Cybersecurity: Protect yourselves in 2021
Another Friday, another blog post; we’re following up last week’s topic on cybersecurity and the common threats you find in the digital world. This time we’re talking specifically about prevention and defence.
As Benjamin Franklin used to say, “An ounce of prevention is worth a pound of cure.” The same logic applies to securing your enterprise on the digital front, and to the costs you face if you don’t.
Boy oh boy, are the costs staggering. We’ve already mentioned how Cybersecurity Ventures predicted the cost of cybercrime would reach an astonishing $6 trillion a year by 2021.
And they were pretty much on the ball with their calculations.
Remember that little COVID-19 pandemic of the past year and a half? Think of how hard it hit the economy. Just to give you a sense of perspective, the World Bank’s Global Economic Prospects report put the total cost of the pandemic to the world economy, to date, at around $10 trillion.
Cybercrime is the smaller number, you might say. Well, the new data is in, and by 2025 Cybersecurity Ventures expects that annual cost to rise to a whopping $10.5 trillion.
Pretty much tomorrow…
Hacker-geddon is here
All right, we might be exaggerating. But only a bit, because the reality is that we’re already living in a digital era dominated by IoT, cloud services, online support and digital infrastructure.
And according to the first law of cybersecurity, everything has a vulnerability; everything is within the potential grasp of ill-intentioned hackers. Thus, all that infrastructure could come crashing down in an instant.
Ted Koppel describes the potential collapse of the US electrical grid in his 2015 New York Times bestseller, “Lights Out: A Cyberattack, A Nation Unprepared”.
You might be tempted to dismiss this as another Y2K scare, but unlike then, the threat is real. A cost-benefit analysis performed by the Systemic Analyser in Network Threats project (SAINT), funded by the European Commission, supports this notion.
With a threat this big, you can rightly guess that demand for qualified specialists is at an all-time high, and barely met. According to the US Bureau of Labor Statistics, employment in cybersecurity (information security analysts) is projected to grow 31% from 2019 to 2029.
And job postings have increased by 94% in the past six years.
Here’s a domain overview diagram. We love it so much we’re going to show it to as many people as possible, as often as possible!
All this is to say that specialists all over the world, at big corporations and small firms alike, recognise the threat. So, if you’re undecided on your career path, you can safely bet that InfoSec is growing, hyper-flexible, constantly evolving and always short of people.
But if you’re not planning on changing careers, what can you do to secure yourself and your enterprise from this mayhem?
We said it before – we’ll say it again: Knowledge is the best tool.
Cybersecurity – Ways to defend yourself
Here’s a list of some of the ways cybersecurity handles the threat. For a fuller treatment we suggest Hugo Hoffman’s Cybersecurity Bible, 4 books in 1. Introduction…
Strong Passwords
This one might be obvious but is nonetheless worth mentioning first.
After all, one of the leading causes of breaches is weak or stolen credentials. In other words: weak passwords, and passwords that have already leaked from somewhere else.
People wrongly assume that a single-word password with a few character substitutes (think P@ssw0rd) is secure and uncrackable. Cracking tools try exactly those substitutions first. It is understandable why we do this; after all, who wants to remember unique gibberish for every platform they use?
According to statista.com the average number of accounts per person rose from 4.3 in 2013 to 8.5 in 2018; other sources suggest that an average person has up to 150 accounts across different platforms.
Hypothetically those people would need to create and memorise 150 unique passwords.
Speaking of unique passwords…
A massive problem is password reuse; it’s estimated that around 65% of all users reuse the same password across multiple platforms.
So when one of those platforms is breached, the attacker replays the leaked email and password against every other site (credential stuffing), and then takes anything the hacker wants.
What can you do?
First, get a password manager. Then every account can have a long, random, unique password and you only have to memorise one.
Second, create a strong master password. It’s as simple as that.
The English language has 26 letters and roughly 470,000 words in total. That is only about 19 bits of choice, a trivial space for a hybrid dictionary attack that tries every word with the usual substitutions and suffixes.
Here’s a small list of easy guidelines to create your new password:
- Make it at least 12 characters long, 15 or more if you can; length does more for you than clever symbols.
- Avoid dictionary words, slang, curses, names, places, or anything real on its own.
- Include symbols, digits, uppercase and lowercase.
- If you must use words, string together three or four unrelated ones (a passphrase).
- Consider using words from another language.
- Memorize your new password using a memorization technique!
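To put numbers on the two points above (a single word with substitutes is no defence, while length and randomness are), here is a small added example that is not part of the original post. It does what a hybrid dictionary attack does for free, stripping a trailing digit/symbol run and mapping leet characters back to letters before looking the word up, then compares the search space of three schemes using the 470,000-word figure from the text. The wordlist is a constructed stand-in, and the number of leet variants and suffixes tried per word and the guess rate of one GPU rig against a fast unsalted hash are assumptions, not figures from the post.

```python
import math
import re

# Figures taken from the post: ~470,000 English words; 94 printable ASCII
# characters (letters, digits and symbols, excluding space).
DICTIONARY_WORDS = 470_000
PRINTABLE_ASCII = 94
# Assumptions about the attacker (not from the post): case/leet variants and
# trailing digit/symbol suffixes tried per word, and the guess rate of one
# GPU rig against a fast, unsalted hash.
LEET_VARIANTS = 1_000
SUFFIX_VARIANTS = 10_000
GUESSES_PER_SECOND = 1e10

# Constructed mini wordlist; a real attack uses the whole dictionary plus
# every password that has ever leaked.
WORDLIST = {"password", "dragon", "summer", "letmein", "welcome", "monkey"}

# Common substitutions, mapped back to the letter they replace.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo what a hybrid attack undoes for free: drop a trailing run of
    digits/symbols, lowercase, and map leet characters back to letters."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.lower().translate(LEET)


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True when the password is just a wordlist entry in disguise."""
    return normalize(password) in wordlist


def search_space(scheme: str, length: int = 0, words: int = 0) -> float:
    """Number of candidates the attacker has to enumerate for each scheme."""
    if scheme == "leet_word":        # one word + substitutions + suffix
        return DICTIONARY_WORDS * LEET_VARIANTS * SUFFIX_VARIANTS
    if scheme == "passphrase":       # `words` randomly chosen dictionary words
        return float(DICTIONARY_WORDS) ** words
    if scheme == "random":           # `length` random printable characters
        return float(PRINTABLE_ASCII) ** length
    raise ValueError(f"unknown scheme {scheme!r}")


def entropy_bits(space: float) -> float:
    """log2 of the search space: how many bits of guessing the attacker faces."""
    return math.log2(space)


def expected_crack_years(space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the right guess: half the space at `rate` guesses/s."""
    return space / 2 / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Dr4g0n2021", "tundra-violin-gasket-lamp"):
        print(f"{pw:28} dictionary-based: {is_dictionary_based(pw)}")
    for label, space in (("one leet word + suffix", search_space("leet_word")),
                         ("4 random words", search_space("passphrase", words=4)),
                         ("12 random characters", search_space("random", length=12))):
        print(f"{label:24} {entropy_bits(space):5.1f} bits  "
              f"~{expected_crack_years(space):,.0f} years to crack")
```

Under these assumptions the substituted word falls in minutes, while four random words or twelve random characters sit at 75-79 bits and take on the order of a hundred thousand years or more; the word-count and length matter, the @ and 0 do not. The same normalisation is what a sign-up form can run to reject a “new” password that is just a wordlist entry in disguise.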
Biometrics
Here’s something you can’t leave at home or forget: your biology!
Biometric authentication relies on biological measurements or physical characteristics to identify individuals: facial recognition, fingerprint mapping, iris/retina scans, behavioural patterns, heart-rate sensors, the shape of the ear, body odour, posture, the veins in one’s hand, DNA analysis and much more!
It does sound like science fiction, especially the further down the list we went, but it’s reality!
Of course, your personal device is not going to have an on-hand blood tester any time soon (not impossible either!), but facial recognition, fingerprints and voice recognition are familiar to everyone.
Biometrics are a very convenient and largely secure way of keeping your systems safe! They are of course not without fault. A biometric is an identifier rather than a secret: your fingerprints are on everything you touch and your face is all over the internet, and unlike a password neither can be changed if a copy is made. Treat it as one factor among others, not the only lock.
There are also concerns about privacy, who gets access to that data, where it is stored and how it is protected, not to mention the high cost of installing these systems.
The systems involved, from the hardware to the software, are fascinating, and perhaps we’ll be deconstructing some of them later!
Multi-Factor Authentication
People have their mobiles on them pretty much 24/7; that is the age we live in now. Whether you consider that a good or a sad thing is a topic for another day.
What we can tell you is that having a second device confirm that it really is you logging in is a powerful tool in cybersecurity! We’ve harped on how nothing is 100% secure, but adding an extra layer really makes a difference: a stolen password alone no longer gets the attacker in.
Multi-Factor Authentication (MFA) is the process of presenting two or more independent pieces of evidence (factors), of different types, to a security mechanism in order to access data.
These factors are:
Knowledge – something only the user knows, typically a strong password or PIN.
Possession – something only the user has, normally a personal mobile device (or, better yet, a dedicated hardware token such as an RSA SecurID if you want to go hardcore).
Inherence – something the user is: the biometric systems above.
Short-lived codes (sent by SMS or email, or generated by an authenticator app) are the usual way of proving the possession factor, since the code is tied to the device or account that receives it. A dedicated app or hardware token is preferable to SMS or email, which can be intercepted or redirected (SIM swapping), and two codes of the same type still count as one factor.
The MFA market has been growing steadily, and some projections say the $11 billion market of 2021 will grow to $23.5 billion by 2026!
Anti-Virus Software in Cybersecurity
Anti-virus software is built specifically to detect, prevent or remove malware. It’s hard to imagine a device without it; every piece of hardware has some form of protection, a firewall or a full-fledged anti-virus. And there’s a good reason for this.
An ever-raging battle between ethical hackers and software security engineers on one side and criminal hackers on the other keeps malware evolving and spawning new strains.
So much so that the AV-TEST Institute reports 1,231.69 million unique malware samples registered, with the number rising by around 350 thousand each day.
The anti-virus market is currently valued at around $37 billion and keeps growing.
But for all the fighting our brave InfoSec defenders do, the numbers are not in their favour. A 2012 analysis publicised by Brian Krebs caused mayhem when it put the effectiveness of antivirus software at only 25%. The situation has improved, but only so much: 2019 studies put effectiveness at 86-92%.
That might sound impressive, but think of it as 1 in 10 pieces of malware slipping past unnoticed, then compare that to the 9.9 billion malware attacks registered in 2019.
Part of the reason is that signature-based detection can only recognise things it has seen before, and with 350 thousand new samples a day the situation is grim. Heuristic and behavioural detection narrow the gap but don’t close it.
So, as always, the best form of defence is foreknowledge and NOT CLICKING ON UNKNOWN LINKS FROM UNKNOWN SOURCES!
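Here is an added example (not code from the original post) of why “only what it has seen before” is such a problem. It builds a toy signature database from one constructed sample, a hash of the whole file plus a byte pattern an analyst might extract, then shows what the two cheapest tricks in the attacker’s toolbox do to each. The “malware” is a harmless constructed byte string with a reserved example hostname; nothing here is real.

```python
import hashlib

# Constructed stand-in for a malicious file: a fake header plus the hard-coded
# URL a dropper would fetch its second stage from. Nothing here is real malware;
# the hostname uses a reserved example domain.
KNOWN_SAMPLE = (b"MZ\x90\x00constructed-dropper-v1\x00"
                b"GET http://loader.example.invalid/stage2.bin\x00"
                b"padding" * 4)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database as it stands on "day one": the exact hash of the sample
# that was captured, plus a byte pattern pulled out of it by an analyst.
HASH_BLOCKLIST = {sha256(KNOWN_SAMPLE): "dropper-v1"}
PATTERN_SIGNATURES = {"dropper-stage2-url": b"loader.example.invalid/stage2.bin"}


def scan(data: bytes) -> list:
    """Return the names of signatures that fire. An empty list means 'clean
    as far as this scanner knows', which is not the same thing as clean."""
    hits = []
    digest = sha256(data)
    if digest in HASH_BLOCKLIST:
        hits.append("hash:" + HASH_BLOCKLIST[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append("pattern:" + name)
    return hits


def recompile_variant(sample: bytes) -> bytes:
    """What the attacker does to dodge a hash signature: change one byte
    (a version string, some padding) and ship the 'new' sample."""
    return sample.replace(b"dropper-v1", b"dropper-v2")


def obfuscate(sample: bytes, key: int = 0x5A) -> bytes:
    """What the attacker does to dodge a byte pattern as well: XOR-encode the
    payload so the URL never appears in clear until the loader runs in memory."""
    return bytes(b ^ key for b in sample)


if __name__ == "__main__":
    for label, blob in (("original sample", KNOWN_SAMPLE),
                        ("one byte changed", recompile_variant(KNOWN_SAMPLE)),
                        ("xor-obfuscated", obfuscate(KNOWN_SAMPLE))):
        print(f"{label:18} -> {scan(blob) or 'no detection'}")
```

A one-byte change already defeats the hash; a trivial encoding defeats the pattern too, and that is a large part of where the 350 thousand “new” samples a day come from. Catching the obfuscated variant needs a detector that looks at what the file does when it runs, not at what it looks like on disk.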
reCAPTCHA and the Turing Test
Much of the spread of malware, hacker attacks and breaches is automated by software (bots, think basic artificial intelligence in this case). One of the best-known and relatively effective ways to keep botnets from abusing your sign-up, login and comment forms is the CAPTCHA test.
CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and was created by a team of researchers at Carnegie Mellon University in Pittsburgh.
reCAPTCHA is the Google-owned system that lets web hosts distinguish human from automated access to their sites. It was originally created to help digitise books too illegible for the scanning systems of the time.
It has proven an effective way to separate automated abuse of many kinds from legitimate users, so much so that today it is active on more than 6 million live websites. Keep in mind that it raises the cost of automated abuse rather than eliminating it (paid CAPTCHA-solving services exist), so pair it with rate limiting and MFA rather than relying on it alone.
By 2014 Google had integrated behavioural pattern recognition into the system, so that a reCAPTCHA challenge is only shown when the visitor is suspected of being a bot.
DDoS Protection and Cloud Services
Distributed Denial of Service (DDoS) attacks are among the most prevalent targeted attacks known in cybersecurity; they are easy to start, cheap (botnet time can be rented by the hour) and relatively effective at their goals.
The motives vary: ideological disputes (the so-called hacktivists), business feuds, boredom, extortion, or even large-scale state-sanctioned attacks to bring an enemy’s infrastructure down.
To protect yourself and your website, consider the following:
- Implement monitoring tools that analyse your traffic, so you can build a baseline of normal request rates and compare against it later.
- Know the warning signs and learn to recognise them: spotty connectivity on the intranet, network slowdowns or selective service outages are often the first signs of an impending DDoS attack.
- Prepare a multi-level mitigation strategy and a response plan; treat it like a fire emergency if your business is under attack. You should have contingencies in case any business-critical service goes down.
- Practise good network hygiene: you and your whole team must know and recognise the types of attacks out there, use good passwords, know the anti-phishing basics and apply common sense before clicking random links. Compromised machines on your own network are how botnets are built in the first place.
- Harden your network infrastructure’s defences: firewalls with rate limiting, load balancers, anti-spam and content filtering, and more specific features to improve the resilience of your servers. (A VPN protects the confidentiality of your traffic but does nothing against a flood aimed at your public address.)
- Consider outsourcing to cloud-based services. An on-premises or private network is very limited in bandwidth by comparison. Cloud providers offer many layers of protection, sometimes intercepting a DDoS attack outright before it reaches its destination.
Outsourcing to cloud-based services is an increasingly common practice, and for good reason. Why spread yourself thin trying to cover all the bases when you can hire a company dedicated to this one core goal, putting all its resources into improving that service?
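Here is an added example (not code from the original post) of the first two bullets in practice: learn a baseline from a known-good window of an access log, flag every second that exceeds mean plus three standard deviations, and then look at who the top sources were. The log is constructed inline using the documentation address ranges 198.51.100.0/24 (normal users) and 203.0.113.0/24 (the flood); the log format, thresholds and traffic volumes are assumptions for the demo, not anything from the post.

```python
import statistics
from collections import Counter


def make_log() -> list:
    """Constructed access log, one line per request: "<epoch_second> <client_ip> <path>".
    60 s of normal traffic (5-7 req/s from a handful of clients), followed by
    6 s of a flood spread thinly over 200 sources. None of this is real traffic."""
    lines = []
    for sec in range(1000, 1060):
        for i in range(5 + sec % 3):
            lines.append(f"{sec} 198.51.100.{i + 1} /index.html")
    for sec in range(1060, 1066):
        for i in range(300):
            lines.append(f"{sec} 203.0.113.{i % 200 + 1} /index.html")
    return lines


def parse(line: str):
    ts, ip, path = line.split(" ", 2)
    return int(ts), ip, path


def requests_per_second(lines) -> Counter:
    return Counter(parse(line)[0] for line in lines)


def learn_baseline(rps: Counter, seconds) -> tuple:
    """Mean and standard deviation of req/s over a known-good window.
    Seconds with no requests count as zero, not as missing."""
    samples = [rps.get(sec, 0) for sec in seconds]
    return statistics.mean(samples), statistics.pstdev(samples)


def detect_floods(lines, baseline_seconds, k: float = 3.0):
    """Flag every second whose request count exceeds mean + k*stdev of the baseline."""
    rps = requests_per_second(lines)
    mean, sd = learn_baseline(rps, baseline_seconds)
    threshold = mean + k * sd
    flagged = sorted(sec for sec, n in rps.items() if n > threshold)
    return threshold, flagged


def top_sources(lines, seconds, n: int = 3):
    """Who sent the most during the flagged seconds, to judge whether a
    per-IP block would even help."""
    wanted = set(seconds)
    return Counter(parse(line)[1] for line in lines
                   if parse(line)[0] in wanted).most_common(n)


if __name__ == "__main__":
    log = make_log()
    threshold, flagged = detect_floods(log, baseline_seconds=range(1000, 1060))
    print(f"baseline threshold: {threshold:.1f} req/s")
    print(f"flagged seconds: {flagged[0]}..{flagged[-1]} ({len(flagged)} total)")
    print("busiest sources during the flood:", top_sources(log, flagged))
```

The threshold lands around 8.4 req/s and all six flood seconds are flagged at 300 req/s, yet the busiest single source only sent 12 requests over those six seconds, about the rate of one ordinary user. That is the “distributed” part: blocking individual addresses at your own firewall barely dents it, which is why the bandwidth and scrubbing capacity of an upstream provider matter so much.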
System Architecture for your Applications
Employing the correct architecture for your systems, be they web applications or mobile apps, is paramount for security.
Though picking a good architecture can be tricky, with competing concerns ranging from business goals and demand to security, budget and much more.
By separating your application into isolated components (separate networks, containers or accounts for the web tier, the API and the database), malicious code has a harder time reaching the crown jewels, and even if it gets in, the spread is relatively easy to contain.
Especially if each component can only talk to the ones it genuinely needs (least privilege), with proper load balancers, gateways and other nifty tricks in between. Some diversity in platforms and languages across components helps too, since one exploit then doesn’t fit every service.
Ethical Hacking and Penetration Testing
Employing ethical hackers for penetration testing (pen tests) is one of the best ways to evaluate your business’s readiness and security.
Ethical hacker is among the most enticing IT jobs on the market: a carte blanche of sorts to legally break into computer systems or networks and get paid for it. Legally being the key word, which means written authorisation and an agreed scope before the first packet is sent.
It is extremely challenging, since you constantly have to follow technological trends and evolve with them, but for the same reason it is incredibly fun.
What’s brilliant about it is that it has grown into a massive community constantly challenging each other to improve their skills, with hackathons and conferences like Hacker Halted or the more renowned DEF CON.
As we’ve mentioned, “knowing the threat is already half the victory!”, so participating in these, or merely following them, is a great way to keep up with new trends and take appropriate precautions.
As massive and difficult as this topic is, we’ve merely scratched the surface yet again. People have dedicated their entire lives to this “cyber war” in order to understand it. And like it or not, if you want your business to succeed, you need to know and recognise the threat that hackers present.
We’ll be returning to this topic more than once, with more specificity in the future, dissecting every little term one at a time and in greater detail.
However, our time is up. We hope you had as much fun reading this as we had drafting it!
But before you go, what was the most egregious cybersecurity mistake you or someone else has made? I’ll go first!
Remember that one time someone hacked Bill Gates’s Twitter?
Stay classy tech and business nerds!