At TED2009, military analyst P.W. Singer spoke about how drones are changing warfare. It was fascinating — and sobering. This month, Singer directs our attention to a different way technology can intersect with malice in his new book, Cybersecurity and Cyberwar: What Everyone Needs to Know, co-authored by Allan Friedman. Below, an excerpt that asks: What can we do to make the whole system safer?
Mark Burnett is a security consultant who has spent decades examining how to harden computer systems against attack. In one study titled “Perfect Passwords,” he accumulated and analyzed more than two million user passwords (assembled everywhere from hacker list dumps to Google). The most common, unfortunately, showed how far we have to go in our personal approach to cybersecurity. Yes, the most popular password used to protect our computers was “password.” The second most popular? “123456.”
The issues of responsibility in cybersecurity are, in many ways, much like other issues of public and private safety. The government has a role in providing standards and enforcing regulation, and the industry has a responsibility to meet them, but the chain of responsibility does not stop there. The individual citizen must also play their part. Take the example of seat belts. The government created a requirement that all cars have them; many car companies, in fact, go even further and try to separate themselves from competitors with their greater safety features. But, at the end of the day, the individual still has to buckle up.
When it comes to cybersecurity, most people are not being targeted by APTs, Stuxnet, or other high-end threats. We are, however, part of an ecosystem where we have responsibilities both to ourselves and to the broader community. As one cybersecurity expert put it, “Most of us are not dealing with serious national security type issues, but our failure to show good sense can create a lot of noise that bad guys can hide in.” Indeed, even if there are bad guys directly after us, there are still simple measures that can be taken. The Australian Defence Signals Directorate (equivalent of the US National Security Agency) found in one study that just a few key actions — “whitelisting” (i.e., allowing only authorized software to run on a computer or network), very rapid patching of applications and of operating system vulnerabilities, and restricting the number of people with administrator access to a system — would prevent 85 percent of targeted intrusions from succeeding.
The biggest change we can make at the individual level, though, is to change our attitude toward security. The Internet is certainly not the scary, awful place it is often painted by too many cybersecurity reports. But nor is it an innocuous realm. Indeed, one study found that roughly two-thirds of cybercrime victims were simply unaware of the risks in the realm. As the cartoon character Pogo would put it, “We have met the enemy, and he is us.”
A shift in attitude is important not just in our own personal roles but also in the roles we play inside any organizations we belong to, especially when in leadership positions. Steven Bucci, senior research fellow at the Heritage Foundation, illustrates this point with a story of a US Air Force base commander in the 2000s (a period before the military took cybersecurity seriously). The commander forced his IT people to give him a one-digit password for his classified system. He told them he was “too important” to be slowed down by having to type multiple digits. “In five minutes after that happened, everybody on the base knew two things: one, their boss was a complete idiot. Two, that security wasn’t important.”
Accepting that there are risks and threats doesn’t mean there is nothing that we can do. Rather, it emphasizes the second fundamental attitude change, recognizing the need to educate ourselves and then protect ourselves. In many ways, this education is requisite for the twenty-first century and should be taking place within the schools (we teach kids everything from basic hygiene to driver’s education, so why not also cyber hygiene to protect themselves?). As technologist Ben Hammersley has written, the general state of cyber education is “shameful,” from the primary school level on up, and helps explain some of the ignorance displayed even at the highest levels of media and government. “How many policy debates have you heard, from security to copyright reform, that have been predicated on technical ignorance? This is a threat to national prosperity itself far more severe than any terrorist organization could ever be. It remains, in too many circles, a matter of pride not to be able to program the video recorder. That’s pathetic.”
In the absence of formal education, it is incumbent on all of us to learn the basics and act appropriately. And, just as in other areas, this responsibility is both a personal one and a parental one. If your children are online (and they are!), they too need to know how to act appropriately, recognize risks, and protect themselves. Imparting an ethic of stewardship (that this is their way not only to look after themselves, but also to help keep the Internet safe for others) is a better strategy than trying to convince them through fear factors.
What follows is certainly not the exhaustive list of all that you can do to better your cybersecurity but simply some of the key steps — from entry to equipment to behavior — that any smart and responsible user should be thinking about. Or, as one retired army officer responded when asked what was the most important thing people could do for cybersecurity, “Stop being so damned stupid on computers.”
Access and Passwords: Update passwords regularly and always use “strong” passwords that are both lengthy and mix numbers, letters, and signs. Never use common words and phrases.
As Wired magazine explained of the problem of using passwords like “12345” or “password,” “If you use a dumb password like that, getting into your account is trivial. Free software tools with names like Cain and Abel or John the Ripper automate password-cracking to such an extent that, very literally, any idiot can do it. All you need is an Internet connection and a list of common passwords — which, not coincidentally, are readily available online, often in database-friendly formats.”
Don’t share these passwords and don’t use the same passwords repeatedly across your various accounts (as then a hacker can “daisy chain” to connect across all your online personas). One study of hacked websites found that 49 percent of people had reused usernames and passwords between hacked sites. This is also why many organizations require you to change your password regularly. It not only minimizes risk, in case your password was already compromised, but it minimizes the likelihood that an irresponsible user has used his work password to, say, buy shoes, and now that password is compromised.
At the very least, your e-mail passwords should be strong and unique, since many web applications allow you to reset account details by e-mail. You may also want to consider a “password manager.” This application generates random, secure passwords for all the sites you need and enters them automatically. Modern password managers work across platforms and devices, so you only have to remember one password, the one for the tool itself — just make sure that’s a good one!
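To make the password advice above concrete, here is a short Python check, added as an illustration and not taken from Singer and Friedman’s book. It does three things the text asks of a careful user: it rejects passwords that appear on a common-password list (after undoing the “P@ssw0rd” style substitutions that cracking tools try automatically), it estimates how much guessing work a password represents, and it finds passwords reused across accounts. The common-password list, the vault, and the thresholds of 12 characters and 60 bits are constructed for the example; a real list of the kind Burnett compiled runs to millions of entries.

```python
import math
import secrets
import string

# Constructed stand-in for a leaked-password list. Real lists of the kind
# Burnett analysed run to millions of entries; the logic is the same.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "monkey", "dragon", "football", "abc123",
}

# Cosmetic substitutions that cracking tools undo automatically,
# so "P@ssw0rd" must be judged as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})

MIN_LENGTH = 12   # policy thresholds chosen for this example
MIN_BITS = 60


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET)


def estimate_bits(password: str) -> float:
    """Rough upper bound on guessing entropy: length * log2(character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def assess(password: str) -> list:
    """Return the problems found ('common', 'short', 'weak'); empty means acceptable."""
    problems = []
    if {password.lower(), normalise(password)} & COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("short")
    if estimate_bits(password) < MIN_BITS:
        problems.append("weak")
    return problems


def find_reuse(vault: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


def generate_password(length: int = 20) -> str:
    """What a password manager does: draw from a CSPRNG, never from memory."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1!", "123456", "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw) or 'ok'}")
    # Constructed vault illustrating cross-site reuse
    vault = {"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "shop": "hunter2"}
    print("reused:", find_reuse(vault))
    print("generated:", generate_password())
```

The entropy figure is an upper bound: it assumes every character was chosen at random, which is exactly what a human-chosen password is not, so the common-list check matters more than the bit count. A long passphrase of ordinary words passes because its length dominates, while “P@ssw0rd1!” fails despite mixing every character class.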
Given how many accounts also allow you to reset a password by answering some personal question, never use any personal information that could be found online to answer these questions. You may think that no one could guess your mother’s maiden name or your first grade teacher, but often that is findable with a quick web search of you and your friends and family’s social media accounts. So-called “socialing” was responsible for 37 percent of the total data stolen in one government study of cybercrime. Indeed, it was through public information that a rather unethical teenager was able to gain access to Sarah Palin’s personal Yahoo! e-mail account. Many suggest using counterintuitive information to confuse a system. What’s your mother’s maiden name? Answer your first pet’s name.
Even after following all this advice, passwords still only offer a single line of defense, vulnerable to a compromised server or a brute-force guessing attack. There is a growing effort to protect more valuable information and accounts with what is known as “multi-factor authentication.”
Multi-factor authentication operates under the idea that entry doesn’t just have to be allowed because of something the user knows, like a password. Their identity can also be verified by something the user has (like a smart card), where the user is, and/or something the user is, such as a biometric characteristic like fingerprints. This seems an onerous requirement, but has actually become the way that banks control access to automated teller machines (ATMs). The bank card is the physical object the customer has, while the code is the second verifying information that the customer knows. Similarly, many e-mail programs like Gmail can restrict access to computers in certain physical locations or require secondary codes pushed out to users’ mobile phones. The security here comes from multiple channels — even if your computer has been compromised, if your cell phone hasn’t, then a text message serves as a second layer of security.
None of these are perfect. Even one of the top multi-factor defenses used by the Pentagon was cracked when hackers broke into the company that manufactured the physical tokens that provided users a random, algorithmically determined secondary password. But that doesn’t mean the effort is not worthwhile. The goal is to shift the password from being the first and last line of defense into part of a multi-layered series of hoops and hurdles far more difficult for a hacker to go through.
Systems and Equipment: Cyberthreats are constantly evolving, but the reality is that many breaches do not happen through new zero-days. The Conficker worm, one of the most successful pieces of malware in history, for example, spread to several million computers through a vulnerability in Windows that was widely known and for which patches were available online. Such threats are easily defeated by simply keeping operating systems, browsers, and other critical software constantly up to date. The fact that security updates and patches are freely available from major companies makes it all the easier.
Many of the more targeted cyberthreats utilize wireless access to gain entry, sometimes from within the same building, other times from nearby parking lots, or via crowds, and so on. Restricting unwarranted access is useful, but can only go so far. Indeed, some of the sneakier threats have even utilized remotely operated helicopters to get inside buildings to tap their wireless networks. For this reason, it’s also important to secure your wireless network with the best available protection, including encrypting the traffic from your device to the router. Note that many popular wireless encryption schemes have been broken, so be sure to use the most recent. If you are using an unencrypted wireless network in a public place, be careful what you’re doing. Any activity that isn’t encrypted through SSL (the little lock icon in your browser) is easily intercepted by anyone nearby, with free and easy-to-use software.
Finally, given the likely threats, it is important to back up any valuable information, whether it’s your financial statements or those cute pictures of your toddler girl blowing bubbles. This should be done on an external network, and ideally also on a physical hard drive set aside just for that kind of important information.
A good rule is that if you can’t bear to lose it, then prepare to lose it.
Behavior: Most threats enter through some kind of vulnerability created by the users themselves. Like the three little pigs, don’t open the door before checking. If your system has an option to automatically download attachments, turn it off and instead always use the highest privacy and security settings to limit the exposure of your systems. Never open links that come from users you don’t know or who seem fishy (such as varying in spelling or domain), nor should you open attachments unless you can verify the source. And, just like with candy, never accept hardware from untrusted sources.
Wherever you can, operate in a mentality based on the multi-factor authentication. If you receive a message asking you to send important or personal information, verify the sender through other means, including that antique technique of picking up the phone and calling your mom to know exactly why she wants your bank account number. Even if the e-mail is not from her, she’ll be glad you called, and you’ll save yourself a lot of trouble.
This is even more important as mobile devices become more and more common. Links sent via texts are just as likely a threat as those in an e-mail. Even if you think you know the sender, it is not a good idea to click on unknown links. Similarly, apps should only be downloaded from trusted marketplaces. Social media further compounds this threat, where we have become accustomed to shortened link services such as tinyurl.com. As we were preparing the final version of this manuscript, someone we didn’t know commented on a Twitter exchange between the two of us, trying to steer us to a shortened link. Using a URL unshortener that checks the redirect for us, we discovered that the participant in our discussion was keen to share with us a very long string of obfuscated (almost certainly malicious) code. Common sense would also have worked: this Twitter account had zero followers and was not following anyone, but was sharing links with several other high-profile Twitter users with abandon. Bottom line, the best behavior is not to be afraid, but rather wary.
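The “URL unshortener that checks the redirect for us” works by asking each server where it wants to send you without actually going there. Here is that technique in Python, added as an illustration and not the tool the authors used: it requests only the headers of each hop, never follows a redirect automatically, caps the number of hops, detects loops, and stops if a redirect points at something a browser would execute rather than visit (a `javascript:` or `data:` target, the kind of place a string of obfuscated code turns up). The `short.example` and `track.example` hosts and the `FAKE_WEB` table are constructed so the example runs offline; `http_head` is the live fetcher you would pass instead.

```python
import http.client
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Targets a browser would execute rather than merely visit
SUSPICIOUS_SCHEMES = {"javascript", "data", "vbscript"}
MAX_HOPS = 10


def http_head(url: str) -> Tuple[int, Optional[str]]:
    """Fetch one URL's headers only, without following the redirect ourselves."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, fetch: Callable = http_head, max_hops: int = MAX_HOPS) -> Tuple[List[str], str]:
    """Walk the redirect chain one hop at a time. Returns (chain, verdict)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)   # relative Location headers are allowed
        chain.append(nxt)
        if urlsplit(nxt).scheme.lower() in SUSPICIOUS_SCHEMES:
            return chain, "suspicious"
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


# Constructed stand-in for the network so the example runs offline.
FAKE_WEB = {
    "https://short.example/abc": (301, "https://track.example/go?id=1"),
    "https://track.example/go?id=1": (302, "/landing"),
    "https://track.example/landing": (200, None),
    "https://short.example/loop1": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop1"),
    "https://short.example/bad": (302, "javascript:/* placeholder for obfuscated script */"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Look the URL up in the constructed table instead of touching the network."""
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for u in ("https://short.example/abc", "https://short.example/loop1", "https://short.example/bad"):
        chain, verdict = expand(u, fake_fetch)
        print(verdict, " -> ".join(chain))
```

The full chain is worth showing to the user, not just the final address: a shortener that bounces through a tracking host before landing somewhere innocuous is itself a signal, and a chain that never ends, or ends at a script rather than a page, is the case where the authors’ instinct to stay wary rather than afraid pays off.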
Just as wearing your seat belt doesn’t mean you’ll not be hurt when you enter a car, such steps are no guarantee to cybersecurity. They are, however, recognition that we can all contribute to the solution while better protecting ourselves and the Internet as a whole.
Curious to read more? Check out P.W. Singer’s Cybersecurity and Cyberwar: What Everyone Needs to Know, which Eric Schmidt of Google calls an “essential read.”