Attacking Through Emails

In this post, we’ll discuss phishing (not fishing) and spear phishing as means of attacking through your emails.

Email Scams

I have chosen to include this category because some scams are delivered by email.  They are similar to phishing emails in that they want something from you.  Often it is to start a very personal correspondence or a series of calls.  Picture a room full of people with computers who have just sent out a scam.  Within MINUTES, someone shouts ‘Got a live one’ and everyone snickers before they begin talking to the person in a very sincere voice.

Think this doesn’t work?  Consider that Nigerian scams, see below, started 20 years ago.  Note the date at the top, when I received it.  IF IT DID NOT WORK, THEY WOULD STOP DOING IT.

This is a lazy one because they just want you to email your bank credentials to them.  Many want you to call or write, and then they gradually hook you.  All have a deadline by which the wonderful offer will expire if you don’t act.

See the official-looking note at the bottom that the email has been scanned by Avast antivirus software.  Ha ha!  Anyone can type that line into an email.  Remember, if something seems too good to be true, it probably is.

ch 3 - scam


These are sent to every address the bad guys can get, from buying lists or scraping addresses off the web.  Bad Actor: “We hope the potential victim does business with the company named in the email.  If not, there are lots of other prospective victims just waiting for us.”

I get lots of these, often several a day.  I present some samples here, minus of course the bad links.  I have made them images so the links are not active in this post.  Remember, these were NOT sent by the company they appear to be from.

The first one appears to be from LinkedIn.  If the person who gets this is a LinkedIn member, they will be interested.  Note the ‘IMPORTANT MESSAGE’.  Victim: “Dang!  My profile has a situation, I better hurry and click so I won’t miss any of those messages I get from LinkedIn.”

The mail address at the bottom is a nice touch, don’t you think?

ch 3 - linked in

Coming up is one from Bank of America.  It’s pretty, has their logo and colors, and looks very real.  It even has a ‘Security Checkpoint’ on it, whatever that is, so I will believe it is real.  Victim: “Oh man, there’s a multiple IP conflict on my account (whatever that is) and they are going to close it.  I better act fast.  Whew!”

Glad to know BOA is an Equal Housing Lender; it makes the email look more real.

Oopsie: this is America, and the date in the Security Checkpoint is written 18/02 (day/month) rather than 02/18 as it would be in America.  Still not a bad job.  They are hoping that when it’s mixed in with the 200 other business or personal emails you receive every day, you will not think and will TAKE ACTION.

ch 3 - boa

Ok, last one.  This one appears to be from Chase Bank.  This time I have ‘suspicious activity’ on my account.  Victim: “Oh no, my account is suspended!  How did… oh, they tell me how it got suspended and all I have to do is click on this button to fix it.  How thoughtful.”

The button takes the victim to a web page that looks like a Chase page, complete with logo, and asks them to verify their account by entering their login and password.

This one is a member of FDIC so it MUST be ok.  Bad Actor: “By the time they figure out I got their password, I will have the real bank transfer funds from their accounts to my account in another bank that will only exist temporarily until I can cash out of it, WITH THEIR MONEY.”  This works because they take you to a similar website like  while the REAL bank is at

ch 3 - chase


1) No legitimate company ever asks you to click a link in an email and enter your credentials.

2) Pick up the phone and call to verify.  Don’t use ANY number from the suspicious email; use the number on your card or statement.

3) Hover the cursor over the link and carefully check the URL shown in the lower left of the browser (on a phone, press and hold the link to preview it) to see whether it really points at the company’s site.  Watch for URLs similar to the real one, and for the real company name buried inside somebody else’s domain.

4) Avoid opening attachments until you have confirmed the source of the email.

5) Use a different email address from your regular one to sign up for things on the Internet.

6) Hire an outside firm to train your employees and to run a test phishing campaign that records who responds to it.
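The hover check in item 3 can be written down as rules.  The following is an added example, not code from the original post: it takes the URL a link really points to and reports the tricks phishers use to make it look like a bank’s address.  The list of brand domains, the short list of two-level suffixes and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed: the brand domains this recipient actually has accounts with.
KNOWN_DOMAINS = ["linkedin.com", "bankofamerica.com", "chase.com"]

# A few two-level public suffixes so that registrable-domain extraction is not fooled by
# hosts such as bank.co.uk (constructed, not a full public-suffix list).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """The part of a hostname that somebody had to register, e.g. evil.example."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a small distance between domain names suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(url):
    """Return the reasons a link looks like a phishing link; an empty list means nothing was found."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # https://bankofamerica.com@evil.example/ : the browser ignores everything before the '@'
        findings.append("userinfo trick, real host is " + host)
    if host.replace(".", "").isdigit():
        findings.append("bare IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (internationalised) hostname, possible look-alike letters")
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return findings                     # genuinely the brand's own domain
    lookalike = []
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in host.split("."):
            # bankofamerica.com.evil.example: the brand is just a subdomain of someone else's domain
            lookalike.append("brand %r used as a subdomain of %s" % (brand, reg))
        elif edit_distance(reg, known) <= 2:
            lookalike.append("%s is a near-miss of %s" % (reg, known))
    findings.extend(lookalike or ["%s is not a known domain" % reg])
    return findings
```

The point of `registrable_domain` is that only the last two labels (three under suffixes like co.uk) tell you who owns the site; everything to the left of them is whatever the owner chooses, which is exactly how “bankofamerica.com.evil.example” is built.  A real deployment would use the full public-suffix list rather than the three entries above.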

Spear Phishing

Spear phishing is simply targeted phishing.  Whereas phishing is general, for example aimed at all Bank of America customers, spear phishing targets a specific person or organization.  For example, you receive an email carrying your company’s name and email format, complete with company logo, i.e. looking just like it came from someone in your organization, possibly your boss.  And who wouldn’t reset their boss’s password and give them a new one, or lend them their own login, if the boss were in a hurry?  Victim: “Darn, the boss has forgotten his password again.  That’s three times this month!”  Real Victim, The Boss: “You gave who my password?”

Or it could appear to be from a friend or loved one.  Spear phishers try to make you drop your guard just a little bit.  They may use information you post on Facebook or elsewhere to decide what to put in the email.  It could reference a recent purchase, for example from iTunes, if your Facebook post shows you with an iPhone.  Or how about a photo you posted two years ago of you and another person you tagged?  The bad actor writes to you and includes the photo with a comment like ‘those were some good times, huh?’  They are trying to associate themselves with you so that you trust them.

Increasingly, the board of directors is the target.[22]


1) Use a different email signature inside the company than you use outside it, so an outsider’s imitation is easy to spot.

2) Agree on something extra that goes into any internal email containing a link (for example, a reference to the ticket, meeting or project it belongs to), so that a bare link looks out of place.

3) Hover the cursor over the link and carefully check the URL shown in the lower left of the browser before clicking.

4) A company policy to NEVER ask for credentials through email, so that any email that does is suspect by definition.

5) Have your friends address you by your middle initial or a nickname, so that mail using your formal name stands out.

6) Call the person to verify the email is from them before clicking a link or opening an attachment, using a number you already have rather than one in the email.
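An email that “looks just like it came from someone in your organization” usually gives itself away in its headers before anyone has to pick up the phone.  The following is an added example, not code from the original post: it parses a raw message with Python’s standard `email` module and reports the signs that the claimed sender is not who they say.  The company domain, the two sample messages and the form of the Authentication-Results line (which the receiving mail server, not the sender, adds) are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the recipient's own organisation
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")   # captures the domain of an address
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def check_headers(raw):
    """Return reasons the message's claimed sender does not hold up; empty list if none."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. An address written into the display name that does not match the real address.
    for embedded in ADDR_RE.findall(from_name):
        if embedded.lower() != from_dom:
            findings.append("display name shows @%s but the message is from @%s" % (embedded, from_dom))

    # 2. A sender domain that borrows the company name without being the company domain.
    label = COMPANY_DOMAIN.split(".")[0]
    if from_dom != COMPANY_DOMAIN and label in from_dom:
        findings.append("%s looks like %s but is a different domain" % (from_dom, COMPANY_DOMAIN))

    # 3. Replies silently diverted to another domain.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("replies go to @%s, not to the sender's @%s" % (reply_dom, from_dom))

    # 4. Did the receiving mail server verify the From domain (DMARC)?
    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append("no Authentication-Results header, the From address is unverified")
    else:
        results = dict(AUTH_RE.findall(auth))
        if results.get("dmarc") != "pass":
            findings.append("dmarc=%s for %s" % (results.get("dmarc", "missing"), from_dom))
    return findings


# Constructed sample: the "boss needs a favour" spear phish.
SPOOFED = """\
From: "Pat Boss <pat.boss@example.com>" <pat.boss@example-mail.net>
Reply-To: pat.boss.urgent@gmail.example
To: cfo@example.com
Subject: Quick favour before my meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mail.net; dkim=none; dmarc=none

Can you send me the login for the wire system? In a rush.
"""

# Constructed sample: a genuine internal message, authenticated by the receiving server.
LEGIT = """\
From: Pat Boss <pat.boss@example.com>
To: cfo@example.com
Subject: Budget review notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Notes attached to the shared folder, no action needed.
"""
```

Check 1 catches the commonest trick, in which the visible name contains the boss’s real address while the actual sender is somewhere else; mail clients on phones often show only the display name.  Check 4 depends on the company publishing DMARC for its domain and on the mail gateway recording the result, so it is the one to confirm with whoever runs the mail server.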

Spear Phishing for a Fund Transfer Scam

There is a variation of spear phishing that goes like this.  Suppose you are the person in charge of funds, say the CFO.  While your CEO is on a trip, you get an email from her, which may even sound like her, directing you to wire funds to an account; she is about to go into a meeting and needs it sent now.  What do you do?

If you think this is small stuff, think again.  The FBI[1] reported that between 2013 and mid-2016, $2 billion was lost to this scheme worldwide, with 12,000 reported company victims.  That was later updated to $3.1 billion with over 22,000 victims.[24]


1) Company policy that all fund transfers over $1,000 must be verified by a phone call to the requesting individual, placed to a number already on file rather than one given in the request.

2) Company policy that prevents the CEO from authorizing fund transfers while on a trip.

3) Create a place to request fund transfers that is only reachable after logging in to the company network, and authorize only certain individuals to use it.




Attacking Through the Internet of Things (IoT)

The Internet of Things, or IoT, is the attachment of physical objects, devices, vehicles, and buildings to the Internet, either through a hard-wired connection or through Wi-Fi.  A single item on the IoT is known as a “thing”.  Eventually the IoT is projected to consist of billions of things.  In this chapter, we will examine some of those things as an attack path, or vector, for hacking.

Video Cameras

Most computers these days are equipped with a webcam, which means video and audio.  Add a little malware and your own camera can spy on you at the behest of someone half a world away.  A skilled hacker can even do it without the indicator light coming on.  You could buy the Blackshades hacking kit for $40 (estimated sales between 2010 and 2014 of $350,000).  Why oh why don’t the manufacturers put a physical OFF switch on these things?

Own a home security system equipped with a webcam?  How about a video baby monitor that is Internet enabled?  Go to the site  You will find at least 6,940 unprotected webcams.  That means without a password, or still set to the factory default password.


1) Unplug your video camera when you are not using it, or cover the lens with a yellow sticky note (that blocks the picture but not the microphone).

2) Contact the manufacturer of your webcam and learn how to change the login and password from the factory default.

Cell phone Fingerprint Reader

On most newer phones a fingerprint reader is available.  It makes logging in much faster and offers some protection.  However, if your fingerprint is on file in any database, it is possible to 3D print it and use the rubber version to fool your phone.  Another downside of using your fingerprint for ID: when a hacker takes your credit card number, you change the number.  When a hacker takes the digital version of your fingerprint, you are done using it for ID.


1) Use the fingerprint reader AND a PIN or password for access, and remember that the PIN is what unlocks the phone after a restart.

Medical Sensors

Many wonderful devices will be forthcoming to aid in tracking your medical condition and reporting it live to you, a monitoring facility and/or your doctor.  This data will inevitably be stored somewhere and be susceptible to hacking.  Do you want a future employer to know you have an irregular heartbeat?


A wearable could carry a medical sensor, or it could be an aid for your health or running goals.  Smart watches, smart glasses, even high-tech headphones would qualify.  Remember, if they can be connected to the Internet, they can be hacked.  Eight of the top 10 wearables in 2015 did not even have passwords.  Even your children could hack that.


Won’t it be wonderful when your refrigerator can send a list of what you are out of to your store, ready for pickup?  There has already been a case where an Internet-connected TV was used to gain access to the home network, and through it to all the home computers and hard drives.


Automobiles are discovering the value of being connected to the Internet.  Because they use a single network throughout the car and cyber security was not the first concern, cars are vulnerable to hacking.  In one example, hackers were able to take over the air conditioning, the radio, the windshield wipers, the digital display, and the transmission of a car.  They also claimed the ability to kill the engine, cut the brakes, take over steering at low speed, and track the vehicle.  This was a controlled test using a Jeep(R), but other brands have vulnerabilities as well.  Any of these could distract you into a wreck or outright kill you.

Jeep is a registered trademark of Chrysler and of its owner, Fiat.


Recently a casino was hacked by first hacking its Internet-connected aquarium.  Vending machines at a university were hacked and used to mount a denial of service attack against that university’s web-based student services.  What to do?

This is difficult to answer, as the “things” connected to the IoT can and will vary so widely.  So this will be a general answer that may not fit every IoT thing.

Think about the data collected and what the “thing” is connected to.  Think about the thing’s security and what the risks are if it is breached.  Stay informed by watching the news for issues around the thing you are using; if it has not already had a security review and a write-up, it soon will.  Think about the potential downside of a breach.  Remember the bad guys have automated tools, so the cost of going after your data is very little to them.  Make sure the thing you are using can update its software as vulnerabilities are found, change any default password before it goes on your network, and keep it on a separate network from your computers if your router allows that.

If you are a public figure, a government or military official, or a celebrity your risk is higher than the norm for an IoT breach and you may want to have a cyber security expert consult with you on your individual situation.


Threat Vectors – Part I – Internal

This is the first in a two-part series looking at the various threat vectors.  A threat vector is a way that a hacker can get to your computer and its data.  This first part examines INTERNAL ways the hacker can get in, and the second part will examine EXTERNAL ways they can get into your computer.

To begin, this is an outline of the internal threats.  Each item will be explained in detail below the outline:

Insider Threat

  • Sale of credentials
  • Planted malware
  • Theft of Data, IP etc.
  • Scams

User Error

  • Click on Bad Link
  • Phishing
  • Downloading infected apps
  • Installing plug-ins/modules that have malware
  • Accidental transmission of data/msg to the wrong target

Bad Device

  • BYOD
  • USB

Physical Theft/Loss


Insider Threat

This is someone who works for you and has access to at least one computer and the company network.  This is not accidental.  This is malicious.

Sale of Credentials – The going rate on the black market for stolen credentials varies, but is mostly less than $200.  Since the seller is an insider, you need at a minimum two-factor authentication, but keep in mind that they could temporarily change the registered phone to that of the person they sell the credentials to.  The insider may also choose to use their own login for their own gain.

This can be countered with a policy on the use of employee computers, including penalties for being found in areas of the network not related directly to the employee’s job.  Two-factor authentication helps against stolen credentials, and access control limits where in the network the insider or their credentials can go.

Planted Malware – This is where the insider deliberately plants malware on their own computer, from where it may propagate throughout the company.  Remember, this person can temporarily disable the virus protection on their computer while they plant the malware, unless the endpoint protection is locked so that users cannot turn it off.  This is difficult to defend against.  Monitoring, such as a camera (working or not) filming each computer or software that snaps a copy of the screen at intervals, helps catch the perpetrator but will not prevent their actions; taking local administrator rights away from users and restricting which programs may run does reduce what can be planted.

Theft of Data, IP Etc. – This is where the insider downloads copies of company information and exfiltrates (removes) it from the company via email, USB, or upload to a website.  Software that monitors outbound transfers and alarms when a user goes over a daily limit, or well above their own usual volume, is helpful here.
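What that alarm logic looks like, as an added example that is not code from the original post: it runs over a few constructed proxy log lines recording bytes uploaded per user, sums them per day, and raises an alert when a day exceeds either a fixed limit or a multiple of that user’s own earlier average.  The log format, the 500 MiB limit and the 5x factor are assumptions for the example.

```python
import re
from collections import defaultdict
from statistics import mean

DAILY_LIMIT = 500 * 1024 * 1024   # assumed policy: 500 MiB uploaded per user per day
BASELINE_FACTOR = 5               # assumed: also alert at 5x the user's own earlier daily average

# Assumed log format: ISO timestamp, user, destination, bytes sent (one upload per line).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample log: alice dumps 650 MiB to a paste site late one evening,
# bob's volume jumps from ~5 MiB a day to 50 MiB.
SAMPLE_LOG = """\
2024-05-06T09:12:03Z user=alice dst=drive.example bytes_out=20971520
2024-05-06T14:40:11Z user=bob dst=mail.example bytes_out=5242880
2024-05-07T08:03:45Z user=alice dst=drive.example bytes_out=31457280
2024-05-07T10:15:00Z user=bob dst=mail.example bytes_out=4194304
2024-05-08T22:51:09Z user=alice dst=paste.example bytes_out=367001600
2024-05-08T23:02:41Z user=alice dst=paste.example bytes_out=314572800
2024-05-08T11:30:00Z user=bob dst=mail.example bytes_out=52428800
not an upload record, should be ignored
"""


def daily_totals(log_text):
    """user -> day -> total bytes uploaded, built from the lines that match the log format."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def find_exfil_alerts(log_text):
    """(user, day, bytes, reason) for each user-day over the limit or far above the user's baseline."""
    alerts = []
    for user, days in daily_totals(log_text).items():
        history = []                                   # this user's earlier daily totals
        for day in sorted(days):
            total = days[day]
            baseline = mean(history) if history else None
            if total > DAILY_LIMIT:
                alerts.append((user, day, total, "over daily limit"))
            elif baseline and total > BASELINE_FACTOR * baseline:
                alerts.append((user, day, total, "%.0fx this user's earlier average" % (total / baseline)))
            history.append(total)
    return alerts
```

The per-user baseline matters because a flat limit set high enough not to bother the video team will never notice an accountant who normally sends a few megabytes a day suddenly sending fifty.  Production versions compare against a longer window than two days and alert on destinations as well (paste sites and personal cloud storage in the example).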

Scams – This is where the insider uses their inside knowledge of the company to pull a scam on the company via computer, in person, or via the phone.  Training is a good defense against scams.


User Error

Click on Bad Link – The user visits a website, or clicks a link in an email, that downloads malware or attacks their computer through the web page.  This can be reduced by employee training and by whitelisting the sites that are allowed.

Phishing – A compelling email is sent to the user to trick them into clicking a link, which often asks for their credentials under one guise or another.  Again, user training helps, as does whitelisting the sites that are allowed.

Downloading Infected Apps – The user downloads and installs an app on their computer which contains malware.  The best prevention is a computer policy that prevents the user from installing software on their computer.

Installing Plug-ins/Modules that Have Malware – This is the case where the downloaded software is fine but a module downloaded later to ‘enhance’ it is not.  Again, the best prevention is a computer policy that prevents the user from downloading and installing anything on their computer.

Accidental Transmission of Data/Msg to the Wrong Target – Ever sent an email to the wrong person?  What if it contained important company data which then got into the wrong hands?  The solution is to limit the amount of data available to a given employee and to classify information by level of sensitivity.  Don’t allow certain levels to be emailed at all, or to be emailed out of the company.


Bad Device

BYOD – As a society we are addicted to our phones and tablets.  We bring our device to work and connect it to the wireless network.  The night before, we installed a new app which has malware, and when it sees a network it begins to infect the company.  A variant of this can infect a computer that the device is plugged into just to recharge.  The strictest defense is a policy of no BYOD, company phones on each desk, and a set of lockers outside the security entrance where employees can lock away their devices for the day; a less drastic one is a guest wireless network for personal devices that cannot reach company systems.  Expect resistance and withdrawal symptoms.  Some will not want to work at your company if you do this, but you have to wonder how much of the day would have been lost to use of a personal device during the workday.

USB – A computer consultant told me that before he met with a company’s cyber security team he would scatter USB devices that looked high-tech in the parking lot.  Each carried software that rang a bell on his website when plugged in.  He generally got a 20% response before he even got to his meeting with the company’s security people.  The solution is to disable USB ports and to provide company training.  A variation of this ploy is to scatter brightly colored USB devices at your children’s school, on the sidewalk in front of your office, or even in front of your home.


Physical Theft/Loss

A device is taken off premises and gets stolen.  The best prevention is full-disk encryption, so that the only loss is the device itself; make sure the device also locks with a PIN or password, since an encrypted but unlocked laptop protects nothing.


In part TWO, we will examine the various threat vectors from outside your computer.


Why do I Care about Cyber Security?

Good cyber security is tedious and expensive.  The alternative is loss of customer goodwill and potential closing of the business. On the personal side, the inconvenience of identity theft, data loss, invasion of privacy etc. exact a toll both financially and time wise.   The result is an unfair burden on small businesses and individuals.  It is important to recognize this is the way it is, the world we live in, and accept a personal, even if limited, role in being a good data steward and protector.  To that end, this post discusses a select few of the cyber security incidents of the last couple of years in various categories.

By being aware of the targets, attacks, and defensive tools you have, you can diminish the hacker’s perceived relative gain for the time spent.  For example, if a hacker determined that he/she was only making a few cents/hour for the time spent, they would find something more lucrative to do. In time, this will reduce the sheer number of hackers and attacks, and make it easier to track down and defend against the remaining bad guys.


Ransomware is software that encrypts the contents of a hard drive and then extorts payment, usually in bitcoin, for the decryption key.  Some ransomware will also encrypt any attached backup drives, which is why a backup that is disconnected or kept offline matters.  Ransomware can and has happened to many individuals, and recently to several hospitals.  This is a very lucrative area for the bad actors.  Some bad actors (bad guys/gals) even run ransomware help desks.  To pay or not to pay, that will be the dilemma when ransomware strikes you or your company.  Recently Atlanta, Georgia in the US chose not to pay.  The cost of recovery was over $2 million.

Medical Records

Medical records are worth about 10x what credit card numbers are on the black market, because medical records can be used to file fraudulent claims.  It takes much longer to realize your medical records have been compromised than it does for credit card numbers.  Combine this with the relatively poor cyber security of hospitals, and hackers have a very lucrative market.

Note that medical records fall under HIPAA, the Health Insurance Portability and Accountability Act; you probably signed a form at your doctor’s office acknowledging their collection of data about you.  Health providers are legally obligated to take reasonable steps to protect your healthcare information.  Penalties are based on the level of negligence and range from $100 to $50,000 per violation, capped at $1.5 million per year for violations of each HIPAA provision.

HR Records

The largest HR records breach (break-in with theft or manipulation of data) in history occurred in 2015 at the US government’s Office of Personnel Management, or OPM for short.  It involved the theft of 21.5 million records along with 5.6 million sets of fingerprints.  It is rumored that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to pressure or co-opt them.  Keep in mind that these records contained the contents of the SF-86, which includes information about more than the applicant: their extended families and neighbors as well.

This was a classic case of risk versus reward.  Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a contractor, with weaker security, who had access.  Our side failed to encrypt the records, to disperse them, to keep non-current records offline, and to detect the intrusion for a long period of time.

Customer Records

Target, the major retailer, was hacked starting on Black Friday in 2013.  Over 40 million credit and debit card accounts were scooped up.  The data was not encrypted.  Groups of Target customers filed suit claiming that “Target failed to implement and maintain reasonable security procedures and practices”.  Roll forward to 2015 and Target paid out $10 million to customers as a result of the lawsuits.  This does not include the costs of notification, legal costs, loss of goodwill among existing customers, or the damage to their reputation in the marketplace.

US Infrastructure

The chief of the NSA (National Security Agency), Admiral Michael Rogers, said that it was a matter of when, not if a foreign nation-state launches a cyber attack on the US critical infrastructure.  This would include things like the electric grid, water, sewage, and traffic.  Even dams can be hacked.

In December 2015, Ukraine suffered an electricity blackout affecting 225,000 customers.  It has been attributed to a cyber attack by a Russian group.  In March 2016, the US Justice Department indicted seven Iranian hackers.  Among their targets was a small dam, the Bowman Avenue Dam in New York.  Had a sluice gate not been disconnected for maintenance, the hackers would have been able to manipulate it, dumping water downstream.

The US power grid was hit with an average of one cyber or physical attack every four days between fiscal 2011 and 2014.  The Pentagon estimates that a major cyber attack on the electric grid could take weeks to fix.

Is your business such that you need power from more than one utility?  Perhaps it would be wise to create another company location in another section of the power grid, unlikely to be affected by a regional disruption and able to take over the business should the need arise?


To the kid at the top who is yawning: hackers are stealing children’s identities because, based on age, they will stay valid longer.  Better have your parents lock down your identity for you.  And I hate to break this to you so early, but you are on the front line of the battle over cyber security, like it or not.



Hackers LOVE Social Media Posts

Suppose I asked you to provide this list of information on social media:

  1. Your Name
  2. Your pet’s names
  3. Your kid’s names and ages
  4. Where your kids go to school
  5. Where you went to school
  6. When your birthday is
  7. When your family member birthdays are
  8. Your gender
  9. Your family member genders
  10. Your race
  11. Your family member’s race
  12. Type of car you drive
  13. Type of car your spouse drives
  14. When you are on vacation
  15. Where you like to go when on vacation
  16. Where your kids catch the bus
  17. When your kids catch the bus
  18. What you like to buy
  19. What shows you like
  20. What books you like
  21. Who your friends are
  22. What type of political views you have
  23. What your house looks like inside
  24. What valuables you have in your house
  25. How old are you and each member of your home
  26. Your approximate household income
  27. Where you work
  28. Where your spouse works
  29. What music you like

Would you give it to me?  Or would you think I was up to no good?  Sadly, you have most likely given it away already, or are in the process of doing so, drip by drip.  Social media can be a treasure trove of information for marketers, but also for hackers and other perps.  Let’s map the numbers above to actions you might take.

Unless you are up to no good, you probably set up an account using your real name. (1)  You probably also provided your birth date when you set up your account. (6)  This is one piece needed for identity theft.

Let’s say you post photos of yourself (8, 10).  Suppose a few were from when you were on vacation, and you were smart enough NOT to post them until you returned home, so as not to advertise your absence.  The GPS coordinates of each shot are embedded in the photo file (the Exif metadata the camera writes), so the perp knows each place you were while on vacation, and when. (14, 15)  Many large social networks strip this metadata on upload, but a photo passed on as a file, by email or in a message, usually keeps it.

Your kids look so cute getting on the bus, so you post a photo.  Again, the GPS information is in the photo, so the perp knows the where and the when of waiting for a bus.  They can probably infer when the kids come home from other posts you make. (16, 17)  From the time and the bus stop, the perp can look up bus routes and determine which school your kids go to.
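To see what the perp reads out of the photo, and how to remove it before sharing, here is an added example that is not code from the original post.  It uses only the Python standard library: the GPS position in a JPEG sits in an Exif APP1 segment, inside a TIFF-structured block, as degrees/minutes/seconds rationals in a GPS sub-directory.  Because a real photo is too large to embed, the example constructs a minimal JPEG skeleton carrying just that segment; the coordinates are invented.

```python
import struct

GPS_IFD_TAG = 0x8825
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a JPEG skeleton whose only content is an Exif APP1 segment
    holding a GPS IFD (deg, min, sec as rationals). Not a real photo."""
    ifd0_off = 8                                # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4             # IFD0: one entry (the GPSInfo pointer)
    data_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD: four entries
    rationals = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)                         # little-endian TIFF
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, TYPE_LONG, 1, gps_off) + b"\x00" * 4
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 0x0001, TYPE_ASCII, 2) + lat_ref + b"\x00\x00\x00"   # "N\0" fits inline
    tiff += struct.pack("<HHII", 0x0002, TYPE_RATIONAL, 3, data_off)
    tiff += struct.pack("<HHI", 0x0003, TYPE_ASCII, 2) + lon_ref + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", 0x0004, TYPE_RATIONAL, 3, data_off + 24)
    tiff += b"\x00" * 4                                                     # no next IFD
    tiff += rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8"                                                     # SOI
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1          # APP1 (Exif)
            + b"\xff\xda\x00\x02" + b"\x00" * 8                              # stand-in SOS + scan data
            + b"\xff\xd9")                                                   # EOI


def _segments(jpeg):
    """Yield (marker, start, end) for each segment after SOI; the scan runs to end of file."""
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI
            return
        if marker == 0xDA:                      # SOS: compressed data follows, no more headers
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _exif_payload(jpeg, start, end):
    """The TIFF blob inside an Exif APP1 segment, or None for any other segment."""
    if jpeg[start + 1] == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
        return jpeg[start + 10:end]
    return None


def _entries(tiff, endian, off):
    """Yield (tag, type, count, raw 4-byte value field) for each entry of the IFD at off."""
    count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]


def _dms(tiff, endian, off, ref):
    """Three RATIONALs (deg, min, sec) at off -> signed decimal degrees."""
    deg, minutes, sec = (n / d for n, d in struct.iter_unpack(endian + "II", tiff[off:off + 24]))
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags are present."""
    for _, start, end in _segments(jpeg):
        tiff = _exif_payload(jpeg, start, end)
        if tiff is None:
            continue
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        pointer = [v for t, _, _, v in _entries(tiff, endian, ifd0) if t == GPS_IFD_TAG]
        if not pointer:
            return None
        gps = {t: v for t, _, _, v in _entries(tiff, endian, struct.unpack(endian + "I", pointer[0])[0])}
        if not {1, 2, 3, 4}.issubset(gps):
            return None
        lat = _dms(tiff, endian, struct.unpack(endian + "I", gps[2])[0], gps[1][:1].decode("ascii"))
        lon = _dms(tiff, endian, struct.unpack(endian + "I", gps[4])[0], gps[3][:1].decode("ascii"))
        return lat, lon
    return None


def strip_exif(jpeg):
    """The same JPEG with every Exif APP1 segment dropped; the picture data itself is untouched."""
    out = bytearray(jpeg[:2])
    for _, start, end in _segments(jpeg):
        if _exif_payload(jpeg, start, end) is None:
            out += jpeg[start:end]
    return bytes(out)


# Constructed coordinates: 40 deg 26' 46" N, 79 deg 58' 56" W.
SAMPLE_JPEG = build_sample_jpeg([(40, 1), (26, 1), (46, 1)], b"N", [(79, 1), (58, 1), (56, 1)], b"W")
```

`strip_exif` drops the whole APP1 segment rather than editing individual tags, which also removes the embedded thumbnail and the camera’s serial number that live in the same block; on a real photo, run `extract_gps` on the result to confirm nothing survived.  Photos edited on a phone may carry a second copy of the location in an XMP segment, which this example leaves alone.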

You mention your car, or post a photo of it while you are driving. (12)  Eventually you post a shot of the front of your home, and by elimination the perp can figure out which car is your spouse’s. (13)

You are careful and never post your kids’ photos online, but your family members aren’t, and post photos of your whole family and then tag you in them. (9, 11)

Post any photos taken inside your house?  Did you check what is showing in the background in the other room? (23, 24)  Did you post birthday photos of each child? (3, 25)  Don’t forget the pet, they are so cute! (2)

What do you post or share? (22)

Chat with friends from your high school or join a high school group? (5, 21)

Like to click on ads? (18)

From what you like to buy and photos inside your house and your cars and the house itself, your income can be inferred. (26)

To help people decide if they want to connect with you, you can display your favorite movies and books in your profile and even your favorite music. (19, 20, 29)

Ever talk about your job or your spouse’s? (27, 28)

The hacker can now figure out the answers to your security questions and reset your password.  The robber now knows when you aren’t home, whether you have anything worth stealing, and even where it is in your home.  The molester knows how and when to get to your children.

Think you are safe because you only share with friends?  Think again.  Anything marketing firms can purchase, hackers and other perps can also purchase or steal.  I’m sure you can come up with additional information, not on this list, that you have disclosed.  Don’t feel bad.  We have all done it.  Just think, in future, about what the information you provide might be used for.


Think your password is a good one?  We’ll see in this post.

Dictionary Attack

Lots of people use dictionary words for their password, for example “nebraska” or “hamburger”.  These are easy for a computer to guess: it runs through the words in a dictionary and tries each one, rapidly, until a match is found.  The word lists used for this include not just dictionaries but passwords leaked from earlier breaches.

Brute Force

Brute force is just that.  Think of it as smashing through the door instead of picking the lock.  It tries every possible password until a match is found.  Obviously, the longer the password and the larger the set of characters it can be drawn from, the longer this takes.  This is why a password that mixes uppercase and lowercase letters, numbers and special characters is so hard to guess.


A third approach is cleverness in guessing the password.  Lots of people use their birth date, their children’s birth dates, or their address as all or part of their password.  Even pet names are used.  Or their social security number, or part of it, and so on.  This makes some passwords easy to guess, and easier still when that information is on their social media.

Good and Bad Passwords

A good password is one that is hard to guess.  Without going into the math behind the permutations, suffice it to say: longer is harder to crack, and the more variety in characters, the harder as well.  For example, if each character of your password can only be a lowercase letter, then in English there are 26 possible values for each position.  Add capital letters and this goes to 52.  Add the digits 0-9 and the possibilities are 62.  Add special characters like & * ( ) and the count rises again, to 94 if every punctuation character on a US keyboard is allowed.  The number of passwords an attacker must try is that count raised to the power of the password’s length, which is why length matters even more than variety, and why many places require an uppercase letter, a number and at least one special character in your password.

People often forget that their user name functions much like their password, since in most systems it too must be guessed.  Common user names are ‘admin’, first initial plus last name, last name plus first initial, and guessable email addresses.
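The arithmetic the section leaves out, as an added example that is not code from the original post: the search space for a password is the size of its character alphabet raised to its length, and dividing by an attacker’s guessing rate turns that into time.  The guessing rate, the tiny stand-in word list and the sample passwords (including the post’s own “nebraska” and “snow7beach14!”) are assumptions for the example; real crackers run far larger word lists and rates that depend on how the site hashes passwords.

```python
import math
import re
import string

# Assumed attacker speed: an offline cracking rig against a fast hash. Real figures vary by hash.
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for the word lists (dictionaries plus leaked passwords) an attacker uses.
DICTIONARY = {"nebraska", "hamburger", "password", "welcome", "sunshine", "letmein"}

CHARACTER_CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # the 32 printable ASCII symbols
]


def alphabet_size(password):
    """Candidate characters per position, given which classes the password actually uses."""
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))


def keyspace(password):
    """Passwords a brute-force attacker must try in the worst case: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password):
    return math.log2(keyspace(password))


def brute_force_seconds(password):
    """Worst-case time to exhaust the keyspace at GUESSES_PER_SECOND (on average, half this)."""
    return keyspace(password) / GUESSES_PER_SECOND


def weaknesses(password):
    """Cheap guesses an attacker tries long before brute force; an empty list means none apply."""
    found = []
    if password.lower() in DICTIONARY:
        found.append("single dictionary word")
    if re.fullmatch(r"\d{4,8}", password):
        found.append("digits only, looks like a date or PIN")
    if re.search(r"(19|20)\d{2}", password):
        found.append("contains a year")
    if len(password) < 12:
        found.append("shorter than 12 characters")
    if len(set(password)) <= 2:
        found.append("almost no distinct characters")
    return found


def report(password):
    """Everything the section discusses about one password, in one place."""
    return {
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "brute_force_years": brute_force_seconds(password) / (365 * 24 * 3600),
        "weaknesses": weaknesses(password),
    }
```

At the assumed rate, “nebraska” (26^8 possibilities) falls to brute force in under a minute and to a dictionary attack instantly, while “snow7beach14!” (68^13) would take millions of years to exhaust; note that brute-force time says nothing about the cheap guesses, which is why `weaknesses` is the check that matters for short or predictable passwords.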

Smart Password Usage

Let’s assume your login/password is compromised, meaning a bad actor has it.  Did you use the same password for all your accounts?  Uh-oh, now they will run around trying it on all sorts of accounts where you might have left a credit card on file (done automatically, this is called credential stuffing).  Bad Actor: “Let’s try Amazon and see if they have an account there with an active credit card; summer is coming up and I need some outdoor gear.”


  • 1) If you must share one password across accounts, share it only among accounts that hold no credit card or personal data; better still, use a password wallet and give every account its own password, since a breach at any one site exposes every other site where that password was reused.
  • 2) Use a different password for each account with a credit card so that if one is compromised, the others aren’t.
  • 3) Use a strong password on the accounts with a credit card.
  • 4) Unless you use an account every day to make purchases, consider not attaching a credit card and instead entering it at checkout.

Password Do’s and Don’ts

These are some rules to help you choose passwords that are difficult for a hacker to determine:

  • Don’t use a family name / birthday as a password.
  • Don’t use the family pet name as a password.
  • Don’t use your banking PIN as a password.
  • Don’t use a password so complex that you have to keep it on a yellow sticky note on your screen.
  • Don’t use a dictionary word as your password.
  • Do use a password wallet like RoboForm(TM).
  • Don’t share passwords.  If you must, change it afterwards.
  • Do change your password at least every 6 months, and immediately if you suspect or are notified of trouble with your account or of a breach at the place where your account is.
  • Do use a pass phrase you can remember, like: snow7beach14!, where your age is NOT 7 or 14 (and the numbers are not a birth year or house number either).
  • Use a long password of at least 12 characters if you can.  (The one just above is 13 characters long.)
  • If possible, don’t pick a user ID associated with your name, address and so on.  Remember, the user ID works just like your password in that it too must be guessed.

RoboForm is a trademark of Siber Systems.


Football and Hacking

Think football.  The hackers are the other team, the one that wants your data or wants to do you damage.  They have different plays they run, such as: distributed denial of service (DDoS) attacks, phishing and spear phishing, malware, social engineering, software and hardware flaws, and the insider threat.

You or your team (the home team, the good guys) need to stop the offensive or the bad guys win.  These are the things that can be done to prevent a cyber security breach.  They include: training/education, policies, law enforcement agreements, information sharing, threat intelligence, hardware/software, current patches and techniques to improve security, encrypted data and hard drives and phones, and counter intelligence.  Many of these will be covered in future posts. The reason defense is so hard is that the bad guys need to find a single opening while you have to defend hundreds or thousands of points in your network.

After a successful attack (post game), these are the things that must be addressed: forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup/validation.  In addition, one must examine policies and defenses to figure out what went wrong and how to do a better job next time.



The Hacker’s Objectives

There are reasons why people hack computer-powered devices.  There are many, but they all boil down to data.  Steal data! Change data! Destroy data!  Render the device useless for accessing data.

A hacker’s motivations vary widely.  They range from idle curiosity to criminal intent. Perhaps they just want to brag that they can do it, proving their cyber manhood (or womanhood). Perhaps they were paid by a nation state for political and military benefit. Maybe they were hired as an industrial spy for competitive and personal gain.  The objective can be as simple as proving that the hacker could “log in” or as complex as stealing information from someone’s network for years without being noticed.  Most of the time, the motivation has nothing to do with you personally, except that your data was valuable enough to merit the risk.

As examples, the objectives may include:

  • Denial of data access (blocking someone from accessing their storage device)
  • Intellectual Property (IP) theft (such as the top secret formula for a soft drink)
  • Inflicting loss of reputation through exposure of sensitive information (revealing a political candidate’s tax returns)
  • Loss of trust (such as in a bank, or credit card institution)
  • Extortion: Payment of a ransom to get one’s data access restored or to keep sensitive data from becoming public.
  • Kinetic, i.e. to have something happen in the real world such as shutting off a power grid, controlling a patient drug infusion device, or controlling an airplane.
  • Data diddling (changing) to remove trust in the data.
  • Blackmail such as threatening to release stolen videos unless…


Glossary of Cyber Security Terms

Cyber security uses lots of words that you may be unfamiliar with.  To help with blog posts, refer to this list, which will be added to from time to time.  As you read the blog posts, you will see these terms in use.

Access – to be able to utilize a portion of a device and ask it to perform actions on your behalf related most often to data.

Access Control / Access Control List (ACL) – in terms of users of devices, this is a list of what they can access on the device.
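
To make the ACL entry concrete, here is an added example (not code from this blog or from any particular operating system) of how such a list is evaluated.  Each rule names a principal (a user or a group), a resource pattern, the actions it covers and an effect.  The evaluation uses the common “deny overrides” semantics: any matching deny wins, otherwise any matching allow, otherwise the answer is no.  That default deny is what makes an ACL a least-privilege tool: a user or resource nobody thought about gets nothing.  The users, groups and paths are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    principal: str       # a user name, or "group:<name>" for everyone in that group
    resource: str        # glob pattern over a path-like resource name ('*' spans '/')
    actions: frozenset   # e.g. frozenset({"read", "write"})
    effect: str          # "allow" or "deny"


# Constructed group membership and ACL; every name here is hypothetical.
GROUPS = {"alice": {"finance"}, "bob": {"hr"}, "mallory": set()}

ACL = [
    Rule("group:finance", "/finance/*", frozenset({"read", "write"}), "allow"),
    # Payroll files are read-only even for finance staff: the deny wins over the allow above.
    Rule("group:finance", "/finance/payroll/*", frozenset({"write"}), "deny"),
    Rule("group:hr", "/hr/*", frozenset({"read", "write"}), "allow"),
    # A single user can be granted one file without joining the group.
    Rule("bob", "/finance/headcount.csv", frozenset({"read"}), "allow"),
]


def principals_for(user: str) -> set:
    """The identities a rule can name for this user: the user itself plus its groups."""
    return {user} | {f"group:{g}" for g in GROUPS.get(user, set())}


def is_allowed(user: str, resource: str, action: str, acl=ACL) -> bool:
    """Deny-overrides evaluation: any matching deny wins, else any matching allow,
    else the default is deny (an unknown user or an unlisted resource gets nothing)."""
    mine = principals_for(user)
    allowed = False
    for rule in acl:
        if rule.principal not in mine or action not in rule.actions:
            continue
        if not fnmatchcase(resource, rule.resource):
            continue
        if rule.effect == "deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for user, res, act in [("alice", "/finance/payroll/salaries.csv", "write"),
                           ("alice", "/finance/payroll/salaries.csv", "read"),
                           ("bob", "/finance/budget.xlsx", "read"),
                           ("mallory", "/hr/reviews.docx", "read")]:
        print(f"{user:8} {act:5} {res:32} -> {is_allowed(user, res, act)}")
```

When reviewing a real ACL, the questions to ask are the same ones this code answers: who is in each group, which rule fires first for a sensitive path, and whether anything is reachable without an explicit allow.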

Actor State – a nation involved in hacking activities.

Adware – software that displays unwanted ads.

Air Gap – a system that can’t be reached via the Internet or the corporate network or otherwise is said to be “air gapped” from the rest of the network.

Application – a program or programs that function together to provide a service to the user.

APT – Advanced Persistent Threat – a bad actor with sophisticated levels of expertise and large resources to allow it to achieve its objectives using multiple attack vectors.

Attacker – another name for hacker or it could be a group of hackers or even a nation-state.

Attack Surface – this is the amount of exposure to attack in a system (with system being a computer or a network or a network and one to many computers.)

Backdoor – a means of access to a device that bypasses the normal security mechanisms.

Bad Actor – not a person with poor acting skills.  Rather someone who is attempting to perpetrate “bad” upon your cyber systems.

Biometrics – identity based on fingerprints, iris scans or other body uniqueness used in place of or in addition to passwords.

Bitcoin – a method of payment on the Dark Web.

Black Hat Hacker – a hacker who finds and then exploits computer system weaknesses and does not notify anyone but rather keeps the information for their or their organization’s use.

Blue Team – a group of cyber security experts who are defending a system.  Blue teams are often played against red teams in an effort to tighten security.

Bot – a compromised computer attached to the Internet and used under remote control to perform activities directed at other computers on the Internet.

Botnet – a network of bots, often used for DDoS attacks.

Breach – applies to a network or any device on it; it means the bad actor has penetrated that device/network and accessed the data contained therein, compromised the function of the device, or caused a kinetic side effect.

Container – a way to package up an application and all its dependencies.  Generally not as secure as using virtual servers.

Cryptography – the use of mathematical techniques to provide confidentiality, data integrity, entity authentication and data origin authentication.

Cyber – a word derived from cybernetics and refers to anything related to computers.

Cyber Security – software, configuration, actions, policies, training, and preparation taken to secure one’s cyberspace.

Cyberspace – various networks used in information technology infrastructure that includes devices, the Internet, and data.  It can also be defined as an electronic medium in which communications take place on the Internet.

Cyber Warfare – actions taken by actor states to breach the defenses (cyber security) of the cyberspace of their opposition.  Russia has used this recently in conjunction with regular warfare and hence the term “hybrid warfare”.   Another name for this, in some instances, is ‘Cyber Terrorism’.

Dark Web – sites on the Internet that hide their identity and IP addresses using encryption.  These sites are not accessible from the standard search engines.  Used by hackers and others for nefarious purposes.

Data Diddling – altering some of the contents of data to make the data untrustworthy.

DDoS Attack – distributed denial of service attack.  This type of attack is done by sending valid requests to the server in such numbers that the responses overwhelm the server and it does not have enough horsepower (CPU cycles) to respond to legitimate requests.  This renders the server as though it were offline or ineffective.

Decryption – the opposite of encryption.  The use of the encryption key and the encrypted data to extract the original, unencrypted data.

Defense in Depth – multiple layers of defense to make penetration of a system very difficult.

DMZ – Demilitarized Zone – think of this as a network and components between a trusted network and one that is untrusted to protect the trusted network.

DNS (Domain Name System) Servers – translate from a domain name such as ‘’ to the IP address of the server the site is on, such as

Encryption – converting data into a form that is not decipherable.  How good the encryption is determines if it can be decrypted by the wrong person or not.

Exfiltration – a military term applied to data, meaning its removal from the system by an attacker.   This indicates that it is one thing to attack a system and get in and another to get the data found off the system.

External PEN Test – penetration testing done from outside the system and without a login.  This attempts to mimic an attacker to see if the system is easy to breach.

Firewall – a group of components (hardware and/or software) that form a barrier between two networks or between a network and a device.

Hacker – one who attempts to circumvent a computer or network’s security.  They can be good or bad, see also Black Hat Hacker and White Hat Hacker.

Honeypot – a server with nothing of value used to measure the types of attacks used.

Incident – something has happened but we aren’t sure so it is called an incident until we determine a breach has occurred.

Incident Response Plan – a written plan of what an organization needs to do in the case of an incident or breach.

Information Assurance – the practice of managing risks related to information.

Insider Threat – the theft of information, sabotage, or theft of credentials by someone who has access to the client’s system.

Internal PEN Test – pen testing from inside using a valid login to see what hacking can be done using the login.

Intrusion Detection – the act of detecting when a computer, server or network has been entered by software not belonging there.

IP Address – the address of your device on the Internet.  The old address standard was IPv4, which has been upgraded to IPv6 because the world was running out of addresses and an avalanche of new addresses is expected for IoT devices.

ISP – Internet Service Provider – one of many companies who provide access to the Internet.   Some examples are, but not limited to, Time Warner Cable, AT&T, Google, and Verizon.

Keylogger – software that logs all your keystrokes to a file and then exfiltrates that file to another computer.  A good way to steal logins and passwords.

Layered Defense – see Defense in Depth.

Login or Log In – the action of identifying yourself to the system in a manner that it knows who you are and then allows you to take actions upon it based on its ACL settings for you.

Malware – software that compromises the operation of device or network by performing an unauthorized function.

Malware Signature – a group of bytes of code, a portion of the malware program, that is unique to that malware and becomes its “signature”.

NIST – National Institute of Standards and Technology and keeper of the cyber security standards for FISMA, the government information security standard.

NIST Cyber Security Framework – published in 2014, this framework is short in length (less than 40 pages) and is an attempt to take an organization from where they are in cyber security to the next level.

Password – a unique token known only to you and the computer you are attempting to gain access to.

PEN Testing – penetration testing or simulated attacks on the system to gain entry.

Penetration – gaining entry to a system.

Phishing – the sending of many emails to people, hoping to snag someone who opens the email and clicks on the link or runs the attachment to compromise their system.

Polymorphic Malware – malware that can modify its own signature while running.

Ransomware – software that encrypts a computer or a database and then demands a ransom be paid, often in bitcoins, so that the decryption key is given to the victim.

Red Team – a group of cyber security specialists who are attacking just like the bad guys to test defenses.

Revenge Porn – when text or photos shared (see Sexting below) are released to the general public, using digital means, as a means of revenge.

Risk – the potential for an unwanted outcome to occur.

Risk Management –  management of risk through controlling it to an acceptable level.  There is always a tradeoff between risk and cost of the risk mitigation efforts.

Root Kit – software tools with administrator privileges installed on a device designed to maintain its presence and avoid detection while still being able to function.

Security Hole – this could apply to an application, a server, a workstation, or a network.  It is something not right that could allow a hacker to penetrate the system.

Sexting – sharing of sexually provocative photos or text with another using digital means.

Spear Phishing – a highly targeted phishing campaign that is directed against a population as small as one person.  Much more research and effort goes into making this email seem real to the reader.

Spoofing – a situation where a person or program masquerades as another by falsifying data and thereby gains the other’s permissions or causes its actions to be attributed to the other person or program.

Spyware – software that enables spying upon the activities of a user or computer.  This is done by transmitting information from the computer without being detected.

SSL / TLS – protocols providing data encryption and authentication between a computer (server) and a user’s browser.  SSL has proven vulnerable and is being replaced by TLS.

System – a computer or a network or a network and one to many computers.

Threat – a circumstance or event that claims or has the potential to exploit vulnerabilities and to adversely impact an organization.

Threat Vector – the way the threat attempts to enter a system.  For example, the threat vector for a phishing campaign is initially email and then the malware deposited on the system via opening a link or executing an attachment.

Trojan – another name for Trojan Horse, which is benign in appearance as in having a useful function but hides within itself another potentially malicious function.

TTP – tactics, techniques and procedures (sometimes tools, techniques, procedures).  It is the signature of the bad actor and their work can often be attributed to them by looking for their TTP.

Two Factor Authentication – the use of more than one medium to log in.  For example, the regular login may trigger the sending of a PIN to the user’s email or phone which must also be entered to finally log in.

VPN – a temporary encrypted link over the Internet between two points which creates a private network of shared resources that are not accessible to the outside world.

Virus – a computer program that can infect a computer and then replicate itself and spread to other computers in a network usually through attachment to a document, program or email.

Virus Checker – a program that is installed on a workstation or server and protects against viruses by looking for their signature and then quarantining the file so it cannot run on the computer.

Vulnerability – a portion of a system that is weak and can be attacked.  This could be a piece of software with a bug in the software that allows attack, or a system whose patches have not been applied and so on.

White Hat Hacker – one of the good guys who hacks systems to find vulnerabilities and then let the owner of the vulnerability know so they can fix it.

Worm – a self-replicating, self-propagating program that uses a network to spread itself.

Zero Day Virus – a virus with a signature not yet recognized  by virus checkers.  Often used with spear phishing to gain access.

What is Cyber Security?


Computer/data security is broadly divided into physical security and logical security. Physical security (sometimes referred to as just ‘security’) includes building and personnel security. Logical security is focused on the data, both in storage and in transit on the network, sometimes called cyber security.  Cyber comes from the word cybernetics which means the science of communications and automatic control systems.  The military uses ‘cyber’ to refer to computers or computer networking.

The perception is that cyber security is a relatively new field or one receiving added emphasis of late, due to media attention to hacking.  In reality, cyber security has existed for years. However, it previously received minimal funding and attention due to costs of cyber defense.  It also lacks visibility as you don’t see attacks that were deflected, nor do organizations want you to be aware of how many times they were attacked.

There are several sub-areas of cyber security, but not all experts classify cyber security the same way.  There is not, as of yet, an agreed upon division or taxonomy of the subject.  But, relax, this blog does NOT cover all these sub-areas and their sub-areas in detail, just enough highlights to make you an informed consumer, employee, or manager.

Cyber security tends to employ military terms like: defense in depth, target, attack, offensive, and defensive.   Tomorrow I will introduce you to a glossary of terms.

The decision of a hacker (or the hacker’s sponsor) to mount an attack is based on the perceived reward versus the risk, in other words, their ability to obtain data without negative consequence. Likewise, a defensive investment in cyber security is also about the value of the data versus the perceived risk of it being stolen, changed, or destroyed. As an example of low cost security, I used to have a great guard dog that was part wolf and very ferocious.  The problem was that my wife wanted the dog to accompany us on trips.  While we were out of town, to create the illusion of high risk, I would leave a two inch chewed-through bone on the front porch while I was gone.  It never failed to work.