Read an Excerpt

CHAPTER 1

THE NEW WORLD ORDER

Do you spend more money on coffee and treats at Starbucks than you do on cybersecurity? In the grand scheme of things, which one is more important? When it comes to your and your family's cybersecurity, do you opt for a skinny latte or a double shot of espresso?

In a world that is changing at a pace never before seen in our history, astonishing advances in technology play out before our eyes. With the advent of personal electronics, I often wonder, how did we ever survive without cell phones, tablets, and computers? How did we occupy our days, nights, and weekends?

My teenagers spend most of their time in front of a device, communicating with their friends. And hell hath no fury like a teenager grounded from cell phone privileges. When you take away electronic devices from teenagers or children, it is as if you are taking away their identity and, in fact, their very existence. Today's kids have no idea what to do, or in a scarier sense, how to operate without their electronics.

Whether we realize it or not, and most often kids do not, these devices have us living in a fully connected world in which almost every action we take leaves behind a digital fingerprint. It is easy for us to focus on all the new and enhanced functionality in our inter-connected world, but we also need to consider the new dangers that accompany the technological advances.

Behind every email, every website, every packet that your computer receives, lurks the possibility of a malicious code with the potential to rock your world. Embarrassment, legal implications, financial loss, and even your identity are at stake. There is a new world order, and if you are not prepared, you can wind up on the short end of the stick, the victim of cyber criminal activity.

Organizations in Russia, China, and other locations work 24/7/365 to steal and exploit your digital information. The only question you have to ask: do you want to be a target? If you are not actively addressing online security, your default answer to that question is YES.

Most of us have done little to protect ourselves in a digital world. From experience, I can tell you that the cyber adversary plays a very effective offense. If you're not prepared to respond — or even better — to counter with a comparable effective defense, you are going to lose, and the losses can be significant. This book will teach you the tips and tricks of a vigorous cyber defense.

PERCEPTION OF SECURITY

When I meet people at parties or airports, and they ask what I do, I tell them that I work in cybersecurity. Many people exclaim that it must be the coolest job. But people's responses have not always been so positive. Fifteen years ago, that same career conversation garnered me some weird looks, like I was the smelly kid on the school bus.

Old-school thinking was that cybersecurity existed only for governments with classified information and for large companies with proprietary secrets to protect. Today, everyone — every single individual of any age — needs cybersecurity, and I consider myself blessed to work in an industry that is helping to make the world a safer place.

If you are not convinced that everyone needs cybersecurity, please turn on the television or pick up a newspaper and read the most recent — and the ongoing — reports about cybersecurity breaches. No company or government is immune to today's cyber adversaries; it seems that every aspect of commerce or communication, government or global entity can be compromised. And, are you ready for the scariest information of all? Most breaches pass undetected or unreported, so what you see or read about reflects only a small piece of the problem.

Those of us who work in cybersecurity call this perception the "iceberg effect." What you can see of an iceberg above the waterline represents a small percentage of the overall problem because most of an iceberg hides underwater, invisible and dangerous. The state of cybersecurity looks bad, but like the looming iceberg, the problem is a lot worse than most people realize.

Despite more than twenty years of rapid technological change, the average person only recently began recognizing cybersecurity as a problem to be addressed. The dangers in online interactions have always existed, but the problems are just now unfolding as an epidemic. No matter your age, background, or location in the world, if you use electronic devices, you must be vigilant about cybersecurity, and this book is written for you.

FALSE PERCEPTIONS MAKE YOU A TARGET

Leaked photos from a celebrity smartphone. A presidential candidate's leaked emails. Embarrassing voicemail messages left by a future king. Only celebrities get hacked, right?

WRONG.

Just like celebrities, you own a bank account, carry a credit card, and fill out online shopping forms — creating digital data in a wide variety of other ways. That personally identifiable information, or PII, forms your electronic identity. PII is priceless, regardless to whom it belongs.

Cybersecurity lingo includes the word "harvesting." Think of the cyber adversary as a farmer. Cyber crime is a risky business, and not every seed will sprout into a profit-yielding crop. But, just like in legitimate farming, a bigger harvest usually equals a better profit.

A massive field might be too much for one farmer to handle, and the same holds true for the cyber criminal. Breaking the harvest into smaller parts, and different plants, makes for an easier yield. This strategy, too, works for the hackers.

To be more specific, breaking into one large organization to steal 5,000,000 records works for cyber thieves, but larger companies can deploy tough defenses. On the other hand, most individuals have little-to-no security protecting their online identities and assets, making it much easier for hackers to break into 5,000,000 individual computers to steal personally identifiable information. The net effect remains the same: big profit for cyber criminals and big losses for their victims.

Cyber adversaries also favor so-called "watering hole attacks." Hackers target large sites accessed daily by millions of people, infiltrating cyber defenses for short periods of time. Even when the compromise of a major site lasts for just sixty minutes, it will net a significant harvest for the cyber thieves.

Wherever you go in cyberspace, and whoever you are, evil exists, and you need to be prepared.

And, instead of getting better and safer, the dangers and challenges of cyber defenses multiply every day.

Twenty years ago, I worked a compromise of 10,000 stolen records (i.e. credit cards, personal information), which was considered a large-scale incident. I told a friend that if we ever got to the point when 100,000 records could be stolen, that would signal trouble.

A few years later, working a case with 100,000 stolen records, I insisted that a million stolen records would signal that the situation was out of control. Just a few years later, we reached that million-records breached mark. Still, I would not give up. I contended that tens of millions of records stolen would result in chaos. Sure enough, a few years later it happened, and today we're edging towards a billion stolen records as the new norm.

It might be easy to blame third parties — banks, retail stores, the government — for not protecting your information. Certainly, those institutions and companies should be held accountable. But ultimately, each one of us, each individual, must accept responsibility for keeping our personally identifiable information properly protected.

The bottom line: when your identity and personal information are compromised, you are the one left to deal with the repercussions. Not the credit bureau, the retailer, or the government agency — though they may take steps to support your recovery. Nonetheless, if you want to win in cyberspace, YOU must take responsibility for your own protection and implement security today.

DEFENSE IN DEPTH

No single solution can make you 100 percent secure. That lack of absolute protection fuels a billion-dollar cybersecurity industry, where cyber breaches dominate consumer news.

Long ago, I coined a key phrase, "Prevention is ideal, but detection is a must." Truly, you will not be able to stop all attacks, but you should make it your goal to minimize or control the damage. You can start by implementing a variety of defenses, such as endpoint security, but you must also recognize those measures — all of them — can be bypassed by expert cyber criminals. You must always be alert for signs of an attack. When you notice unusual activity, do not ignore it; take immediate action.

Traveling through an airport, you often see signs imploring, "If you see something, say something." The same philosophy holds for personal protection. If you see strange activity, call the bank or credit card company and investigate the questionable charges. The sooner you detect an intrusion and take action, the more you can control — and perhaps limit — the damage.

"Defense in depth" is another common term in the cyber industry, and the term means to deploy multiple defense measures to protect your system. Defense in depth is all about diversifying your portfolio.

Consider your 401k or other savings: No smart investor puts 100 percent, or even 90 percent, of their assets in one fund; that plan would be way too risky. Instead, investors diversify, so that if one fund fails, the other investments minimize the impact on the total portfolio.

When you think of security, you need to identify multiple levels of protection and never depend on a single mechanism to make you secure. Take a moment and think of the possible layers of physical security for your home: You might live in a gated community, have an alarm system installed, and own a large dog named Fido that roams the halls. You might also sleep with a pistol in your nightstand and possess the martial arts skills of a certified ninja. Think of cybersecurity in the same manner: Be a cyber ninja.

Can you think of at least three different measures that you have put in place to protect your personal information online? If you cannot, this book is for you.

If you can name three measures that you've implemented to protect your PII, continue reading because there is no such thing as too much security. The ultimate question is: how effective is your overall security?

No matter your answer, do not let yourself become complacent. Adversaries are very smart and constantly aggressive, and the moment that you take your online security for granted, you make their job easier.

SECURITY 101

This entire book focuses on security and powerful knowledge to keep you, your family, and your company as safe as possible. Every chapter contains actionable steps that you can take to minimize your chance of compromise. To start, let's look at four basic cybersecurity principles.

1. Always run the latest version of any software you install.

This principle applies to all software, including a device's operating system. Most software vendors, especially Microsoft, constantly improve product security and add new levels of protection.

For example, Microsoft made huge changes and increased security from Windows XP to Windows 10. If you are running Windows XP, and you connect to the Internet, your system is highly vulnerable and probably has been compromised. Outdated software is the greatest gift you can give the adversary. Keep reading to understand why.

2. Do not put off installing patches from software vendors.

Bugs, vulnerabilities, or exposures constantly pop up in software. Vendors release fixes, or patches, to eliminate these problems. A patch is the vendor telling the world that a weakness exists in its software. Adversaries, who recognize that many people do not properly patch their systems, actively develop exploits and try to quickly break into the vulnerable software. The longer it takes you to patch, the greater the chance of compromise.

3. Uninstall any software that you do not use.

Software programs, especially unused and outdated ones, create opportunities for adversaries. Think of each software program like a window in a house. The more windows in a house, the more opportunities an adversary has to break in. It only takes one unlocked window for your house to be vulnerable to a robbery.

A computer is like a house. The more software programs installed, the more points of potential exposure an adversary can try to exploit to break in. Install and use as much software as you need, but get rid of any programs that go unused or are replaced by new or different ones.

4. Never log in using an administrator account for daily activity; always log in as a normal user with limited access or privileges.

An administrator can do anything on a system and can bypass most of the security controls. When (notice I use the word "when," instead of "if") your account gets compromised, the adversary will have the same level of system access you have. If the administrator account gets compromised, the adversary gains total access to everything on your system. On the other hand, if an adversary gains access to your system as a simple "user," there will be some information that cannot be compromised.

You always want to operate with the least amount of privileges. Follow the golden rule of "never, ever surf the web or check email as administrator." Surfing the web as an administrator is like driving a motorcycle without wearing a helmet. You might not get into an accident today, but it is a very risky thing to do. Do not take chances when it comes to your personal protection.

THE TWO MOST DANGEROUS APPLICATIONS

In fact, can you name the two most dangerous applications on planet Earth? What programs have caused more harm, more damage, more identity theft, and more monetary damage than any other applications? Nope, it's not Angry Birds or Candy Crush. The answer: email clients and web browsers.

Yes, email and web browsers are the conduits of most evil and are the tools of choice for the adversary to cause harm. More specifically, the harm and damage lie in opening email attachments and clicking on links to illicit websites.

Many people do not realize that email is not an authenticated method of communication. The source address listed has little to do with who the email came actually from. This information can easily be spoofed, and your mail server does nothing to authenticate the origin of the email. Even though an email might look like it came from a trusted source, do not believe it.

The good news is that receiving a standard email typically does not cause harm directly. Instead, the danger lies in opening an attachment that allows a system to be infected. In fact, users are their own worst enemy, as they are tricked into actions that ultimately cause harm to themselves.

A wide variety of trusted online repositories, like Dropbox, offer a much better way to transfer documents. These sites require both parties to authenticate their identities in order to upload or download documents.

While there is a wide range of attacks that can be done via the web, security advice can be reduced to, "Be careful what links you click on." Adversaries like to send a link (via email) that looks legitimate but when you click it, malicious code activates that can compromise your system or steal your credentials. For any site that you visit on a regular basis, it is much safer to bookmark it rather than click on an embedded link.

I will cover this in more depth later, but here is one of the most critical pieces of advice I can offer: do not click on attachments or web links unless you are 300 percent sure they are legitimate. And here's more essential advice: Never, ever click on a link that looks like it came from your bank or the IRS. If you implement only these two practices, you will be saved a lot of money and heartache.

BUT I HAVE ANTIVIRUS SOFTWARE

After I speak at conferences, people often tell me that they feel safe because they have endpoint security or antivirus software installed on their systems. While a very important thing, installing these programs does not give you permission to be careless — or foolish. Endpoint security and web- filtering programs minimize common types of attacks, but more advanced malware can bypass these mechanisms and infect your system.

To return to our car analogy, wearing a seat belt in a car is a good idea, but it does not mean that you will not get into an accident or get hurt. Even when you wear a seatbelt, you still should be very careful when you are driving. Navigating the complex world of cyberspace is no different: even when you have antivirus software, you need to be careful.

Additionally, remember that adversaries are very clever and very smart — they do not like to get caught. Therefore, they constantly look for ways to get around antivirus and endpoint security protection. The game, often referred to as "attacker leap frog," works like this:

* The bad guys constantly look for ways to bypass current security measures and compromise your system.

* When the adversary is successful, the cyber defenders at security software companies actively work to figure out ways to defend against these attacks and stop the adversary.

* When the cyber good guys successfully stop the attacks, the adversary figures out a different way to bypass the software. And, the game continues indefinitely.

---

Excerpted from "Online Danger"
by .
Copyright © 2018 Dr. Eric Cole (Online Security Expert and Cyber Ninja).
Excerpted by permission of Morgan James Publishing.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---