“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
-Niccolo Machiavelli, The Prince
While I may not agree with all of Niccolo Machiavelli’s ideas, this quote sums up cybersecurity nicely; if you have knowledge of what to look out for, coupled with knowledge of how to defend yourself, then cybersecurity doesn’t need to be something to fear.
Did you know the NSA data center in Utah undergoes approximately 300,000,000 hacking attempts per day? Per day! That is nearly as many hacking attempts every day as there are people in the United States. Some major insurance companies estimate that if their cybersecurity measures failed, their servers would be compromised in minutes. What was once a campy trope in tech-oriented action movies is now reality: The internet is the Wild West, and cackling mustachioed villains in black hats abound.
My purpose in this series is to turn out their pockets, but before we get too far into the nitty-gritty details, there are three concepts that we need to cover to ensure that we are on the same page: Assets, Vulnerabilities, and Controls.
These three concepts are the core of cybersecurity thought, and the three questions you need to ask yourself about them are:
Assets: What do I need to protect?
Vulnerabilities: Where are my weaknesses?
Controls: How am I going to mitigate those weaknesses?
Assets
Assets are defined as “property owned by a person or company, regarded as having value and available to meet debts, commitments, or legacies.” In business, an asset is any portion of the operation that is designated as important to the continuance of that operation. CERT generally divides assets into four categories: people to perform and monitor the operation, information and data to both feed and be produced by the operation, technology to automate and support the operation, and facilities in which to perform the operation. These are the portions of your business that must be protected!
Vulnerabilities
In cybersecurity, a vulnerability is a weakness within established systems, controls, or processes that can be used by cybercriminals to infiltrate, exfiltrate, vandalize, or take control of those systems or the data contained within them. Vulnerabilities are closely associated with avenues of attack, and they will be the main focus of this series of blogs. It is important to realize that a vulnerability does not have to be within a computer system; employees who are careless with data or credentials count as well!
Controls
Simply put, controls are the mitigations put in place to prevent or curb cyber-attacks. These can be anything from firewalls, obfuscated credentials, and abstracted code to training employees on data protection standards and distributing permissions so that access is kept to a minimum. Just like vulnerabilities, these are only partially digital; the behavior and training of those handling the data are just as important!
Next Time: Cookie Spoofs, Explained and Prevented!
Excellent article, Michael! I’m looking forward to learning more about cookie spoofing.