interesting and confidential information. The hackers would take this new information and call T-Mobile directly, pretending to be the account holder. When you call a phone service, they typically ask you a couple of screener questions; well, all those answers were in that leak. They were able to pretend they were these celebrities or high-profile characters and get another SIM card sent to them. You might be wondering, what's the big deal if they got access to your SIM? Well, nowadays two-factor authentication is tied to your phone. If someone has your SIM card, they can basically gain access to all your accounts, since they're tied to your phone number. It ended up being very expensive and very time-consuming for people to get this fixed.
They lost a lot of personal logins: Facebook, banking, anything and everything you could think of was stolen in those situations. Now we know all the different types of threats, and we've seen what's happened in the past.
Why Can’t We Stop These Threats?
Well, to answer that, we have to start from the top. Let's look at it from the product development cycle. Typically, when you're designing a product, you're looking at usability, technology, and the business use case; when you find the intersection of all three, you're hitting the sweet spot for a great product. Now, let's take a look at this again and try to figure out where security fits among usability, technology, and business. The truth is security doesn't touch any of these. Usability and security are completely independent of each other, which makes it very tough in the design phase. Here's a great example: I want to figure out the best way to secure your laptop. You have to completely disconnect it from the internet. That does you no good, right? Essentially, you end up with a digital typewriter and nothing else, but it's secure. Your call. Good security is tough. Nothing is ever 100% secure and, as you can see, usability and security pull against each other. Security is expensive and it slows down the pace of product development. If you're a company trying to push a product out, you're more worried about time to market and you're rushing to finish the product. You're not going to sit there and worry about risk assessments and a possible hack when you're still worrying about finishing the product. Typically, this isn't thought about when you're first developing the product. Security also requires constant vigilance; it's not something you do once, it's a process, and you have to constantly be at it. And the rate of return is not linear in spending: security is a chain, only as strong as its weakest link. You could spend a billion dollars getting the best and baddest security devices, but if there's an attack somewhere up in the supply chain, it doesn't matter.
If they're hacked and you're using their products, then you're susceptible to an attack as well. Security is a cat-and-mouse game: you're always on your toes, and it ends up being an arms race. For example, you start using stronger encryption; well, the bad guys are going to use stronger hardware to crack it.
The Best Offense is a Defense
Let's take a look at a couple of examples of how we can create a secure framework. The best offense is a defense, meaning that in security you have to be proactive. You need constant security awareness; you need a policy in place so you know what to do and have a playbook for when an attack happens; you need technology; and you need vigilance. With those four pillars, you'll have a much more secure landscape.
Here's a case study of a bank hack that happened very recently, when hackers pulled off a $20 million Mexican bank heist. The method of attack they used was not even that sophisticated; they were just very ingenious in the way they carried it out. Based on the threats we discussed earlier, you'll see how they used a mixed bag of them to make their mission successful. First, they launched a phishing attack on specific bank employees to gain their account credentials. This is very common: for example, they'll send someone in the finance department a message like "Hey, check out this Excel sheet, it has this year's budget." They craft it so that you're very likely to click on it. They probably play the numbers game: they get access to the email addresses somehow and spam those employees until they get the account credentials. Once they had the credentials, they realized there was improper network segmentation, meaning there weren't proper access controls. The hackers were initially able to get access into the system, and then they realized they had way more access than they should have. They were able to dive deeper into the code bases and see a lot of confidential files, and this escalated their privilege. So, they started off with something really basic, just random employee accounts, and then they were able to escalate further and see a lot of information that probably should not have been accessible at all. Now that they had escalated their privilege, they used specific flaws in the payment system the bank was using to do a high volume of micro transactions. For example, in the United States, any transaction over 10,000 US dollars gets flagged: this is a large amount of money and the bank needs to understand why the transfer is taking place, so they start asking questions.
Well, the attackers were able to use a specific amount that did not trigger the servers' flags at all, and they pushed these payments through based on that. The bank actually had tools to detect malicious activity in this case, but here's the problem: they were misconfigured. So, it didn't matter that they had a system in place, because it wasn't set up properly and it did not catch anything. Here's an analogy: you have a house, and you have a lock on the front door. Is having a lock enough to prevent intruders? No, you have to make sure to lock the door every single day as you're leaving; only then is it secure. In this case, they had the lock, but they just forgot to lock it when they left the house. That's what happens when you misconfigure your security tools: it does you no good. Then they used hundreds of cash mules to withdraw the money: they physically sent in people who would withdraw small amounts, either from the ATM or from tellers. This completely flew under the radar; a typical bank does thousands of transactions per day. Over the course of weeks, they sent hundreds of people doing small transactions that would fly under the radar, and it eventually added up to $20 million. This is just one type of strategy that criminals have used to hack into banks. There are actually multiple case studies from different areas, and there are lots of interesting ways that they go about this.
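Two lessons from the heist are worth seeing in code: a per-transaction limit alone misses many transfers that each sit just under it, and a detection tool that exists but is misconfigured catches nothing. The block below is an added example, not the bank's tooling or anything from the lecture. The transfer log, account names, amounts, and timestamps are constructed; the 10,000 single-transaction limit is the one the lecture mentions. The two rule configurations are an assumption chosen to mirror the case: identical except that the misconfigured one leaves the aggregation window at zero hours, which switches the structuring rule off.

```python
"""Catch structured (sub-threshold) transfers that a per-transaction limit misses.
Added example; the accounts, amounts and timestamps are constructed, not from the case."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Transfer = namedtuple("Transfer", "ts source dest amount")


def parse(rows):
    """Turn (timestamp string, source, destination, amount) rows into Transfer records."""
    return [Transfer(datetime.strptime(ts, "%Y-%m-%d %H:%M"), s, d, a) for ts, s, d, a in rows]


# Constructed log: one account drips five payments just under the limit to different
# recipients, one account makes a single large-ish payment, one crosses the limit outright.
TRANSFERS = parse([
    ("2019-03-05 09:02", "ACC-7731", "MULE-01", 9_800),
    ("2019-03-05 09:15", "ACC-7731", "MULE-02", 9_750),
    ("2019-03-05 11:40", "ACC-7731", "MULE-03", 9_900),
    ("2019-03-05 14:05", "ACC-7731", "MULE-04", 9_800),
    ("2019-03-05 16:30", "ACC-7731", "MULE-05", 9_850),
    ("2019-03-05 10:00", "ACC-1002", "ACC-5540", 9_500),   # one legitimate near-limit payment
    ("2019-03-05 12:00", "ACC-3310", "ACC-8891", 12_500),  # over the single-transaction limit
    ("2019-03-05 13:00", "ACC-1002", "ACC-2200", 120),
])

# "They had the tool but it was misconfigured": same rules, aggregation window left at 0 (assumption).
MISCONFIGURED = {"single_txn_limit": 10_000, "aggregate_window_hours": 0, "near_fraction": 0.9}
CORRECTED = {"single_txn_limit": 10_000, "aggregate_window_hours": 24, "near_fraction": 0.9}


def detect(transfers, config):
    """Return (rule, account, amount) alerts produced under the given rule configuration."""
    limit = config["single_txn_limit"]
    # Rule 1: the naive per-transaction flag the lecture describes.
    alerts = [("single-transaction", t.source, t.amount) for t in transfers if t.amount > limit]

    hours = config["aggregate_window_hours"]
    if not hours:
        return alerts  # aggregate rule switched off: structuring goes unnoticed

    # Rule 2: per source account, sum near-limit transfers inside a sliding time window.
    window = timedelta(hours=hours)
    floor = config["near_fraction"] * limit
    near_limit = defaultdict(list)
    for t in transfers:
        if floor <= t.amount <= limit:
            near_limit[t.source].append(t)

    for account, events in near_limit.items():
        events.sort(key=lambda t: t.ts)
        best, start = 0, 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            if len(span) >= 2:  # a single near-limit payment is not structuring
                best = max(best, sum(t.amount for t in span))
        if best > limit:
            alerts.append(("structuring", account, best))
    return alerts


if __name__ == "__main__":
    print("misconfigured:", detect(TRANSFERS, MISCONFIGURED))
    print("corrected:    ", detect(TRANSFERS, CORRECTED))
```

With the misconfigured rules only the 12,500 transfer is reported, which is exactly the blind spot the attackers used. With the window set, the same code also reports ACC-7731 for 49,100 moved in five sub-limit pieces within a day. The point of the example is that the detection logic was present in both runs; only the configuration differed.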
Cybersecurity Market
With all these attacks, we can see that the cybersecurity market is blossoming. In fact, it's set to eclipse 300 billion by 2024, which makes it a great career choice. Here are some examples of career paths. Typically, you start off as an information security analyst. That's a fairly general role, but you get to touch a lot of the tools in the security domain. Moving forward, there's penetration tester, forensic computer analyst, security systems administrator, and security architect. These are a bit more specific and require more experience, but once you have the basics it's pretty easy to get into them. The final one is the CISO, the Chief Information Systems Officer, who typically acts like the general for the entire security domain in a company. With all these career paths, there are a lot of companies hiring in this area; the top 10 companies hiring cybersecurity professionals are all actually really well known. Apple, Federal Reserve Bank of New York, Patient First, Lockheed Martin, General Motors, Capital One, Cisco, Intel, Northrop Grumman, and Boeing all hire in this area. They're all from completely different sectors. It shows that, even though they're spread across industries, the common factor is that if you are a company with services involved with the internet, then you're going to require a cybersecurity team.
Conclusion
We covered a lot of topics, starting with why security matters in the first place and why you as a consumer or business should care, why attacks happen, and the growing threat of cyber warfare. We also covered the types of threats you can expect in this landscape, why we can't even begin to stop them at this moment, and what makes security so difficult. We covered some good offensive strategies, and we touched on the cybersecurity market and how you can have your place in it. This was just a quick intro to cybersecurity, and we've got a lot of great content coming soon.