Teaching Cybersecurity Students to Maintain Vigilance
In the early days of hacking, nefarious actors honed their social engineering skills to convince unsuspecting people to give them access to data, systems, and facilities simply based on believing they had a need for that access. Someone savvy in these skills could walk into a building and make it past security with a clipboard and a story. Some would even call security ahead of time, pretending to be an employee from the corporate office, to inform them that a technician was on the way. A good social engineer was able to establish false trust and, as a result, gain unfettered physical access to systems they should have never been able to touch. We have done well at teaching the importance of physical security in cybersecurity courses and have greatly lessened the success of these in-person attempts. This was accomplished through vigilance. Frontline security is trained to be suspicious by default, forcing a wide variety of criminals to look for weaker targets or develop more effective methods. One thing we need to continue teaching our students is to maintain vigilance in this space and in the other common methodologies used to gain surreptitious access.
Phishing
We have learned from years of testing that, if a significant number of people in an organization are sent an email with a malicious link, there is a high probability that at least one person will click the link. It is a numbers game, and hackers have figured out that mass emailing large organizations with this methodology can be very effective. The reason phishing is such a lucrative methodology is that it bypasses many of the perimeter devices that stop direct attacks. This is a key piece for students to understand. Clicking on a malicious link establishes an outbound stateful connection, usually to a website, and firewalls allow responses from stateful connections because they are initiated from inside the network. One clicked link could allow a hacker to gain internal access without searching or an unpatched system to be exploited, and without spending hours scanning for potentially vulnerable external devices. Phishing is the shortcut that exploits the human factor. Professors should teach vigilance through user training. Users need to be able to recognize phishing messages and know not to click on suspicious links.
Ransomware
Few exploits cause as much fear as having one’s data held hostage until a ransom fee is paid. Professors should drive home the need for vigilance by showing that a ransom demand for a large organization’s data can easily be millions of dollars. Add to this that the daily loss of revenue from a lack of operational capabilities can put a lot of stress on management to pay the fee. Smaller organizations hit with ransoms of just a few thousand dollars have historically paid off the hackers because it is cheaper than going through a multi-day process of manually restoring the data from backups. Larger organizations typically have large-scale business operations that can quickly be lost if they are not able to restore their operational capabilities. Students need to understand that hackers use this to their advantage, knowing that enough leverage may force the hand of their victim. How does ransomware get installed? It can happen through traditional hacking, but successful phishing is a much easier methodology. Students can learn vigilance through the implementation of great system backups that can be quickly restored if ransomware strikes. Restoring from a good backup will return access to the affected systems and data without paying the criminals any money. An effective restoration process could have systems back up and operational in under a day.
Database Access
One of the most lucrative targets for hackers today is data, and they love to target systems with large databases full of personal information. A database with names, addresses, credit card numbers, passwords, and other personal information can be a treasure trove for anyone wanting to commit identity theft. Exposed passwords are particularly challenging because users often use the same password in many locations, and one good hack could evolve into access to many third-party systems. Professors should teach two specific forms of vigilance here. First, cybersecurity professionals need to maintain good patching of systems. It is easy to become lackadaisical with routine tasks and push patching and updates down the list of priorities. But students need to understand that one vulnerable internet-facing system is enough to create serious problems for companies and their customers. Almost every investigation I have ever conducted involved an unpatched system. The second area of vigilance professors should promote is multi-factor authentication.
MFA
Multi-factor authentication (MFA) has become an excellent secondary method to defeat unauthorized login attempts, even when user passwords are stolen. It has become more common today, but is not yet fully adopted across all sectors. Students should be trained to understand that adding a second step to the login process can stop many hackers in their tracks. MFA typically requires a user to submit a temporary code, which is provided to them through an email, text message, or application. The successful insertion of the code confirms that the user requesting access also has access to the user’s secondary accounts or systems, increasing the likelihood that they are not a hacker. This is also one of the best ways for everyday users to protect themselves against hacking attempts involving organizations they do business with.
Vigilance is not easy. Security is a necessary inconvenience, but when we are willing to be inconvenienced with the process of regular system updates, consistent backups, and multiple steps in the login process, we lessen the possibility of a hacker gaining access to our systems. Cybersecurity students should understand that hackers typically look for easy targets. Even a small amount of hardening can be enough to send them on to an easier target. A portion of the hacking world has now become intertwined with more traditional criminal enterprises, and maintaining vigilance in every area of security is how we will continue to win this battle.