Cybersecurity Victim Blame Game

August 07, 2020 — Jt Spratley

After reading "It's Time to Stop the Victim Blame Game" on DarkReading.com, I had to rethink some of my personal shopping rules. This part stuck out to me:

We can ask whether the victim was properly protecting the data, spending enough on cybersecurity, properly emphasizing the importance of protecting data, ensuring proper configurations, and deploying the right technologies, processes, and policies. Even if they can't answer "yes" to each of these questions, we must still wonder whether it had an impact on the breach in question. More problematic, still, the reality is that even if they can answer "yes" to each of these questions, the company is still not immune to a data breach. Now, who do we blame?

This reminded me of the fact that cyber attacks can only be mitigated, not completely negated, regardless of the security measures put in place. There's always residual risk. Necessary security measures, technical and physical, are partially determined by how hard and often malicious users work to attack your data. And major corporations, especially e-commerce stores and medical companies, have a lot of valuable data worth the effort for a determined cyber criminal.

Last year, I wrote two guest blogs on free server security tools and how to learn more about cybersecurity with a lot of advice on hardening websites and web servers. Even if we focus only on web servers, it's nowhere near enough between those two 1,000+ word pieces. And it's more than the fact that I'm not a cybersecurity expert. A lot of your security risks are related to external factors you have no control over.

Here's a list of examples that should relate to security-conscious webmasters, system administrators (sysadmins), and IT support specialists:

Password strength, expiration, and reuse policies are a must if your website/app allows user logins. But they do nothing if an user shares the password purposely or via sticky note in a crowded office.

DNS Security Extensions (DNSsec) is a good (and easy to configure if you're using Cloudflare or a cPanel VPS) domain security function to protect visitors against DNS-related man-in-the-middle (MITM) attacks. But website visitors must use a DNS resolver, or virtual private network (VPN), that authenticates DNSsec. Then, DNS related MITM attacks can result in no website showing at all, protecting the user from the malicious code. Without both requirements, if a domain registrar, DNS resolver, or local computer's hosts file gets infected, people trying to visit your website could be redirected to a malicious clone of your website. This doesn't require infecting your site. But it can trick someone into putting in some user login credentials or other personal identifiable information (PII). That doesn't directly affect your website but it can hurt your reputation and stolen admin user credentials can lead to more, ongoing issues.

Subresource integrity (SRI) gives similar protection against code injection when using external packages in websites. SRI forces the browser to check the SHA hash of the requested package(s) against what's in the code as an integrity check. Bootstrap is the best example I can offer. They add a SHA checksum in their "Getting Started" code. JQuery also does it. This means nothing if the web developer doesn't use it. Takes seconds to get a checksum from a website or command-line interface (CLI):

Linux: sha512sum filename

Windows: Get-FileHash filename -Algorithm SHA512

MacOS: shasum -a 512 filename

HTTP Strict Transport Security (HSTS) forces web browsers to display your website only using HTTPS. If the website's SSL certificate expired, you can't view the page. The exception: the user wants to see something bad enough that they disable the setting in the browser configuration file. It's not hard to do this in Firefox. I will say I was surprised to see how many domains were already in the file.

I could list more but it would turn this blog into a newer security features you should be using, plus how to bypass them listacle. My point is user awareness training, an administrative control, is as important as technical controls like those listed above. That's why phishing was a top 3 most popular breach method in the last 5 years, according to Verizon's Data Breach Investigation Report (DBIR) 2020.

That brings me to another quote in the same article:

Rather than adding to the noise of what a company probably did wrong, we can offer helpful suggestions for what others can do today.

Basically, apply and share lessons learned in a way that tech users at every level can understand. It takes a lot of effort to stay on top of new security protocols to defeat new cyber attack trends. This is my first attempt on this blog in a long while to share my knowledge on information security (InfoSec). I also published a YouTube video talking about cybersecurity for a bit.

Since I'm doing less with newer Linux apps and more with music production, I covered all three topics in the same episode. I'll probably separate them in the future.

Everyday users need to at least be trained on basic cybersecurity skills like how to detect, prevent, report, and recover from:

  1. Phishing
  2. Disgruntled users
  3. Social engineering
  4. Suspicious activity

There are people assuming they're safe just because they use Apple products or a Linux distro (OS. This leads to blissful ignorance toward current cyber threats and reckless behavior online. A lot of malware is targeted towards Windows because it's the most commonly used OS on PCs. But cyber attackers are realizing that people think this way and have changed their strategy accordingly. Migrating from Windows isn't good enough anymore. You still need:

  1. Full, verified backups
  2. Firewalls on the system and router
  3. Antivirus (AV) scanner
  4. Nothing you don't use

Seriously, if you don't use the application, uninstall it. If you only need it for one particular feature, you should see what other apps you use regularly that could probably do that one task. I used to use Master PDF Editor for everything PDF. Then, I learned how to sign PDFs with Libre Draw and merge PDFs with terminal applications. I no longer need Master PDF Editor.

Denial-of-service (DoS) botnets don't care what OS you're using. Websites that want to steal your personal information don't care either. Secure your gear... as in find ways to add security to your tech.

Since this blog actually became a "newer security features you should be using" rant, I'll recap my thoughts on the initial topic.

Be cautious about punishing a business for falling victim to a cyber attack. Remember when we were told Target got hacked? It wasn't them specifically but a vendor they worked with. Was your website with a web hosting provider hacked? You should figure out if you were the only victim on that server node and whether you followed recommended security advice that could've stopped it.

  • Use multifactor authentication (MFA/TFA) when possible
  • Don't give your info to companies when unnecessary
  • Ask the companies you work with what security mesaures they have available
  • Check if your email addresses were involved in any data breaches with HaveiBeenPwned.com

I'm not sure how likely those who need to read this are likely to actually see it, but I feel better after writing it. Stay safe.

Tags: cybersecurity, IT, privacy

Comments? Tweet