Cybersecurity program with your own hands

25 May 2024 Author: Maria Ohnivchuk

How current and correct is your security knowledge? 

We all have smartphones, payment cards, electronic IDs, social media accounts and other resources that are targets for attackers. However, not all users give cybersecurity the importance it deserves until they face a real threat. Not only users, but also IT companies and IT professionals need to constantly raise awareness of information security. How can this process be made not only correct, but also interesting and motivating, giving practical skills as well as theoretical knowledge? And how can we understand who is cooler: hackers or security experts?

We help everyone, including information security professionals as well as managers and executives interested in securing data and networks, with this challenging but important task. 

We’ve prepared this article to help you not only refresh your information security knowledge and learn current information security best practices, but also to create your own user awareness program and information security policy for your organization. Our goal is to provide you with the information and tools you need to improve the security of your organization, customers, partners and their data, and to prevent potential cyberattacks.

Lifehacks for building effective security programs


Many people have misconceptions about hackers and cybercrime. In mainstream movie culture, a computer genius hacks into bank accounts, complex cyber systems, mines classified data, and can even access the codes to launch nuclear missiles in seconds.   

It is important to convey to users that cybercrime has many manifestations. It is not a distant movie or spy concept, but a real threat primarily to a user’s personal finances and other resources. By teaching users about cyber hygiene, protecting their own resources, and mitigating cyber risks, you gain allies in the fight for the security of corporate, public, and even government resources. That’s the key life hack to build today’s effective security awareness programs. 

The most common type of cybercrime worldwide is cyber fraud. Criminals often use fairly primitive methods to get their hands on your personal data or take your money. 

For example, special scripts and viruses are created to steal the data the hacker wants. Phishing websites are created where gullible users themselves enter the information needed by fraudsters. Other methods of social engineering — an indispensable tool of hackers — are also used. It is the human factor, trust and ordinary ignorance of the danger that become the main weakness of any company or ordinary user.

Besides financial gain, cybercrime can have political or ideological goals. Most often such hackers or entire groups of cybercriminals attack government websites, trying to seize important information or discredit the state. The very fact that hackers were able to successfully attack state registries or other important resources damages the reputation of the state and its individual services.

Finally, hackers sometimes act purely for fun. The first hackers did not have the goal of enrichment. They wanted to improve their self-esteem by showing off their technical skills, having fun and experimenting. The first computer viruses most often had one goal — to show the superiority of its author over ordinary users and professional developers. Time passed, and pretty soon the vast majority of hackers started to engage in illegal activities for their own material gain. 

Thus, when developing awareness programs, it is important to first show that anyone can become a victim of cyber fraud, and then to inform users about all major forms of cybercrime that can affect users’ personal resources and interests not only directly but also indirectly: 

  • cyberbullying and hacktivism;
  • cyber fraud (social engineering, etc.);
  • cyber extortion (ransomware);
  • identity theft;
  • hacking of systems and resources (unauthorized access); 
  • cyber espionage; 
  • cyberterrorism. 

We recommend reading our Cyber Incident Overview, Analysis and Forecast to improve your understanding of cybercrime and to gain additional material for cybersecurity awareness programs.

Who is ahead — cybercrime or cybersecurity?


Cybercrime has become a global problem. Many companies have begun to realize the scale of the threat and are turning to certified information security professionals. Significant funds are being invested in developing the most secure systems that are beyond the reach of hackers. Or are they still within their grasp? This is a complex question.

When creating and using software and other IT, it is important to realize that there is no such thing as a perfectly secure system. Developers, owners, and users of modern systems balance security, convenience, and the cost of security measures. Improving any one factor of these three simultaneously worsens the other two. 

Many people believe that cybercriminals are always one step ahead of cybersecurity professionals — developers of antivirus software, other security systems, security managers, incident investigators and other experts. 

The reality is that some hackers are occasionally smarter than some security professionals, and vice versa. Criminals create new computer viruses, hacking and theft techniques, and the job of security professionals is to identify these viruses and techniques as quickly as possible, and find ways to combat them. Often, new viruses, spam campaigns, botnets, or malicious websites only live for a few minutes or hours until an antivirus or online security company identifies the new threat and releases an automatic update to users. 

Cybersecurity professionals who design, implement, and especially test comprehensive defense systems must stay at least one step ahead of hackers to prevent threats. Therefore, such specialists must also think like hackers. Such people are called “white-hat” or ethical hackers because their goal is similar to that of a cybercriminal or black-hat — to find vulnerabilities, but their motivation and next steps are different — to close those vulnerabilities or to apply the right defense against the threat in time.

The issue is further complicated by a specific irony of cybersecurity, the third group, the “gray-hat” hackers. They may use their information security skills for both useful and unethical purposes, depending on the circumstances and their personal motivations. Unlike “black-hat” hackers, “gray-hat” hackers in most cases do not engage in criminal activity and do not intend to harm systems or data. They tend to be ethical and often conduct their activities within the bounds of legality. At the same time, they may use their skills to test security and discover vulnerabilities in systems, for example, without prior authorization from the owners of those systems. And while they may then report security problems to the “victim” and offer their services, such activities are illegal in some jurisdictions.  

The race between hackers and security professionals could be compared to that of conventional criminals on one side, and conventional police and the physical security industry on the other. However, cybercrime is growing much faster than conventional crime, with the constant invention of new criminal methods and the involvement in IT of a careless part of the world’s population that believes they will not be affected until the first unfortunate incident occurs.

Why you need to stay one step ahead of hackers


As with conventional crime, it is important not only to deal with the consequences and look for a hacker who has already committed a crime, but to be able to prevent the very fact and even the earliest preconditions of an attack, and to minimize vulnerabilities and threats.

When creating your own information security awareness program, it is important to provide real-life examples of how hackers can affect information systems. As we mentioned above, when teaching, it is always beneficial to start with examples that are closest to people — personal finances and personal physical security.

Everyone uses banks, payment systems, payment gateways, and other financial institutions. There are many examples of these organizations’ systems and databases being hacked and compromised. Even if you don’t have mobile banking apps or make online payments, banks and other financial organizations hold information about you and your accounts on their servers. These servers need to be protected from hackers. Even if an attacker finds a way to get only to customer information and not their finances, the financial organization is discredited. This is a major blow to its reputation, and many people will abandon the services of a financial organization that has failed to reliably defend itself against hackers.

Another major cybersecurity issue is related to the Internet of Things. Take a closer look at the home appliances that surround you: you may have a smart kettle, robot vacuum cleaner, refrigerator, washing machine or other devices that can be controlled remotely. These devices often succumb to hacking attacks. First of all, attackers need such devices to form botnets. For example, the computing power of a smart kettle or refrigerator can be used for DDoS attacks: many infected devices start sending requests en masse to the server that the hacker chose as the target of the attack. An overload occurs, causing the server to stop responding to requests from real people. This can paralyze the work of even a very large organization for some time. Some hackers use the computing power of infected machines to mine cryptocurrencies.

Technology has a big role to play in healthcare. Special heart valves, smart pumps for insulin regulation and body monitoring, ventilators and much more all require special protection against possible attacks. Risks cannot be excluded, and there are already individual cases of hackers interfering with the operation of these important devices. People’s lives depend on such risks. Therefore, modern medical equipment must meet the strictest cybersecurity standards. The largest manufacturers of medical equipment make it as secure as possible. 

Mass cyberattacks on devices using encryption programs are common. Computers get infected and users lose access to the information on their hard drives because it is encrypted. To decrypt the data and restore access, hackers demand money to be transferred to their crypto wallets. Many large companies have agreed to the hackers’ terms, as the downtime or loss of important information caused a greater loss than the amount of the ransom. These attacks affect not only regular users but also many businesses, logistics companies and even government agencies. They can cause serious damage and paralyze many work processes.

Government agencies and businesses are also being targeted by hackers. Criminals are not necessarily looking to get their hands on sensitive data and documents. More often, personal data of citizens become their target. For example, many government agencies due to the specifics of their work have information about a lot of people — names, surnames, ages, phone numbers, places of residence, digitized identity cards and much more. Such databases are very valuable and are in demand in the DarkNet — the criminal part of the Internet. Among other things, criminals can use this information to arrange loans and other types of credit in the name of unsuspecting victims. Some more or less law-abiding companies are also willing to pay for such databases, as they contain useful information and contacts of people, which can be used, for example, in targeted advertising.

As for intelligence and defense-related agencies, they are regularly targeted by cybercriminals and the intelligence services of enemy states. Sometimes hackers manage to disable large systems for some time. There are major cases of information leakage. That is why large units of information security specialists work to ensure the cybersecurity of countries engaged in physical or economic wars.   

We can give dozens of examples of cyber threats and incidents that hackers create. Unfortunately, these are not theoretical, but real problems that arise every day and affect not only the personal security of citizens, but also the economic security of enterprises and the national security of countries.

What vulnerabilities hackers exploit


The majority of successful cyberattacks are accomplished by exploiting vulnerabilities in systems. Vulnerabilities are the very doors that cybercriminals use. These vulnerabilities can be related to the hardware or software part of the system. 

Some threats are related to problems at the hardware level. Some processors may contain vulnerabilities that allow attackers to gain unauthorized access to sensitive data. Attacks directed at the device itself are possible, such as bypassing security, reading memory, manipulating electronic components, and others. 

Incorrectly designed, manufactured or assembled hardware components may have hidden vulnerabilities or flaws that are exploited by attackers. Such vulnerabilities are quite difficult to fix, as they are often related to the peculiarities of the device itself. Quite often, fixing such vulnerabilities, such as the recent GoFetch vulnerability in Apple’s M processors, slows down devices significantly. There is even an opinion that device manufacturers secretly create such vulnerabilities to motivate users to splurge on new, faster devices from time to time.

Software vulnerabilities are most often related to the operating system. It doesn’t matter how robust the system is, or what family it belongs to. Problems and vulnerabilities are regularly identified in Windows, macOS, Linux and other operating systems. Developers fix them promptly with updates. It is very good if the vulnerability, which can be used for cyberattacks, was first identified by developers or security experts themselves, not by hackers. 

Some system programs and additional software that are relatively secure on their own can, in certain combinations, be a “doorway” for a hacker to exploit a mistake by programmers or system administrators.

Hackers can attack data transfer protocols such as TCP/IP, DNS, HTTP, FTP, and others. Vulnerabilities in these protocols can be exploited for data interception, denial of service, traffic spoofing, and other attacks. Therefore, it is not necessarily the case that attackers will attack a user’s computer. Sometimes it is enough to intercept data packets at different transmission levels. 

Last but not least are the vulnerabilities of the human mind and failure to observe basic cyber hygiene. This includes the use of counterfeit and other unreliable software, indiscriminate communications, naivety, fears, pity and many other psychological vulnerabilities that fraudsters use to deceive users.

How to protect yourself from threats


Make users aware that there is a constant war between “good” and “evil” in cyberspace. Hackers with different goals and expertise threaten information systems. Security professionals include:

  • cybersecurity service companies;
  • developers of antivirus and other solutions;
  • security departments in various organizations;
  • law enforcement agencies, etc.

They are fighting cybercriminals. At the same time, ordinary users should maintain cyber hygiene, the basic rules of their own cybersecurity.

First and foremost is regular operating system (OS) updates. Do you frequently update the OS on your computer, laptop or smartphone? Many people do it quite rarely or basically disable this feature. This is a very dangerous mistake. Although after the next update you may not see any changes visually, they are still there “under the hood”, and most often they relate to security. As we said above, operating systems have vulnerabilities. When they are identified, you need to get rid of them right away. An ordinary user will not be able to find the problem and its solution on his own. This is done for him by operating system developers, who send regular updates. 

Many threats are created by computer viruses and other malicious software. Most often the user himself gives it the opportunity to run on his device. Hackers often create Trojans, which are applications that have both overt and covert malicious functions. You download a useful program, install it, and it performs its functions quite well. At the same time, a Trojan can access your files, collect information about you, use your device’s resources for its own purposes, and more. Often, viruses, Trojans, ransomware, worms, spyware and many other malicious features are combined in one program in one way or another. 

To avoid accidentally infecting your device, it is better to install programs only from official websites and marketplaces. You should not look for pirated versions of programs, as you are very likely to install a dangerous application on your device and become vulnerable to hackers. 

Don’t forget to remind users about security rules on web pages. Users should not go to suspicious sites, open obscure links sent to them by a stranger, and even more so, they should not enter their data there. If in doubt, users should consult a specialist. 

Use two-factor authentication — additional confirmation when entering a password. This is a powerful security measure that stops most attackers.

Finally, set up automatic backups of all your important information to the cloud or other devices. This is the strongest defense against ransomware and more.

These simple rules help protect against more than 95% of cyber threats. At its simplest, you can build a basic security policy for your organization that mitigates its most significant risks. In addition to security rules, include in the policy a description of security responsibilities and its lifecycle — from design and implementation to maintenance and performance monitoring. The international standard ISO 27001 is a valuable resource for developing a security policy.

To combat cyber threats, commercial companies, government and public organizations are developing comprehensive regulations, standards, frameworks and security policies. These are a set of measures to protect not only against hackers, viruses, spyware, and ransomware, but also against accidental errors, man-made accidents, and natural disasters. These measures start with risk calculations, designing multiple layers of protection and separation of access rights, and end with the implementation of special software and hardware defenses, as well as incident investigations, damage compensation, and learning from past mistakes.

Conclusion


Using our materials and tips, you can try to develop your own information security awareness program and information security policy for your company and users. 

Once you feel that your own efforts are not enough, you can ask for help from our experts to create the most effective and rich program, taking into account the current level of knowledge of your users and the risks they may face, as well as an effective security policy tailored for your organization, taking into account the latest international standards. 

The effectiveness of a corporate security awareness policy and program can be significantly increased through penetration testing, Red Team exercises, and the introduction of new methods of training and testing employees to recognize social engineering techniques commonly used by hackers and cybercriminals. 

Human gullibility, inattention and ignorance remain the main reasons for successful attacks, giving attackers access to valuable data and systems. Our authoring approach will help your staff and users develop critical thinking, improve threat and vulnerability identification skills, and learn effective modern techniques and tools to prevent attacks and mitigate risks.

Contact us for help! Our team of experts is ready to provide you with the support and advice you need.

Follow the latest news and updates on our blog, and subscribe to our social media channels linked at the bottom of this page.
