Cyber Security 101: Why and what should you know about it
Most people, technical or not, are not giving adequate attention to their own digital safety, maybe it is because the unfamiliarity with the subject, fear of making things harder for themselves, or just lacking information. In the news, we see major hacks or data breaches that fail to demonstrate the real seriousness of the situation, so it is up to us to share the knowledge and information.
Cyber Security is not an underground and obscure thing anymore and will not stay in the dark corners of the internet, it has become mainstream and crucial to every business. Your digital personal life is also very sensitive and equally targeted, you should have the same care with your digital life as you have in your ‘normal’ offline life, the fact is: There is no online and offline life anymore, just life. If you lock your door, put an alarm in your car, and get health insurance, why do you keep using the same password over and over and clicking on every link you see?
Ok, security, so what is happening?
Well, basically we have the bad guys and the good guys, and our day-to-day work is like a cops and robbers game, bad guys trying to break in and good guys trying to prevent it (or just chasing if could not prevent it).
Bad guys, also known as cybercriminals or threat actors, make a living hacking and breaking stuff. Stealing and selling personal and financial information, company data, and a few other nasty things. Just for fun, recognition, profit, industrial espionage, or even government-sponsored attacks.
On the other side of the coin, we have the security specialists that have the job of keeping those things from happening, increasing security in our systems, researching, working in companies and law enforcement agencies, and most important thing, teaching and creating awareness.
Why should I care?
Probably you already have heard of the chain analogy, saying that the chain is as strong as its weakest link. That is true, and in most cases, the weakest link is people, specifically the ones that are not security acknowledged. So that is the big why, you might be hacked because you have some valuable information, maybe yours, maybe from your company, or something related to you in some way (some examples below).
If you pay close attention to the news, every day a new data breach, cyber attack or high profile compromise happen, personal information from thousands of people falling in the hands of criminals, company data and devices being held hostage and asking for ransom, business closing down due to cyber attack and so on.
The Cyber Security industry is changing and the skill gap to tackle it is increasing, every little device now could be hacked, home speakers and thermostats, connected light switches, heating systems, routers, cars, surveillance cameras, medical devices, and all down to your phone, smartwatch and computer. Large infrastructures such as power grids, water and sewerage distribution, industries and aircraft also are now connected and could be hacked. So more than ever before we need a strong security strategy and awareness because this presents a risk for all of us.
Just trying to show the severity of these risks I will use as an example the Top Five Global Risks from the World Economic Forum (2022). Every year, the World Economic Forum produces a Global Risk Report which contains the risks that are considered worthy of attention. In 2022, 2 out of 5 risks are related to Cyber Security:
The top 5 global risks in terms of likelihood are:
- Extreme weather conditions
- Failure of climate-change mitigation and adaptation
- Natural disasters
- Data fraud or theft
- Cyber-attacks
So that means if you want to go on that road and you really like it you probably will have a job guaranteed for life, there are so many opportunities and things to be done in this industry.
Why are there so many attacks happening?
First of all, because the attack surface grows each day, every connected device could be hacked, from your laptop and smartphone down to your coffee machine or fridge, in the future even your brain could be hacked if technologies like Elon Musk’s Neuralink take off. Every little connected device could present some kind of vulnerability and most of them often don’t receive support or updates making bad things even worse. But this won’t stop in the small devices, large pieces of equipment also could be targeted for example industrial and medical equipment, things that literally keep us alive and provide basic infrastructure to our cities.
The second big why is the fact that cybercrime is highly profitable. Based on a research, a single piece of Personal Identifiable Information is worth $148 (US) and is increasing every year by around 5%, if you grab the amount of personal data leaked in recent breaches and do the calculation you will see that it is a lot of money. And that is not all, ransomware campaigns are also profitable, the malware that encrypts your computer and asks for a ransom, the ransomware market is moving to something like $1 Million each day.
Ready for the bad news? This is just the beginning, there is much more to come in the following years, therefore many security professionals will be needed to supply the demand.
The Committee for Economic Development of Australia estimated in their 2019 report that Australia will need 18,000 more cyber security workers by 2026, however, the current supply is just 500 graduates a year. Are you not from Australia? No problem, a report from Cybersecurity Ventures predicts 3.5 million cybersecurity jobs will go unfilled worldwide by 2021. Job postings for Cyber Security professionals had already grown 3 times faster than any other IT role and 12 times faster than other fields. Salaries are currently ranging from $105k to $300k yearly (AUD, $75k - $216k USD converting directly).
What does an attack actually look like?
Here I will briefly describe what a common attack looks like but first, most people think they will never be targeted, because they might not have anything to hide or it is not worth it if someone tries to hack them but the thing is: it is always worth it for bad guys, you may not be the final target, just another step for a bigger attack, let’s look at an example.
You one day receive an SMS message saying that you won something or someone is looking for you, this message has a link to a website. Most people will not check the dodgy link and click on it to see what is the prize they won just out of curiosity, not even remembering that they never entered in a raffle or any kind of lottery.
The link will take you to a webpage that could grab all your information, ask for your personal and financial information, or any other nefarious action, in this example the page will try to install malware on your mobile device (you too iPhone users).
After the installation is complete the malware could do two things on your phone, send messages to your contacts, similar to the one you received, or scan your network (home or work).
Scanning your network the malware finds a computer without the latest security patch, which means that it could be vulnerable to an attack, the malware goes to the internet, grabs a piece of code that exploits the vulnerability, and tries to run against the computer, and it works.
Now inside your home computer, the malware has access to your entire digital life and can do whatever the attacker wants. If your company computer was hacked instead the problem is even bigger, now your coworkers, customers, and company are at risk of having the same fate as you had.
Like I said, this is just one of the common attacks happening now, do you want to see more complex ones?
- A self-driving car could be hacked and cause an accident, or an ICU (Intensive Care Unit) could be hacked and kill the person relying on this device to stay alive, check this article.
- An entire city could be held hostage because of a malware attack, check this article. Fun fact: When I was googling for this link I typed “Hackers are holding” and Google suggested a huge list of cities, it turns out that all of them were hacked between the time I saw the news article for the first time and the day that I wrote this article.
- Similar to the self-driving car, any other vehicle could be hacked and even remotely controlled, check this article.
- Hackers could steal/destroy your entire life, check this article.
Ok, you got me, how and where do I learn all that?
For starters trust no one. There isn’t a recipe to learn all that, most come with time if you have a security mindset (how can this be misused or broken?). Here is a (not so) small list with some must-have resources to start a security career or just be aware of what is happening.
The General Public section contains introductory resources about security, mostly tips and advice for your personal life. The Business section includes the same introductory topics but focuses more on the business side. The Technical section is about articles, technical guidelines, and recommended best practices, which can be quite dense sometimes. The Blog, News and Podcasts section contains the main news sources about security, podcasts, and interesting things happening. In the Training section, you can find a few courses around security and in the Certification section you can put your knowledge to the test and grab a cert. There are also some Hacking Challenges and CTFs where you can practice and test your skills without risking end up in jail. And if you like to read there is also a section called Books with some great titles, be aware that some are highly technical.
Now you have a bit more information about security I wish you good luck in your future endeavors and I'm sorry if I made you paranoid about it. :)