Miller Mike - Cybersecurity for Beginners: How to prevent Phishing & Social Engineering Attacks

Cybersecurity for Beginners

How to prevent

Phishing & Social Engineering Attacks

Volume 1

Mike Miller

Copyright

All rights reserved. No part of this book may be reproduced in any form or by any electronic, print or mechanical means, including information storage and retrieval systems, without permission in writing from the publisher.

Copyright 2020 Mike Miller

Disclaimer

This book is produced with the goal of providing information that is as accurate and reliable as possible. Professionals should be consulted as needed before undertaking any of the action endorsed herein. Under no circumstances will any legal responsibility or blame be held against the publisher for any reparation, damages, or monetary loss due to the information herein, either directly or indirectly. This declaration is deemed fair and valid by both the American Bar Association and the Committee of Publishers Association and is legally binding throughout the United States. The information in the following pages are considered to be a truthful and accurate account of facts, and as such any inattention, use or misuse of the information in question by the reader will render any resulting actions solely under their purview.

Table of Contents

Introduction

There are always news reports about cyber-attacks and while they're providing a lot of information; still many people not sure how it impacts them, their business or the company that they work for. You're perhaps not too sure what you're supposed to do about cyber-attacks? Partly because of all the confusing vocabulary or the types of attacks, and perhaps unsure what this mean to you? Well, that's precisely what we are going to cover in this book. We are going to focus on the basic concepts of security and the terminology used for cyber-attacks. At first, let's get started with the vocabulary. We are going to take a look at why this is so important, what's the impact of having better knowledge of security and what the challenges are that your business faces when dealing with cyber-attacks. We are trying to prevent the loss or corruption of confidential data and that directly impacts your business. If there's a loss of customer data, this can impact not only the operations of the business, but its future financial outlook and there's going to be a personal impact from cyber-attacks that can affect you such as loss of your identify, loss of money or loss of property that might be an impact as well. This is an important concept. Security is everybody responsibility. It's a phrase that you hear all the time, but it's not often practiced. The more active you are in doing this, the better you can improve everyone's security, not just your personal security, but the security of your business too. Your business needs to try to prevent attacks from happening. That's to protect that corporate confidential information and they also have to be able to respond to attacks when they occur and most likely they'll have specialized security professionals who will do that. Also as part of that is to educate the employees or help you out as well because it helps the business. If you notice something that is wrong and you can report it, is great. That might be a great way to get started on responding to a possible attack. Notifications about data loss or corruption if it occurs can help the business to make sure that it's doing everything it can to prevent an attack. The term Cybersecurity is a common term used by the government, but there are a couple of other terms I just want you to be familiar with. I'll use the term Cybersecurity as We are talking about the different types of attacks, but there's also a common term used in the private sector called information security or just known as InfoSec. These are general terms and I will switch between them from time to time. But something else I want you to keep in mind is that you'll hear other term like computer security or network security or software security. The idea is that there are people in place that are trying to make sure that if something were to fall under attack, they could help prevent it, then respond to the attack. There might be very specialized categories that each person follows through, but in general, people refer to it as Cybersecurity or InfoSec. First of all, we are going to take a look at what are you have to protect, what information some malicious person might want to get hold off, and who is going to help you do this protection. Then we want to dive into the different types of attacks, threats, exploits and risks that these are all means to you. This is whats most important and understanding the definitions which will give you a general idea of what you're looking for when something might happen. And what is a proactive approach, both; what your business should do to proactively fight against these attacks and what you can do to help and how to report an attack. We will also discuss who you should report an attack including both; at your business and in your own personal life. This is important but there are many challenges because we want to protect both the business and our own personal information. If you are ready, lets get started.

Chapter 1 The Ultimate Goal of Cybersecurity

Cybercriminals are going to try a variety of attacks. Those are the malicious people. They're going to try to attack you and your business to gain information or just steal money. They're going to use creative ways. They're going to use all kinds of different communication methods to try to cheat you out of providing information you shouldnt. They'll use emails, they'll use websites that you may have clicked on and you get malicious software. They might even use phone calls. There are all sorts of attacks they're going to use, but first of all, what are we trying to protect in the first place? Well, that's what our focus is. What is it in our business that someone would want to take from us and also personally what is it that they want to take from us and where might some of that information be stored. We want to take a look at what the challenge is for the business in protecting this information and what the fix might be. Let's get started with data in your business. Your business wants to ensure that whats confidential stays confidential. In other words, no unauthorized users, no cybercriminals, not even you can see what you're not supposed to see and you that's going to be a lot of customer information. For example what orders your customers have placed, or their intellectual property or any business dealings that are going on. If you work at a medical institution for example then there are certain requirements for patient records that must be followed. All of this is very important and this is going to be stored in things like databases and files. These are going to be stored on computers referred to as servers, your desktop computer or your laptop, but also keep in mind that this information could be on tablets and phones too if they're used for the business. Things like USB drives, USB sticks, in backups that may contain this information that you don't want to share to someone else. This is very similar to your personal information. All the data that you want to have confidential, you don't want somebody else to get a hold of, such as your bank information, your medical records, anything that is personally identifiable to you like your Social Security number. Not everything needs to be confidential, but quite a bit of it does to protect your identity and that's what you're focused on both with the business and yourself. What's interesting about this is that where's this data going to be stored in your home. It's going to be stored in databases, in files. It's going to be stored on your desktop computer, your laptop, your tablets or your phones. It's pretty much the same list, very similar to what your business is storing these data on and many times when you learn about how to protect yourself, you're also learning about what the business needs to protect itself and vice versa; the protection your business need, you also probably need as well. Part of what makes this so challenging is that new weaknesses and later I'll define this as vulnerabilities, are discovered all the time. While you build a better safe, there's a better safe cracker who learns a new way into that safe. Then there are old weaknesses that still haven't been prevented. One of the main reasons for that is that the computer systems such as your tablet or mobile phone didnt get updated. You're preventing it from getting updated or someone's preventing it from getting updated, which means that the security patches that are coming out aren't fixing some of those old weaknesses. More commonly, some businesses don't focus on security until after they've had their first major breach. In fact, a study was done recently where most companies didn't even know that they had been attacked for six to eight months after the attack, while many had insufficient security policies. In other words, things like the length of your password or the system's logging connections. Also, are we doing any end user training? Are we helping employees understand what they can do to provide better security? Those things are part of the challenge. How you fix those issues? Well, it comes down to you. One of the phrases you're going to hear quite often is that humans are the weakest link. Well, I like to think as humans as also possibly the best solution because you can have an impact. Everyone is responsible for security. The more you know about this, the more you understand what attacks you can have. The more you understand the terminology, the better you can report it if you notice something happening. Humans have made all of this possible. We have made all of the hardware and all of the software. Humans wrote the code, humans administered all the security tools to protect the data, humans can make mistakes, but they can also make the difference, so keep in mind this knowledge. You'll be able to spot it when something is wrong. Both, at your business and report it appropriately and in your personal life. Not only is part of the challenge understanding what confidential data you want to protect, but all of the locations where it might be such as your tablet device or phone. Maybe a tablet you haven't used in two years may contain that information and that's what you want to start thinking about, not only for yourself, but for your business. People have to think about those very same things and the challenges that we go through are numerous. But together we can fix those and we can help both; your business to improve its security and yourself to improve your security to prevent things such as identity theft. Once you learn the basic concepts, you will have a better understanding of who is trying to attack us and what are some of the countermeasures that we can take. The idea of my personal information being attacked and stolen or at the business site losing customer information is a pretty frightening aspect to think about. However, you're not alone in this and this is what we are going to talk about is some of the people around you that can help you and how they think about the basic concepts of security. We are going to take a look at how your business can provide assistance in this and what a security professional starts to think about when they think about protecting data. Something called the CIA security triad and those are going to have concepts doing with confidentiality, integrity, and availability. When you think about both data that you're storing at the office or at home we are also using another concept called defense in depth, where we layer multiple defensive mechanisms. Your business and the security professionals that work in it often rely upon industry organizations to give guidance when needed such as the National Institute of Standards and Technology known as NIST. You're going to see more about NIST later on, but they provide policies and procedures and guidance and terminology to the industry overall. Most organizations, most companies are going to have security experts that are going to follow these standards and try to secure the business as best they can. These security professionals may be part of several different teams. You might hear of somebody responsible for network security or computer security, server security or application security. They're all part of security working together as a common goal to protect confidential information. At your business, if you have a security department, they often offer employee training. The reason they're doing this is that they want to know more about what's going on to protect both yourself and the actions that you take in the business and be alerted when things might go wrong. This comes back down to you and how much you can affect the overall security profile of your business. Just by being alert and by reporting something might have gone wrong might just be enough to save the day.