Cyber self-defense

In cybersecurity, cyber self-defense refers to self-defense against cyberattack.[1] While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole,[2] such as corporate entities or entire nations.[3][4][5] Surveillance self-defense[6][7][8] is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Background


Organizations may conduct a penetration test via an internal team or hire a third-party organization to audit the organization's systems. Larger organizations may conduct internal attacker-defender scenarios with a "red team" attacking and a "blue team" defending. The defenders, namely threat hunters, system administrators, and programmers, proactively manage information systems, remediate vulnerabilities, gather cyber threat intelligence, and harden their operating systems, code, connected devices, and networks. Blue teams may include all information and physical security personnel employed by the organization.[9] Physical security may be tested for weaknesses, and all employees may be the target of social engineering attacks and IT security audits. Digital and physical systems may be audited with varying degrees of knowledge of the relevant systems to simulate realistic conditions for attackers and for employees, who are frequently trained in security practices and measures. In full-knowledge test scenarios, known as white box tests, the attacking party knows all available information regarding the client's systems. In black box tests, the attacking party is provided with no information regarding the client's systems. Gray box tests provide limited information to the attacking party.

Cybersecurity researcher Jeffrey Carr compares cyber self-defense to martial arts as one's computer and network attack surface may be shrunk to reduce the risk of exploitation.[10]

Measures


Authentication

  • Enable multi-factor authentication.[11]
  • Minimize authentication risk by limiting the number of people who know one's authentication factors, commonly described as "something you are, something you know, or something you have." Any unique piece of such information is correspondingly useful to a threat actor seeking unauthorized access to a person's information.
  • Reduce one's social media footprint[12][13] to mitigate risk profile.
  • Regularly check one's social media security and privacy settings.[13]
  • Create strong and unique passwords for each user account[11][10] and change passwords frequently and after any security incident.
  • Use a password manager to avoid storing passwords in physical form. This incurs a greater software risk profile due to potential vulnerabilities in the password management software, but mitigates the risk of a breach if one's written password list were stolen or lost, and in case a keylogger is present on the machine.
  • Pay attention to what information one might accidentally reveal in online posts.[13]
  • Change default passwords to programs and services to prevent default credential vulnerability exploitation techniques.
  • Appropriately use password brute force attack prevention software such as Fail2ban or an effective equivalent.
  • Never give out logins or passwords to anyone unless absolutely necessary and if so, change them immediately thereafter.[14]
  • Use security questions and answers that are impossible for anybody else to answer even if they have access to one's social media posts or engage in social engineering.[14]
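The Fail2ban item above describes the defensive idea without showing it: count failed logins per source address and block the source once it crosses a threshold within a time window. The following is an added example written for this article, not Fail2ban's own code and not code from the article; it implements that sliding-window logic over a handful of constructed OpenSSH log lines (documentation IP ranges, an assumed year, invented process ids). It also reports a successful login from a source that had earlier failures, which an administrator may want to review, and it deliberately includes a slow, spread-out guessing pattern to show what a short window does not catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH sshd lines in the classic syslog format (the timestamp carries no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log: addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  5 10:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  5 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  5 10:00:07 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  5 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  5 10:01:00 host sshd[2006]: Failed password for alice from 198.51.100.2 port 40010 ssh2
Mar  5 10:01:30 host sshd[2007]: Accepted password for alice from 198.51.100.2 port 40011 ssh2
Mar  5 10:20:00 host sshd[2008]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  5 10:40:00 host sshd[2009]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  5 11:00:00 host sshd[2010]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  5 11:20:00 host sshd[2011]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar  5 11:40:00 host sshd[2012]: Failed password for bob from 192.0.2.9 port 33004 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps have no year, so one is assumed (constructed data)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyze(lines, max_failures=5, window=timedelta(minutes=10)):
    """Fail2ban-style sliding-window counter over sshd log lines.

    A source IP is flagged for banning once it accumulates `max_failures`
    failed logins inside `window`. A successful login from a source that
    previously failed is reported separately for review.
    """
    recent = defaultdict(deque)        # ip -> failure timestamps still inside the window
    failure_counts = defaultdict(int)  # ip -> total failures seen, window ignored
    banned_at = {}                     # ip -> time the threshold was crossed
    success_after_failures = []

    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            failure_counts[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= max_failures and ip not in banned_at:
                banned_at[ip] = ts
            continue
        m = ACCEPTED_RE.match(line)
        if m and failure_counts.get(m["ip"]):
            success_after_failures.append((m["ip"], m["user"]))

    return {
        "banned": set(banned_at),
        "banned_at": banned_at,
        "failure_counts": dict(failure_counts),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip in sorted(report["banned"]):
        print(f"ban {ip} (threshold crossed at {report['banned_at'][ip]})")
    for ip, user in report["success_after_failures"]:
        print(f"review: {user} logged in from {ip} after earlier failures")
```

On the sample data only 203.0.113.7 is flagged: five failures in eight seconds. The 192.0.2.9 source also fails five times, but twenty minutes apart, so no more than one failure ever sits inside the ten-minute window and it is never banned; this is the trade-off behind the "appropriately" in the list item, since a longer window or lower threshold catches slow guessing at the cost of more false positives from users mistyping passwords. Real deployments apply the ban through a firewall rule rather than only recording it.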

Anti-social engineering measures

  • Do not plug in found external storage devices, such as external hard drives, USB flash drives, and other digital media.
  • Beware of social engineering techniques and their six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
  • Beware of shoulder surfing, wherein threat actors collect passwords and authentication information by physically observing the target user.
  • Beware of piggybacking (tailgating), wherein a threat actor closely follows authorized personnel into a secure facility.
  • Beware of wardriving, wherein threat actors use mobile hacking stations to gain unauthorized access to WiFi. Wardriving might also consist of the use of parabolic microphones to gather acoustic data, such as passwords and personally identifiable data.
  • Be cautious when browsing and when opening email attachments or links in emails,[10] which are common vectors for phishing.
  • Refrain from interacting with fraudulent phone calls (voice phishing, also known as "vishing").
  • Scan links to malicious websites with Google Transparency Report to check for known malware.

Preventative software measures


Network and information security measures


Reporting breaches and incidents

  • Gather evidence and document security and data breaches (intrusions).
  • Contact relevant authorities, administrators or organizations in the case of a cyberattack.[14]
  • Beware of website data breaches wherein stored passwords and personally identifiable information are publicized.
  • Refer to the applicable state's statute on security breach notification laws.

"Hacking back"


Legal theorists and policy makers are increasingly considering authorizing the private sector to take active measures by "hacking back" (also known as hackbacks).[20][21] In contrast to active attack measures, passive defense measures present a reduced risk of cyberwarfare, legal, political, and economic fallout.

A contemporary topic in debate and research is the question of 'when does a cyber-attack, or the threat thereof, give rise to a right of self-defense?'[22]

In March 2017, Tom Graves proposed the Active Cyber Defense Certainty Act (ACDC), which would amend the Computer Fraud and Abuse Act (CFAA) to allow individuals and the private sector to use certain tools currently restricted under the CFAA to identify attackers and prevent attacks by hacking back against them.[20][23][24] This presents a "chicken or the egg" problem: if everyone were allowed to hack anyone, then everyone would hack everyone, and only the most skilled and best-resourced would remain.
Brad Maryman warns of unintended consequences, stating that in his view "the notion that we should legislate and accept a level of undocumented and unmonitored cyber actions by anyone who thinks they have been hacked is unfathomable".[24]

See also


References

  1. ^ Whitehouse, Sheldon; Mikulski, Barbara; Snowe, Olympia. "Cyber self-defense can help U.S. security - CNN.com". CNN. Retrieved April 13, 2017.
  2. ^ Freedberg, Sydney J. Jr. (June 17, 2015). "Adm. Zukunft Unveils New Coast Guard Cyber Strategy". Breaking Defense. Retrieved April 13, 2017.
  3. ^ "Qatari tech helps Hamas in tunnels, rockets: Expert". The Times of Israel. Retrieved April 13, 2017.
  4. ^ Rella, Christoph. "Neutrales Österreich setzt auf "Cyber"-Selbstverteidigung - Wiener Zeitung Online" (in German). Wiener Zeitung Online. Retrieved April 13, 2017.
  5. ^ "Cyberattacks could trigger self-defense rule, U.S. official says". Washington Post. Retrieved April 13, 2017.
  6. ^ Greenberg, Ivan (May 31, 2012). Surveillance in America: Critical Analysis of the FBI, 1920 to the Present. Lexington Books. ISBN 9780739172483. Retrieved April 13, 2017.
  7. ^ Ziccardi, Giovanni (September 29, 2012). Resistance, Liberation Technology and Human Rights in the Digital Age. Springer Science & Business Media. ISBN 9789400752757. Retrieved April 13, 2017.
  8. ^ "EFF Relaunches Surveillance Self-Defense". Electronic Frontier Foundation. October 23, 2014. Retrieved April 13, 2017.
  9. ^ Miessler, Daniel. "The Difference Between Red, Blue, and Purple Teams". Retrieved May 7, 2019.
  10. ^ a b c d e "Cyber Self Defense For Non-Geeks". jeffreycarr.blogspot.de. Retrieved April 13, 2017.
  11. ^ a b c d e f g Thornton, Michael (February 16, 2017). "You Can't Depend on Antivirus Software Anymore". Slate. Retrieved April 13, 2017.
  12. ^ a b Firewall, The. "Cyber Self Defense: Reduce Your Attack Surface". Forbes. Retrieved April 13, 2017.
  13. ^ a b c d Conn, Richard (March 15, 2016). "Cybersecurity Expert Gives Tips To Stay Safe Online". Retrieved April 13, 2017.
  14. ^ a b c Moore, Alexis; Edwards, Laurie (2014). Cyber Self-Defense: Expert Advice to Avoid Online Predators, Identity Theft, and Cyberbullying. Rowman & Littlefield. ISBN 9781493015429.
  15. ^ Seay, Gary. "4 Keys to Cyber Security Self-Defense". Retrieved April 13, 2017.
  16. ^ Barrett, Brian. "Flash. Must. Die". WIRED. Retrieved April 13, 2017.
  17. ^ Whittaker, Zack. "13 new vulnerabilities? You should disable or uninstall Adobe Flash". ZDNet. Retrieved April 13, 2017.
  18. ^ Stoner, Daniel. "Hackers Love IoT Products: Here's How to Keep Them Out". Safety Detective. Retrieved November 22, 2018.
  19. ^ Tiwari, Mohit (April 2017). "INTRUSION DETECTION SYSTEM". International Journal of Technical Research and Applications 5(2):2320-8163. Retrieved April 22, 2019.
  20. ^ a b Chesney, Robert (May 29, 2013). "International Law and Private Actor Active Cyber Defensive Measures". Lawfare. Retrieved April 13, 2017.
  21. ^ Brown, Megan L. (September 6, 2018). "Authorizing Private Hackback Would Be a Wild West for Cybersecurity". Law.com. Retrieved September 7, 2018.
  22. ^ Waxman, Matthew C. (March 19, 2013). "Self-Defensive Force Against Cyber Attacks: Legal, Strategic and Political Dimensions". International Law Studies. 89. SSRN 2235838.
  23. ^ Hawkins, Garrett. "Rep. Tom Graves Proposes Cyber Self Defense Bill". www.thedallasnewera.com. Retrieved April 13, 2017.
  24. ^ a b "'Self-Defense' Bill Would Allow Victims to Hack Back". Retrieved April 13, 2017.