I see many posts on social media asking for advice on how to get started in cybersecurity, what certifications to get, etc., so I figured I would write an article with my perspective on those topics.

Cybersecurity as a career

You do not need any formal education, nor any specific certification, to be successful in cybersecurity. Both will help you get noticed by recruiters and get past the so-called HR firewall. Both are artificial barriers to entry, controlled by people who are entirely out of touch and have totally wrong ideas about what is needed. According to some of those folks, you need a Ph.D. in cybersecurity and every certification on the planet for an entry-level job. There are many tales about recruiters asking for ten years of experience in a technology invented five years ago. I even read a story about a person who was a lead developer in a new field; the recruiter told them they did not have enough experience in that field, advised them to read blogs on the topic, and pointed them to a blog they had written themselves.

I have no answer on how to fix this severely broken hiring pipeline. Since the requirements seem totally random, with no basis in reality, I have no one-size-fits-all way to get past this broken system. Therefore, I am going to focus this article on advice that assumes this broken pipeline did not exist. Just know that if you see a job posting that seems unreal, it probably is. The problem is not you; it is them.

A thought just occurred to me. I wonder if they are doing this on purpose to test how creative and persistent you can be in getting past this block. Both persistence and creative solutions are essential in many cybersecurity jobs. If you need to be spoon-fed the answers or need a structured procedure handed to you, there are very few jobs in cybersecurity that would be a good fit for you.

Let me start by giving you a sure-fire way to weed out people who dish out advice but have no idea what they are talking about. These folks advise entry-level folks to get a CISSP, OSCP, CISM, or CISA certification. I imagine these folks would go into a high school and, when kids ask for advice on picking a university and a field of study, explain how to write and defend a Ph.D. dissertation. CISSP, OSCP, CISM, CISA, etc., are not entry-level certifications. These are pinnacle certifications that are extremely challenging even for very seasoned cybersecurity professionals, and most of them (OSCP is the exception) require proof of several years of experience before the certification is issued, even if you pass the test.

OK, let us switch the tone here; enough negativity. So, what should one do to prepare for a successful career in cybersecurity? The first thing you need to do is figure out which aspect of cybersecurity you are drawn to, as well as what motivates you. Like other aspects of IT, the field of cybersecurity is vast. Here are a couple of pictures to demonstrate just how huge the field is. I borrowed these pictures from the web after searching for “cybersecurity domain mind map” and “cybersecurity color wheel.” There is a ton of information in those search results and variations on them.

Various fields within cybersecurity grouped together into various colored teams.
InfoSec Colour Wheel courtesy https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700
A mind map of all the different disciplines of Cybersecurity
The Map of Cybersecurity Domains courtesy https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/

As you can see, you cannot just say, “I want to work in cybersecurity”; you need to be more focused than that. What draws you to cybersecurity? Which aspect is the most appealing to you? Depending on which area you are most drawn to, different things will prepare you. I was once talking to a Lyft driver about what it took to get into cybersecurity. I told him to make sure he knew computers very well, and that it was helpful to be good with networking, know how to code, know how to set up servers, etc. He then asked about coding skills, and I told him it was beneficial to know how to do web development and how to automate things with Python. He commented that that was a lot to learn. If he needed to know web development, shouldn’t he just become a web developer? I only had a one-word response to that: “sure.”

One of the rumors out there is that cybersecurity is easy money. I find this to be a terrible basis for choosing the field. Yes, there is a lot of money to be made in cybersecurity, just like in many other high-tech fields, for those who are good at it and manage to be successful. However, I would not say it is generally easy. First, what comes easy to one person is not necessarily easy for another. Not everyone can be successful at everything. I firmly believe that to be successful in a field, you need to have a drive for that field and find it interesting, if not fun. Second, there is a considerable amount of burnout among seasoned cybersecurity professionals. Depending on your role and the company you work for, the stress level is well above average, and the hours are often long. Therefore, I would say that this is not an easy job. It is, though, a job I enjoy very much and something I have always had a passion for.

Here is my take on three of the domains. I am not qualified to speak to any of the others:

  • If you have a passion for rules and regulations but the field of law is not for you, or you are currently in the law field and looking for a change, security governance might be for you.
  • If you like to take things apart to find out how they work and how they behave when used, and you enjoy finding unusual uses for things, the offensive sector, aka the red sector, might be for you. This field requires you to learn things quickly in a very unstructured way. Drive to learn, figuring things out on your own, and insatiable curiosity are essential here. If you need to be taught things or always need a user’s manual, this is not the field for you.
  • If you are more of a helper and have a drive to defend people and things, cyber defense and operations might be your field. This is sometimes also called the blue team or defense. As in the offensive sector, the drive to learn in an unstructured way is very important. You would also need to be very good with computers and know them inside and out. It is tough to defend something you do not understand.

In my opinion, the best foundation for both defensive and offensive cybersecurity is an extensive IT background. IT helpdesk, system administration, and network engineering are all excellent foundations for a successful cybersecurity career. The great thing about cybersecurity, though, is that there is no single or best path. I took the path of IT helpdesk -> data center tech -> network engineering -> cybersecurity vulnerability management, and I think that is a great path to take. Others have taken entirely different paths and have been extremely successful.

Cybersecurity Certifications

Certifications, whether they are needed, and how they are used are hotly debated topics in cybersecurity circles. Most people seem to agree on avoiding EC-Council certifications and on CISSP not being an entry-level cert. The only reason to get a cert from EC-Council, like, for example, CEH, is if it is mandated by your employer or by the academic program you are enrolled in. The only folks who seem to value EC-Council are recruiters and HR folks, and I have already made my feelings about their opinions clear.

If you are new to the high-tech workforce and want an edge in job hunting without going the traditional college route, I would start with some CompTIA certifications. I would start with A+, then get both Network+ and Linux+, then go on to Security+. CompTIA offers a lot of great certifications; I would start with those and then add more as time and budget allow.

Once you have worked in IT for several years, have some experience in a few of the security domains, and are looking to demonstrate your security savviness, I would look at the certifications offered by ISACA, (ISC)2, and Offensive Security, depending on your specific field of interest. The Cloud Security Alliance also offers a great certification for cloud security, if that is your chosen specialization. When looking at these certifications, pay close attention to the prerequisites to ensure you have the required background and experience. Also, remember that these are expert-level certifications.

I am a very sharing kind of guy and firmly believe that sharing is caring. I am happy to share absolutely anything and everything, with literally only two exceptions. I am not big on sharing my toothbrush, and I absolutely do not share my passwords under any circumstances. There are two kinds of password sharing that I am totally against. The first is sharing a password between sites, that is, reusing the same password on more than one site. I make sure every site I have an account on has a totally unique password. This means that my passwords for Facebook, Gmail, Twitter, my bank, etc., have nothing in common. If there is a single character in common, it is a random fluke.

The second type of sharing I am against is sharing passwords with anyone else. No one has any of my passwords, not even my spouse, absolutely no one.

Before you start to ask about “but what about …” I will provide a blanket answer. I am just making the rules and providing guidance. Whether you follow them is on you. I will try to explain the reasons, so you understand the risk. You understand your risk model the best and can best judge if taking that risk is worth it to you. If you need help with your risk model, I have another article on that.

You are probably thinking to yourself that that sounds like a lot of passwords to keep track of, and you would be correct. I have several hundred passwords in active use. How do I keep track of all those passwords, you ask? Do I have them all memorized? Absolutely not. I am lucky if I can remember two passwords. I use a password manager to keep track of my passwords.

 

A password manager is an application that is specifically designed to store passwords securely. Care needs to be taken when choosing a password manager. There are many applications out there that claim to be password managers, and may even operate like one, but in reality are malware designed to harvest all your credentials. Make sure to choose one that fits your needs, is well respected, and is well known to be highly secure. When looking for a password manager, look for the following:

  • Strong data encryption, ideally AES-256 or stronger, applied to the vault on your own device before anything is synced, with the key derived from your master password through a deliberately slow function (PBKDF2 or Argon2 with a high work factor) so that the vendor never holds a readable copy
  • Multifactor Authentication (MFA). The best ones offer multiple options to choose from
  • Is the solution monitored for access, data corruption, and operational issues?
  • Can you access the password manager anytime and everywhere you need to?

One example to look at is a product called LastPass from LogMeIn.

 

I know I promised you details behind my recommendations, so here goes. When you use the same password on multiple sites, all the sites that use that password are compromised as soon as one of them is compromised. This can become a massive headache. While maintaining hundreds of passwords is a bit of a pain, it is nowhere near the pain of changing passwords across hundreds of sites when one of those sites has a cyber incident. Also, having data from one site in the hands of cybercriminals is bad enough. Enabling them to access ten sites because they all share the same password is ten times as bad.

 

Another important aspect of password management is choosing a good password. In the past, there was a lot of talk about the complexity of the password being essential. Passwords needed to have upper case, lower case, a number, and a special character. This ended up with everyone choosing something like Fall2020! as their password. This is a horrible password and can be cracked in a fraction of a second, because a cracker does not try nine random characters; it tries a season, a year, and a trailing symbol. The US National Institute of Standards and Technology (NIST) even recanted its earlier advice on this and totally changed course in its account management standard, Special Publication 800-63B, which drops composition rules and periodic forced changes in favor of length and a check against lists of known compromised passwords.

Recent research shows that length is the most important aspect of a password. Do not think of a password as a single word; think of it as a phrase that is at least 15 characters long. I try to make all my passwords at least 20 characters long. Many password managers also have a password generator function that produces a random string of characters. This is the most secure option but impossible to remember. Since I am using a password manager, 99% of my passwords are randomly generated and stored in my manager.

For a more memorable phrase, think of a phrase that no one is likely to guess. Avoid the site or app name and well-known aspects of you or your life. It is a plus if it is not grammatically correct or does not even make sense. Something along the lines of “NittingCowDancesMoon!” would be a good password, except for the fact that it is published here as an example. It is strong because of its length, and it also satisfies the complexity rules of sites that are still stuck on the old advice. Feel free to experiment with spacing, punctuation, etc. Sites and applications vary greatly in what they allow in a password. The most secure ones have no restrictions except for not allowing short passwords.
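To make the length-versus-complexity point concrete, here is a small added example (mine, not code from the original post) that scores a password two ways: the way a composition-rule checker imagines it (characters times alphabet size) and the way a cracker actually attacks “Fall2020!” (season, year, symbol), and then applies a NIST 800-63B-style acceptance check that uses only length and a deny list. The deny list is a constructed stand-in for the real multi-million-entry compromised-password lists, the 15-character minimum is the post’s recommendation rather than NIST’s 8-character floor, and the season-plus-year pattern is one assumed example of the kind of pattern cracking wordlists target.

```python
import math
import re
import secrets
import string
from typing import List

# Constructed stand-in for the compromised/common-password lists that
# NIST SP 800-63B says to check against; the real lists hold millions of entries.
DENY_LIST = {"password", "123456", "qwerty", "letmein", "fall2020!", "winter2020"}

# NIST's floor for user-chosen passwords is 8 characters; this post asks for 15.
MIN_LENGTH = 15

# Assumed cracking pattern: season + year + optional trailing symbol,
# e.g. Fall2020!, winter2019, Spring2021#
SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)(19|20)\d\d[%s]?$" % re.escape(string.punctuation),
    re.IGNORECASE,
)


def naive_charset_bits(password: str) -> float:
    """Strength the way a composition-rule checker imagines it:
    length * log2(size of the character classes used)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pattern_bits(password: str) -> float:
    """Strength the way a cracker sees it. 'Fall2020!' is not nine random
    characters: it is one of 5 season words, capitalised or not, one of 200
    years, and one of 33 choices for the tail (no symbol, or one of 32).
    Anything not matching the assumed pattern falls back to the naive estimate."""
    if SEASON_YEAR.match(password):
        guesses = 5 * 2 * 200 * (1 + len(string.punctuation))
        return math.log2(guesses)
    return naive_charset_bits(password)


def check_password(password: str) -> List[str]:
    """NIST 800-63B-style acceptance check: length and a deny list, with no
    upper/lower/digit/symbol requirements. Returns the reasons to reject."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in DENY_LIST:
        problems.append("appears in the compromised/common password list")
    if pattern_bits(password) < 40:
        problems.append("predictable: roughly %.0f bits of guessing work" % pattern_bits(password))
    return problems


def generate_password(length: int = 20) -> str:
    """What a password manager's generator does: a CSPRNG over the full printable
    alphabet. Each character adds log2(94), about 6.55 bits, so 20 characters is ~131 bits."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Fall2020!", "NittingCowDancesMoon!", generate_password()):
        print(pw, "naive=%.0f bits" % naive_charset_bits(pw),
              "pattern=%.0f bits" % pattern_bits(pw), check_password(pw) or "OK")
```

Running it shows the gap the post describes: “Fall2020!” scores about 59 bits by the naive count but only about 16 bits once the pattern is known, which is a trivial number of guesses for any cracker, while the 21-character phrase and the generated 20-character string both pass with no composition rule involved.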

That is it for this installment. As always, feel free to reach out if there are questions.

This article was written with companies in mind, but most of it applies to individuals as well. Most security incidents happen due to phishing, and I have a sure-fire way to avoid becoming a phishing victim: just do not click on links in email or open attachments. Yes, I do realize that this advice is about as useful as telling someone to stop smoking or to not eat donuts. It is a lot easier said than done. Also, any suggestion that starts with the word “just” tends to be suspect. Hear me out, though, as I explain how this could be implemented.

 

This needs to start with a culture of not sending unexpected links or attachments around. There needs to be an internal document repository site, which is automatically part of everyone’s bookmarks. Rather than attaching a file or sending a link to it, describe in the email where it can be found on the internal site. Something like “the document can be found under documents -> ProjectX -> design.”

This way, people will fall out of the habit of clicking on links or opening attachments, and it will start to feel abnormal and strange to do so. Emails offering free ice cream and the like will continue to be tempting because human beings love games, contests, and, most of all, free stuff. If you set up an internal contest around finding malicious emails and notifying the security team, that could satisfy that urge, especially if free ice cream is the reward.

Rather than training folks to decipher URLs and decide whether a link is valid, make the training situational:

  • They are signing up for a service that requires providing their email address, and the sign-up process says a confirmation email is being sent and that they need to click the link in it to confirm the registration. If an email that looks like it is from that organization arrives within a few minutes, clicking on that link carries a relatively low risk.
  • They are on a conference call. Someone on the call says they are sending a document to everyone. They explain what it is about and why it needs to be sent around rather than posted to the document repository. When an email arrives from that person matching the description, opening it carries a relatively low risk.
  • If they receive an email with a link or attachment that does not match either of those scenarios, claiming to be from an internal contact or another known contact, they should look up that person’s contact information in the internal company contact list and call them or send them a chat message asking what this is about and why they chose to send it by email rather than post it on the document repository. If they get a satisfactory explanation, the risk of opening it is low. Never reply to the email or use contact information taken from the email itself. If no alternative contact information is available outside of that email, treat the email as malicious. If the explanation seems off or sketchy, or the sender seems sketchy, the safe move is to treat the email as malicious.

Additionally, it would be a good idea to train everyone in the hallmarks of phishing attempts, which include:

  • They try to scare you
  • They play on your emotions
  • They play up extreme urgency

Ensure all internal processes specify that if there is ever a legitimate, urgent internal email, it contains no links and simply directs the recipient to an internal site. All internal announcements should be posted on an internal website as well.

This post is going to be more applicable to companies than to individuals, as it goes over how to manage vulnerabilities across all your computer systems. At a super high level, the concept of vulnerability management is pretty simple: it is all about managing your vulnerabilities. When you dive deeper, questions start to surface. Questions such as:

  • What exactly is a vulnerability?
  • How do I know what my vulnerabilities are?
  • Can I manage something I do not know about?

Some think that vulnerability management is all about having vulnerability scanners such as Tenable Nessus or Qualys and periodically running scans with them. Others believe it involves periodic penetration testing. Not only is this extremely flawed thinking, but it is also potentially dangerous and increases your exposure instead of reducing it. A scanner only scans the addresses you point it at, and a penetration test only covers the scope you define; without an inventory, the systems you forgot are exactly the ones that never get scanned, while the clean report gives you the comfort of thinking they were. Sure, those things can add value to an already mature vulnerability management program, but at best they are a small addition to the overall program.

The purpose of a good vulnerability management program is to reduce your exposure and make it easier for you to respond when an issue comes up. To answer the questions from above: you cannot manage something you do not know about. To define the word vulnerability, turn to any English dictionary; it will give a good definition applicable here. The second question, how you find out what your vulnerabilities are, will require some discussion.

Since you cannot manage what you do not know about, good asset and configuration management is the foundation of a good vulnerability management program. If you can only do one thing, just get your hands around what you have. This, of course, starts with knowing what computers and systems you have and where, what IP addresses they have, and who is responsible for them. Knowing how big the hard drive is, how much memory it has, and what sort of NIC it has is not critical to vulnerability management, but it is useful information for other programs. Knowing the MAC addresses could come in handy for this discussion, though. Once you have the basics covered, it is time to dive deeper. This is often called configuration management, but it is really just an extension of asset management. In this stage, you collect details about what is installed on each computer. Here you capture things like:

  • What operating system is installed, what version, and when was it last patched?
  • What applications are installed, what version, and when was it last patched?
  • What frameworks are used by what application?
  • Do any of the frameworks or applications rely on external components or modules?
  • Is any of this managed by someone other than the system owner?

Notice a trend there? For good asset and configuration management, all this and more should be documented in excruciating detail. If done correctly, you should be able to pull up all the systems that have a specific version of the .NET Framework, a particular version of Python, etc. You should also be able to detail the exact specs, all installed applications, frameworks, etc., for a given IP address or hostname. Make sure you capture both, along with any aliases and domain names.
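To show what “pull up all the systems that have a specific version” looks like in practice, here is an added example (mine, not from the original post or any product) of a minimal CMDB built on SQLite from the standard library. The schema, the host names, addresses, owners and versions are all constructed sample data, and the four lookups answer the questions the post says an inventory must answer: which hosts run a given component version, which hosts nobody owns, which hosts have something unpatched since a cutoff date, and what the full record is for a hostname, alias, or IP address.

```python
import sqlite3
from typing import Dict, List, Optional

# Minimal CMDB schema covering what the post says to capture: host identity
# (name, IP, MAC, aliases), an owner, OS and application versions with patch
# dates, and who manages each component if it is not the system owner.
SCHEMA = """
CREATE TABLE host (
    hostname   TEXT PRIMARY KEY,
    ip         TEXT NOT NULL UNIQUE,
    mac        TEXT,
    owner      TEXT,                -- NULL: nobody has claimed this system
    os_name    TEXT NOT NULL,
    os_version TEXT NOT NULL,
    os_patched TEXT                 -- ISO date of the last OS patch, or NULL
);
CREATE TABLE alias (hostname TEXT REFERENCES host(hostname), name TEXT UNIQUE);
CREATE TABLE software (
    hostname   TEXT REFERENCES host(hostname),
    name       TEXT NOT NULL,
    version    TEXT NOT NULL,
    managed_by TEXT,                -- NULL: patched by the system owner
    patched    TEXT                 -- ISO date of the last patch, or NULL
);
"""

# Constructed sample inventory (hypothetical hosts, not from the post).
HOSTS = [
    ("web01", "10.0.1.10", "00:11:22:33:44:01", "alice", "Ubuntu", "20.04", "2020-09-15"),
    ("web02", "10.0.1.11", "00:11:22:33:44:02", None, "Ubuntu", "18.04", "2019-12-01"),
    ("app01", "10.0.2.20", "00:11:22:33:44:03", "bob", "Windows Server", "2019", "2020-10-01"),
    ("db01", "10.0.2.30", "00:11:22:33:44:04", "bob", "Windows Server", "2016", "2020-10-01"),
]
ALIASES = [("web01", "www.example.internal"), ("db01", "db.example.internal")]
SOFTWARE = [
    ("web01", "python", "3.8.5", None, "2020-09-15"),
    ("web01", "nginx", "1.18.0", None, "2020-09-15"),
    ("web02", "python", "3.6.9", None, "2019-12-01"),
    ("app01", ".NET Framework", "4.7.2", "vendor", None),   # vendor-managed, no patch date recorded
    ("db01", ".NET Framework", "4.8", None, "2020-10-01"),
]


def build_cmdb() -> sqlite3.Connection:
    """Create the in-memory CMDB and load the sample inventory."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO host VALUES (?,?,?,?,?,?,?)", HOSTS)
    con.executemany("INSERT INTO alias VALUES (?,?)", ALIASES)
    con.executemany("INSERT INTO software VALUES (?,?,?,?,?)", SOFTWARE)
    return con


def hosts_with_software(con: sqlite3.Connection, name: str, version_prefix: str) -> List[str]:
    """'Every system running python 3.8.x' or '.NET Framework 4.7.x'."""
    rows = con.execute(
        "SELECT DISTINCT hostname FROM software WHERE name = ? AND version LIKE ?",
        (name, version_prefix + "%"),
    )
    return sorted(r["hostname"] for r in rows)


def unowned_hosts(con: sqlite3.Connection) -> List[str]:
    """Systems nobody is responsible for: the first gap to close."""
    return sorted(r["hostname"] for r in con.execute("SELECT hostname FROM host WHERE owner IS NULL"))


def stale_hosts(con: sqlite3.Connection, cutoff: str) -> List[str]:
    """Hosts whose OS or any installed component was last patched before the
    cutoff (ISO date), or has no recorded patch date at all."""
    rows = con.execute(
        """
        SELECT hostname FROM host h
        WHERE h.os_patched IS NULL OR h.os_patched < :cutoff
           OR EXISTS (SELECT 1 FROM software s
                      WHERE s.hostname = h.hostname
                        AND (s.patched IS NULL OR s.patched < :cutoff))
        """,
        {"cutoff": cutoff},
    )
    return sorted(r["hostname"] for r in rows)


def profile(con: sqlite3.Connection, key: str) -> Optional[Dict]:
    """Full record for a hostname, an alias, or an IP address."""
    row = con.execute(
        """
        SELECT * FROM host
        WHERE hostname = :k OR ip = :k
           OR hostname IN (SELECT hostname FROM alias WHERE name = :k)
        """,
        {"k": key},
    ).fetchone()
    if row is None:
        return None
    result = dict(row)
    result["aliases"] = [a["name"] for a in con.execute(
        "SELECT name FROM alias WHERE hostname = ?", (row["hostname"],))]
    result["software"] = [dict(s) for s in con.execute(
        "SELECT name, version, managed_by, patched FROM software WHERE hostname = ?", (row["hostname"],))]
    return result


if __name__ == "__main__":
    db = build_cmdb()
    print("python 3.8.x:", hosts_with_software(db, "python", "3.8"))
    print("unowned:", unowned_hosts(db))
    print("stale before 2020-07-01:", stale_hosts(db, "2020-07-01"))
    print(profile(db, "www.example.internal"))
```

The point of the stale-host query is the one the post makes about knowing what you have: app01 shows up not because it is known to be behind, but because its vendor-managed component has no patch date recorded at all, which is a gap in the inventory rather than a finding from any scanner.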

Once you have all this documented, it is time to turn to the process side.

  • How will you stay informed about issues that come up in the industry?
  • Who is going to watch announcements from US-CERT, NIST, the NVD, your vendors’ security advisories, etc.?
  • How will you go about remediating issues as they are discovered? Who will have what role? How will information flow?
  • Publish a statement on your website on how a security researcher can notify you of an issue they notice externally; the standard place for it is a security.txt file (RFC 9116) at /.well-known/security.txt. Then have an internal process for handling these notices, who is responsible for what, etc. This is called a responsible disclosure (or vulnerability disclosure) process.

Now you can say you have a vulnerability management program. Notice how there is no tool involved so far. The only tool you might think about so far is a Configuration Management Database (CMDB). If you are a small enough org, you can do all of this with nothing more than the standard office suite you likely already have. If you are a little larger, a proper database will make a world of difference.

Only after you have both solid configuration management and firm policies and procedures should you even think about bringing in a vulnerability scanner. At this point, you can start to look at products like Tenable, Qualys, Tripwire IP360, etc., and find a product that suits your needs. Feel free to reach out if you need advice in this space. Then amend your existing vulnerability program with details around what should get scanned when and who is responsible for what. Make sure you specify who is responsible for making sure scanning happens, who is responsible for disseminating the scanning results, and who is responsible for remediation.

In this blog post, I want to talk about risk management and the concept of threat modeling. Let’s start with some basic math, then dive into definitions and some examples.

Definition of Risk

Risk is the product of vulnerability and threat. As with any multiplication, to lower the product (risk, in this case), you need to reduce the factors (vulnerability and threat). There is no such thing as zero risk, because no one is free of vulnerabilities or free of threats. Each of these can approach zero, but neither can ever be zero. So, risk management aims to get risk as low as possible, not to eliminate it.

Definition of Vulnerability

Now with the math out of the way, let us dive a little deeper.

For a definition of the term vulnerability, we turn to dictionary.com, as the English definition works perfectly here. You could say we are switching from math to English.

vulnerable, adjective

  1. Capable of or susceptible to being wounded or hurt, as by a weapon: a vulnerable part of the body.
  2. Open to moral attack, criticism, temptation, etc.: an argument vulnerable to refutation; He is vulnerable to bribery.
  3. (of a place) open to assault; difficult to defend: a vulnerable bridge.

From this definition, it should be clear why there is no such thing as zero vulnerability.

Definition of Threat

Now let us talk about the concept of threat and threat modeling. From dictionary.com again:

threat, noun

  • an indication or warning of probable trouble: The threat of a storm was in the air.

Threat Model

A threat model is simply a catalog of all the threats that could possibly come up. It can be written down or not. It requires no justification and is very personal and subjective. If you feel something is a threat to you, include it in your catalog. No one else gets a say in what is included in your threat model. A good threat model covers all aspects of someone’s life: personal aspects, work aspects, and both online and offline threats. A threat model can be done at various levels. You can have a personal threat model, another one for your family, and a third one for a group you are responsible for. When creating a threat model for more than just yourself, it would be appropriate to consult those included in the model. While you may be consulting with others on a threat model for a group, this should be a judgment-free exercise. For more details on threat modeling, check out my book.

Detailed makeup of a threat

Now let us dive into more details about a threat.

A threat has three components. Any avid crime mystery fan should be very familiar with them: motive, means, and opportunity. In threat modeling, they are more commonly referred to as intent, capability, and opportunity.

Capability

The term capability refers to having the ability to do something. This ingredient is present in most cases involving threats to our physical wellbeing. Most of us possess the physical ability to do unspeakable harm to another living creature. Luckily, most of us are decent human beings who could never even imagine harming another person.

In other words, we lack the hostile intent to harm others. Going back to capability, when it comes to online threats, this element is frequently missing, as it takes a good deal of technical knowledge for someone to be a menace online. So those without technical knowledge lack the capability to be a threat online. Regardless of how much they desire to be a menace, they cannot become a real threat online until they gain the required technical skills or buy them: phishing kits and ransomware-as-a-service exist precisely to sell capability to people who have none of their own, so capability can be rented as well as learned.

Opportunity

Opportunity is the concept of having access to something. It is about being in the right place at the right time, with access to the target. In the physical world, this means having access to the person you wish to harm. Personal bodyguards and diplomatic protection details rely heavily on removing opportunity from the equation to keep the person they are protecting safe from harm. They can’t control a person’s intent, nor can they control a person’s capabilities; however, they can manage opportunity. As we discussed, there is no threat without all three components. By controlling public access to the person they are protecting, they limit the opportunity factor, thus limiting the threat and the risk.

Intent

The last element is the concept of intent, sometimes called motive or desire. If people have no ill will towards you and do not wish you harm, they pose no real threat. Returning to physical protection methods, including bodyguards, the concept of security screening deals in this space. Security screening tries to assess whether you hold any ill will towards those under security protection.

This can be difficult to determine and can change without any notice or warning. We see this when an initially peaceful place suddenly becomes a hotspot of violence. In most cases, the folks involved didn’t suddenly gain new opportunities or obtain new capabilities. Most of the time, something happens that triggers the mass of people to develop a newfound desire and motivation to take things into their own hands.

Depending on how these ingredients are mixed, you can have four different types of threat:

  • Opportunity + Capability = Potential Threat
  • Opportunity + Hostile Intent = Insubstantial Threat
  • Hostile Intent + Capability = Impending Threat
  • All Three = Actual Threat

For those more visually inclined, here is a Venn diagram demonstrating this.

This is written in October 2020, while the whole world is dealing with the Covid-19 pandemic and all discussions are about that. So I find it only fitting to use that as another example.

 

It has been demonstrated that no one is immune to catching Covid-19. How badly it impacts any particular person, and for how long, seems to vary widely. Everyone is thus vulnerable to Covid-19, but to a varying degree.

At the time of this writing, seven months into this pandemic, there is no cure available. Doctors appear to have gotten better at managing symptoms and increasing survivability, but there is no cure. All we can do is take precautions; this is called implementing compensating controls in the cybersecurity world.

You could completely avoid all human contact, move to a farm in the middle of nowhere, and not have another soul for miles. Just like not connecting a computer to the internet to avoid viruses, this is not a feasible approach for most. Scientists tell us that as long as we avoid being in close proximity to people we don’t know for extended periods, we have minimal risk of getting infected. They define close proximity as less than 6 feet or 2 meters, and an extended period as 15 minutes or more. They also advise that wearing a face mask covering both nose and mouth reduces the risk even further, especially when everyone is wearing one. So wearing a mask, maintaining distance, and limiting interaction with people you don’t know is a reasonable precaution, or compensating control in geek-speak.

This means skipping going dancing, hanging out in bars, going to the theater, and other places where people congregate for long periods and possibly even extremely close proximity.

Where some people may trip up with this precaution is in how they define what they consider known people. Just because you’ve worked with someone for ten years, or they are a close cousin of yours, doesn’t mean you can treat them as a “known person” in this context.

Knowing their favorite food, their favorite movies, how they like to dress, and their favorite restaurant might count as knowing someone well in normal times, but this is useless information in the time of Covid-19.

What do you know about their threat and risk handling? What precautions are they taking? If they aren’t taking any precautions, they could pose a significant threat to you. A family member who is going to all the hot spots, going clubbing on weekends, etc., can pose a significant risk to you despite you knowing them very well, and it might be wise for you to keep your distance from them. On the other hand, with someone you barely know but who you know for a fact is taking all the same precautions you are, or more, it would be reasonable to lower your guard a little.

 

Today I want to talk about online privacy concerns. When it comes to online privacy, I tend to take a slightly different road than many of my cybersecurity colleagues. Many in my industry tend to preach that you should never ever under any circumstances share anything personal online. I understand where they are coming from and respect their perspective; however, I do things a little differently.
Just like in real life (IRL), privacy is not a one size fits all. Some like to live out in the country with not another soul for miles. Others want to live in large cities where you can’t even turn around without hitting another person. Some like to dress very conservatively and show as little skin as possible, always keep their curtain drawn, etc. Others like to test the boundaries of public decencies laws both in the ways they dress as well as their choice in curtains and stuff. To me, I say to each their own.
Similarly, online privacy isn’t one-size-fits-all, so instead of being prescriptive, I like to talk about risks and dangers and then let people make their own decisions.
The most significant danger about oversharing online is it significantly increases your risk of becoming a victim of identity theft. It also gives scammers material to come across as if they know you when trying to scam you. Additionally, if you are sharing a lot about your daily schedule to a point where everyone knows exactly where you are going to be, how long, etc., that could lead to physical attacks against you.
The extend of these risks depends on your threat model (see other blog posts and my book for more details on this).
One way to mitigate these risks is never to share anything online. This does not work for me as I’m an open person and over-sharer. I like who I am, and I do not let the world change me. So instead, I take other precautions. For example, I subscribe to an identity monitoring service to monitor if someone uses my information to impact my identity. I know what information about me is available online, and I am skeptical about anyone trying to use that information to get close to me. I avoid sharing any deeply personal info such as names of friends or family, my SSN, phone number, address, etc. When I’m sharing things about me, I obfuscate location details and names of other participants. This is both for my security as well to protect other people’s privacy.
One key aspect that I think all cybersecurity professionals agree on is that it is each person’s right to control their privacy, what is disclosed to whom, etc.
Consent is the key here. Never take pictures of people without their consent and never name them in anything without their consent.
One thing that is often overlooked when it comes to security is that there are very few things online that are actually private. Basically, there are two ways to ensure something is private. The first is never to put it online in any form: don’t put it in cloud storage, don’t talk about it in chat applications, and, most of all, don’t put it on social media. The second method to ensure privacy is to encrypt it. In my book, I give a layman’s explanation of what encryption is and how it works. It is worth mentioning that an encrypted connection does not mean the content is encrypted. Again, check out my book for more details on that distinction.
Anything that is in electronic form and not encrypted in a way that ensures that you are the only one able to read it can be compromised and made public. Now, as with everything else, there are varying levels of risk, and various levels of “does it really matter.” This again depends on your threat model. For example, anything in Gmail or Google Drive can probably be read by someone with access to those platforms from within Google. The same goes for Outlook Online and OneDrive from Microsoft.
Now, just because they can does not mean they do or that they will. Assuming they can’t does seem rather foolish, though. If your threat model requires absolute assurance that not even the platform owner can read your email, you need to use ProtonMail, a mail provider in Switzerland that fully encrypts all emails so that a password only you have is needed to decrypt them. Before you sign up with them, please read my book errata blog entry on issues that caused me to stop using them. They are working on a fully encrypted cloud storage offering scheduled for public release later in 2020.
Most, if not all, social platforms have a feature they call either private messaging (PM) or direct messaging (DM). I feel the term direct messaging is more honest because that feature allows for direct messaging between two people, but those messages are not private in the strictest sense of the word. Anyone with access to the backend for those platforms can read those DMs.
Just remember that just because something isn’t blatantly public doesn’t mean it is private.
On the topic of social media, I want to remind the reader of the old adage, “there is no such thing as a free lunch.” What I mean by that is that any application or service that you don’t pay for with money, you pay for with your privacy. When you look at companies like Twitter or Facebook that have a large staff and are reasonably profitable, where does that money come from? The answer is that they get paid large sums of money to target advertisements specifically to those who are more likely to purchase. This is done by analyzing what you post, what you share, what you like, and possibly even your DMs, and coming up with a formula describing your likes and dislikes. In other cases, companies are selling all the data they have on you so other companies can aggregate it and create your marketing profile. In summary, there is no such thing as a free app. You either pay with money or with your privacy.
One final thought to leave you with is the idea that anything you post on social media, a blog, etc., never goes away even if you delete it. You never know who might have saved it before you removed it. If that is difficult to grasp, you should check out the Wayback Machine at https://archive.org/

In this installment, we’re going to look at different ways you could be separated from your money, which you may later regret. Let’s call these all Scams or Fraud, even though some don’t meet the legal or the conventional definition of those terms.

Before I start, I want to mention that to many, these may be obvious, but they aren’t apparent to everyone as many folks fall for these scams.

General Scams

The first type I’m going to dive into is phone scams, particularly impersonation scams. With these, someone will call you claiming to be a government official. They could claim to be law enforcement, the IRS, or the Social Security Administration (SSA).

Here are some facts to keep in mind when dealing with these scam artists:

  • Your social security number (SSN) is never canceled, blocked, or frozen. The SSA does not have the ability to do anything of the sort, so even if there was some sort of major issue, they literally couldn’t do any such thing. If there were a major issue with your SSN, they would write you a letter sent through the postal service, not call.
  • Police will never call to demand payment for unpaid fines or anything like that. If some pending payments warranted an arrest, they wouldn’t call to warn you or get you to pay over the phone. They would send a uniformed officer to visit you and escort you to the station or the courthouse where you might get a chance to square your issue.
  • Anyone calling and demanding payments in gift cards is a criminal.
  • Anyone making an unexpected call from Microsoft, Apple, Google, Adobe, etc., claiming to be informing you of a problem with your computer and offering to fix it, is a criminal.

In all these cases, the course of action is simple: hang up on them. If you wanted to toy with them or unload a few well-chosen, possibly even harsh, words, no one could blame you. I do not recommend that, though; I suggest you simply hang up without saying a word.

Also, be wary of giving out any information at all to anyone unknown that calls you. The person that initiates the call should bear the responsibility to identify themselves. I wouldn’t even give them my name before I have their name and know why they called. If they want to provide you with information, that’s fine, but I don’t tell them anything without absolute certainty that they are who they claim. 

The best approach is to say to them that you’ll call them back through the company’s main number. Then find the main number online or through directory assistance; ignore any number they may give you. 

If a Nigerian prince, wealthy businessman, or long-lost relative contacts you and asks you to stash their billions in your bank account for a few months in exchange for a cut of the fortune, don’t do it. Best case scenario, you’ll be an accomplice to money laundering, which is a severe crime in most countries. More likely, the criminal running the scam uses this ruse to get your bank details so they can clean it out for you. 

If you get a call or email saying that you won the lottery or some sort of sweepstakes, but you have to pay taxes and fees before you can claim your winnings, it is a scam. Any taxes or fees are always taken out of your winnings, never paid upfront. If you have never heard of this lotto or sweepstakes, that should be your first clue. Entering sweepstakes or buying a lotto ticket is kind of the first and critical requirement to winning. If it is something you believe you did enter or purchased a ticket for, hang up and call the organization that you registered with to validate your winnings and claim your prize.

Romance Scams

These types of scams prey on lonely people desperate for companionship. They start by reaching out via social media, claiming to want to become friends. They often rely heavily on stereotypes when selecting their personas and will use pictures that match their personas. For example, if they target someone they believe is a heterosexual male, they will present themselves as an attractive twenty-something woman. This sometimes backfires, as quite a few men have no interest in women who are half their age. I suppose this works enough times to make it worth it for them. After they’ve chatted you up for a while, they will confess some financial hardship and ask you to help. They talk big about talking on the phone or meeting in person at some future point, but that time never comes. It is always only in text, and there is always a story as to why they can’t talk to you on the phone until next week or month. They tend to get very personal very quickly and sometimes ask questions that could be used to steal your identity.

If you are lonely enough to be tempted by these types of scams, reach out to us, and we’ll help you find more constructive and fruitful ways to fix your situation, free of charge and without any financial hardship stories on our end.

Scareware

This type of scam tries to scare or embarrass you into paying a ransom. The general premise is that they’ll claim they hacked your computer and found evidence of something they feel you might be embarrassed about, such as visiting an adult entertainment site. They claim they downloaded all your contacts, and if you don’t pay up, they’ll send said evidence to all your contacts. This is usually conducted over email, and they do their best to sound very technical. I see a lot of these, and every single one is complete nonsense. In my book, I take one example and break it down to debunk each and every claim they make. I recommend treating this as general spam and deleting it.

Borderline scams

Now let’s dive into situations where calling them scams might be disputed. There is often a very fine line between effective marketing and scams/fraud; they use the same tactics. It basically comes down to how truthful the marketing is and whether you believe you got what you paid for. This naturally is very subjective. If you have buyer’s remorse and do not have the option to reverse the transaction, you end up feeling defrauded. If you feel cheated, then from your perspective, the deal was a fraud, which is why I include it here.

Many marketing campaigns, both in sales and in fundraising, employ emotional manipulation. Sales marketers like to use the principle of scarcity to manipulate you into making a purchase. They will try to convince you that something is about to sell out and that you need to jump now to make sure you can get yours. They often rely on something called FOMO, or fear of missing out, also known as “keeping up with the Joneses” or “the rat race.” They try to make you feel inferior if you don’t have the latest whatever: you can’t be seen around town without it, and if you don’t have it, you will be made fun of in your social circles. FOMO can be very self-fulfilling; those that are deep into FOMO will often ostracize those they feel don’t have all the latest whatchamacallit and thus create FOMO in others.

The advice here is simple: ask yourself whether you actually need it and what will happen if you wait and the item sells out. If it does sell out and never comes back in stock, that is a sign it was not a viable product, and you would likely have been unhappy with it. If it is a product that sells so fast that it goes out of stock, it will be back in stock soon. No product owner will let a viable product be unavailable for very long. In every case, the product owner has far more to lose from having the product go out of stock for even an hour than the actual consumer ever does. The only reason to mention scarcity in a marketing campaign is to emotionally manipulate people to create a demand that isn’t there.

Another form this might take is what I call fake sales. They claim they offer something to you at a steep discount, say 60-80% or even 95% off, when in reality their sale price is the same as or higher than comparable products elsewhere. Typically those that use this scheme are offering a product of inferior quality. I’ve fallen for this tactic many times and never received a quality product for less than the usual retail price. A spin on this is when they claim they are giving away the product and you just have to pay shipping and handling. Then you come to find out the shipping and handling cost is more than the regular retail price elsewhere.

I am always extremely wary of product marketers who feel they need to resort to these sorts of tactics.

Yet another spin is what I’d call the congratulatory tactic. This is where you get an email along the lines of “Congratulations, you now qualify (or have been granted access) to buy our product.” I’m always like, “what sort of privileged elitist crap is this where I have to qualify to give you my money?” I suppose this is a spin on FOMO. On principle, I always ignore those emails as I am actively against elitism and privilege.

In fundraising marketing, they tend to be even sneakier. They try to pretend that there is a personal connection, that if only you gave x dollars, the issue or campaign would be saved. If you don’t, the cause is lost, and it is all on you. They will try to manipulate your helpfulness and ask you to just do them this one favor. The thing to keep in mind here is that you never owe anyone anything unless you have previously made them a promise. This means that you owe some random person or entity on the internet absolutely nothing. If there is a cause you want to donate either time, goods, or money to, by all means, do that. However, do not under any circumstances let them manipulate you into over-committing.

If there is one magic silver bullet that will help you maintain your online security, it is critical thinking skills. If you read my previous article on the basics of online security, you may recall that I stated there is no single thing that can automatically keep you safe. You will, therefore, recognize the title here and the opening statement as the hyperbole it is meant to be. In other words, there is no magic silver bullet that maintains your online security automatically. While there is no single thing that can guarantee 100% online safety automatically, having rock-solid critical thinking skills is the next best thing.
There are probably entire college courses devoted to the acquisition of critical thinking skills, so I won’t be able to do that justice with a single blog post. I will endeavor to at least explain what I mean by critical thinking skills and how it helps you stay safe online.
Somewhere I once heard the advice “treat every day as if it was April 1st,” and I love that advice. On April Fools’ Day, people do seem to make it a game, if not a mission, to figure out who is trying to pull a prank online, and they tend not to believe anything online that day. Then every other day, they seem to eat up anything that anyone puts online. If everyone put as much effort into identifying the scams online as they do into recognizing April Fools’ pranks, there would be much less crime online.
Critical thinking is about being critical of everything you read online. I know that is a bit of a recursive definition, so let me try to explain more.

To maintain online security, you need to be suspicious about everything you read online, whether it is on Facebook, Twitter, some blog, a news site, your email, etc. The idea that “I read it online so it must be true” could not be further from the truth. Also, just because something is going viral on social media does not make it real. Like the old rumor mill, things don’t become true just because a lot of people are repeating them. Even viral videos don’t prove anything; they are frequently taken entirely out of context, manipulated, or outright fakes. We have fantastic technology these days, and it is often used for evil instead of good. There are a lot of people out there that get their kicks from spinning people up and getting them fighting about nothing. Those people spread half-truths and deepfakes for their enjoyment. Some even go so far as setting up automation to help them spread their garbage faster and farther by setting up something called a bot farm. The term bot is derived from the term robot, and it is simple automation that carries out a specific task such as posting to Facebook.
Then, there is a whole class of online criminals that are termed “Social Engineers” in the cybersecurity world. I think the term “scammers” or “fraudsters” are much better terms. These criminals have been around since the dawn of time, and they use their trade to trick you into doing something you shouldn’t, buying something you regret or defrauding you in one way or another. The Play/Movie, “The Music Man,” depicts a man particularly skilled in this area. Many other movies depict similar tactics, but that is the first one to pop into my head.
One particularly prevalent subsection of social engineering is called phishing. Phishing typically happens over email and is geared towards tricking you into installing malware on your computer or getting you to click on a link. The goal generally is to either take over your computer so it can be used for criminal activity or to steal your identity. I go into a lot more detail about phishing in my book, but I’ll touch on a few pointers here. Please note that while email is the most prevalent method, a modified version of phishing also happens via text and voice mail.
One of the running themes throughout my book is don’t click on links in email or open attachments. If you never click on any links in email or open attachments, falling for an email phishing attack becomes practically impossible.
The general theme of a phishing email is pretending to be a safe email from someone or something you know. This is where critical thinking comes in again. Here being distrustful will save the day. How do you know that email is from who it claims it is from?
One of the hallmarks of a phishing email is urgency; you need to click that link right this very second or face immediate financial ruin. Be extra wary of these emails.
Back to the idea of being distrustful: if you want to maintain online security, you cannot trust anything online or take anything at face value. By that, I don’t mean that you can’t trust your buddy online even though you trust them in real life. I mean, don’t believe that it really is your buddy.
Time for an analogy. I hope you are a Mission Impossible fan or at least are familiar with what it is all about. Imagine Ethan, the lead character, is using some government level tech to change how he looks and how he sounds so that he can get past security and complete his mission. There is a scene like that at least once per movie, if not more. I don’t know if this is actually possible in real life or if this is pure Hollywood fiction, but this is trivial to do online.
So let’s say for the sake of demonstration that you are a character in a Mission Impossible movie and you have some high-level access that Ethan needs. So Ethan dresses up like your best buddy and uses his tech to create a mask that makes him look and sound like your buddy. He calls you up and invites you out for a drink. At first, you’re glad to see your buddy, but then you start to get this gut feeling that something is off. You see, Ethan may be able to change his voice and create a mask that looks like your buddy, but copying your buddy’s mannerisms and the way they carry a conversation is much harder. What do you do, do you brush off the gut feeling, or do you throw out a curveball to test this person? If you are smart, you test them to show them for the imposter they are. I’m pretty sure there is a scene like this in at least one of the movies 😀
Now translate this to online behavior: if you get a message claiming to be from your buddy, do you just accept it, or do you analyze it to see if it sounds like your buddy? The smart and safe approach is to be suspicious.
Again, there are a lot more details about this in my book, so if you are looking for more on how to maintain online security, you should check out my book. If you have any questions, feel free to shoot me a note.

Definitions

Before we dive into the world of online security, let’s start with some definitions.

  • Threat Actor: A criminal that is a threat to either a specific person or a group of people. This is a catch-all term for online criminals. 
  • Hacker: Someone that attempts to use things for purposes they were not intended for. The media likes to use this term interchangeably with a threat actor, which I disagree with. I believe this term is much broader than that. In the original definition of this word, there was no criminal intent involved. 
  • Snake Oil Salesman: According to Wikipedia, this refers to deceptive or fraudulent salespeople.
  • Next-Gen and Military Grade: These are meaningless buzzwords used by snake oil salesmen.
  • Fear, Uncertainty, and Doubt (FUD): This is a generic term covering anything or anyone inciting fear. They spread doubt and uncertainty that only spread more fear.

Online Security basics

The first thing we need to realize when we start talking about online security and safety is that security is hard and an inconvenient pain in the butt. It is not possible to achieve 100% online security, and there are convenience trade-offs that have to be made. I talk about these trade-offs in my book. The trade-offs basically come down to a choice between being inconvenienced or being a victim. There are certain things you do so that you don’t get caught in a broad-net campaign. If you are targeted by a threat actor that is both advanced and persistent, it is only a matter of time before they breach your security. Regardless of how good your security is, an advanced persistent threat actor (APT) will breach it.

Think spear fishing vs. fishing with a net or a fishing pole. If you are a fish swimming in a lake and you are paying attention, you can avoid getting caught in a net or biting that lure on that fishing line. There is, however, very little you can do to prevent a spear from skewering you.

Another analogy for the sports fans out there. If you are playing defense, you have to fend off all offenses. If you are playing offense, only one offensive player needs to get through the defense for the whole team to be successful.

Put another way, an attacker only has to be lucky once, defenders have to be lucky every time.

This is why it is not feasible to have 100% online security. Anyone that tells you otherwise either doesn’t understand security or is a snake oil salesperson (or both). There are several companies out there claiming to sell a comprehensive solution to protect your security. Claiming that once you buy their product, you will be safe online. They may throw buzzwords like “military-grade,” “machine learning,” and “next-generation” in an attempt to impress you. These are meaningless phrases. The salespeople from these companies are merely selling you a bill of goods. The fact is that these solutions are effective anywhere between 5-35% of the time, which in my opinion, is not very effective. 

Now while no security solution will make you bulletproof, it is still essential to have a good virus and malware blocking solution installed. The good news is that Windows 10 has a great one already built-in, so there is nothing else to purchase. Your defense will mostly come from your behavior online, which I will go into in future posts and is covered in-depth in my book. Here is a quick hint, every day is April 1.

Threat Modeling

You may be asking, “but I’m nobody, why should I bother with security?” As I explain in my book, everyone is at risk of becoming a victim of a cybersecurity incident. Everyone has something to lose. You may not care if criminals read your email, but what about using your email account to engage in criminal activity? Or using your email account to send your contacts malware? Threat modeling is something I cover in my book and goes deeper into this topic. As you build out your threat model, you gain a better understanding of what you have to lose and what security trade-off makes sense to you. One thing I feel several security professionals miss is that threat modeling is an individual thing. It is not appropriate for everyone to adopt the security posture of an intelligence agent. Anyone that preaches security as a one size fits all does not understand threat modeling and therefore probably doesn’t understand security. What is more, not only is a security plan an individual thing, it is perfectly acceptable, maybe even desirable, for one person to have multiple security plans. My book goes into a lot more detail here.

FUD and fear-mongering

Another thing to be aware of is all the FUD that is out there. It is hard to say whether those spreading FUD are well-intentioned but misguided, or whether they have malicious intent. My guess is there is a little of both.

There are a lot of people online with opinions that get spread as if they are facts. It is very critical in today’s world to be able to separate facts from opinions. Having a following does not make them an expert. Before you take anything as a fact, or even expert advice, analyze the author’s credentials. 

I’ve seen a lot of blogs and news about how insecure a particular product is, insinuating that these flaws make the product unusable. When I read their description of what the problem is, it usually comes down to what I might call sub-optimal configuration. What I mean by that is that the user did not leverage all the security features of the product, either intentionally or because they didn’t know better. To me, this is a classic case of FUD. Best case, the article author misconstrued the user’s scenario or use case. Worst case, some user education might be needed. I disagree that a product that defaults to less than secure configuration is an insecure product as long as it can be configured to be more secure.

Another case of frequent FUD is hyping up a use case that is outside most users’ threat models. An example here is when someone writes that because a product does not offer a feature they think the product has to offer, it is unsuitable for everyone. Just because the product does not meet the author’s requirement doesn’t mean it is unsuitable for practically everyone else.

There were a lot of articles lately about security issues in the Zoom video conferencing solution, which I found to be complete FUD. Specifically, when it came to the level of encryption they did or did not offer. Yes, there are specific use cases and specific threat models where this was an issue. In my opinion, for more than 90% of Zoom users, whether the level of encryption being discussed was offered or not made absolutely no difference.

BTW if you want to understand what encryption is and how it works, there is a chapter in my book that breaks that down using everyday language.

Most of the articles piling on Zoom for being insecure were about the default meeting configuration. The default configuration did not prevent people from being jerks and joining random Zoom meetings for the sole purpose of being disruptive. New users did not know this or understand how to turn on the features to prevent it. Zoom opted for convenience over security and paid a considerable PR price for it. So they fixed it by making high security the default configuration.

In closing

That is all for this installment; be on the lookout for future installments on specific online security topics.

INTRO

This post will serve as an ongoing errata page for my book. My plan is to continuously update this post as I discover errors, issues, addenda, or just things I’d like to follow up on.

PUBLIC USB CHARGE STATIONS

First, I want to address potential criticism that despite my promise to avoid all FUD, there might be a bit of that in the section on public USB charging stations. I can totally see that point, although I think calling it FUD is a bit strong. Yes, the likelihood that a public charge station could infect your phone is pretty slim and would require very specific circumstances for it to work. So more than 99% of you should be just fine. I still stand by my recommendation that carrying a power pack is a wise idea for multiple reasons.

TRAVELING MAILBOX

In my book, I mentioned that as I was wrapping up my writing, I discovered a new service I thought showed great potential, and I promised to update all my readers on that service. I am happy to report that they have not disappointed, and I plan to do a post dedicated to reviewing my experience with them. So stay tuned for that post.

PROTONMAIL

In my book, I spoke at great length about what a great company Protonmail is and about their zealous privacy advocacy. This is all still true; they offer one of the few, if not the only, fully encrypted email services. This means they have a true zero-knowledge system, where even if they were forced to disclose things about their customers, they simply couldn’t, because everything is encrypted by the customer’s encryption certificate and their password. This means that all they could hand over are encrypted emails, which would take years, if not hundreds of years, to break the encryption on.

What has changed is that I am no longer using Protonmail as my primary email provider. I bet you are asking why I stopped using them if they are so fabulous and what I am using now. The answer to that goes back to threat modeling as discussed in the book. For my threat model, encryption and secrecy are not my top requirement. I am satisfied with good privacy practices; I do not require great privacy. What caused me to leave Protonmail was that their zero-knowledge encryption model meant a lot of features I appreciated were not possible or have not been implemented yet. A slightly clunky UI and the inability to search email content are a couple of the negative aspects of the Protonmail experience. What really pushed me over the edge, though, was lack of reliability. There were several cases where either emails I sent or emails sent to me did not arrive. Protonmail support was either unwilling or unable to do anything about this, basically telling me to provide proof in the form of an error message, which I did not have, or go away.

So I took my business to a company in Australia called FastMail. They seem to have a good privacy reputation from what I’ve been able to tell, and their feature set is on par, if not above par, with the leading email providers such as Gmail and Outlook. They do not offer any encryption, so if that is a requirement for your threat model, then stick with Protonmail. Also, Australia is a member of the Five Eyes intelligence consortium. So if nation-states are part of your threat model, you might be better off with Protonmail, as Switzerland is not known for cooperating with other nation-states, and there is nothing that Protonmail could provide other than heavily encrypted files even if they did. I believe that FastMail would not willingly disclose anything about its customers; however, governments could compel them to do so.

Be on the lookout for a post on my experience migrating all my domains and all my emails from Protonmail to Fastmail, as well as a full review on FastMail.

PRIVACY.COM

This is a site I just discovered this week, and if I had known about it while I was writing the book, I would have included it. It is a site that allows you to create virtual prepaid credit cards funded directly from your bank account, either through direct withdrawal or via a link to your debit card. Look for a post with a full review of privacy.com in the near future.