As people who’ve been around and interested in technology all our lives, we’ve done a lot of research over the years about cyber-security – a somewhat controversial topic.
In our opinion, cyber-security isn’t what people seem to think it is – it certainly isn’t what we thought it was before we started our research.
The simple fact is, nothing on the internet is ever truly secure – regardless of what it is or who made it. We would summarise the core principles of cyber-security as follows:
- The potential reward from a successful attack
- The risk involved in conducting an attack
- The time required to complete an attack
Thus, for example, if the reward is too low, or the time required to complete an attack is too long, a potential assailant is less likely to attempt it. This is what you must understand to be secure online – don’t try to make your accounts impenetrable, make it so that the attack isn’t worth it to an assailant. That is the best way to be secure online, and it’s certainly worked for us up to now.
The reality of cyber-security is that you don’t have to worry about what are referred to as ‘script kiddies’ – inexperienced hackers. Basic security measures will thwart them: for example, on common accounts like social media, two-factor authentication, obscure answers to security questions and a password that DOES NOT use common knowledge like pet names, street names, family or maiden names, etc.
The only people you need to worry about are ‘Black Hat’ hackers – people who are looking to sell private information for a profit, leak controversial information to throw you into disrepute, create, post or share hazardous material on your behalf, etc. They usually target several people simultaneously, or at least in quick succession.
These people don’t usually target individuals specifically, they’ll normally use social engineering (more on that in a moment!) or attack a service you happen to use to target batches of people. However, of course – sometimes if you upset the wrong person, they can target you! Just be careful who you upset…
More on that social engineering concept: this is where consumers should be worried. Imagine a simple conversation at a bar or restaurant: I could strike up a conversation about my first pet, take some digs at my mother’s maiden name, talk about my school experience and casually mention which school I went to, my first house, my birth city, and so on… All of a sudden I know information about you that websites could ask you as security questions, and you might not be any the wiser.
That is social engineering in its most basic form. Somebody who used to be your best friend in school, an ex-lover or anyone you were close to in the past could have this information even without confronting you – in this case, they already have all the information they need to crack your account. They simply need to click that “forgotten password” link, answer your security questions and they’re in! Luckily, though, most modern services no longer use this type of password reset mechanism – but some still do.
In a similar vein, you should protect your email account(s) as if your life depends on it – because your digital life just might! If an attacker gets access to your emails, they can reset almost any password you have on the internet thanks to those ‘password reset’ emails, which is a double-edged sword. They can simultaneously take control of your account and lock you out of it. If they happen to reset your email password while they’re at it, you’re going to have some serious trouble getting your accounts back.
A final thing we’re going to mention applies mostly to commercial environments but can also apply to consumers – security through obscurity (STO).
We see a lot of online articles saying that STO is really bad and you should never use it – which we just can’t wrap our heads around. Yes, if this is your only security measure, frankly you shouldn’t have access to the internet. But as an additional layer of security, it shouldn’t be underestimated.
Let us consider an example: You want to create a cheap and simple blog – but you don’t want to use an online company, as they charge high prices. One of the ways to do this is to use an old computer as a server in your own house. We’re not going to detail the entire process as that’s an article in and of itself, but let’s assume you’re using a computer with a processor like an AMD FX processor and a motherboard that doesn’t have integrated graphics, and you don’t want to buy an expensive graphics card – you’re going to need some way to access your server (not your website) remotely to apply updates.
Enter Secure Shell (SSH) – the bane of server administrators’ existence the world over. It’s most secure when it’s simply off – the approach taken by most administrators in the world. However, under some circumstances it’s a necessary, or even required, tool. You could secure it by creating security keys and disabling password authentication altogether, which again is an article in and of itself, but ultimately it’s still open to the internet.
Yes, they can’t gain access because of those security measures, so your server is technically still secure – but enter the Distributed Denial of Service (DDoS) attack. Reading a submitted security key and denying access because it is invalid still uses your server’s resources. If attackers can do that enough times in a short enough space of time, they’ll use up the resources your server has available for genuine customers, essentially knocking it out until the attack ends – if your server doesn’t freeze or crash before then.
This is where STO comes in handy. If you change the SSH port to something other than the standard port 22, your attacker now needs another layer of information to crack your security. They may not even be able to begin attacking or guessing your security key until they find out which port your SSH service uses.
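As an added example (ours, not code from the original post), here is a small POSIX shell audit that reads an sshd_config and reports which of the settings just discussed are still at their defaults: standard port 22, password authentication on, public-key authentication off. It also checks MaxStartups, which the post does not mention but which caps how many unauthenticated connections sshd will hold open and so directly addresses the resource-exhaustion scenario above. The sample config files and function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening settings discussed in the post. Sample configs are constructed.

# Print the effective value of an sshd_config keyword (case-insensitive).
# sshd honours the first uncommented occurrence, so we stop at the first match.
ssh_setting() {  # usage: ssh_setting FILE KEYWORD
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == k { print $2; exit }' "$1"
}

# Print one line per weak setting, using sshd's own defaults for absent
# keywords: Port 22, PasswordAuthentication yes, PubkeyAuthentication yes,
# MaxStartups 10:30:100.
audit_sshd() {  # usage: audit_sshd FILE
  f="$1"
  port=$(ssh_setting "$f" Port); pw=$(ssh_setting "$f" PasswordAuthentication)
  pk=$(ssh_setting "$f" PubkeyAuthentication); ms=$(ssh_setting "$f" MaxStartups)
  [ "${port:-22}" = "22" ] && echo "Port 22: standard port, no obscurity layer"
  [ "${pw:-yes}" != "no" ] && echo "PasswordAuthentication ${pw:-yes}: passwords still accepted"
  [ "${pk:-yes}" != "yes" ] && echo "PubkeyAuthentication ${pk}: key login disabled"
  [ "${ms:-10:30:100}" = "10:30:100" ] && echo "MaxStartups default: unauthenticated connection limit unchanged"
  return 0
}

# Number of findings for FILE; 0 means every checked setting is hardened.
count_findings() { audit_sshd "$1" | wc -l | tr -d ' '; }

# Constructed sample configs: a stock-looking one and a hardened one.
DEMO_DIR=$(mktemp -d)
WEAK_CONF="$DEMO_DIR/sshd_config.weak"
HARD_CONF="$DEMO_DIR/sshd_config.hardened"
cat > "$WEAK_CONF" <<'EOF'
# stock config: everything left at defaults
#Port 22
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
MaxStartups 3:50:10
EOF

echo "--- weak ---";     audit_sshd "$WEAK_CONF"
echo "--- hardened ---"; audit_sshd "$HARD_CONF"
```

Run it against your real `/etc/ssh/sshd_config` by passing that path to `audit_sshd`; it only reads the file and does not change anything.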
Furthermore, consider the bar conversation from earlier in this post – by answering those security questions with obscure statements, that conversation now doesn’t help your assailant. Hence, security through obscurity.
Besides which, if we apply a little logic, choosing an obscure password that is difficult to guess IS security through obscurity, in its most basic form. This is why articles saying STO is a bad thing completely tie our heads in knots.
In conclusion, when it comes to cyber-security the best antivirus and evasive measure at your disposal is your brain (e.g. banks would never ask you to email a password).