The Need for Life Long Learning in Cyber Security
Learning in cyber security – I devote a few hours of each day to staying abreast of the latest developments in cyber security by listening to technical podcasts and visiting online cyber security news sites. The world of computing is fast moving, and this is especially true of security. I often daydream that my role of providing comment to media outlets would come to a crashing end if I were to fall into a coma for even a short time.
That is why I cringe when some news outlets reuse parts of earlier interviews I have given, along with the ‘facts’ I stated at the time, when best practice may well have moved on since I made the original comment.
For instance, the common mantra in security best practice used to be to enforce regular compulsory password changes on users, but this is no longer recognised as best practice (apart from specific use cases). I do sometimes stress in my talks that my recommendations on security issues & safe practice should only be taken as correct on the day that I voice them.
Multi-factor authentication is a welcome method in the fight against the dark forces. It provides an extra security layer which can be implemented via something that a user knows, something they possess, or something that is inseparable from that particular user. The most common method is to use a mobile phone as the something the user possesses: when the user wishes to authenticate to a service, they are sent a one-time-valid, dynamic passcode, usually consisting of digits, via SMS. Sounds foolproof?
However, in 2017 the security community issued guidelines to stop using this ‘trusted method’ due to its reliance on the SMS channel, as hackers had demonstrated attacks on the mobile phone networks by exploiting the underlying SS7 signalling protocol to spoof a change to a user’s phone number. This allowed them to intercept calls and text messages.
Multi-factor authentication is still a valid methodology, but it is now seen as safer to use tools like Google Authenticator or an RSA token, which can also prove possession. These avoid the weak GSM communication channel, which can be more easily eavesdropped upon. It is worth pointing out that the SMS attack does have to target an individual and requires quite a high level of skill and dedicated hardware.
So, there are a myriad of other attack vectors to be more worried about, but of course we know that attacks never get worse, only better, as there is always someone improving the ease of use of the hardware/software so that it becomes feasible for less skilled attackers to use. The Metasploit framework is a case in point: early, sophisticated proof-of-concept attacks are integrated into it and become so much easier to reuse.
Unfortunately, the easiest way for attackers to gain a foothold on people’s computers and install keyboard loggers, viruses or ransomware is to get people to click on links which lead to their nasty files. This is achieved by placing malicious files online and tricking people into downloading them or, more commonly, by sending people ‘phishing emails’.
Phishing emails are simply emails which can look legitimate, containing either attachments or links which lead people to click on them and install the destructive software. Firewalls, anti-virus software and intrusion detection systems can help, but there is an equally important element which is non-technical.
And this is the focus of my post. It is crucial that we simply educate people about the dangers of clicking on links. Only a fraction, however, will listen and learn. It generally takes people making a mistake before they learn, and that can be too late.
A recent cool initiative in cyber training is for security teams to send phishing emails to employees; when one is activated (in other words, the user was fooled and clicked on a link they should not have), the link simply brings them to a page informing them of their mistake and educating them on the dangers of what they did. Simple, but it just might make a crucial difference to that user’s attitude the next time they see a similar email.
The popular cyber security investigator Brian Krebs came up with a simple 3-point rule:
- If you didn’t go looking for it, don’t install it.
- If you installed it, update it.
- If you no longer need it, remove it.
To elaborate, “If you didn’t go looking for it, don’t install it” relates to the tricks which attempt to get us to click on links, such as a fake anti-virus popup telling us our computer is infected, or a video which complains that you need to install a special codec to view the content. Only install software or browser add-ons if you went looking for them in the first place.
The second rule, “If you installed it, update it”, refers to the importance of keeping our software up to date with the latest patches. We have to be aware that the OS giants (e.g. Microsoft, Apple and Google) have top security researchers of their own who are constantly trying to patch any exploits that they become aware of.
They have a vested interest in ensuring their products, apps and operating systems are secure. You do not have to love them or trust them, but just know that most security geeks apply the patches when they get released.
Finally, the third rule, “If you no longer need it, remove it”, points out that any software residing on your device which you no longer use could be the very software which you fail to update (or for which the developers fail to release a patch), and which provides the vulnerability for the attackers to exploit. So there is no reason to keep it installed if you no longer use it. At the very least, it may be using memory.
There is a concept of lifelong learning, introduced in Denmark in the 1970s, which is the “ongoing, voluntary, and self-motivated” pursuit of knowledge for either personal or professional reasons. It not only enhances social inclusion and personal development, but also self-sustainability, as well as competitiveness and employability. This is a concept we need to apply in our quest to remain safe online.
Company management would also do well not to ignore this concept. They can help by developing training programmes, offering staff bursaries to attend external cyber security training workshops, offering free company-wide access to sites like Pluralsight and Lynda.com, and simply fostering a culture of continuous learning.
In the era of GDPR, ignorance is no longer a valid defence, so the money spent on cyber security training may be a large saving in the long run.