Before we dive into the world of online security, let’s start with some definitions.
- Threat Actor: A criminal that is a threat to either a specific person or a group of people. This is a catch-all term for online criminals.
- Hacker: Someone that attempts to use things for purposes they were not intended for. The media likes to use this term interchangeably with a threat actor, which I disagree with. I believe this term is much broader than that. In the original definition of this word, there was no criminal intent involved.
- Snake Oil Salesman: According to Wikipedia, this refers to deceptive or fraudulent salespeople.
- Next-Gen and Military Grade: These are meaningless buzzwords used by snake oil salesmen
- Fear, Uncertainty, and Doubt (FUD): This is a generic term covering anything or anyone inciting fear. They spread doubt and uncertainty that only spread fear.
Online Security basics
The first thing we need to realize when start talking online security and safety is that security is hard and an inconvenient pain in the butt. It is not possible to achieve 100% online security, and there are convenience trade-offs that have to be made. I talk about these trade-offs in my book. The trade-offs basically come down to a choice between being inconvenienced or being a victim. There are certain things you do so that you don’t get caught in a broad net campaign. If you are targeted by a threat actor that is both advanced and persistent, it is only a matter of time before they breach your security. Regardless of how good your security is, an advanced persistent threat actor (APT) will breach it.
Think spearfishing vs. fishing with a net or a fishing pole. If you are a fish swimming in a lake and you are paying attention, you can avoid getting caught in a net, or biting that lure on that fishing line. It is, however, very little you can do to prevent having a spear skewer you.
Another analogy for the sports fans out there. If you are playing defense, you have to fend off all offenses. If you are playing offense, only one offensive player needs to get through the defense for the whole team to be successful.
Put another way, an attacker only has to be lucky once, defenders have to be lucky every time.
This is why it is not feasible to have 100% online security. Anyone that tells you otherwise either doesn’t understand security or is a snake oil salesperson (or both). There are several companies out there claiming to sell a comprehensive solution to protect your security. Claiming that once you buy their product, you will be safe online. They may throw buzzwords like “military-grade,” “machine learning,” and “next-generation” in an attempt to impress you. These are meaningless phrases. The salespeople from these companies are merely selling you a bill of goods. The fact is that these solutions are effective anywhere between 5-35% of the time, which in my opinion, is not very effective.
Now while no security solution will make you bulletproof, it is still essential to have a good virus and malware blocking solution installed. The good news is that Windows 10 has a great one already built-in, so there is nothing else to purchase. Your defense will mostly come from your behavior online, which I will go into in future posts and is covered in-depth in my book. Here is a quick hint, every day is April 1.
You may be asking, “but I’m nobody, why should I bother with security?” As I explain in my book, everyone is at risk of becoming a victim of a cybersecurity incident. Everyone has something to lose. You may not care if criminals read your email, but what about using your email account to engage in criminal activity? Or using your email account to send your contacts malware? Threat modeling is something I cover in my book and goes deeper into this topic. As you build out your threat model, you gain a better understanding of what you have to lose and what security trade-off makes sense to you. One thing I feel several security professionals miss is that threat modeling is an individual thing. It is not appropriate for everyone to adopt the security posture of an intelligence agent. Anyone that preaches security as a one size fits all does not understand threat modeling and therefore probably doesn’t understand security. What is more, not only is a security plan an individual thing, it is perfectly acceptable, maybe even desirable, for one person to have multiple security plans. My book goes into a lot more detail here.
FUD and fear-mongering
Another thing to be aware of is all the FUD that is out there. It is hard to say whether those spreading FUD are well-intentioned but misguided, or they have malicious intent. My guess is there is little of both.
There are a lot of people online with opinions that get spread as if they are facts. It is very critical in today’s world to be able to separate facts from opinions. Having a following does not make them an expert. Before you take anything as a fact, or even expert advice, analyze the author’s credentials.
I’ve seen a lot of blogs and news about how insecure a particular product is, insinuating that these flaws make the product unusable. When I read their description of what the problem is, it usually comes down to what I might call sub-optimal configuration. What I mean by that is that the user did not leverage all the security features of the product, either intentionally or because they didn’t know better. To me, this is a classic case of FUD. Best case, the article author misconstrued the user’s scenario or use case. Worst case, some user education might be needed. I disagree that a product that defaults to less than secure configuration is an insecure product as long as it can be configured to be more secure.
Another case of frequent FUD is hyping up a use case that is outside most users’ threat models. An example here is when someone writes that because a product does not offer a feature, they think the product has to offer, so it is unsuitable for everyone. Just because the product does not meet the author’s requirement doesn’t mean it is unsuitable for practically everyone else.
There were a lot of articles lately about security issues in Zoom video conferencing solutions, which I found to be complete FUD. Specifically, when it came to the level of encryption, they did or did not offer. Yes, there are specific use cases and specific threat models where this was an issue. In my opinion, for more than 90% of the Zoom users, whether the level of encryption being discussed was offered or not made absolutely no difference.
BTW if you want to understand what encryption is and how it works, there is a chapter in my book that breaks that down using everyday language.
Most of the articles piling on Zoom for being insecure were about default meeting configuration. The default configuration did not prevent people from being jerks and joining random Zoom meetings for the sole purpose of being disruptive jerks. New users did not know this or understood how to turn on the features to prevent this. Zoom opted for convenience over security and paid a considerable PR price for it. So they fixed it by making high security the default configuration.
That is all for this installment, be on the lookout for future installments on specific online security topics.