Cyber self-defense
In cybersecurity, cyber self-defense refers to self-defense against cyberattack.[1] While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole,[2] such as corporate entities or entire nations.[3][4][5] Surveillance self-defense[6][7][8] is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.
Background
Organizations may conduct a penetration test via internal team or hire a third-party organization to audit the organization's systems. Larger organizations may conduct internal attacker-defender scenarios with a "red team" attacking and a "blue team" defending. The defenders, namely threat hunters, system administrators, and programmers, proactively manage information systems, remediate vulnerabilities, gather cyber threat intelligence, and harden their operating systems, code, connected devices, and networks. Blue teams may include all information and physical security personnel employed by the organization.[9] Physical security may be tested for weaknesses, and all employees may be the target of social engineering attacks and IT security audits. Digital and physical systems may be audited with varying degrees of knowledge of relevant systems to simulate realistic conditions for attackers and for employees, who are frequently trained in security practices and measures. In full-knowledge test scenarios, known as white box tests, the attacking party knows all available information regarding the client's systems. In black box tests, the attacking party is provided with no information regarding the client's systems. Gray box tests provide limited information to the attacking party.
Cybersecurity researcher Jeffrey Carr compares cyber self-defense to martial arts as one's computer and network attack surface may be shrunk to reduce the risk of exploitation.[10]
Measures
Authentication
- Enable multi-factor authentication.[11]
- Minimize authentication risk by limiting the number of people who know one's three common authentication factors, such as "something you are, something you know, or something you have." Unique information is characterized as possessing a particular degree of usefulness to a threat actor in gaining unauthorized access to a person's information.
- Reduce one's social media footprint[12][13] to mitigate risk profile.
- Regularly check one's social media security and privacy settings.[13]
- Create strong and unique passwords for each user account[11][10] and change passwords frequently and after any security incident.
- Use a password manager to avoid storing passwords in physical form. This incurs a greater software risk profile due to potential vulnerabilities in the password management software, but mitigates the risk of breaches if one's password list were stolen or lost and in the case keyloggers were present on machine.
- Pay attention to what information one might accidentally reveal in online posts.[13]
- Change default passwords to programs and services to prevent default credential vulnerability exploitation techniques.
- Appropriately use password brute force attack prevention software such as Fail2ban or an effective equivalent.
- Never give out logins or passwords to anyone unless absolutely necessary and if so, change them immediately thereafter.[14]
- Use security questions and answers that are impossible for anybody else to answer even if they have access to one's social media posts or engage in social engineering.[14]
Anti-social engineering measures
- Do not plug in found external storage devices, such as external hard drives, USB flash drives, and other digital media.
- Beware of social engineering techniques and the six key principles, reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
- Beware of shoulder surfing, wherein threat actors collect passwords and authentication information by physically observing the target user.
- Beware of piggybacking (tailgating) wherein a threat actor closely follows an authorized personnel into a secure facility.
- Beware of wardriving, wherein threat actors use mobile hacking stations to gain unauthorized access to WiFi. Wardriving might also consist of the use of parabolic microphones to gather acoustic data, such as passwords and personally identifiable data.
- Be cautious when browsing and opening email attachments or links in emails,[10] known as phishing.
- Refrain from interacting with fake phone calls voice fishing, also known as "vishing".
- Scan links to malicious websites with Google Transparency Report to check for known malware.
Preventative software measures
- Use, but do not rely solely on antivirus software,[11] as evading it is trivial for threat actors due to its reliance on an easily altered digital signature, a form of applied hash, of the previously known malicious code.
- Use an antimalware product, such as Malwarebytes Anti-Malware, in conjunction with an antivirus with vulnerability scanning features.
- Update and upgrade all of one's software and programs — including, but not limited to a user's operating system, firmware, software drivers, and device drivers. Use dedicated updating-software and enable automated update features.[11][10]
- Encrypt one's computer and phone.[11]
- Regularly create backups of one's data.[11][15]
- Uninstall insecure software such as Adobe Flash[12][16][17] on one's operating system. Refrain from accessing web pages and related plugins within one's web browser.
- Only run software when necessary to reduce attack surface.
- Refrain from rooting one's phone or internet-facing device.[13]
Network and information security measures
- Using a firewall on Internet-connected devices.[11]
- Not running programs, services, or browsers with a super-user or privileged user account, such as root in Linux and Unix ) or as Administrator (Windows), unless one understands the security risks of such an action.
- Avoiding free WiFi and not logging into any accounts while using it.[10]
- Appropriately using privacy and anonymity software such as Tor (anonymity network) for anonymous web browsing, given that this attracts some attention.
- Appropriately using HTTP and various Internet Protocol proxies and security measures, such as disabling HTTP header fields, filtering, and relaying traffic with proxy servers such as Squid Proxy, proxychains, socks4, and socks5.
- Publishing public keys for PGP authentication for being able to prove one's identity.
- Using the strongest encryption method one's router offers[18] and updating router firmware.
- Using an intrusion detection system(IDS)[19] or a SIEM (Security Information and Event Management System) to alert as to indicators of compromise, such as configuration changes in the operating system, privilege escalation, network security breaches, and unauthorized remote logins. For Mac OS X, the IDS 4Shadow is available on the Apple macOS App Store for $0.99 and other free open source and paid options exist for Linux and Windows. Deciding whether an IDS is alerting false positives requires research and experience.
- Using a demilitarized zone to reduce the number of systems and services openly facing the internet.
- Using a virtual private network with IPsec to secure traffic at the transport layer of the OSI model to harden the IP stack.
Reporting breaches and incidents
- Gather evidence and document security and data breaches (intrusions).
- Contact relevant authorities, administrators or organizations in the case of a cyberattack.[14]
- Beware of website data breaches wherein stored passwords and personally identifiable information are publicized.
- Refer to a state's statute on security breach notification laws.
"Hacking back"
Legal theorists and policy makers are increasingly considering authorizing the private sector to take active measures by "hacking back" (also known as hackbacks).[20][21] In contrast to active attack measures, passive defense measures present a reduced risk of cyberwarfare, legal, political, and economic fallout.
A contemporary topic in debate and research is the question of 'when does a cyber-attack, or the threat thereof, give rise to a right of self-defense?'[22]
In March 2017, Tom Graves proposed the Active Cyber Defense Certainty Act (ACDC) that would enhance the Computer Fraud and Abuse Act (CFAA) to allow individuals and the private sector to use certain tools currently restricted under the CFAA to identify attackers and prevent attacks by hacking them.[20][23][24] This presents a "chicken or the egg" problem, wherein if everyone were allowed to hack anyone, then everyone would hack everyone and only the most skilled and resourced would remain.
Brad Maryman warns of unintended consequences, stating that in his view "the notion that we should legislate and accept a level of undocumented and unmonitored cyber actions by anyone who thinks they have been hacked is unfathomable".[24]
References
- Whitehouse, Sheldon; Mikulski, Barbara; Snowe, Olympia. "Cyber self-defense can help U.S. security - CNN.com". CNN. Retrieved 13 April 2017.
- Jr., Sydney J. Freedberg. "Adm. Zukunft Unveils New Coast Guard Cyber Strategy". Breaking Defense. Retrieved 13 April 2017.
- "Qatari tech helps Hamas in tunnels, rockets: Expert". The Times of Israel. Retrieved 13 April 2017.
- Rella, Christoph. "Neutrales Österreich setzt auf "Cyber"-Selbstverteidigung - Wiener Zeitung Online" (in German). Wiener Zeitung Online. Retrieved 13 April 2017.
- "Cyberattacks could trigger self-defense rule, U.S. official says". Washington Post. Retrieved 13 April 2017.
- Greenberg, Ivan (31 May 2012). Surveillance in America: Critical Analysis of the FBI, 1920 to the Present. Lexington Books. ISBN 9780739172483. Retrieved 13 April 2017.
- Ziccardi, Giovanni (29 September 2012). Resistance, Liberation Technology and Human Rights in the Digital Age. Springer Science & Business Media. ISBN 9789400752757. Retrieved 13 April 2017.
- "EFF Relaunches Surveillance Self-Defense". Electronic Frontier Foundation. 23 October 2014. Retrieved 13 April 2017.
- Miessler, Daniel. "The Difference Between Red, Blue, and Purple Teams". Retrieved 7 May 2019.
- "Cyber Self Defense For Non-Geeks". jeffreycarr.blogspot.de. Retrieved 13 April 2017.
- Thornton, Michael (16 February 2017). "You Can't Depend on Antivirus Software Anymore". Slate. Retrieved 13 April 2017.
- Firewall, The. "Cyber Self Defense: Reduce Your Attack Surface". Forbes. Retrieved 13 April 2017.
- Conn, Richard. "Cybersecurity Expert Gives Tips To Stay Safe Online". Retrieved 13 April 2017.
- Moore, Alexis; Edwards, Laurie (2014). Cyber Self-Defense: Expert Advice to Avoid Online Predators, Identity Theft, and Cyberbullying. Rowman & Littlefield. ISBN 9781493015429.
- Seay, Gary. "4 Keys to Cyber Security Self-Defense". Retrieved 13 April 2017.
- Barrett, Brian. "Flash. Must. Die". WIRED. Retrieved 13 April 2017.
- Whittaker, Zack. "13 new vulnerabilities? You should disable or uninstall Adobe Flash | ZDNet". ZDNet. Retrieved 13 April 2017.
- Stoner, Daniel. "Hackers Love IoT Products: Here's How to Keep Them Out". Safety Detective. Retrieved 2018-11-22.
- Tiwari, Mohit (April 2017). "INTRUSION DETECTION SYSTEM". International Journal of Technical Research and Applications 5(2):2320-8163. Retrieved 22 April 2019.
- Chesney, Robert (29 May 2013). "International Law and Private Actor Active Cyber Defensive Measures". Lawfare. Retrieved 13 April 2017.
- Brown, Megan L. (September 6, 2018). "Authorizing Private Hackback Would Be a Wild West for Cybersecurity". Law.com. Retrieved 7 September 2018.
- Waxman, Matthew C. (19 March 2013). "Self-Defensive Force Against Cyber Attacks: Legal, Strategic and Political Dimensions". SSRN 2235838. Cite journal requires
|journal=
(help) - Hawkins, Garrett. "Rep. Tom Graves Proposes Cyber Self Defense Bill". www.thedallasnewera.com. Retrieved 13 April 2017.
- "'Self-Defense' Bill Would Allow Victims to Hack Back". Retrieved 13 April 2017.
External links
- Cybersecurity self-defense, Slate
- Moore, Alexis; Edwards, Laurie (2014). Cyber Self-Defense: Expert Advice to Avoid Online Predators, Identity Theft, and Cyberbullying. Rowman & Littlefield. ISBN 9781493015429.
- Surveillance Self-Defense, EFF
- Paul Carugati: Cyber Self-Defense, TED talk