With every leap in civilization there comes along with it a new brand of criminal. People adopt new technology to improve their lives, but with new tech comes new vulnerabilities, and it’s up to the individual to keep themselves protected. If you invent guns, you are eventually going to need to invent body armor too.
Now in 2017 we have been dealing with the internet for over 20 years. It’s a field that evolves so fast you could blink and practically be lost in the stone age. In such a rapidly changing environment, it becomes difficult to combat cyber criminals who are so on top of their game.
I spoke with Alex Green, founder of Windsor Security and former U. S. Army Ranger (TSE) on the subject. He said that the most common argument he hears is that, “I won’t get hacked, I’ve got nothing worth stealing!” This couldn’t be further from the truth, but not for reasons that you might expect. He said that, “the vast majority of hacking victims aren’t targeted, the victims generally fall into the adversary’s lap by visiting the wrong website.” And if you think you have nothing of value, you’re probably wrong–if you have a computer or a bank account then you have something of value to these people.
In order to effectively protect yourself, you have to understand today’s adversary. We aren’t dealing with trench coat wearing hackers surrounded by monitors scrolling through code as they hammer away at an unreasonable amount of keyboards. The greatest threats we face are more like multi-tiered organizations that operate a lot like legitimate businesses. Green gave the example: “if an adversary compromises a website, they can set it up to perform drive-by attacks. This, in essence, attacks anyone who visits the site. If you aren’t protected, you become a victim just by visiting the compromised site.”
At this point, their multi-tiered business model starts working your computer. Tier 1 looks through the list of victims (you included) and figures out which ones are “juicy targets,” as Green puts it, like a corporate computer in a bank. If not, they can still use your computer for other tasks–using it as a platform to send spam elsewhere, mining cryptocurrency or simply stealing critical, personal information to use at their discretion. If the computer is a “juicy target” then it escalates to their second tier, where you have an actual team continue exploitation. This is where you get the types of data breaches that hit the news.
Like many regular businesses, “these adversaries perform cost-benefit and ROI analyses to determine what to do with individual systems and what larger targets are worth attacking specifically.”
You also have research-based hacking. They spend time studying and hacking a group, like you have seen with Equifax, Target and Anthem–but there are smaller scale examples that can apply to the average person as well. Let’s say you have a prescription medication. Green says that, “Controlled substances are very well protected at CVS, Walgreens, and other vendors, but what about after the customer picks them up? These attackers look for patient data on who has prescriptions for these drugs, and simply robs them at their home. It is much easier to steal from a home compared to a secured pharmacy.”
His particular service runs under $4 a month, and there are plenty of vendors that run similar rates. It’s an inexpensive service that can protect you from very real threats. “My solution checks every website that your computer talks to, to ensure that none are malicious. If they are malicious, we block the connection and tell you what happened, and how to fix it.”
Featured image courtesy of Pixabay.