
Introduction

Encryption is a technology embedded in nearly all online activity these days and is the fundamental basis of all privacy and confidentiality in today’s computerized and electronic society. Without encryption we have no privacy and no confidentiality, so to say that it is extremely important is a gross understatement. Having no encryption in our electronic world would be like having no locks on anything in the physical world: no door locks, no safes, no padlocks, etc. So you can see why it matters and just how critical strong encryption is.

Just like safes and locks in the physical world, encryption, along with something called access control lists and authentication, keeps people out of places they aren’t supposed to be and keeps them from accessing documents and other data they aren’t supposed to have access to or even know exist, while allowing access to those who have a need to know.

The base concept of all forms of encryption is to apply a formula of some sort to the text to render it unreadable until you reverse the formula. These formulas are called ciphers and can be very simplistic or highly complex mathematical formulas that take immense computational power to solve. The more complex the formula, the more secure the encryption. In other words, the more complex the cipher, the stronger the lock. Just like physical locks, ciphers take a key to lock and unlock. These keys can be simple or complex, just like physical keys. More on this later.

Before we dive further into encryption, let’s touch on something called the CIA triad, which is the base concept for all online access models these days.

The CIA triad

No, the CIA triad has nothing to do with the USA Central Intelligence Agency. Here it stands for Confidentiality, Integrity and Availability. For any document to be secure and useful, it needs to be accessible to those who have the right to use it, when they need it, and in its original form. If you burn a document, it is very secure: no unauthorized people can read it, but neither can authorized people. By burning the document you ensured its confidentiality but eliminated both its integrity and its availability.

Let’s break this down

Confidentiality

Can it only be viewed by those who should be viewing it? It’s locked in the safe, so only those who have the combination to the safe can read it.

Integrity

Maintaining the integrity of a document is of course always of paramount importance. If you put a document in a safe, and when you go to get it again it is all moldy and unusable, then it has lost all integrity. If the document has no integrity, you might as well burn it and save yourself the trouble. In the electronic world, unauthorized changes to a data file violate the integrity of the file.

Availability

Can the file be accessed by those who have the right to access it, when they need it? Someone puts a document in a safe in a locked room. They give the safe combination to the folks who need access to that document, but not everyone has a key to the room. In this case the availability is degraded.

Ciphers

The very first known form of encryption is traced back to Julius Caesar, who used what we now refer to as the Caesar Cipher to secure his correspondence with his army. The basis of this cipher is to shift each letter by a certain number of positions in the alphabet. To encrypt with the Caesar Cipher using a key of “right 3,” you substitute every A with a D, every E with an H, and so on. For example, “RETURN TO ROME” becomes “UHWXUQ WR URPH.” Knowing that this was encrypted with the Caesar Cipher and a key of “right 3” makes reversing the encryption easy.

If you don’t know what cipher was used or what the key was, you need to do some analysis to figure that out. This is referred to as cracking the encryption. First you figure out which cipher was used, then you figure out the key. Knowing that “UHWXUQ WR URPH” was encrypted with the Caesar Cipher doesn’t do you much good until you figure out the key. This is often a matter of trial and error or educated guesses. For example, the fact that the string is broken into words can lead you to surmise that a simple letter substitution such as the Caesar Cipher was used, so you look at the two-letter word and start trying candidates, because there aren’t that many two-letter words. You will also note that W and R are 5 positions apart, that T and O are also 5 positions apart, and that T and W are 3 positions apart. So you conclude that this was the Caesar Cipher with “right 3,” apply that to the string, and get the original text.

People skilled in this area can crack a Caesar Cipher in their head in a matter of minutes, if not seconds; modern computers can crack it in a fraction of a millisecond. So obviously we need something stronger and harder to crack.
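As an added example (not part of the original article), here is the Caesar Cipher in Python: the “right 3” shift that turns “RETURN TO ROME” into “UHWXUQ WR URPH,” the reverse shift, and the trial-and-error key recovery described above, automated by trying all 26 possible keys and scoring each candidate by how closely its letters follow typical English letter frequencies. The frequency table is a standard English one; the message is the article’s own.

```python
import math

# Relative frequency (percent) of each letter in typical English text;
# a standard table, used to score how "English-looking" a candidate is.
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228,
    "G": 2.015, "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025,
    "M": 2.406, "N": 6.749, "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987,
    "S": 6.327, "T": 9.056, "U": 2.758, "V": 0.978, "W": 2.360, "X": 0.150,
    "Y": 1.974, "Z": 0.074,
}


def caesar_shift(text: str, shift: int) -> str:
    """Move every letter `shift` places to the right in the alphabet (wrapping
    Z back around to A); spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    # The key "right 3" is undone by shifting 3 to the left.
    return caesar_shift(ciphertext, -key)


def english_score(text: str) -> float:
    """Log-likelihood of the letters under English frequencies: higher means
    more English-like. Non-letters are ignored."""
    return sum(math.log(ENGLISH_FREQ[c]) for c in text.upper() if c in ENGLISH_FREQ)


def crack(ciphertext: str):
    """Automated trial and error: try all 26 keys and keep the best-scoring one.
    Returns (key, plaintext)."""
    best_key = max(range(26), key=lambda k: english_score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key)


if __name__ == "__main__":
    secret = encrypt("RETURN TO ROME", 3)
    print(secret)                       # UHWXUQ WR URPH
    for k in range(26):                 # the 26 candidates a human would eyeball
        print(f"key {k:2d}: {decrypt(secret, k)}")
    print("best guess:", crack(secret))
```

With only 26 possible keys, an exhaustive search is instant, which is why a Caesar shift offers no real protection; a modern cipher has to have far too many keys for anyone to enumerate them this way.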

Modern encryption is based on elliptic curve mathematics, which mathematicians tell me is very complex and hard to solve. All I know is that sort of mathematics is way above my head. As I said above, the more complex the key, the more secure the lock. These days the key is a random string of characters, usually thousands of characters long. Kind of like a really long and complex password.

No lock is uncrackable, but the stronger the lock, the longer it takes to pick it. For modern encryption with a suitably long key, it could take the fastest computer dozens if not hundreds of years to crack it, and this is typically more time than most criminals are willing to put into the effort.

Encryption Types and Categories

Encryption falls into one of two types: synchronous and asynchronous (in standard cryptographic terminology these are called symmetric and asymmetric encryption). Either type can be applied in one of two ways: encrypting a file or files (a thing) or encrypting a connection. Let me dive in and explain further.

Synchronous Encryption

Synchronous encryption is identical to your average physical lock. You have a key to a lock, and you use the same key to lock it and to open it. So if you have the same key, or an exact duplicate of the key that controls the lock, you can unlock it.

Asynchronous Encryption

The basic concept of asynchronous encryption is a bit more difficult to explain in simple terms as there is no direct equivalent in the physical world, so a certain amount of imagination is going to be required for this. Picture this: someone invented a lock that requires two keys to operate. One key can lock the lock; the other key can only open the lock. The key that locked the lock is not able to unlock it and vice versa. Now let’s call the key that locks the safe the public key and the key that opens the safe the private key. Since the public key is only able to lock the safe, you can hand that key out freely to everyone.

You could even open a network of stores where you can go and pick up a copy of “Joe’s Public Key.” For this analogy to work for those who are more detail-focused, a little suspension of disbelief is needed. Also imagine, if you will, that this imaginary lock I am talking about is in an unlocked state, and it will accept any public key. Once it is locked with a specific public key, only the corresponding private key will open it. That is in essence how asynchronous (or public/private key) encryption works. Just so you know, private and public keys are the actual technical terms in the world of encryption for asynchronous encryption keys. Asynchronous encryption is kind of like a re-usable inter-office envelope. Once it is sealed, it can only be opened by the recipient; once it has been opened, it can be re-used again, and you can put it in the bin of re-usable secure envelopes for anyone to use.

Encrypting Something

If you are encrypting something, you are locking up and making private something on your computer. This could be an entire drive, a folder on the drive, a document, etc. If you don’t know what a drive is, think of it as a storage container on your computer where you store your pictures and documents. You can organize the items on your drive into folders. The analogy here is that the drive is a filing cabinet in your office, and that filing cabinet has hanging folders in it.

You open a drawer in the filing cabinet, pick a folder and either take a piece of paper out or put one in. Whether this drive is built into your computer or is a thumb drive is irrelevant. You can also encrypt a USB thumb drive. A USB thumb drive is a little stick you can insert into your computer’s USB port to put documents and pictures on. If you need the contents of that stick to be private and secret, you need to encrypt it, which turns that stick into a tiny portable document safe. Encrypting something typically uses synchronous encryption; since the user who encrypted the content is typically the user who decrypts it, key exchange isn’t an issue.

The skill set needed to encrypt documents and other items is beyond the skill set I expect the readers of this article to have, so I’m not going to go any deeper into this aspect of encryption. If you have an interest in it or need to use it, you know it exists and can seek training in how to use it.

Encrypted Connections

Before I can explain what an encrypted connection is, I need to explain what a connection is, along with a discussion of what happens when you are using the internet. There is a great free movie on YouTube called “Warriors of the Net” that gives a high-level overview. So if you’re up for some extra credit work, go check it out. Here is the direct link (http://www.youtube.com/watch?v=PBWhzz_Gn10). Please note that this was made in the ’90s and is fairly dated, with some terminology that’s a bit off, but none of that interferes with the explanation of the high-level concepts involved.

So, here are the basic concepts in simple terms. The internet is sometimes called the world wide web because in essence every computer is connected together like one big spiderweb. You purchase your internet service from an internet provider or local phone company, such as Comcast, CenturyLink, AT&T, Cox, Wave, etc. They connect your computer to their computers, which in turn are connected to hundreds of other computers and so on. Another way to think of this is that it is similar to the road system in your location. All roads are ultimately connected. If you need to drive from your house in Seattle WA to some house in Atlanta, GA, you need to figure out which roads connect to the roads that will ultimately get you to GA and to that house in Atlanta.

The internet works in a similar fashion; you need to know your originating address and your destination address, then you figure out the best way to get there. Now let’s get a bit more abstract and change the metaphor a bit. Let’s imagine that instead of wanting to travel to that house in Atlanta, you just want to correspond with them using old-fashioned letters you send through the postal service. You don’t care how the letter gets to Atlanta—you just need to get it there.

So you write your letter, address it, give it to the postal worker, and cross your fingers that the letter gets to its destination. Now let’s imagine that you are writing a really long letter, but to keep the size of the envelopes small, you only put a couple of pages into each envelope and split the letter into multiple envelopes. To help the recipient put everything together in the right order, you put page numbers on each page.

This is pretty much how the internet works at a very simplified level. If you want to read the news from your favorite news site, you pull up that site in your web browser. What happens in the background is that you are in a way sending that site a short letter asking them to send you a list of today’s articles. You will then receive in return a long letter split up among multiple envelopes listing the articles available. You read through that list, pick out an article of interest, and send them another short letter saying, “Please send me article X,” back and forth like that.

This back and forth is called a connection. If a postal worker can pick up one of those envelopes, open it up, and read it, that is called an unsecured connection. If you are just reading the news, who cares, right? However, what if you were doing online banking and one of those letters contained all of your checking account transactions? You might not want some random person who works at the post office to read that. This is where a secure or encrypted connection comes into play.

For an encrypted connection, each one of those envelopes is placed into its own super-secure micro safe before it is packaged, addressed, and given to the post office. Now, unless you know how to unlock that safe, you can’t see what is in it. So each one of these imaginary envelopes becomes a thing you encrypt. In other words, securing a connection is nothing more than a long string of things that are encrypted in an automated and invisible way.

Now the question becomes: do you use synchronous or asynchronous encryption? Either will technically work. Let’s look at the pros and cons of each approach.

Synchronous encryption is fine for the stationary safe example or any case where you can easily and securely exchange the key. If you tried to use synchronous encryption to secure a connection, you would quickly run into the key exchange catch-22. You can’t include the key in your box, because what’s the point of locking the lock if you leave your key in it? Putting the key in a separate unsecured envelope doesn’t make sense either, because someone could easily steal the key. So how can you get a key to someone securely without being able to lock it? This is why asynchronous encryption is the go-to method for securing a connection: anyone can lock one of those asynchronous locks, needing only your public key, which is freely available, and you are the only one who can open it, so there is no need to exchange keys as in the synchronous case.

You could make synchronous encryption work for a connection between, say, Seattle and Atlanta if you had a secure way to do the key exchange. Let’s say the Seattle person and the Atlanta person meet in Dallas and exchange keys in person. Then they go back to their respective locations, and now they can securely use synchronous encryption to exchange information long distance, say over the internet. The technical term for this is a pre-shared key. For most scenarios a pre-shared key is not practical, which is why asynchronous encryption is more prevalent for encrypted connections.

There are also cases where a hybrid implementation is used. In the hybrid scenario, one of the endpoints randomly generates a long, complex, secure password (a key) and shares it with the other party over an asynchronously encrypted connection. Once the key has been securely exchanged, they establish a new connection using synchronous encryption with that shared key.
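The hybrid exchange from the last three paragraphs, as an added worked example in Python (not code from the original article): textbook RSA plays the two-key lock (the public exponent locks, only the private exponent opens) and wraps a fresh random 16-byte session key; a simple symmetric stream construction then carries the bulk message under that session key. The primes, the session key and the message are constructed for the demonstration. Real systems generate much larger keys at random, add padding to the asymmetric step and use an authenticated symmetric cipher, so read this as an illustration of how the pieces fit together, not as a library to reuse.

```python
import hashlib
import hmac
import secrets

# Constructed demo key pair built from two Mersenne primes. Real keys are
# generated randomly and are far larger; textbook RSA without padding, as
# here, is a teaching aid only.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
PUBLIC_KEY = (N, E)    # handed out freely: anyone can "lock" with it
PRIVATE_KEY = (N, D)   # kept secret: the only key that "opens"


def wrap_session_key(session_key: bytes, public_key) -> int:
    """Lock the session key with the recipient's public key."""
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)


def unwrap_session_key(wrapped: int, private_key, length: int = 16) -> bytes:
    """Open the wrapped session key; only the private exponent does this."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with an HMAC-SHA256 keystream in
    counter mode. The same call encrypts and decrypts. Illustrative only:
    it carries no authentication tag, which a real cipher mode would add."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        keystream = hmac.new(key, counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def sender_side(message: bytes, recipient_public_key):
    """Seattle: pick a fresh random session key, lock it with Atlanta's public
    key, and use it for the bulk message. Returns what travels over the wire."""
    session_key = secrets.token_bytes(16)
    wrapped = wrap_session_key(session_key, recipient_public_key)
    return wrapped, stream_xor(session_key, message)


def receiver_side(wrapped: int, ciphertext: bytes, private_key) -> bytes:
    """Atlanta: open the session key with the private key, then decrypt."""
    session_key = unwrap_session_key(wrapped, private_key)
    return stream_xor(session_key, ciphertext)


def public_key_cannot_unwrap(wrapped: int, public_key, private_key) -> bool:
    """Applying the public exponent again does not undo the wrap: holding the
    freely available key gives no way to recover the session key."""
    n, e = public_key
    with_public = pow(wrapped, e, n)
    with_private = int.from_bytes(unwrap_session_key(wrapped, private_key), "big")
    return with_public != with_private


if __name__ == "__main__":
    msg = b"Seattle to Atlanta: here is the shared secret for the next hour."
    wrapped, ct = sender_side(msg, PUBLIC_KEY)
    print("on the wire:", ct.hex()[:32], "...")
    print("Atlanta reads:", receiver_side(wrapped, ct, PRIVATE_KEY).decode())
    print("public key alone can open it?",
          not public_key_cannot_unwrap(wrapped, PUBLIC_KEY, PRIVATE_KEY))
```

The asymmetric step is used only once, for the short session key, because public-key operations are slow and limited to small inputs; the symmetric step then handles any amount of traffic cheaply, which is exactly the division of labour the hybrid scenario describes.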

Hashing

There is one other element of encryption to cover—something called a hash. I lived in Seattle, WA, for 30 years, so I feel compelled to point out that this type of hash has nothing to do with weed, and you can’t smoke this type of hash.

A computer hash is also called one-way encryption; it is a fixed-length string of numbers and letters. A hashing algorithm takes a specific computer file and generates what’s called a hash from it. There are multiple hashing algorithms out there, and they all share several properties.

  • It is not possible to reverse a hash to recover the input; that is why it is called one-way encryption.
  • For a given algorithm, the output is always the same length. The size of the input has no bearing on the length of the output; the algorithm dictates it. So a hash of a single word is the same length as a hash of 100,000 words.
  • For a given algorithm and a specific input file, the output is always the same. For an identical file, I’m guaranteed the same output.
  • If a file has an extra space in it or has been modified in any way, the output will be drastically different. Older and simpler algorithms have been found to fail in this regard under very rare conditions, with two different inputs producing the same output. The technical term for this is a hash collision. If a hash collision is a problem for your needs, use a newer collision-resistant algorithm. I would venture a guess that no one in the core demographic for this article ever intentionally uses a computer hash.

The detail behind each algorithm is beyond the scope of this article. There are two main uses for hashing. First is to validate file integrity. You run a particular algorithm against your file and note the output. Then later, if you want to know if the file has changed, you simply run the same algorithm and compare the results to the results you noted before. If they match, then the file has not changed; otherwise, the file is different. The hash doesn’t reveal what was changed, just that a change occurred.

The second use is for properly storing a password so that it is not possible for the site owner to know what your password is. How this works is that when you first provide your password, the site runs that password through a specific algorithm (or recipe), making sure to use salt and pepper and all the proper spices, then they store the results and discard the actual password. When you go to log in, the site uses the same recipe with the exact same spices in the same amounts, and if the results match the saved result, your login is validated; otherwise you are denied access.
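The two uses just described, as an added Python example that is not from the article: the first functions note a SHA-256 hash of some data and check later whether the data still matches it; the password functions store only a salted, peppered, deliberately slow PBKDF2 hash and re-run the same recipe at login. The pepper value and iteration count are constructed for the demo; in a real system the pepper is a secret kept outside the password database and the iteration count is tuned to the hardware.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Fixed-length (64 hex characters) fingerprint of any amount of input."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, recorded_hex: str) -> bool:
    """Later comparison: does the data still match the hash noted earlier?
    The hash says only that something changed, not what."""
    return hmac.compare_digest(sha256_hex(data), recorded_hex)


# Assumed server-side secret ("pepper"), constructed for the demo. It lives in
# configuration, not in the database, so a leaked user table alone is not
# enough to start testing password guesses.
PEPPER = b"constructed-demo-pepper"
ITERATIONS = 200_000   # the "slow" part of the recipe; tune to your hardware


def hash_password(password: str) -> dict:
    """Store a per-user random salt, the recipe parameters and the result.
    The password itself is discarded."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER, salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-run the same recipe with the same spices and compare, in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode() + PEPPER,
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    doc = b"quarterly report, final version"
    noted = sha256_hex(doc)
    print("noted:", noted)
    print("unchanged?", integrity_check(doc, noted))
    print("with one extra space?", integrity_check(doc + b" ", noted))
    rec = hash_password("correct horse battery")
    print("stored record:", rec)
    print("login ok?", verify_password("correct horse battery", rec))
    print("wrong password ok?", verify_password("incorrect horse", rec))
```

Two users with the same password get different records because the salt differs, so a stolen table cannot be attacked with one precomputed list, and `compare_digest` keeps the comparison time independent of where the first mismatching character is.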


Ransomware is a type of self-propagating malware that encrypts your files so that you cannot read or use them until you pay a ransom. Yeah, I know, I can feel you rolling your eyes at that unhelpful explanation full of incomprehensible technical jargon. So let me explain these terms in more detail.

MALWARE

Malware is a contraction of the term malicious software. This is a piece of software, or application, that is written with the sole purpose of being malicious and doing malicious things. Exactly what malware could do to you is wide ranging, practically anything; it is usually something destructive, such as deleting files, or something nefarious, like stealing your files.

Malware frequently masquerades as something fun or something useful. For example, a simple computer game: while you are having fun playing the game, the game is deleting all your files. I’ve even known of malware masquerading as malware removal software. How this works is that through one method or another, frequently email or a web page, you are enticed to install this free tool to check for malware on your computer. While the application pretends to be scanning for malware, it is scanning for files to steal or destroy. Pretty nasty stuff.

SELF-PROPAGATING

This is any software that will discover other computers nearby and install itself on all of them without any user involvement or knowledge. For example, if you have a self-propagating malware on a laptop that you take home and connect to your home network, it will discover all the other computers in your home and install itself on them. So, your spouse’s laptop, your kids’ computers, etc., all now have the same malware.

This typically happens due to an unpatched vulnerability in the operating system of the computer. That is to say, for example, your version of Windows might have a flaw in it that the malware is using to distribute itself to other computers with the same flaw. These types of flaws are typically fixed soon after they are discovered. These fixes are known as patches or updates. This is why it is important for the security of your computer to install these patches or updates when they come out. Make sure, though, that you only install the authentic update from the software vendor, e.g. Microsoft, and not malware masquerading as an update. If you need help with this part, make sure to reach out to a trusted adviser, someone who can be trusted with the security of your computers.

ENCRYPTION

This is a rather complex topic that will require its own article. What you need to understand here is that when your files are encrypted, they become locked and unusable until the person or application that encrypted (i.e., locked) them decrypts (i.e., unlocks) them.

RANSOM PART OF RANSOMWARE

OK now that I’ve explained what malware is and how it distributes itself let’s talk about ransomware itself and what makes it so dangerous.

What makes ransomware so different from other forms of malware is how it holds your files (documents, pictures, etc.) hostage until you pay an outrageous amount of money to the author. This is similar to old-fashioned kidnapping. A bunch of criminals kidnap someone they think is loved and has a lot of money, then keep them hostage until they are paid a lot of money for their safe return. The same thing happens here. Once the ransomware has been installed, it starts to scan your computer and all storage devices and storage services it is connected to for files it thinks may be important enough that you would be willing to pay a ransom for them; this can be every user-generated file. Then it locks the files so you can’t get to them and pops up a message with the ransom demand when you try to access them. The ransom demand promises that once you pay the ransom, you will get an unlock key that allows you to unlock the documents. Depending on the type of ransomware, sometimes the criminals maintain a remote connection to your computers and promise to unlock your files remotely once you pay the ransom. Whether to pay the ransom, and whether their promises are to be believed, are hotly debated topics. Suffice it to say that the prevailing advice regarding ransomware is very similar to the prevailing advice regarding paying kidnappers, that is to say, don’t do it. The final decision on whether to pay should reside with the data owner, as they are the only ones who understand the value of the locked data.

If you have made the proper preparations ahead of time the debate of whether to pay or not tends to be moot as you can just recover your files. How all that works is the topic of the next blog in this series.

WHY THIS MATTERS

Ransomware crime is sharply increasing and is projected to become the #1 internet crime. According to the 2020 Internet Crime Report from the US Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3), available at https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf, ransomware reports increased from 1493 in 2018 to 2474 in 2020, and aggregate ransom increased from 3,621,857 USD in 2018 to 29,157,405 USD in 2020. While 2021 numbers won’t be available until sometime in 2022, they are expected to be multiples of the 2020 numbers. Therefore it is important to be aware of this threat and be able to protect yourself from it.


HOW TO PROTECT YOURSELF FROM RANSOMWARE

Protecting yourself from ransomware falls into two main buckets: first, steps to take to avoid getting infected; second, being prepared to recover should you be so unlucky as to get infected despite your defensive measures. In this article I will touch on defensive measures while deferring detailed coverage of them to a separate article. The focus of this article is how to set yourself up so that you can recover from an infection.

RANSOMWARE DEFENSES

Most ransomware infections these days occur via email attachments or links in email. Defense against that is twofold:

  • Ensure you have a high-quality antivirus/anti-malware software on all computers
    • Ensure it is kept up to date, updates are often daily
    • Ensure it is configured correctly
  • Educate yourself and your users on how to avoid falling for phishing emails
    • Don’t open attachments or click on links in emails that are unexpected or that you aren’t absolutely 100% sure are authentic.
    • Look for other articles from us in the future with more details on this.

If you need help with these steps reach out to a trusted advisor, someone you trust to take good care of your computers and ensure their safety.

RANSOMWARE RECOVERY PREPARATION aka Importance of backups

The best way to prepare to recover from a ransomware event is to ensure you have a solid backup in place. How you do your backups makes a big difference in recoverability.

While backing up to an external hard drive or network share is great for things like a failed hard drive or accidental deletion, it is useless when it comes to ransomware or other malicious events, because that backup will get encrypted or deleted along with your local hard drive.

For smaller organizations and individuals, leveraging Microsoft OneDrive built in ransomware protection is often sufficient. Follow this link for more details on how this works.

Larger organizations are going to need some additional backup processes, so here are some recommendations for how to set things up for maximum recoverability. Use this guide either for your own setup or when interviewing trusted partners to host your environment, to ensure they are thinking about the security of your infrastructure.

  • The first step is to select a reliable backup solution that stores the backup off-site and packages the files into archives that are completely separate from the files being backed up. Additionally, the ability to encrypt the backups is an important security consideration.
  • Storing the backups at a location other than the files being backed up is more important to disaster recovery than to ransomware recovery. Since you are going through the effort to back up your files, it makes sense to consider all hazards, not just one. If you store the backup in the same location as the files being backed up, and something happens to that location such as fire, earthquake, tsunami, etc., you’ve lost both the original and the backup. When selecting a storage location for the backup, don’t even pick a location in the same town; pick a different hazard zone where the same event can’t take out both locations. This typically means storing the backup in a different region; for example, if your files are stored in the south, store the backup in the north.
  • Make sure to enable strict separation of duties. The account that has access to the backup system, that can restore backups or even just view or make changes to them, should not have access to any of the systems being backed up. Anyone with access to make changes to any documents being backed up should have no access to the backup systems or the location where the backups are stored. The backup operator should not be able to access any files within a backup; they can see file names, paths, and similar metadata, but not the content. A restored system should have exactly the same permissions as the backed-up system. For smaller organizations balking at needing a separate backup person, note that I am talking about the accounts needed, not the persons needed. The backup operator can have other duties; they just have to use a totally separate account when doing their backup duties.
  • Make sure you test your backup. The backup is not useful unless you know for a fact that you can restore it, and you do not know that until you have in fact restored it. This is the most common failure when it comes to backups.
  • Make sure your backup schedule accounts for how frequently your data changes. In other words, think about how much work you are willing to lose and back up that frequently.
    • If you only back up once a week, you lose one week’s worth of changes if you need to restore a backup. Nightly backups are very common, as that means you only lose a few hours’ worth of changes, and getting through an entire backup set in a night is feasible in most cases.
    • The schedule is usually limited by how long it takes to perform each backup cycle.
    • Low-cost systems are typically very slow, and fast backup systems are typically very expensive.
    • So, if you are purchasing your own backup system, you have to balance how frequently you want to back up against how much you are able to spend on backup systems.
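A restore test of the kind the fourth bullet calls for, as an added Python example (not from the article and not tied to any particular backup product): it packages a constructed sample directory into an archive, records a SHA-256 manifest of every file at backup time, restores into a scratch directory, and reports any file that is missing or whose content differs. It then deliberately damages one restored file to show that the check catches it. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 of every file under root, recorded at backup time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(src: str, archive_path: str) -> dict:
    """Package the source tree into a separate archive and return its manifest.
    In practice the manifest is stored alongside the archive, off-site."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname="documents")
    return build_manifest(src)


def restore(archive_path: str, dest: str) -> None:
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # Python 3.12+: refuse unsafe paths
        except TypeError:                         # older Python: no filter argument
            tar.extractall(dest)


def verify_restore(restored_root: str, manifest: dict) -> list:
    """Return the files that are missing or whose content differs from the manifest."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path) or sha256_file(path) != expected:
            problems.append(rel)
    return sorted(problems)


def restore_test_demo() -> tuple:
    """Constructed end-to-end run: back up, restore to a scratch directory,
    verify, then corrupt one restored file and verify again. Returns the two
    problem lists (expected: empty, then one entry)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        os.makedirs(os.path.join(src, "reports"))
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("constructed sample document\n")
        with open(os.path.join(src, "reports", "q1.csv"), "w") as f:
            f.write("month,total\njan,10\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)

        restored_root = os.path.join(work, "restore", "documents")
        restore(archive, os.path.join(work, "restore"))
        clean = verify_restore(restored_root, manifest)

        with open(os.path.join(restored_root, "reports", "q1.csv"), "a") as f:
            f.write("tampered\n")   # simulate a damaged or altered restore
        damaged = verify_restore(restored_root, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_test_demo()
    print("problems after clean restore:", clean)
    print("problems after tampering:", damaged)
```

Running the restore into a scratch location rather than over the live system is what makes this a safe routine test, and keeping the manifest with the off-site copy lets the verification run from the backup account alone, in keeping with the separation of duties in the third bullet.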

Recovering from Ransomware infection

The single best step in recovering from any sort of infection is something referred to in the industry as flatten and re-image. This consists of completely erasing the infected hard drive of all data, to the point where it is squeaky clean with absolutely nothing on it, then reinstalling the operating system and all applications from original installation media, followed by restoring the backup of the data for that computer.

If you want to understand how the infection happened, it is important to simply turn off the computer, unplug it, and hand it over to a digital forensic specialist as soon as the infection is discovered. This can be a very costly process and is not worth it in many cases. For most, the best course of action is to go straight to flatten and re-image.

I see many posts on social media asking for advice on how to get started in cybersecurity, what certifications to get, etc., so I figured I would write an article with my perspective on those topics.

Cybersecurity as a career

You do not need any formal education, nor any specific certification, to be successful in cybersecurity. Both will help you get noticed by recruiters and past the so-called HR firewall. Both are artificial barriers to entry controlled by people who are entirely out of touch and have totally wrong ideas of what is needed. According to some of those folks, you need a Ph.D. in cybersecurity and every certification on the planet for an entry-level job. There are many tales of recruiters asking for ten years of experience in a technology invented five years ago. I even read a story about a person who was a lead developer in a new field; the recruiter told them they did not have enough experience in that field, advised them to read blogs on the topic, and pointed them to a blog they themselves had written.

I have no answer on how to fix this severely broken hiring pipeline. Since the requirements seem totally random, with no basis in reality, I have no one size fits all way to get past this broken system. Therefore, I am going to focus this article on advice assuming this broken pipeline did not exist. Just know that if you see a job posting that seems unreal, it probably is. The problem is not you; it is them.

A thought just occurred to me. I wonder if they are doing this on purpose to test how creative and persistent you can be to get past this block. Both persistence and creative solutions are essential to many cybersecurity jobs. If you need to be spoon-fed the answers, need to have a structured procedure handed to you, etc., there are very few jobs in cybersecurity that would be a good fit for you.

Let me start by giving you a sure-fire way to weed out people dishing out advice who have no idea what they are talking about. These folks advise entry-level people to get the CISSP, OSCP, CISM, or CISA certification. I imagine these folks would go into a high school and, to kids looking for advice on picking a university and a field of study, explain how to write and defend their Ph.D. paper. CISSP, OSCP, CISM, CISA, etc., are not entry-level certifications. They are pinnacle certifications that are extremely challenging even for very seasoned cybersecurity professionals, and they typically require proof of many years of experience before the certification will be issued, even if you pass the test.

OK, let us switch the tone here, enough negativity. So, what should one do to prepare for a successful career in cybersecurity? The first thing you need to do is figure out which aspect of cybersecurity you are drawn to, as well as what motivates you. Like other aspects of IT, the field of cybersecurity is vast. Here are a couple of pictures to demonstrate just how huge the field is. I borrowed these pictures from the web after doing a web search for “cybersecurity domain mind map” and “cybersecurity color wheel.” There is a ton of information with those search results and variations on them.

Various fields within cybersecurity grouped together into various colored teams.
InfoSec Colour Wheel courtesy https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700

A mind map of all the different disciplines of Cybersecurity
The Map of Cybersecurity Domains courtesy https://www.linkedin.com/pulse/map-cybersecurity-domains-version-20-henry-jiang-ciso-cissp/

As you can see, you cannot just say, “I want to work in cybersecurity”; you need to be more focused than that. What draws you to cybersecurity, and which aspect is the most appealing to you? Depending on which area you are most drawn to, different things prepare you. I was once talking to a Lyft driver about what it took to get into cybersecurity. I told him to make sure he knew computers very well, and that it was helpful to be good with networking, know how to code, set up servers, etc. He then asked about coding skills, and I told him it was beneficial to know how to do web development and automate things with python. He commented that that was a lot to learn. If he needed to know web development, shouldn’t he just become a web developer? I only had a one-word response to that, “sure.”

One of the rumors out there is that cybersecurity is easy money. I find this to be terrible advice. Yes, there is a lot of money to be made in cybersecurity, just like in many other high-tech fields, for those that are good at it and manage to be successful. However, I would not say it is generally easy. First, what comes easy to one person is not necessarily easy for another person. Not everyone can be successful in everything. I firmly believe that to be successful in a field, you need to have a drive for that field and find it interesting, if not fun. Second, there is a considerable amount of burnout among seasoned cybersecurity professionals. Depending on your role and the company you work for, the stress level is well above average, and hours are often long. Therefore, I would say that this is not an easy job. It is, though, a job I enjoy very much and something I have always had a passion for.

Here is my take on three of the domains. I am not qualified to speak to any of the others:

  • If you have a passion for rules and regulations but getting into the field of law is not for you, or you are currently in the law field and looking for a change, security governance might be for you.
  • If you like to take things apart to find out how they work, how they behave when used, and finding unusual usages for things, the offensive sector, aka the red team, might be for you. This field requires you to learn things quickly in a very unstructured way. Drive to learn, figuring things out on your own, and insatiable curiosity are essential here. If you need to be taught things, always need a user’s manual, etc., this is not the field for you.
  • If you are more of a helper and have a drive for defending people and things, cyber defense and operations might be your field. This is sometimes also called the blue team or defense. Like in the offensive sector, the drive to learn in an unstructured way is very important. You also would need to be very good with computers and know them inside and out. It is tough to defend something you do not understand.

In my opinion, the best foundation for both defensive and offensive cybersecurity is an extensive IT background. IT helpdesk, system administration, and network engineering are all excellent foundations for a successful cybersecurity career. The great thing about cybersecurity, though, is that there is no single or best path. I took the path of IT helpdesk -> data center tech -> network engineering -> cybersecurity vuln mgmt., and I think that is a great path to take. Others have taken entirely different paths and have been extremely successful.

Cybersecurity Certifications

Certifications, whether they are needed, and how they are used are hotly debated topics in cybersecurity circles. Most people seem to agree on avoiding EC Council certifications, and that CISSP is not an entry-level cert. The only reason to get a cert from EC Council, like, for example, CEH, is if it is mandated by your employer or the academic program you are enrolled in. The only folks that seem to value EC Council are recruiters and HR folks, and I have already made my feelings about their opinions clear.

If you are new to the high-tech workforce and want an edge in job hunting without going the traditional college route, I would start with some CompTIA certifications. I would start with A+, then get both Network+ and Linux+, then go on to Security+. CompTIA offers a lot of great certificates; I would start with those and then add more as time and budget allow.

Once you have worked in IT for several years, have some experience in a few of the security domains, and are looking to demonstrate your security savvy, I would look at the certifications offered by ISACA, (ISC)2, and Offensive Security, depending on your specific field of interest. The Cloud Security Alliance also offers a great certification for cloud security, if that is your chosen specialization. When looking at these certifications, make sure you pay close attention to the prerequisites to ensure you have the required background and experience. Also, remember these are expert-level certifications.

Reading Time: 3 minutes

I am a very sharing kind of guy and firmly believe that sharing is caring. I am happy to share absolutely anything and everything, with literally only two exceptions. I am not big on sharing my toothbrush, and I absolutely do not share my passwords under any circumstances. There are two kinds of password sharing that I am totally against. The first is sharing a password between sites. I make sure every site I have an account on has a totally unique password. This means that my passwords for Facebook, Gmail, Twitter, my bank, etc., have nothing in common. If there is a single character in common, it is a random fluke.

The second type of sharing I am against is sharing passwords with anyone else. No one has any of my passwords, not even my spouse, absolutely no one.

Before you start to ask about “but what about …” I will provide a blanket answer. I am just making the rules and providing guidance. Whether you follow them is on you. I will try to explain the reasons, so you understand the risk. You understand your risk model the best and can best judge if taking that risk is worth it to you. If you need help with your risk model, I have another article on that.

You are probably thinking to yourself, that sounds like a lot of passwords to keep track of, and you would be correct in that thinking. I have several hundred passwords in active use. How do I keep track of all those passwords, you ask? Do I have them all memorized? Absolutely not. I am lucky if I can remember two passwords. I use a password manager to keep track of my passwords.

A password manager is an application that is specifically designed to track passwords securely. Care needs to be taken when choosing a password manager. Many applications out there claim to be password managers and may even operate like one, but in reality are malware designed to harvest all your credentials. Make sure to choose one that fits your needs, is well respected, and is well known to be highly secure. When looking for a password manager, look for the following:

  • Strong data encryption, ideally using at least AES 256-bit level of encryption or stronger
  • Multifactor Authentication (MFA). The best ones offer multiple options to choose from
  • Is the solution monitored for access, data corruption, and operational issues?
  • Can you access the password manager anytime and everywhere you need to?

One example to look at is a product called LastPass from LogMeIn.

I know I promised you details behind my recommendations, so here goes. When you use the same password on multiple sites, all the sites that use that password are compromised if one of those sites is compromised. This can become a massive headache. While maintaining hundreds of passwords is a bit of a pain, it is nowhere near the pain of changing passwords across hundreds of sites when one of those sites has a cyber incident. Also, having data from one site in the hands of cybercriminals is bad enough. Enabling them to access ten sites because they all share the same password is ten times as bad.

Another thing regarding password management that is important is choosing a good password. In the past, there was a lot of talk about the complexity of the password being essential. Passwords needed to have upper case, lower case, a number, and a special character. This ended up with everyone choosing something like Fall2020! as their password. This is a horrible password and can be breached in a fraction of a second. The US National Institute of Standards and Technology (US NIST) even recanted earlier advice on this and has totally changed course in their account management standard.

Recent research shows that length is the most important aspect of a password. Do not think of a password as a single word, instead as a phrase that is at least 15 characters long. I try to make all my passwords at least 20 characters long. Many password managers also have a password generator function that will generate just a random string of characters. This is most secure but impossible to remember. Since I am using a password manager, 99% of my passwords are randomly generated and stored in my manager.

For a more memorable phrase, think of a phrase that no one is likely to guess. Avoid the site or app name and well-known aspects of you or your life. It is a plus if it is not grammatically correct or even does not make sense. Something along the lines of “NittingCowDancesMoon!” would be a good password except for the fact that it is published here as an example. It is strong because of its length, and it also satisfies the complexity rules of sites that are still stuck on the old advice. Feel free to experiment with spacing, punctuation, etc. Sites and applications vary greatly in what they allow in a password. The most secure ones have no restriction, except for not allowing short passwords.
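To make the shift from complexity rules to length and blocklists concrete, here is an added example (my own code, not from the original post): the old 3-of-4 composition check that lets Fall2020! through, a NIST-style check that rejects it on length and predictability while accepting a long passphrase with spaces, and the kind of random generator a password manager uses. The blocklist, the 15-character floor and the season+year pattern are constructed for the example.

```python
"""Added example (not from the original post): a NIST-style password
check, the old composition-rule check it replaces, and a generator of the
kind a password manager uses. Blocklist and thresholds are constructed."""
import math
import re
import secrets
import string

MIN_LENGTH = 15  # the post's floor; the author uses 20 for his own passwords

# Constructed, deliberately small blocklist of predictable building blocks.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty",
                "spring", "summer", "fall", "autumn", "winter"}
# Season + year + optional trailing symbol, e.g. "Fall2020!" or "Summer20".
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^\w\s]?$", re.I)


def passes_legacy_rules(pw: str) -> bool:
    """The old advice: 8+ characters using at least three of the four
    classes upper, lower, digit, symbol (the common 3-of-4 variant).
    'Fall2020!' sails through this check, which is exactly the problem."""
    classes = sum((any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)))
    return len(pw) >= 8 and classes >= 3


def naive_bits(pw: str) -> float:
    """Guess-space estimate the legacy rules implicitly optimise for:
    length * log2(size of the character classes used). It overstates
    the strength of patterned passwords, which is why check_password()
    also looks for the pattern rather than trusting this number."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str, site_name: str = "") -> tuple[bool, list[str]]:
    """NIST-style check: a length floor plus a blocklist of predictable
    content, and no composition rules, so spaces and any characters are
    fine. Returns (accepted, reasons_for_rejection)."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_YEAR.match(pw):
        reasons.append("season+year pattern; on every cracking wordlist")
    for word in sorted(COMMON_WORDS):
        if word in low:
            reasons.append(f"contains common word '{word}'")
    if site_name and site_name.lower() in low:
        reasons.append("contains the site or app name")
    if len(set(pw)) <= 2:
        reasons.append("too repetitive")
    return (not reasons, reasons)


def generate_password(length: int = 20) -> str:
    """Random string from a CSPRNG, as a password manager's generator does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Fall2020!", "NittingCowDancesMoon!", "correct horse battery"):
        ok, why = check_password(candidate, site_name="facebook")
        print(f"{candidate!r}: legacy={passes_legacy_rules(candidate)} "
              f"naive_bits={naive_bits(candidate):.0f} modern={ok} {why}")
    print(generate_password())
```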

That is it for this installment. As always, feel free to reach out if there are questions.

Reading Time: 3 minutes

This article was written with companies in mind; most of this applies to individuals as well. Most security incidents happen due to phishing, and I have a sure-fire way to avoid becoming a phishing victim. Just do not click on links in email or open attachments. Yes, I do realize that this advice is about as useful as telling someone to stop smoking or not eat donuts. It is a lot easier said than done. Also, any suggestion that starts with the word “just” tends to be suspect. Hear me out, though, as I explain how this could be implemented.

This needs to start with a culture of not sending unexpected links or attachments around. There needs to be an internal document repository site, which is automatically a part of everyone’s bookmarks. Rather than attaching a file or sending a link to it, in the email, describe where it can be found on the internal site. Something like “the document can be found under documents -> ProjectX -> design.”

This way, people will fall out of the habit of clicking on links or opening attachments, and it will start to become abnormal and strange to do so. Emails offering free ice cream and the like will continue to be tempting because human beings love games, contests, and most of all, free stuff. If you set up an internal contest about finding malicious emails and notifying the security team, that could satisfy that urge, especially if free ice cream is the reward.

Rather than training folks in deciphering URLs and determining if the link is valid or not, make the training situational.

  • They are signing up for a service that requires providing their email address, and the sign-up process says a confirmation email is being sent, and they need to click on a link in it to confirm the registration. If they get an email within a few minutes that looks like it is from that organization, then clicking on that link carries a relatively low risk.
  • They are on a conference call. Someone on the call says they are sending a document to everyone. They explain what it is all about and why it needs to be sent around rather than posted to the document repository. When an email arrives from that person that matches the description, opening it carries a relatively low risk.
  • If they receive an email with a link or attachment that does not match either of those scenarios, claiming to be from an internal contact or other known contact, they should look up the sender’s contact information in the internal company contact list and call them up or send them a chat message asking what this is about and why they chose to send it in an email rather than post it on the document repository. If they get a satisfactory explanation, the risk of opening it is low. Never reply to the email or use other contact information in the email. If alternative contact information is not available outside of that email, consider the email malicious. If the explanation for the email seems off or sketchy or the sender seems sketchy, the safe move is to consider the email malicious.

Additionally, it would be a good idea to train everyone in the hallmarks of phishing attempts, which include:

  • Trying to scare you
  • Playing on your emotions
  • Playing up extreme urgency

Ensure all internal processes specify that if there is ever a legitimate urgent internal email, it does not contain links and simply directs the recipient to an internal site. All internal announcements should be posted on an internal website as well.

Reading Time: 3 minutes

This post is going to be more applicable to companies than individuals as it is going over how to manage vulnerabilities across all your computer systems. At a super high level, the concept of vulnerability management is pretty simple. It is all about managing your vulnerabilities. When you dive deeper, then questions start to surface. Questions such as:

  • What exactly is a vulnerability?
  • How do I know what my vulnerabilities are?
  • Can I manage something I do not know about?

Some think that vulnerability management is all about having vulnerability scanners such as Tenable Nessus or Qualys and periodically running scans with them. Others believe it involves periodic penetration testing. Not only is this extremely flawed thinking, but it is also potentially dangerous and increases your exposure instead of reducing it. Sure, those things can add value to an already mature vulnerability management program; at best, they are a small addition to an overall program.

The purpose of a good vulnerability management program is to reduce your exposure and make it easier for you to respond when an issue comes up. To answer the questions from above: you cannot manage something you do not know about. To define the word vulnerability, turn to any English dictionary; it will give a good definition applicable here. The second question, how you know what your vulnerabilities are, will require some discussion.

Since you cannot manage what you do not know about, good asset and configuration management is the foundation of a good vulnerability management program. If you can only do one thing, just get your hands around what you have. This, of course, starts with knowing what computers and systems you have where, what IP addresses they have, and who is responsible for them. Knowing how big the hard drive is, how much memory it has, and what sort of NIC it has is not critical to vulnerability management, but it is useful information for other programs. Knowing the MAC addresses could come in handy, though, for this discussion. Once you have the basics covered, it is time to dive deeper. This is often called configuration management, but it is just an extension of asset management. In this stage, you collect details about what is installed on each computer. Here you capture things like:

  • What operating system is installed, what version, and when was it last patched?
  • What applications are installed, what version, and when was it last patched?
  • What frameworks are used by what application?
  • Do any of the frameworks or applications rely on external components or modules?
  • Is any of this managed by someone other than the system owner?

Notice a trend there? For good asset and configuration management, all this and more should be documented in excruciating detail. If done correctly, you should be able to pull up all the systems that have a specific version of dotNet Framework, or a particular version of python, etc. You should also be able to detail the exact specs, all installed applications, frameworks, etc., for a given IP address or hostname. Make sure you capture both, along with any aliases and domain names.
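As an added example (my own code, not from the original post), here is a minimal CMDB of the kind the post describes, built in SQLite so it runs without a database server: assets with IPs, MACs, owners and aliases, the software, frameworks and patch dates on each, and the three queries you need when an advisory lands: every host on a given version of something, everything known about one host looked up by name, alias or IP, and everything not patched since a date together with who to notify. All hostnames, addresses, versions and owners are constructed sample data.

```python
"""Added example (not from the original post): a minimal CMDB in SQLite
with the three queries the post says you should be able to run. Schema,
hostnames, IPs, MACs, owners and versions are all constructed sample data."""
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE asset (
    id       INTEGER PRIMARY KEY,
    hostname TEXT NOT NULL UNIQUE,
    ip       TEXT NOT NULL UNIQUE,
    mac      TEXT,
    owner    TEXT NOT NULL            -- who is responsible for the box
);
CREATE TABLE alias (                  -- aliases and domain names per asset
    asset_id INTEGER NOT NULL REFERENCES asset(id),
    name     TEXT NOT NULL
);
CREATE TABLE software (
    asset_id     INTEGER NOT NULL REFERENCES asset(id),
    kind         TEXT NOT NULL,       -- 'os', 'application' or 'framework'
    name         TEXT NOT NULL,
    version      TEXT NOT NULL,
    last_patched TEXT,                -- ISO date, NULL if never patched
    managed_by   TEXT                 -- NULL when the system owner manages it
);
"""

# Constructed sample inventory.
ASSETS = [
    (1, "web01", "10.0.1.10", "00:11:22:33:44:01", "webteam"),
    (2, "app01", "10.0.1.20", "00:11:22:33:44:02", "appteam"),
    (3, "db01",  "10.0.1.30", "00:11:22:33:44:03", "dbteam"),
]
ALIASES = [(1, "www.example.internal"), (3, "sqlprod")]
SOFTWARE = [
    (1, "os",          "Ubuntu",           "20.04",  "2020-10-01", None),
    (1, "framework",   "python",           "3.8.5",  "2020-09-15", None),
    (1, "application", "nginx",            "1.18.0", "2020-06-01", None),
    (2, "os",          "Windows Server",   "2019",   "2020-10-13", None),
    (2, "framework",   "dotNet Framework", "4.8",    "2020-10-13", None),
    (2, "application", "ProjectX",         "2.1",    None,         "vendor-support"),
    (3, "os",          "Ubuntu",           "18.04",  "2020-08-20", None),
    (3, "framework",   "python",           "3.6.9",  "2020-08-20", None),
    (3, "application", "PostgreSQL",       "12.4",   "2020-08-20", "dbteam-dba"),
]


def build_cmdb() -> sqlite3.Connection:
    """Create the in-memory CMDB and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO alias VALUES (?, ?)", ALIASES)
    conn.executemany("INSERT INTO software VALUES (?, ?, ?, ?, ?, ?)", SOFTWARE)
    conn.commit()
    return conn


def hosts_running(conn, name: str, version: Optional[str] = None) -> list:
    """'Pull up all the systems that have a specific version of X'
    (any version when version is None). This is the first query you
    run when an advisory for X lands."""
    sql = """SELECT a.hostname FROM asset a
             JOIN software s ON s.asset_id = a.id
             WHERE s.name = ? AND (? IS NULL OR s.version = ?)
             ORDER BY a.hostname"""
    return [r["hostname"] for r in conn.execute(sql, (name, version, version))]


def inventory(conn, host_or_ip: str) -> dict:
    """Everything recorded for one asset, found by hostname, alias or IP."""
    row = conn.execute(
        """SELECT a.* FROM asset a LEFT JOIN alias al ON al.asset_id = a.id
           WHERE a.hostname = ? OR a.ip = ? OR al.name = ? LIMIT 1""",
        (host_or_ip, host_or_ip, host_or_ip)).fetchone()
    if row is None:
        return {}
    sw = conn.execute(
        """SELECT kind, name, version, last_patched, managed_by
           FROM software WHERE asset_id = ? ORDER BY kind, name""", (row["id"],))
    return {"hostname": row["hostname"], "ip": row["ip"], "mac": row["mac"],
            "owner": row["owner"], "software": [dict(r) for r in sw]}


def unpatched_since(conn, cutoff: str) -> list:
    """(hostname, software, version, who_to_notify) for everything not
    patched since the ISO date cutoff. The notify column falls back to
    the system owner when nobody else manages that component."""
    sql = """SELECT a.hostname, s.name, s.version,
                    COALESCE(s.managed_by, a.owner) AS notify
             FROM software s JOIN asset a ON a.id = s.asset_id
             WHERE s.last_patched IS NULL OR s.last_patched < ?
             ORDER BY a.hostname, s.name"""
    return [tuple(r) for r in conn.execute(sql, (cutoff,))]


if __name__ == "__main__":
    db = build_cmdb()
    print("python 3.6.9 on:", hosts_running(db, "python", "3.6.9"))
    print("sqlprod is", inventory(db, "sqlprod")["hostname"])
    for row in unpatched_since(db, "2020-09-01"):
        print("needs attention:", row)
```

For a small org this is the "proper database" the post mentions; the same three queries are what a commercial CMDB answers, and the scanner you add later should populate the software table rather than replace it.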

Once you have all this documented, it is time to turn to the process side.

  • How will you stay informed of issues that come up in the industry?
  • Who is going to watch announcements from US-CERT, NIST, NVD, etc.?
  • How will you go about remediating issues as they are discovered? Who will have what role? How will information flow?
  • Publish a statement on your website on how a security researcher can notify you of an issue they notice externally. Then have an internal process for handling these notices, who is responsible for what, etc. This is called the responsible disclosure process.

Now you can say you have a vulnerability management program. Notice how there is no tool involved so far. The only tool you might think about so far is a Configuration Management Database (CMDB). If you are a small enough org, you can do all of this with nothing more than the standard Office suite that you likely already have. If you are a little larger, a proper database will make a world of difference.

Only after you have both solid configuration management and a firm policy and procedure in place should you even think about bringing in a vulnerability scanner. At this point, you can start to look at products like Tenable, Qualys, Tripwire IP360, etc., and find a product that suits your needs. Feel free to reach out if you need advice in this space. Then amend your existing vulnerability program with details around what should get scanned when and who is responsible for what. Make sure you specify who is responsible for making sure scanning happens, who is responsible for disseminating the scanning results, and who is responsible for remediation.

Reading Time: 5 minutes

In this blog post, I want to talk about risk management and the concept of threat modeling. Let’s start with some basic math, then dive into definitions and some examples.

Definition of Risk

Risk is the product of vulnerability and threat: Risk = Vulnerability x Threat. As with all multiplication, to lower the product (risk in this case), you need to reduce the factors (vulnerability and threat in this case). There is no such thing as zero risk because no one is free of vulnerabilities or free of threats. Each of these can approach zero, but they can never be zero. So, risk management aims to get risk as low as possible, not to eliminate it.

Definition of Vulnerability

Now with the math out of the way, let us dive a little deeper.

For a definition of the term vulnerability, we turn to dictionary.com, as the English definition works perfectly here. You could say we are switching from math to English.

Vulnerable adjective

  1. Capable of or susceptible to being wounded or hurt, as by a weapon: a vulnerable part of the body.
  2. Open to moral attack, criticism, temptation, etc.: an argument vulnerable to refutation; He is vulnerable to bribery.
  3. (of a place) open to assault; difficult to defend: a vulnerable bridge.

From this definition, it should be clear why there is no such thing as zero vulnerability.

Definition of Threat

Now let us talk about the concept of threat and threat modeling. From dictionary.com again:

Threat noun

  • an indication or warning of probable trouble: The threat of a storm was in the air.

Threat Model

A threat model is simply a catalog of all the threats that could possibly come up. This is something that can be written down or not. It requires no justification and is very personal and subjective. If you feel something is a threat to you, include it in your catalog. No one else gets a say in what is included in your threat model. A good threat model covers all aspects of someone’s life. It should cover personal aspects, work aspects, and both online and offline threats. A threat model can be done at various levels. You can have a personal threat model, another one for your family, and a third one for a group you are responsible for. When creating a threat model for more than just yourself, it would be appropriate to consult those included in the model. While you may be consulting with others on a threat model for a group, this should be a judgment-free exercise. For more details on threat modeling, check out my book.

Detailed makeup of a threat

Now let us dive into more details about a threat.

A threat has three components or concepts. Any avid crime mystery fans should be very familiar with these: motive, means, and opportunity. When dealing with threat modeling, it is more commonly referred to as capability, intent, and opportunity.

Capability

The term capability refers to having the ability to do something. This ingredient is present in most of the cases involving threats to our physical wellbeing. Most of us possess the physical ability to do unspeakable harm to another living creature. Luckily, most of us are decent human beings who could never even imagine harming another person.

In other words, we lack the hostile intent to harm others. Going back to capability, when it comes to online threats, this element is frequently missing, as it requires a good deal of technical knowledge for someone to be a menace online. So those without technical knowledge lack the capability to be a threat online. Regardless of how much they desire to be a menace, they can never become a real threat online until they gain the required technical skills.

Opportunity

Opportunity is the concept of having access to something. It’s about being in the right place at the right time and with access to the target. In the physical world, this means having access to the person you wish to harm. Personal bodyguards and diplomatic protection details rely heavily on removing opportunity from the equation to keep the person they are protecting safe from harm. They can’t control a person’s intent, nor can they control a person’s capabilities; however, they can manage opportunities. As we discussed, there is no threat without all three components. By controlling public access to the person they are protecting, they limit the opportunity factor, thus limiting the threat and the risk.

Intent

The last element is the concept of intent, sometimes called motive or desire. If people have no ill will towards you and do not wish you harm, they pose no real threat. Returning to physical protection methods, including bodyguards, the concept of security screening deals in this space. Security screening tries to assess if you hold any ill will towards those who are under security protection.

This can be difficult to determine and can change without any notice or warning. We see this when an initially peaceful place suddenly becomes a hotspot of violence. In most cases, the folks involved didn’t suddenly gain new opportunities or obtain new capabilities. Most of the time, something happens that gives a mass of people a newfound desire and motivation to take things into their own hands.

Depending on how these ingredients are mixed, you can have four different types of threats:

  • Opportunity + Capability = Potential Threat
  • Opportunity + Hostile Intent = Insubstantial Threat
  • Hostile Intent + Capability = Impending Threat
  • All Three = Actual Threat

For those more visually inclined, here is a Venn diagram demonstrating this.

This is written in October 2020 while the whole world is dealing with the Covid-19 pandemic and all discussions are around that. So I find it only fitting to use that as another example.

It has been demonstrated that no one is immune to catching Covid-19. How badly it impacts any particular person or for how long seems to vary widely. Everyone is thus vulnerable to Covid-19, but to a varying degree.

At the time of this writing, seven months into this pandemic, there is no cure available. Doctors appear to have gotten better at managing symptoms and increasing survivability, but there is no cure. All we can do is take precautions; this is called implementing compensating controls in the cybersecurity world.

You could completely avoid all human contact, move to a farm in the middle of nowhere, and not have another soul for miles. Just like not connecting a computer to the internet to avoid viruses, this is not a feasible approach for most. Scientists tell us that as long as we avoid being in close proximity to people we don’t know for extended periods, we have minimal risk of getting infected. They define close proximity as less than 6 feet or 2 meters and an extended period as 15 min or more. They also advise that wearing a face mask covering both nose and mouth reduces the risk even further, especially when everyone is wearing a mask. So wearing a mask, maintaining distance, and limiting interaction with people you don’t know are reasonable precautions, or compensating controls in geek-speak.

This means skipping going dancing, hanging out in bars, going to the theater, and other places where people congregate for long periods and possibly even extremely close proximity.

Where some people may trip up with this precaution is how they define what they consider known people. Just because you’ve worked with them for ten years or they are a close cousin of yours doesn’t mean you can treat them as “known people” in this context.

Knowing their favorite food, their favorite movies, how they like to dress, and their favorite restaurant might be considered knowing someone well in normal times, but this is useless information in the time of Covid-19.

What do you know about their threat and risk handling? What precautions are they taking? If they aren’t taking any precautions, they could pose a significant threat to you. A family member that is going to all the hot spots, going clubbing on weekends, etc., can pose a significant risk to you despite you knowing them very well, and it might be wise for you to keep your distance from them. On the other hand, with someone you barely know but who you know for a fact is taking all the same precautions as you or more, it would be reasonable to lower your guard a little.

Reading Time: 4 minutes

Today I want to talk about online privacy concerns. When it comes to online privacy, I tend to take a slightly different road than many of my cybersecurity colleagues. Many in my industry tend to preach that you should never ever under any circumstances share anything personal online. I understand where they are coming from and respect their perspective; however, I do things a little differently.

Just like in real life (IRL), privacy is not one-size-fits-all. Some like to live out in the country with not another soul for miles. Others want to live in large cities where you can’t even turn around without hitting another person. Some like to dress very conservatively and show as little skin as possible, always keep their curtains drawn, etc. Others like to test the boundaries of public decency laws both in the way they dress as well as their choice in curtains and stuff. To me, I say to each their own.

Similarly, online privacy isn’t one-size-fits-all, so instead of being prescriptive, I like to talk about risks and dangers and then let people make their own decisions.

The most significant danger about oversharing online is it significantly increases your risk of becoming a victim of identity theft. It also gives scammers material they can use to come across as if they know you when trying to scam you. Additionally, if you are sharing a lot about your daily schedule to a point where everyone knows exactly where you are going to be, how long, etc., that could lead to physical attacks against you.

The extent of these risks depends on your threat model (see other blog posts and my book for more details on this).

One way to mitigate these risks is never to share anything online. This does not work for me as I’m an open person and over-sharer. I like who I am, and I do not let the world change me. So instead, I take other precautions. For example, I subscribe to an identity monitoring service to detect if someone uses my information to misuse my identity. I know what information about me is available online, and I am skeptical about anyone trying to use that information to get close to me. I avoid sharing any deeply personal info such as names of friends or family, my SSN, phone number, address, etc. When I’m sharing things about me, I obfuscate location details and names of other participants. This is both for my security as well as to protect other people’s privacy.

One key aspect that I think all cybersecurity professionals agree on is that it is each person’s right to control their privacy, what is disclosed to whom, etc. Consent is the key here. Never take pictures of people without their consent and never name them in anything without their consent.

One thing that is often overlooked when it comes to security is that there are very few things online that are actually private. Basically, there are two ways to ensure something is private. The first is to never put it online in any form: don’t put it in cloud storage, don’t talk about it in chat applications, and, most of all, don’t put it on social media. The second method to ensure privacy is to encrypt it. In my book, and in this blog, I give a layman’s explanation of what encryption is and how it works. It is worth mentioning that an encrypted connection protects the data while it travels; it does not mean the stored content itself is encrypted. Again, check out my book for more details on that distinction.

Anything that is in electronic form and not encrypted in a way that ensures that you are the only one able to read it can be compromised and made public. Now, as with everything else, there are varying levels of risk, and various levels of “does it really matter.” This again depends on your threat model. For example, anything in Gmail or Google Drive can probably be read by someone with access to those platforms from within Google. The same goes for Outlook Online and OneDrive from Microsoft.

Now just because they can does not mean they do or that they will. Assuming they can’t does seem rather foolish, though. If your threat model requires absolute assurances that not even the platform owner can read your email, you need to use ProtonMail, a mail provider in Switzerland that fully encrypts all emails so that you need a password only you have to decrypt them. Before you sign up with them, please read my book errata blog entry on issues that caused me to stop using them. They are working on a fully encrypted cloud storage offering scheduled for public release later in 2020.

Most, if not all, social platforms have a feature they call either private messaging (PM) or direct messaging (DM). I feel the term direct messaging is more honest because that feature allows for direct messaging between two people, but they are not private in the strictest sense of the word. Anyone with access to the backend for those platforms can read those DMs. For truly private conversation you need a dedicated chat application guaranteeing end-to-end encryption, such as Signal or Viber.

Just remember that just because something isn’t blatantly public doesn’t mean it is private. On the topic of social media, I want to remind the reader of the old adage, “there is no such thing as a free lunch.” What I mean by that is that any application or service you don’t pay for with money, you pay for with your privacy. When you look at companies like Twitter or Facebook that have a large staff and are reasonably profitable, where does that money come from? The answer is that they get paid large sums of money to target advertisements specifically to those who are more likely to purchase. This is done by analyzing what you post, what you share, what you like, and possibly even your DMs, and coming up with a formula describing your likes and dislikes. In other cases, companies are selling all the data they have on you so other companies can aggregate it and create your marketing profile. In summary, there is no such thing as a free app. You either pay with money or with your privacy.

One final thought to leave you with is the idea that anything you post on social media, a blog, etc., never goes away, even if you delete it. You never know who might have saved it before you removed it. If that is difficult to grasp, you should check out the Wayback Machine at https://archive.org/

Reading Time: 6 minutes

In this installment, we’re going to look at different ways you could be separated from your money, which you may later regret. Let’s call these all scams or fraud, even though some don’t meet the legal or the conventional definition of those terms.

Before I start, I want to mention that to many, these may be obvious, but they aren’t apparent to everyone as many folks fall for these scams.

General Scams

The first type I’m going to dive into is phone scams, particularly impersonation scams. With these, someone will call you claiming to be a government official. They could claim to be law enforcement, IRS, or Social Security Administration (SSA). 

Here are some facts to keep in mind when dealing with these scam artists:

  • Your social security number (SSN) is never canceled, blocked, or frozen. The SSA does not have the ability to do anything of the sort, so even if there was some sort of major issue, they literally couldn’t do any such thing. If there were a major issue with your SSN, they would write you a letter sent through the postal service, not call.
  • Police will never call to demand payment for unpaid fines or anything like that. If some pending payments warranted an arrest, they wouldn’t call to warn you or get you to pay over the phone. They would send a uniformed officer to visit you and escort you to the station or the courthouse where you might get a chance to square your issue.
  • Anyone calling and demanding payments in gift cards is a criminal.
  • Any unexpected call from Microsoft, Apple, Google, Adobe, etc., claiming to inform you of a problem with your computer and offering to fix it comes from a criminal.

In all these cases, the course of action is simple: hang up on them. If you wanted to toy with them or unload a few well-chosen, possibly even harsh, words, no one could blame you. I do not recommend that, though; I suggest you simply hang up without saying a word.

Also, be wary of giving out any information at all to anyone you don’t know who calls you. The person who initiates the call should bear the responsibility of identifying themselves. I wouldn’t even give them my name before I have their name and know why they called. If they want to provide you with information, that’s fine, but I don’t tell them anything without absolute certainty that they are who they claim to be.

The best approach is to say to them that you’ll call them back through the company’s main number. Then find the main number online or through directory assistance; ignore any number they may give you. 

If a Nigerian prince, wealthy businessman, or long-lost relative contacts you and asks you to stash their billions in your bank account for a few months in exchange for a cut of the fortune, don’t do it. Best case scenario, you’ll be an accomplice to money laundering, which is a severe crime in most countries. More likely, the criminal running the scam uses this ruse to get your bank details so they can clean it out for you. 

If you get a call or email saying you won the lottery or some sort of sweepstakes, but you have to pay taxes and fees before you can claim your winnings, it is a scam. Any taxes or fees are always taken out of your winnings, never paid upfront. If you have never heard of this lotto or sweepstakes, that should be your first clue. Entering the sweepstakes or buying a lotto ticket is the first and critical requirement for winning. If it is something you believe you did enter or buy a ticket for, hang up and call the organization you registered with to validate your winnings and claim your prize.

Romance Scams

These types of scams prey on lonely people desperate for companionship. They start by reaching out via social media, claiming to want to become friends. They often rely heavily on stereotypes when selecting their personas and will use pictures that match those personas. For example, if they target someone they believe is a heterosexual male, they will present themselves as an attractive twenty-something woman. This sometimes backfires, as a fair number of men have no interest in women half their age. I suppose it works enough times to make it worth it for them. After they’ve chatted you up for a while, they will confess some financial hardship and ask you to help. They talk big about talking on the phone or meeting in person at some future point, but that time never comes. It is always only in text, and there is always a story as to why they can’t talk to you on the phone until next week or month. They tend to get very personal very quickly and sometimes ask questions that could be used to steal your identity.

If you are lonely enough to be tempted by these types of scams, reach out to us, and we’ll help you find more constructive and fruitful ways to fix your situation, free of charge and without any financial hardship stories on our end.

Scareware

This type of scam tries to scare or embarrass you into paying a ransom. The general premise is that they’ll claim they hacked your computer and found evidence of something they feel you might be embarrassed about, such as visiting an adult entertainment site. They claim they downloaded all your contacts, and if you don’t pay up, they’ll send said evidence to all of them. This is usually conducted over email, and they do their best to sound very technical. I see a lot of these, and every single one is complete nonsense. In my book, I take one example and break it down to debunk each claim they make. I recommend treating this as general spam and deleting it.

Borderline scams

Now let’s dive into situations where calling them scams might be disputed. There is often a very fine line between effective marketing and scams or fraud; they use the same tactics. It basically comes down to how truthful the marketing is and whether you believe you got what you paid for. This is naturally very subjective. If you have buyer’s remorse and do not have the option to reverse the transaction, you end up feeling defrauded. If you feel cheated, then from your perspective the deal was a fraud, which is why I include it here.

Many marketing campaigns, both in sales and in fundraising, employ emotional manipulation. Sales marketing likes to use the principle of scarcity to manipulate you into making a purchase. They will try to convince you that something is about to sell out and that you need to jump now to make sure you can get yours. They often rely on something called FOMO, or fear of missing out, also known as “keeping up with the Joneses” or “the rat race.” They try to make you feel inferior if you don’t have the latest whatever: you can’t be seen around town without it, and if you don’t have it, you will be made fun of in your social circles. FOMO can be very self-fulfilling; those who are deep into FOMO will often ostracize those they feel don’t have all the latest whatchamacallit and thus create FOMO in others.

The advice here is simple: ask yourself whether you actually need it and what will happen if you wait and the item sells out. If it does sell out and never comes back in stock, that is a sign it was not a viable product, and you would likely have been unhappy with it. If it is a product that sells so fast that it goes out of stock, it will be back in stock soon. No product owner will let a viable product be unavailable for very long. In every case, the product owner has far more to lose from having the product go out of stock for even an hour than the consumer ever does. The only reason to mention scarcity in a marketing campaign is to emotionally manipulate people and create a demand that isn’t there.

Another form this might take is what I call fake sales. They claim to offer something to you at a steep discount, say 60-80% or even 95% off, when in reality their sale price is the same as or higher than comparable products elsewhere. Typically, those who use this scheme are offering a product of inferior quality. I’ve fallen for this tactic many times and never received a quality product for less than the usual retail price. A spin on this is when they claim they are giving away the product and you just have to pay shipping and handling. Then you come to find out the shipping and handling cost is more than the regular retail price elsewhere.

I am always extremely wary of product marketers who feel they need to resort to these sorts of tactics.

Yet another spin is what I’d call the congratulatory tactic. This is where you get an email along the lines of “Congratulations, you now qualify (or have been granted access) to buy our product.” I’m always like, “what sort of privileged elitist crap is this where I have to qualify to give you my money?” I suppose this is a spin on FOMO. On principle, I always ignore those emails, as I am actively against elitism and privilege.

In fundraising marketing, they tend to be even sneakier. They try to pretend that there is a personal connection, that if only you gave x dollars, the issue or campaign would be saved. If you don’t, the cause is lost, and it is all on you. They will try to manipulate your helpfulness and ask you to just do them this one favor. The thing to keep in mind here is that you never owe anyone anything you haven’t previously promised. This means that you owe some random person or entity on the internet absolutely nothing. If there is a cause you want to donate time, goods, or money to, by all means do that. However, do not under any circumstances let them manipulate you into over-committing.