Key Terms, Vital Concepts, and Why You Need a Policy, Not Just Cool Hackers In Leather Jackets
Please Note: A version of this post originally appeared over at our blog. You should totally go over there, too.
Before you fire up the ol’ outrage engine (for me, the special ergonomic keyboard I dedicate exclusively to strongly worded Yelp reviews), please note that here at Infinite Ranges, Dumdum is a term of endearment.
In fact, my mother’s maiden name is Dumdum.
I come from a long line of Dumdums.
I believe it’s Icelandic — pronounced Doom-doom.
Anyway, it is very clear to us that cybersecurity issues are far too inaccessible to the average person. So, we decided to create this series to hopefully make the whole Internet a little less hacker-friendly.
So let’s start out with the easy stuff.
What is a “hacker” or a “cybercriminal” anyway? Aren’t they the same thing? What are the goals of cybersecurity? What are the concepts behind it? What is a security policy? Why is that even important? Can’t I just get a gun or something?
Easy there, Doc Holliday
Cybersecurity as a field can be defined as the protection of an information system against malicious actions.
There are a metric ton of possible malicious actions out there in the world — particularly in terms of ways to penetrate an information system — so our definition here remains broad for that very reason.
You have stuff. Bad people want to either take that stuff or keep that stuff from you to blackmail you.
What’s ‘An Information System’ anyway?
By “information system,” we mean all the computing, communication, and information infrastructures inside an organization. This includes the computers, the network, the applications, all the data therein, and so forth.
Defining cybersecurity as protection against malicious actions also means it is distinct from “safety.” Safety deals with harm to an information system that results from accidents, glitches, or software bugs.
So while safety issues are like spilling a hot cup of coffee on your lap, cybersecurity issues are like somebody dumping hot coffee on your lap intentionally.
As you might be aware, those two are very different situations and, while they’re both important to avoid for the sake of your lap, they require very different ways of orienting yourself with the world and others.
Also, could somebody get me another mocha latte, but make this one not so hot? That’d be great.
Anyway, it’s important to bear in mind that cybersecurity does not deal with these unintended threats. We’re referring to intentional, bad-guy threats only.
What Kind of Lunatic Would Threaten My Innocent Lil’ Information System?
A fair question. You probably know the answer, too, right?
Say it with us: Hackers!
Well, hold on a second there, Annie Oakley.
While cybercriminals are sometimes known colloquially as “hackers,” before you picture that episode of Law & Order where the hacker has a black hoodie, a skateboard, and a moody disposition, remember that not all hackers are cut from the same cloth. (By our estimation, that caricature represents only about 98% of hackers, not all of them.)
The fact is, some hackers aren’t criminals at all.
Some hackers aren’t even bad people.
Hacking is a skill, and a skill is separate from legality. Walking around naked is perfectly legal in the privacy of your own home and a very different matter in other contexts; likewise, hacking isn’t always bad.
So before we get too far ahead of ourselves: You can hack and be a good guy.
Wait, really? Hackers aren’t all bad?
Nope! Some of our best friends are hackers!
In the early 1980s, hackers were mostly overly enthusiastic nerds motivated only by the technical challenge in front of them. They broke into systems without malicious intent. They were basically cowboys in the new Wild West, and the media often treated them kindly.
Nowadays, you still find people who hack systems for good or noble reasons. We call these kinds of folks “White Hat hackers” or “White Hats” for short. They use their computer skills to discover vulnerabilities in an information system and help organizations patch those vulnerabilities before the bad guys can exploit them.
Just a little something to keep that faith in humanity.
If there are White-Hat Hackers, there must be Black-Hat Hackers, too, right?
Absolutely. And these are the kind of folks we’d like to thwart at all costs. They run the gamut from ideologically or financially motivated criminals to full-blown cyberterrorists, who often work for governments or political organizations to subvert or undermine rivals. The most dangerous of these target government databases, critical infrastructure, and public services.
Just like in crime in the physical world, cyber-criminality has a lot of avenues.
- Break into systems for stealing state or industrial secrets
- Break into systems to rake in illegitimate profits
- Steal sensitive information like passwords or bank account credentials
- Blackmail owners of the data
- Hold private data hostage (ransomware) until they’re paid a ransom.
The list goes on and on and on and on and on and on…
So what you’re saying is the world of cyber-criminality is pretty big…
We’re saying it’s huge.
The cybercrime economy has been growing fast in recent years. You may have noticed that nearly every week there’s a new “huge, game-changing” hack of a major business or government. This is mainly for two reasons:
First, there’s a lot of money in it.
Second, it’s a lot easier to hack into information systems than ever before.
There’s a whole underground market for just about everything bad out there: malware, botnets for hire to flood a website with traffic, Trojan horses, and stolen credit card numbers. Because these things are so easy to find, you no longer need to be a computer specialist to be a cybercriminal. You just need the will.
If that’s not enough to frighten the pants off of you: oftentimes these attacks come from within your own company, from disgruntled employees looking for revenge or a payout.
It’s far easier to attack a system from the inside than from the outside, mainly because insiders know the weaknesses of the organization they’re attacking, and they already have accounts that give them legitimate access to the company’s information system.
For these reasons (and more) thwarting all these efforts is important.
What’s the cost of not investing in my own cybersecurity?
So glad you asked! The cost is exceptionally high.
When a company or individual is the victim of a cyberattack, it is almost never without consequences. Think of it this way: If somebody goes to the trouble of breaking into your house, what are the odds they leave everything as they found it?
At the very least, they’re going to eat that birthday cake you left in the fridge. Right? (And you were saving that for lunch!)
Financial loss is the prime result of cybercrime. There’s the obvious loss when sensitive secrets, like bank usernames and passwords, are stolen. There’s also the loss that occurs when you normally sell something but suddenly can’t carry out transactions because an attack has taken your systems down.
Plus, a cyber-attack can also seriously damage the reputation of your organization after it’s been compromised by cybercriminals.
My money gone … my reputation sullied… Can it get worse than that?
You bet it can.
A cyberattack can also lead to major legal ramifications for the hacked business, too.
If your business is ever breached, breach-notification laws kick in that require some pretty uncomfortable conversations with your customers or clients. And if you don’t abide by those laws, you can be heavily sanctioned by regulators.
The credit agency Equifax agreed to pay at least $575 million over its 2017 breach, in which it failed to patch a known vulnerability and then took weeks to tell the public.
Half a billion dollars is a bit more than coffee money.
I get it! I get it, already! Cybersecurity is important! Yeesh!
Okay good, good. But we can we be a bit more clear about the objectives of cybersecurity for a second?
It’s good to have a goal. It’s even better to have three.
We break them down as C.I.A.
C is for Confidentiality
The objective here is to prevent unauthorized access to sensitive data. This one’s easy to understand: Confidential data should be disclosed only to parties authorized to see it.
I is for Integrity
The objective of integrity is to prevent unauthorized changes to data. Data should be modified only when the modification is authorized.
A is for Availability
The objective of availability is to prevent unauthorized denial of access to resources. This covers the situation where a business owner or team member is authorized to access a resource but can’t, because the resource is unavailable. Ever been locked out of your own phone? Yeah, now imagine that at scale.
So how do I get all three in this C.I.A. framework?
You may notice that each of these three definitions assumes that there is something that determines what is authorized and what is unauthorized. Good eye!
That’s where a security policy comes in.
A security policy simply states what is permitted in a given information system and what is not.
Security policy! I like the sound of that! Sounds strong!
Strong like bull!
Security policy is exceptionally, vitally important to the health of any organization that does business on or uses the Internet. It is at the very heart of what cybersecurity is and does.
We say a system is “secure” only if its security policy cannot be violated.
The real challenge is to enforce the security policy at all times.
Just keep in mind that there is a huge difference between a security policy itself and the mechanisms that support a given policy.
There are many different kinds of mechanisms, too: authentication, access control, encryption, and so forth. We’ll get into those a little bit later.
For now, just keep in mind that an information system without a security policy can’t meaningfully be called secure. No matter how strong your security mechanisms are, if they’re put in place haphazardly, you’re going to leave blind spots. By setting up security mechanisms without referring to a structured policy, you can easily neglect to protect an important asset that should in fact be protected.
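To make the policy-versus-mechanism split concrete, here is a small added example (written for this post, not code from the original; the users, assets and rules are constructed). The policy is a plain table of permitted (subject, asset, action) triples, the mechanism is the function that consults that table, and each action is tagged with the C.I.A. objective it puts at risk. It also shows the two blind spots described above: an asset the policy forgot to mention, and a mechanism that defaults to “allow” when no rule applies.

```python
"""Toy security policy plus the mechanism that enforces it.

Added illustration, not code from the original post. The users, assets and
rules below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ = "read"      # disclosure: the confidentiality objective
    WRITE = "write"    # modification: the integrity objective
    DELETE = "delete"  # removal: the availability objective


# Which C.I.A. objective each action puts at risk
OBJECTIVE = {
    Action.READ: "confidentiality",
    Action.WRITE: "integrity",
    Action.DELETE: "availability",
}


@dataclass(frozen=True)
class Rule:
    subject: str    # who (a user or service account)
    asset: str      # what (a file, a database, ...)
    action: Action  # which operation


# The POLICY: a plain statement of what is permitted. It is data, not code.
# Anything not listed here is meant to be denied.
POLICY = frozenset({
    Rule("alice", "payroll.db", Action.READ),
    Rule("alice", "payroll.db", Action.WRITE),
    Rule("bob", "payroll.db", Action.READ),        # bob is an authorized insider
    Rule("backup-svc", "payroll.db", Action.READ),
    Rule("alice", "marketing.docx", Action.WRITE),
})

# Inventory of everything the organization owns (constructed for the example)
ASSETS = frozenset({"payroll.db", "marketing.docx", "customer-list.csv"})


def is_permitted(subject, asset, action, policy=POLICY, default_allow=False):
    """The MECHANISM: a reference monitor that consults the policy.

    With default_allow=False (the right setting) anything the policy does not
    mention is refused. default_allow=True models "mechanisms without a
    policy": whatever nobody thought about is silently permitted.
    """
    if Rule(subject, asset, action) in policy:
        return True
    return default_allow


def decide(subject, asset, action, policy=POLICY):
    """Human-readable verdict naming the objective the action touches."""
    verdict = "PERMIT" if is_permitted(subject, asset, action, policy) else "DENY"
    return f"{verdict} {subject} {action.value} {asset} [{OBJECTIVE[action]}]"


def unprotected_assets(assets=ASSETS, policy=POLICY):
    """Assets the policy never mentions: the blind spots the post warns about.

    Under default-deny nobody can touch them (an availability problem); under
    default-allow everybody can (a confidentiality and integrity problem).
    Either way the policy needs a rule before the mechanism can do anything
    sensible with them.
    """
    covered = {rule.asset for rule in policy}
    return sorted(assets - covered)


if __name__ == "__main__":
    for who, what, how in [
        ("alice", "payroll.db", Action.WRITE),
        ("bob", "payroll.db", Action.WRITE),
        ("mallory", "payroll.db", Action.READ),
        ("bob", "payroll.db", Action.DELETE),
    ]:
        print(decide(who, what, how))
    print("not covered by any rule:", unprotected_assets())
```

Note what the mechanism cannot do: bob is permitted to read payroll.db because the policy says so, so an insider who abuses that legitimate access is invisible to this check. That is a policy question (should bob have that rule at all?), not a weakness of the enforcement code, which is exactly why the two have to be thought about separately.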
So, for now, if you’ve taken anything from this first post, remember that:
- Cybersecurity is about the protection of an information system against malicious actors;
- Not all hackers are bad;
- The C.I.A. framework (confidentiality, integrity, availability) is where we start;
- You need a security policy before you do anything else;
- Coffee goes in a cup, not in your lap.