This topic took me a master's degree to master, so I am going to stick to some high level items here and what may be relevant to most of my readers who are in the FinTwit/gold/silver sectors.
About me, 50,000 ft view. It’s not hard to find me if you stalk me on LinkedIn, but there are things here I’m not going to spell out for the bots of the world. I have 26 years working in IT, and the last 9 or so I’ve been a full time manager over large contracts. My managers run networking, cyber security, systems administration, and desktop support, amongst other things. For years prior to being a manager, I was what is called an SCCM architect at the enterprise level (SCCM is System Center Configuration Manager from Microsoft). This is an enterprise tool (top level of large organizations) used to deploy software, patches, operating systems, and endpoint security solutions. I am certified on Retina/Nessus and learned to use about 60 IT security tools during my MS degree, which had a lot of labs. Basically, my job was to “harden” systems from attack. Think of it as being a security guard that guards a warehouse of 6 million windows and 1 million doors. To have to walk around several times a day to secure all of this stuff and put eyes on it would be near impossible for 1 person, and cost prohibitive for hundreds of people to do it. So you need tools to automate the window and door locks, then potentially use tools to monitor the state of those doors/windows. Anyway, I have industry leading certifications such as CISSP, PMP, and MCSE amongst 8 others. I have 2 master’s degrees and had my first college class at 11 years old.
If you’d like to insult me, call me a glorified security guard from years ago. Don’t really care.
That all being said, for a lot of reasons I can not nor will I ever talk about work stuff. Everything you will see below is in textbooks to some varying degree, and I’d like to focus on educating you on a few things – what is cyber, what the problem is, how to protect yourself, and how to protect your organization.
What is cybersecurity?
I had my first intro to what security really was in about 2003 or so. I was just hired into a new job, and someone was walking around the server room – on the screens were all kinds of problems. I “challenged” the guy. “Who are you, and what are you doing here”? He was a penetration tester, or “pen tester” hired by the organization above me to find problems. These guys are called WHITE HAT HACKERS. I asked him about the stuff, then asked him how long it will take him to fix it. He said, “no, I think you don’t understand. My job is to find the problems, your job is to fix them”. My jaw dropped. I just inherited a shit storm from someone else. The first thing I noticed were none of the machines were updating. They were all set to pull windows updates from Microsoft, and the idea was that when a tech went to visit them, they would do the updates then. WHAT??? Big picture was there was a lot of work to do, and it was my first real experience with IT security.
Cybersecurity is a rather new-ish type of term which essentially replaced IT security, but covers a bit more. Think about securing broadband communication. Satellites. Power generation stations. Airlines. Emergency response centers. Hydro dams. Hospitals. The military. Privacy. Identity. The list goes on…and on…and on.
Around this time I started to “harden” systems. More on that below, but with all of this you are looking at THREATS and VULNERABILITIES. Now imagine those windows in a warehouse, and some are open. Each open window is a vulnerability. A THREAT is the burglar who might climb through it and steal the data in those filing cabinets. Patents, perhaps? The Coca Cola recipe?
So just because something is vulnerable, doesn’t mean it’s going to blow up. And, just because there’s a threat, doesn’t mean it’s active. What are the goals of these bad actors?
The security triad (the “CIA triad”) is “confidentiality, integrity, and availability”.
During my classes, they also talked of “non-repudiation”. I’ll discuss these concepts below.
Confidentiality – if you pick up the phone to talk to someone, you want to make sure no one is listening in on your conversation. An attacker sitting between you and the other party (a man in the middle, or MITM) can listen in on, and even alter, that conversation. For this, you use encryption to mask the communication. One caveat: encryption alone stops eavesdropping, but it does not stop a man in the middle unless you also verify WHO is on the other end (that is what certificates do for HTTPS). Either way – you want your systems to have confidentiality from the outside. Those that are not authorized should not be able to listen in.
Integrity – Imagine I email you and send you an email that says “we should meet at the restaurant at 6PM”. You get the email, and it says, “we should meet tomorrow at 7PM”. This message was changed. It was not the message you were supposed to get, and was altered en route. What about data stored? What if I went into your employee database and changed around a bunch of stuff for salary? You want to make sure the data integrity is as you say it is. Often, you will see “hashing” used to verify a set of data. That is, you run a mathematical function against a set of data, and a long hash is output. IF the data is altered in ANY way, when the same function is run on it again, the hash will be different. So this is one way to verify data integrity. The catch is that a plain hash only proves the data matches the hash you hold; if the attacker can replace the hash along with the data, you need a keyed hash (an HMAC) or a digital signature, so that producing a valid hash requires a secret the attacker does not have.
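As an added example, not code from the original post: the email scenario above carried through in Python. The message, the tampered copy and the shared key are constructed for the demonstration; the plain SHA-256 check catches the edit only as long as the receiver holds the original hash, while the HMAC variant (assuming both ends share a key out of band) holds up even when the attacker rewrites the hash too.

```python
import hashlib
import hmac

# Constructed sample messages standing in for the email example above.
ORIGINAL = b"we should meet at the restaurant at 6PM"
TAMPERED = b"we should meet tomorrow at 7PM"
# Assumption for the keyed variant: sender and receiver share this secret out of band.
SHARED_KEY = b"pre-shared-key-known-only-to-both-ends"


def digest(data: bytes) -> str:
    """Plain SHA-256 hex digest: any change to the input, even one bit, changes this."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Plain-hash check. Catches corruption or a naive edit, but an attacker
    who can rewrite the message can recompute this hash as well."""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only someone holding the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so the check itself does not leak timing information."""
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    """Run both checks against an in-transit edit of the message."""
    sent_hash = digest(ORIGINAL)
    sent_tag = tag(ORIGINAL, SHARED_KEY)

    # The attacker rewrites the body and, since a plain hash needs no secret,
    # swaps the attached hash for one computed over the new body.
    attacker_hash = digest(TAMPERED)

    return {
        # receiver still holds the original hash: the edit is caught
        "plain_hash_catches_edit": verify_digest(TAMPERED, sent_hash),
        # attacker swapped the hash as well: the plain hash is fooled
        "plain_hash_fooled_by_swap": verify_digest(TAMPERED, attacker_hash),
        # HMAC over the edited body fails against the genuine tag
        "hmac_catches_edit": verify_tag(TAMPERED, SHARED_KEY, sent_tag),
        # attacker cannot mint a valid tag without the key
        "hmac_fooled_by_swap": verify_tag(TAMPERED, SHARED_KEY, digest(TAMPERED)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two “fooled” entries are the point: swapping the hash defeats the plain check but not the keyed one. `hmac.compare_digest` is used for both comparisons so a verifier does not leak, byte by byte, how close a forged value came.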
Availability – let’s assume you want to get gas and you go to pay with a credit card and nothing is connecting. Your bank appears to be down. You might have an IT system down there, or it might be a “denial of service” attack. Meaning – there is an IT system you need access to, and you cannot get to it. Think about controlling dams, power grids, banking, flight controls, emergency systems, telephone networks.
Who does this? Why? Many times the big issue with the above is “attribution”. Meaning, lots of this stuff can happen and you cannot trace it back to someone. Often, you will see things like a DDoS (distributed denial of service) attack on a bank or website. The problem is, you may have a million machines trying to access this service, and it clogs up the highway. Think about a million cars in a small town trying to drive on a 2-lane road. What USUALLY happens with this type of stuff is grandma clicks on a link from a nice Nigerian prince to get the $1m he left for her, and when she opened that link, it installed “malware” on her machine. Her machine then becomes a “zombie” that “phones home” to a command and control server. So grandma is playing solitaire and has no idea her machine in the background is sending millions of packets to try and access a resource, as one node in a “botnet”. These are for sale on the black market – and many different types of people buy them. Corporate espionage. Activists (think Anonymous). Criminals trying to extort. Governments attacking. Lots of different reasons – and attribution is near impossible a lot of the time. Often these are made possible by a LOT of machines like grandma’s that just never update.
I talked above about WHITE HAT hackers. These are the good guys. They may also use the SAME TOOLS as the BLACK HAT hackers – but the white hats are trying to find the vulnerabilities that the black hats would EXPLOIT. The idea is if the good guys find it, their team can patch the issue before the bad guys see it. What makes the difference between the white hats and black hats is AUTHORIZATION to do those pen tests.
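The botnet paragraph above describes what a DDoS looks like from the highway; here is what it looks like from the server side. This is an added example, not from the original post: a small detector in Python that reads web-server access log lines and separates a single noisy host from a distributed flood, where no single source is loud but the aggregate is. The log lines are constructed with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x, 192.0.2.x); the window size and thresholds are assumed tuning values, not anything the post specifies.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-format prefix: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def analyze(lines, window_s: int = 10, per_ip_limit: int = 50, total_limit: int = 200) -> dict:
    """Bucket requests into fixed windows and flag two patterns:
    - a single source sending more than per_ip_limit requests in one window
    - a window whose total exceeds total_limit while no single source stands out
      (many sources, each at a 'normal' rate: the botnet signature)."""
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        per_window[int(ts.timestamp()) // window_s][ip] += 1

    single_source = set()
    distributed = []
    for bucket, ips in sorted(per_window.items()):
        total = sum(ips.values())
        busiest = max(ips.values())
        single_source.update(ip for ip, n in ips.items() if n > per_ip_limit)
        if total > total_limit and busiest <= per_ip_limit:
            distributed.append({"window_start": bucket * window_s, "requests": total, "sources": len(ips)})
    return {"single_source": single_source, "distributed_windows": distributed}


def make_sample_log() -> list:
    """Constructed log (RFC 5737 documentation addresses), not real traffic:
    five normal clients, one single-host flood, and 250 bots hitting once each."""
    base = datetime(2022, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, offset: int) -> str:
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512'

    lines = []
    for i in range(1, 6):                      # normal users, a request every 15 s
        lines += [line(f"198.51.100.{i}", off) for off in (0, 15, 30, 45)]
    for k in range(80):                        # one noisy host, 80 requests in 5 s
        lines.append(line("203.0.113.7", 10 + k % 5))
    for i in range(1, 251):                    # 250 distinct bots, one request each
        lines.append(line(f"192.0.2.{i}", 30 + i % 5))
    return lines


if __name__ == "__main__":
    report = analyze(make_sample_log())
    print("single-source floods:", sorted(report["single_source"]))
    for w in report["distributed_windows"]:
        print(f"distributed flood: {w['requests']} requests from {w['sources']} sources at t={w['window_start']}")
```

The noisy host is easy: block the address. The distributed window is the hard case the paragraph describes, because every one of those 250 sources looks like grandma playing solitaire; the only signal is the aggregate, which is why per-IP rate limiting alone does not stop a botnet.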
This is a rather boring subject for those who did not geek out on this, so I will keep this brief and high level. Imagine some of those open windows you discovered were to the executive offices and research and development. This might be a much bigger threat than if you had Bob from accounting’s window open. But what about the janitor’s window? Hmmm…doesn’t he have ALL the keys to ALL the offices? That might be high risk too. So you might look to identify a lot of high risk targets.
When looking at risk on things – you have some decisions about what to do. I first did a risk analysis matrix when working for EDS when I was at the Vanguard Group in 1998. That risk analysis was for all of IT. For example – you might list a risk item as a hurricane. Well, how often did we have hurricanes? Not much. What was the impact if a hurricane hit us? What options did we have to plan for it?
With each item – you can identify the security risks of an organization, and then with that – determine how likely the item is, what the impact is – and what to do about it. The options are – AATM. Accept, Avoid, Transfer, or Mitigate.
Luckily, they made it a little easier these days by listing out known vulnerabilities AND giving each one a severity score. Look up CVE (Common Vulnerabilities and Exposures): each entry gets an identifier, and a CVSS score tells you roughly how bad it is. And a tool like Nessus can scan your systems to find which of these known items you have.
Big picture? If you have limited resources and your scan finds 300 windows open in your 10m window warehouse, you may use those limited resources to determine what to do about each of those 300 windows.
- 200 of them are in non-crucial offices and the windows are broken, and each may cost $300 to repair.
- 50 of them are in crucial offices and need a special tool to close them and one person has this tool
- 50 of them are broken and there are some valuables in there worth some money.
Using the AATM options above, for the 200 you ACCEPT the risk – as it might cost too much to repair right now. 50 of them are in important areas and could take a resource a few weeks to work, but you MITIGATE this. The last 50 you TRANSFER: you INSURE the contents. Here I did not use AVOID, but this is a way to deal with risk as well. How do you AVOID the risk of sky diving? Don’t jump out of a plane.
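The risk matrix and the AATM decision above, as an added worked example in Python (not from the original post). The register entries mirror the three groups of windows, with a hurricane and the skydiving line added so every option appears; the 1 to 5 likelihood and impact ratings, the dollar figures, the budget and the decision rule itself are all assumptions made for the illustration, not numbers from the post.

```python
from dataclasses import dataclass

ACCEPT, AVOID, TRANSFER, MITIGATE = "accept", "avoid", "transfer", "mitigate"


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (near certain)
    impact: int              # 1 (nuisance) .. 5 (business-ending)
    fix_cost: float          # what closing the window costs, in dollars (constructed figures)
    insurable: bool = False
    avoidable: bool = False  # can we simply stop doing the thing that carries the risk?

    @property
    def score(self) -> int:
        """Classic likelihood x impact cell from a 5x5 risk matrix."""
        return self.likelihood * self.impact


def choose_treatment(risk: Risk, budget_per_item: float, accept_below: int = 6) -> str:
    """Assumed decision rule (not from the article): avoid what can be avoided,
    accept low scores, mitigate what we can afford, transfer what we can insure,
    and fund the rest anyway because leaving it open costs more than the fix."""
    if risk.avoidable:
        return AVOID
    if risk.score < accept_below:
        return ACCEPT
    if risk.fix_cost <= budget_per_item:
        return MITIGATE
    if risk.insurable:
        return TRANSFER
    return MITIGATE


def plan(register: list, budget_per_item: float) -> list:
    """Rank by score (highest first) and attach a treatment to each item."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, choose_treatment(r, budget_per_item)) for r in ranked]


# Constructed register mirroring the three groups of open windows above.
REGISTER = [
    Risk("200 broken windows, non-crucial offices", likelihood=3, impact=1, fix_cost=300 * 200),
    Risk("50 windows, crucial offices, special tool needed", likelihood=3, impact=5, fix_cost=4_000),
    Risk("50 broken windows, rooms with valuables", likelihood=4, impact=4, fix_cost=20_000, insurable=True),
    Risk("Hurricane hits the warehouse", likelihood=2, impact=5, fix_cost=250_000, insurable=True),
    Risk("Skydiving", likelihood=2, impact=5, fix_cost=0, avoidable=True),
]

if __name__ == "__main__":
    for name, score, treatment in plan(REGISTER, budget_per_item=5_000):
        print(f"{score:>2}  {treatment:<9} {name}")
```

One thing the multiplication hides: a likelihood-1, impact-5 event scores the same as a likelihood-5, impact-1 nuisance. In practice you look at the high-impact column separately before letting a low score talk you into accepting something that would end the business.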
So with risks here, many IT departments are fundamentally understaffed, under budgeted, and with this, many organizations have literally no idea the problems they have because they did not pay for the tools or expertise to do so.
Security can be expensive. Cybersecurity can be ridiculously expensive. I have had a few interviews for CISO positions, and they could not meet my salary demands. To me, if they cannot meet that salary, they also have skimped on the rest of the organization and I didn’t want that job anyhow. Why? Imagine you are an owner of an NFL team and try and hire the cheapest coaches out there. Then, you are on a budget to hire the cheapest assistant coaches. Then, you see the facilities are run down, nothing new. Everything is broken. You quickly realize any free agents you can attract there quickly leave because they don’t have the tools to do their job and get that 7 year pay day contract.
I bring this up because security is expensive – depending on what you want to secure. I used this analogy a lot. This can speak to the gold and silver guys out there. Imagine you had a baseball glove you used when you were a kid and it had sentimental value to you. You want to keep it. What do you do with it? You throw it in the back of a closet and lock your front door at night. Now imagine you have a monster box of silver. How do you secure that? You probably have a safe and believe very much in the second amendment while having a security system with a “shoot first, ask questions later” sign on your window.
What is the difference there? Mostly, replacement value. You didn’t feel the need to hire a former SEAL to stand guard on your rooftop with an M50 to secure your baseball glove. Likewise – you didn’t spring for that SEAL for your silver either. Now imagine, you are worth a billion dollars and have a home vault with millions in gold and silver. Perhaps you have an entire security staff hired of former Spec Ops.
The point is, your budget and security needs tend to increase with the value of the item. So a mom and pop ice cream shop that deals with cash owns a cash box and a small safe, where a pharma company may have a team of 50 dedicated IT professionals handling all aspects of security. Meaning – every solution is unique.
So, how do you defend? Now, let’s take defenses on a simplistic level – in my textbooks, they all talk about the physical military model of security. That is, GATES, GUNS, AND GUARDS.
Separation of duties – you may have IT staff that are meant to FIND problems and those meant to FIX problems. Remember my example above about the pen tester? If he was supposed to find and fix problems, he could lie and say he found all of these problems and cleared them up. What if it was just me and I didn’t know there was an issue – I could just tell my boss all is well. You need the separation of duties in order to ensure problems are found, problems are fixed, then the fixes are VERIFIED.
Layers of defenses – let me tell you something. There’s a LOT of smart people out there who can write some ninja-like shit and do very, very bad things. Anyone that works in IT should be EXTREMELY humble because they can get baptized at any moment by this group of people. The best thing that can be done is layers of defense. Think of a castle. There’s a moat. Then guards shooting arrows at you. Then you have 30 foot high walls, and I’m going to dump hot tar on you as you scale the wall. IF you do make it up the wall, I have people with swords standing by. Oh, and for good measure, I’m going to lop off the heads of the guys that made it to the top of the wall and I’m going to use a catapult to send those heads to the rest of the soldiers to psychologically devastate them from attacking. That last one I think I stole from Kubla Khan, but mehh. If you can buy that option from McAfee, I highly recommend it.
MOST of the “black hat” hackers out there are “script kiddies”. You can download Metasploit (now maintained by Rapid7) and use something like that to test your home network. You can create virtual machines in your home lab and practice attacking them and patching them to secure them. Most of these types of tools are the ones used by those who are younger and want to brag they hacked something. Maybe they grow up to be ethical white hat hackers, who knows. The point is, the people who CREATE the tools at the root level – there’s not a ton of THOSE people out there. One book I read in 2009 called “The Art of Intrusion” by Kevin Mitnick talks about a lot of different ways companies were hacked. One company he walked right into, like a piggyback, then went to a conference room, plugged in a laptop, and off he went undisturbed for hours. Simple port security (only known devices get a live network port) could have mitigated that. Or badges. Or guards challenging. Or company policies. Anyway – there’s a million creative ways these guys can get access to your home, your office, etc. And – you cannot protect against everything, so layers of security can help with this.
This is the big one that might affect all of you here. It happened to me in 2008, but it wasn’t my fault. My Discover card was used in Japan. My GUESS is that Discover data was stolen and the card number/info was then sold on the black market for $x and then used fraudulently to get goods there. This was a CARD problem. Why? This was before the chip on your cards, and before the CVV was routinely required for phone and online orders. So if ANYONE knew your credit card number, they could phone in an order and get it sent somewhere. This cost companies like Discover millions of dollars.
When I was going through my master’s for this, it was something like $389b per year was being lost in cyber crimes. Now, the Discover Card is one thing, but imagine taking a whole company down for a day – and with this, the salary for each of them is paid to them, but there was a loss of productivity. It adds up.
Over the course of years, security got better with the chips and the CVV to the point where the card number itself may not be of much use without the chip and/or PIN.
I wrote something about digital ID the other day and no one read it. All they saw was RED at the Canadian government. Can’t blame them. But none of them understood what the guy was talking about. What they heard was “blah blah blah security…blah blah trust us….blah blah…financial”. And that guy got tuned out quick. At issue here is anyone who put their hands on their ears and closed their eyes and screamed may have been justified in doing so, but have no comprehension of the bigger problem that’s facing everyone.
When I talked with you above about “there’s few people in the world” that do certain things. Well, in the book “Cyber War” by Richard C Clarke I read as a pre-cursor to getting my MS in cybersecurity, he discussed what capabilities countries have. He mentioned the Chinese had a tall office building and 700 of their top hackers work in it. Section something. Forget the number. They seemed to be good with stealing corporate secrets/patents. Imagine being Pfizer and spending $10b on research and China just takes all of it and reproduces your product for 1/1000th the cost. That’s kind of what they did. In fact, the company I started working at above that had all of those problems? The year before I worked there, they caught two Chinese nationals sending secrets to China – hint – it was a hydroelectric company circa 2002. The Russians were famous for allowing their gangs to do identity theft and phishing attacks – malware/botnets – as long as no one in Russia was affected, they turned a blind eye. All of these countries had different capabilities – as he wrote.
This brings us to today, where identity theft is real. I mean like ruin your life real. And the Russians are well known for this type of thing. I ask you – how many times do you think you gave out your PII (personally identifiable information) to companies who were hiring you, healthcare providers, pharm companies, credit card companies, banks – over the last 20 years? You think your data is secure with them? Yeah. Hilarious.
One of the things they told us in grad school was it was very common for things like ransomware to hit a company and they pay up. Maybe a ransom comes in for $1m. However, if it ever got out that they were breached, it may cost them millions in sales. Doing a cost benefit analysis, a company may just pay up.
Here’s something 99% of you have no idea of. Let’s say I have a billion dollar pharm company. Who is protecting my data? Your data? Steve and Brian in IT. That’s who. And guess what? The Chinese military, according to Clarke, had 700 highly trained and specialized hackers going after US corporations. So your billion dollar pharm company is being protected by Steve and Brian, against one of the most elite forces in the world. And in salary negotiations last year, you let Steve walk because you offered him a 3% raise. And, what’s worse, is Brian and Steve had no idea hundreds of millions of dollars of research was stolen from them over years using a remote access trojan. Check out Dimitri’s write up here.
So – perhaps over the last 20 years, you have maybe given out your PII to 200-400 entities? And you trust Steve and Brian at all of those companies against elite Russian hackers who have compromised countless high value targets?
Now, if ANYONE gets your info from any of those 200-400 entities, they can potentially open up new lines of credit in your name. Sell your house. Steal from your trading account. Empty your bank account. Takeover your email address – because you know how strong your password of “cuddlemaster123” is.
The way to defeat that is a digital ID. You know how your bank debit card was a credit card looking thing? You know how they now have a chip? Well, it’s sort of like that. While you have a driver’s license now issued by the state, you could have a digital ID issued by a bank. As in you store your money in a vault, why wouldn’t you store your ID there? I get it, people are really pissed right now, but imagine a scenario where an attacker tried to open a new line of credit – and the last step for the new line of credit was your authorization – and you dip a card into a card reader, and heavy encryption works behind the scenes with your bank, and it asks you to put in a PIN, which is verified by your bank. Meaning, any loan you ever go for, any line of credit you want, VOTING, anything you want to do to PROVE it is you – you used your digital ID. That in IT security is called “non-repudiation”: you cannot later deny you authorized it, because only your card plus your PIN could have produced that authorization. So, would I trust the bank with the PKI (public-key cryptography) under a vault, or Steve and Brian at 200 organizations? It’s a matter of understanding the problem. Remember – this digital ID is NOT CBDC, but most likely IS a pre-cursor for it. So if you do not want a CBDC, it would make sense for you to fight against a digital ID.
So until a digital ID comes along which does not cause someone to burn down shit, here’s what you can do to protect your identity.
- Patch your computer/phone operating system and applications. This is low hanging fruit, and how most of those “script kiddies” get easy access. If you are targeted by an elite nation state, there’s not a whole lot you can do as an individual.
- Shred documents with personally identifiable information (PII).
- Put a credit freeze on your file at each of the credit bureaus (Equifax, Experian, TransUnion) and lift it only when you want to apply for something. A monitoring service like LifeLock can add alerts on top of that, but the freeze is what actually stops a new account being opened in your name.
- Don’t click on links from people you don’t know. IF someone does send you a weird looking link – verify they meant to send it to you.
- Don’t fall for Nigerian prince scams. Easier said than done for most of the elderly who may not have a good grasp on scams
- Use very long passwords, and a different one for every site. The digital ID uses a chip reader and a PIN (two factor authentication: something you have, and something you know). A username and password can be relatively easy to crack with a tool I used back in the day called L0phtCrack. Longer passwords with complexity take longer to crack. A short or common password falls to an offline dictionary attack in minutes; only length pushes the time to crack beyond what any attacker has, and not reusing it means one breached site does not hand over the rest.
- Do not store passwords under your keyboard. If you have to write them down somewhere, perhaps write partial passwords or hints down. Store them in a safe. Maybe once a month when you go to do bills you take them out of the safe and use them and put them back.
- Understand physical security as well – lights, cameras, safes, motion sensors, locks – layers of security here. ANYTHING can be cracked given enough time and enough intel.
- Use disk-based encryption, if possible. Possibly use BIOS passwords as well. Use VPNs to encrypt traffic. File-based encryption can also help.
- Have two different logins to your computer – one is a regular user and one is elevated. When you are just doing email, do not make yourself an administrator. If you have a new app you want to install, force it to ask you for admin credentials – this prevents your 12 year old from installing anything.
- Other tools like an anti-virus or anti-malware tool may add another layer of protection.
None of the above themselves can stop an attacker, but enough layers can perhaps slow them down.
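To show why the long-password advice above matters, here is an added Python example (not from the original post) of the kind of offline attack a tool like L0phtCrack performs against a dumped credential store. The wordlist is a constructed stand-in for a real cracking dictionary, the mangling rules are the usual first ones a cracker tries, and the guessing rate used for the time estimate is an assumed order of magnitude for an unsalted fast hash on one GPU, not a measured figure.

```python
import hashlib

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "dragon", "silver", "gold", "cuddlemaster"]
# Assumed offline guessing rate for an unsalted fast hash on one GPU (order of magnitude, not measured).
GUESSES_PER_SECOND = 1e10


def sha256_hex(password: str) -> str:
    """Unsalted fast hash, the kind of thing a dumped credential store should never contain."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(wordlist):
    """Dictionary words plus the mangling rules crackers try first:
    case variants, a trailing '!', and one-to-three-digit suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            yield base + "!"
            for n in range(1000):
                yield f"{base}{n}"
            for n in range(100):
                yield f"{base}{n:02d}"


def crack(target_hex: str, wordlist=WORDLIST, max_guesses: int = 10_000_000):
    """Offline dictionary attack. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for guesses, cand in enumerate(candidates(wordlist), start=1):
        if sha256_hex(cand) == target_hex:
            return cand, guesses
        if guesses >= max_guesses:
            break
    return None, guesses


def seconds_to_exhaust(length: int, charset_size: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return charset_size ** length / rate


if __name__ == "__main__":
    found, n = crack(sha256_hex("cuddlemaster123"))
    print(f"cracked: {found!r} after {n} guesses")
    found, n = crack(sha256_hex("six million windows and one million doors"))
    print(f"cracked: {found!r} after {n} guesses")
    for length in (8, 12, 20):
        days = seconds_to_exhaust(length, 95) / 86400
        print(f"{length} chars, 95-symbol alphabet: {days:.3g} days to exhaust")
```

“cuddlemaster123” is found in a few thousand guesses because it is a dictionary word plus a digit suffix, exactly the pattern the rules target. The passphrase is not in any list and, at 40 characters, is out of reach of brute force by a margin the time estimate makes obvious. On the defending side, the fix for the hash itself is salting and a slow, memory-hard hash (bcrypt, scrypt, Argon2) so the guessing rate collapses from billions per second to thousands.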
I’m not going to go deep at all here – the article is getting long, and it’s also not really something I want to get into here more than skin deep as I could write a book just on this. The BIG takeaway you need to understand is that in the last 15 years, you have been hacked. And, if you don’t know you have been hacked, you probably need to fire your IT security team. At issue again – is nation states are going after your companies. No, the DoD or DHS are not protecting you. Steve and Brian are. Against the most elite hackers in the world.
And you got Steve and Brian much cheaper than Ryan and Bill wanted. Now, be worried.
Let me reiterate that. IF you work under the DHS, you are protected by them. IF you work under the DoD, you are protected by them. Staples is all alone. Dick’s Sporting Goods is all alone. Many items like critical infrastructure have been moved under DHS – think nuclear plants, power grids, water systems, stock markets – but there’s a lot out there that is not covered.
The low hanging fruit here is that when I was going through the program, it was reported that 48% of all issues were caused by insiders. Meaning, perhaps you need to run the credit scores of those being hired – and monitor them. Perhaps your admins left a username/password laying out. Perhaps you had a disgruntled employee who left and you never cut off their access. So getting the right people also….costs money. You want to hire the best – AND you want to send them to conferences and invest in their education/training. You want to pay them retention bonuses. You want them to feel that they are important in your organization. And you need to audit them. And separate out their duties. It’s a lot of complexity here.
Did I mention this isn’t cheap?
Target’s data breach cost them about $250m and got them hauled in front of congress. Think about all of the people who didn’t shop there for a few years because people lost trust in them. Now let’s see what happens if a bank is taken down?
What I wanted you to take from this section is that security needs to be designed into every business process you have. It starts with who you hire, and it ends with who leaves. It contains how you do your business, from authorization to access a scope of items, to records being in secured areas, with servers being stored in secured areas behind many layers – with the properly trained personnel to do the job.
When you are hacked (notice I didn’t say IF) – you need proper incident response protocols and people experienced with this kind of thing. When do you call the FBI? Are you supposed to call them? What if anything can your local police do? How are your backup facilities? Do you have that stored encrypted?
MAJOR CYBER THREATS
This section here I wanted to cover some of the MAJOR threats out there you and I may face given the political situation – and how to handle them.
- Banking hack – keep your gas tanks topped off. Get maybe 1-2 months of food at home in case banks are down for days; if card payments are down, getting into and paying at a supermarket becomes a problem in itself. Keep $500 in cash per person in your home.
- Power grid hack – these could range from a flicker, to a logic bomb that takes out a grid, to an EMP attack that would take out our critical grid items. A hydro dam could be hacked as well and flood an area downstream. Nuke plants are usually air gapped, but Stuxnet showed an air-gapped network can still be reached (it crossed the gap on USB drives). With this, try keeping cash again – but you want ready to eat food if possible for 1-2 months for your family. Bottled water. I got solar (with batteries) but a cheaper way may be, for short periods, a generator.
- Identity theft – while this isn’t a MAJOR concern with the other two items above, I think it needs some attention because Russian gangsters could be sitting on hundreds of millions of PII records and this could be weaponized. When you think of cyber attacks, think asymmetric warfare. See items above I mentioned.
- GPS – If Russia has hypersonic weapons, I heard one application could be to shoot down satellites. While this would not affect most people on a day to day basis, imagine you are 300 miles from home and GPS goes down. It might make sense to keep an old fashioned map in your car to help you out.
- DDoS – I believe we may be in an era where DDoS might be something we see more of. Not much you can do about it other than to make sure grandma is no longer on Windows 95. If we can reduce the bots out there, we can reduce the botnet attacks. Keep things patched at all times.
- Ransomware – this I believe might be the most crucial issue. Where the condition for unlocking Colonial Pipeline was a bitcoin payment, they could potentially take over a nuke plant and make an unconditional surrender a condition for unlocking things. Patching systems is effective, but there may be a more costly way of designing a system with maybe a hot site or failover system where disruptions can happen, but not nuclear disasters. Patching machines very quickly is optimal. Not much you can do against a zero day exploit other than to have many layers of protection, and offline backups you have actually tested restoring from, so the ransom is never the only way back.
I can write more of these if you guys want, but I wanted to cover some key elements relative to what’s going on today. I’m short for time, so if you have any questions, make some comments and I can do a Q&A follow up.