Cover Page

Cyber Smart

 

 

Five habits to protect your family, money, and identity from cyber criminals

 

Bart R. McDonough

 

 

 

 

 

 

 

 

Wiley Logo

I dedicate this book to my mother, Kaye “Gigi” McDonough. My intelligent, thoughtful, caring, and beautiful mother—your unconditional love and encouragement coupled with your unwavering demand of excellence propelled me forward in my life and career. THANK YOU, Momma!

About the Author

Bart R. McDonough is CEO and founder of Agio, a hybrid managed IT and cybersecurity services provider specializing in the financial services, healthcare, and payments industries. Bart has deep institutional knowledge of the investment world, with more than 20 years of experience working in cybersecurity, business development, and IT management within the hedge fund industry. His core strengths are assessing, defining, advocating, and driving the adoption of risk management strategies, controls, and models, which enable organizations to advance cybersecurity resiliency while successfully complying with evolving regulatory requirements and behavioral transformations.

Harnessing his expertise in alternative investments, Bart and his team of more than 240 employees have developed cybersecurity and managed IT tools tailored to protect financial businesses' most precious assets: money and reputation. Just one example of Agio's industry-changing work included finding and repairing a Bloomberg Professional Services setting that could have compromised more than 300,000 subscribers. As CEO, Bart has grown Agio's roster of clients to exceed 300, spanning hedge funds, private equity firms, asset managers, investment banks, and healthcare providers.

Bart is a board member of several cybersecurity companies. Prior to founding Agio, he worked at SAC Capital Advisors, BlueStone Capital Partners, OptiMark Technologies, Sanford Bernstein, and American Express. Bart attended the University of Oklahoma and received his undergraduate degree from the University of Connecticut. He is married to the two-time Emmy Award–winning television producer Cheryl McDonough, and he has three incredible children: Russell, Ava, and Kya.

Credits

Associate Publisher
Jim Minatel

Project Editor
Gary Schwartz

Production Editor
Barath Kumar Rajasekaran

Copy Editor
Kim Wimpsett

Production Manager
Katie Wisor

Content Enablement and Operations Manager
Pete Gaughan

Marketing Manager
Christie Hilbrich

Business Manager
Amy Knies

Project Coordinator, Cover
Brent Savage

Proofreader
Nancy Bell

Indexer
Johnna VanHoose Dinse

Cover Designer
Marina Mirchevskaya

Cover Image

© blackred/Getty Images-Gold Skeleton Key, © monsitj/Getty Images-Background

Acknowledgments

I'd like to start by thanking the team that helped me get this book published and ultimately distributed: Jim Minatel, Gary Schwartz, and Barath Kumar Rajasekaran at Wiley.

I'd also like to thank the thousands of Agio clients who kept asking me questions at my Cybersecurity Awareness Seminars, which led me to writing this book. I can't wait to share it with all of you.

A huge thank-you to my researcher, Kelly Eley, for all of your valuable time on this project—you were simply a delight to work with, and I can't wait to collaborate with you again. In addition, I'd like to thank Kimberly Peticolas for all of her coaching and advice on getting this idea into a published book.

Next, I have to thank so many of my amazing colleagues at Agio (https://agio.com/) for refining so much about what I know about cybersecurity, management, and life. I have to give a big personal shout-out to Ray Hillen for coining the phrase “Brilliance in the Basics.” A special thanks to Lori Rabin for her amazing editing capabilities. Others I want to thank personally include Chris Harper, Mark Fitzner, Miten Marvania, Garvin McKee, Kate Wood, Nick Mancini, Jessica Golle, Heather Matthews, Josh Bentley, Greg Blattner, Marina Mirchevskaya, Kaitlin Boydston, Jason Price, Andrew Werking, Eva Lorenz, Laurie Leigh, Emily Ellis, Carrie Bowers, Donato Lalla, Tim Steiner, Steve Foster, Joe McCusker, and the rest of the amazing organization at Agio (#OneAgio).

A few clients and colleagues I'd like to thank are David Berger, Danny Moore, Avi Gesser, Barry Ko, Ramin Safai, and especially Chris Corrado.

I have to thank my lawyer and great friend Kevin Malek (well, at least I think we are friends) for all of his assistance in this project and so many others in my life.

I have to thank so many of my “brothers” for all their candid (and, yes, sometimes dumb) questions: Troy Bailey, Neil Berkeley, Travis Warford (no Travis, it's not cheese), Johnny O'Fallon, Brendhan Fritts, Chris Nichols, and Ryan Ball. Troy and Neil, I'd especially like to thank you for yelling at me one night over drinks to just “write the damn book” and giving me the courage to fail.

Everyone who knows me knows Gina Peterson is the engine who keeps me going, and without her, none of the meetings that took place to get this book published would have been possible. A huge thank-you to Gina, and her husband Nate, for allowing our family to interrupt hers constantly. Andrea Duarte, while joining us late, has been amazing at helping to smooth out our days and lives and giving this book its final polish.

I've been fortunate to have the most loving and caring parents in the world who have always encouraged me to do more and be better and have always supported me along the way. Education, especially the ability to read and write, were always valued in our home. My father has always been such a rock and a great example of hard work. Your work ethic and your devotion to your family continues to inspire me, Poppy! While I didn't appreciate it at the time and it may have led to some tears, I can't thank my wonderful mother enough for never taking the easy way out and letting me turn in terrible writing. Thanks for always pushing back on me (with your red pen!) and making me better, Momma.

Finally, my immediate family. Thank you for supporting me in everything I do. Kya, thank you for always asking the hard, right questions. You always get to the heart of the matter and helped me clarify and simplify my recommendations in the book. Ava, thank you for first calling me “Tech God”—flattery will get you everywhere. Seriously, thank you for allowing me to understand better the teen viewpoint in using the Internet. Russell, you don't know how much your calm demeanor helps me in life. Thank you for insisting on using correct grammar in texts, thank you for putting up with all the test devices I install and use at the house, and thank you for always being so patient and helpful. You are the rock of this family and occasionally are funny too.

Cheryl, my love and my talented superstar, thank you for being patient with me while I took the time to put this book together. Thank you for working tirelessly to keep our lives running while personally working so hard to make the world a better place through your documentaries and not take life too seriously. Thank you for being my best friend—always making me laugh and not to take life too seriously. Finally, thank you for being the audience to all my ridiculous cybersecurity stories; for always perfectly playing the part of the “normal person” (while we know you aren’t really normal!), and keeping me in check. And yes, love, you do have to update your computer and phone now.

Foreword

Statement of Purpose

Cybersecurity is one of the most important, and most disregarded, aspects of our daily responsibilities. Technology has overtaken our lives—the pervasiveness of the Internet has affected how we do almost everything—from communicating to banking. Drawing on his extensive work with hedge funds, private equity firms, celebrities, hospitals, and more, Bart McDonough accurately and thoroughly describes the cybersecurity threat landscape—the who, what, when, where, why, and how—and then helps readers understand how to perform proper “use, care, and feeding” of accounts and devices to avoid exposure in many areas of daily life. Just as people must tend themselves to maintain their health, so too should they practice proper “cyber hygiene” with websites, software, and devices to protect themselves and their families in a world of cyber threats.

As an expert in the cybersecurity field, McDonough has traveled around the world speaking at conferences for the FBI, Goldman Sachs, JP Morgan, Morgan Stanley, Citibank, Credit Suisse, Jefferies, Bank of America, and others, where he addresses crucial cybersecurity recommendations for businesses. However, the most common question he receives from the attendees at these conferences is “How can I protect myself at home, on a personal level, away from the office?” Addressing this very question in this book, McDonough combines his extensive industry knowledge with real-world examples of cyberattacks and how to prevent them as well as how to recover from them.

The idea of identity theft and other forms of cyberattacks can be daunting to the average person in today's society; however, it does not have to be that way. With the proper knowledge, outlined as the five “Brilliance in the Basics” habits in this book, everyone can learn better practices to help prevent bad actors from taking advantage of their money, personal information, and devices. Moreover, the more people who protect themselves, the better off everyone is. While there are several books out there that address the topic of cybersecurity, the majority of these focus on security for businesses and corporations. Few are intended to teach individuals in the general public how properly to protect their money, identities, personal information, devices, networks, and online experiences.

Cyber Smart focuses exclusively on this audience. Written in plain English and using everyday relatable examples, McDonough helps readers easily understand how they can personally update their approaches to Internet and device safety, and he does this through a positive, proactive style. While other comparable titles focus on fear-based conditioning, Cyber Smart focuses instead on maintaining the idea that while these technological advances have risks, there is no reason not to take advantage of them as long as you do it with open eyes and an awareness of how to keep your information safe.

Introduction

As technology advances and we adopt new cloud-based services, wearables, fitness trackers, smart home appliances, and cars, we need to balance our rapid consumption of technology with vital knowledge of how safely to use, maintain, and protect these Internet-connected products.

Protecting our identities from the onslaught of endless cyber scams and hackers has become an exhausting effort. It can feel like we need a technical degree to defend ourselves and our families from cybersecurity attacks and ensure we're secure in our day-to-day personal and professional lives. Since we don't hear these cyberattacks knocking at our door or receive real-time evidence of our sensitive information circulating the underbelly of the Web, it's hard to grasp how vulnerable we are at any given moment. In this book you learn how to find your exposed information on the Internet—and discover you've been breached—it can feel like there's nothing you can do to protect your and your family's leaked Social Security numbers, passwords, and more. I am here to tell you there is hope. In this book, you'll learn to practice the essential cybersecurity habits to protect your family from bad actors.

Technology advancement brings opportunities, but it also creates risk, making it necessary to teach ourselves proper “use, care, and feeding” of our devices. If we don't, we risk significant exposure in many areas of our life. Similar to caring for ourselves, we must practice proper “cyber hygiene” with websites, software, and devices.

We know we spend a ton of time online, but we may not realize how our heavy Internet usage can increase our risk of falling victim to cybercriminals. It's as easy as visiting a website with infected ads that harvest our computer's CPU power, so bad actors can “mine” highly profitable Bitcoin cryptocurrency, typing credit card numbers into legitimate-looking, spoofed websites, or accidentally downloading ransomware from a linked “Funny Cat Video” our “friend” sent us. We devote a lot of time and energy to these online interactions. If we neglect the “use, care, and feeding” of technology and our presence in cyberspace, we risk letting bad actors run rampant—infecting and sabotaging our cyber comforts, wiping out years of family photos and personal files to ransomware demands in the thousands of dollars, or repeatedly using and abusing our identity.

If we lived in a “bad” neighborhood with a high level of crime, we would take the necessary precautions to protect ourselves, our family, and our belongings. We are mindful of our surroundings—we lock our doors, install extra locks, don't carry loads of cash on us, and so forth. However, when we are in a good neighborhood with low crime, we tend to be more relaxed around our physical safety precautions.

When it comes to our cyber lives—we all live in a bad neighborhood. And we all need to practice essential cyberhygiene precautions, or else we play a risky game of cyber roulette to see how much we think we can get away with before the neighborhood bad actors succeed in their cyberattacks against us. Then it's game over—or, at the least, we experience a lot of unnecessary frustration, embarrassment, expense, and cleanup.

This is not said to scare you—it is to help prepare you to have the right mind-set when you are online. My primary goal is to share real stories of people like you—victims of common cyberattacks—and then provide specific recommendations you can use to protect yourself against cyberattacks and scams. The secret to practicing cybersecurity is what I call “Brilliance in the Basics”—five crucial cybersecurity habits that I recommend you perform regularly.

Brilliance in the Basics habits

  1. Update Your Devices
  2. Enable Two-Factor Authentication
  3. Use a Password Manager
  4. Install and Update Antivirus
  5. Back Up Your Data

Performing these five basic, recurring cyberhygiene principles will work to prevent cyberattacks and serve as a cure for prevalent cybersecurity issues. I will show you how to manage your Internet presence safely, as well as your technology usage, so you can continue to enjoy the pleasures and opportunities that come with the cyberspace you love. You'll discover more about the “Brilliance in the Basics” cyberhygiene habits in Chapter 7.

Debunking Cybersecurity Myths

I will also address and dispel popular cybersecurity myths throughout the book. Recognize any of these?

Hacking Myths

  • “Why bother doing anything? If a hacker wants to get me, they will. I mean huge companies and the U.S. government get hacked. I can't do anything to protect myself—it's a lost cause.”
  • “Bad actors aren't interested in my data. I'm not a celebrity or public figure. I don't have anything of value to them.”
  • “Websites wouldn't steal my computer's CPU power to ‘mine’ cryptocurrency, like Bitcoin, just by visiting them.”
  • “The applications in the Apple App Store or Google Play store are safe. I can't download ‘bank account–stealing’ malware from a simple crossword puzzle app, can I?”
  • “I'm not worried about ransomware. Law enforcement will catch the adversary and get my files back, right?”

File Storage and the Cloud Myths

  • “I don't store my information in the cloud because it's not safe.”
  • “I store my files in the cloud already, using Apple iCloud and Google Drive. They back up my files, right?”
  • “I perform backups to an external hard drive that's always plugged into my computer. My files are protected.”

Password Management Myths

  • “Remembering and keeping up with fancy passwords is too difficult. There's no way I can do it for every site I use.”
  • “Two-factor authentication takes too long. As long as I have a strong, unique password for each account, I am secure.”
  • “Cloud-based password managers aren't secure.”

Web Browsing Myths

  • “Websites with the lock symbol in the URL are safe to use.”
  • “Public Wi-Fi is secure if it requires a password.”

Email Account Myths

  • “It's not necessary for me to create a separate email just for banking if I have a strong password for my bank account, even if I use the same password for my email account too.”
  • “I don't have anything of interest to the adversary in my email account. Good luck reading all my boring emails.”
  • “Email providers like Google or Yahoo aren't making money from my email conversation with my spouse.”

Identity Theft Myths

  • “Credit monitoring and fraud alerts will protect me from identity theft. I don't need to activate a security freeze.”
  • “My child doesn't have a credit history. Their identity won't get stolen, and their credit score won't be damaged.”
  • “I don't shred sensitive documents when I throw them out. No one would sift through my garbage to steal my identity.”
  • “I connect with anyone who sends me a friend request on LinkedIn. We're all professionals here, not scammers.”
  • “I trust my doctor's office with my Social Security number when they request it. They need it for vital reasons, right?”
  • “I can't be denied critical medication at a hospital just because someone stole my identity and tampered with my medical files, can I?”
  • “I trust retailers and gas stations to protect their card swipe, or dip, machines from skimmers that steal card numbers.”

By learning the facts, you can set the record straight and safeguard yourself and your family. Cyber awareness will be like second nature.

In fact, let's dive in and dispel one myth right now.

  • Myth   “Why bother doing anything? If a hacker wants to get me, they will. I mean huge companies and the U.S. government get hacked. I can't do anything to protect myself—it's a lost cause.”
  • Fact   You can safeguard yourself from the vast majority of threats. It takes only a few steps, which I list in the ensuing chapters. By learning to protect yourself, you will take a “bite” out of cybercrime. You'll emerge a newfound “Brilliance in the Basics” expert and be ready to share your learned cybersecurity hygiene basics with others.

    We need to work together to defend our privacy, security, money, and peace of mind. It's our right to enjoy what technology and the Internet have to offer. The last thing we should do is to admit defeat and compromise these fundamental liberties by surrendering our security and, along with it, our personal information, assets, and identity.

Protecting our security does not necessarily mean we have something to hide; it's the preservation of our identities and those of our loved ones. This includes our money, medical records, credit files, devices, online presence, and more. Cyber threats influence every part of our lives. We must implement proper cyberhygiene habits accordingly. And that starts here.

How to Use This Book to Outsmart Bad Actors

This book gives a detailed portrayal of the current cybersecurity landscape and its threats, and it explores how we, as adult professionals, can protect ourselves and our families as more of our life duties move online via Internet-connected devices.

Throughout my experience providing cybersecurity training to thousands of business professionals, I observed a growing need among the participants to learn how they can secure themselves on a personal level in addition to safeguarding business operations. It became apparent the cybersecurity community was focusing primarily on business executives and overall business security, leaving a shortage of cybersecurity guidance made available to us as individuals. We are the fabric making up a business, and we are the ones sitting on the other side of the company computer. The focus in this book will be on closing the personal cybersecurity guidance gap. I will share the basic cybersecurity habits you need to protect your and your family's online assets and identity—personally and professionally.

I designed this book in two parts: Part I, “Setting the Stage,” and Part II, “Specific Recommendations.”

Part I: Setting the Stage

In this part, I define some common cybersecurity terms and provide an overview of cyber risk that poses a threat to our families and ourselves. After that, we learn more about who is the adversary, their main goals and targets, and their attack methods and weapons of choice.

Next, I cover the “Brilliance in the Basics”—the five core habits that serve as an ounce of cyberattack prevention worth a pound of cybersecurity cure.

Finally, I touch on some grave mistakes we can make without realizing we've made them, like an accidental data breach. I conclude Part I with detailed incident response steps you can take if you encounter the unfortunate—ransomware, spam, email compromise, and more.

Part II: Specific Recommendations

In this part, you'll find helpful, straightforward steps to begin protecting your identity, money, email, files, social media, website access, passwords, computers, mobile devices, home network, Internet of Things (IoT) devices, as well as your information while traveling.

Throughout each chapter, you will notice a few features: accounts of cyberattack and scam victims, segments on popular cybersecurity myths, and straightforward and practical cybersecurity recommendations.

These accounts are real stories about attacks, scams, or methods of defense. While I include quite a few, they are just the tip of the iceberg. Many dangers are lurking in cyberspace, waiting to pounce on unsuspecting targets who don't know how to protect themselves adequately.

In addition to these real-world stories, I include specific, actionable recommendations outlining how you can stay safe in the midst of frequent and severe cybersecurity attacks. By actively applying the handful of key, learned, defense techniques to your day-to-day personal and professional life, you will be practicing what some of the most secure people in the world do.

I also address popular cybersecurity myths to which we've all fallen prey, believing at one time or another. We've already tackled the first of these myths in this introduction. Going beyond just addressing these myths, in this book I provide the facts on which you'll need to focus to protect yourself and your loved ones with clarity and efficiency so you can continue enjoying all that the Internet has to offer.

How to Contact the Author

You can contact Bart McDonough by visiting his personal website—www.Bartmcd.com—where you will find his latest thoughts and links to the most current social media posts.

Download

Go to www.wiley.com/go/cybersmart to download a brief reminder of “Brilliance in the Basics” habits you can keep with you everywhere.

I
Setting the Stage

  • Chapter 1: Overview of Cyber Risks
  • Chapter 2: Attackers
  • Chapter 3: Attack Targets and Goals
  • Chapter 4: Attack Methods
  • Chapter 5: Attack Chain
  • Chapter 6: Attack Vectors
  • Chapter 7: Brilliance in the Basics
  • Chapter 8: Mistakes
  • Chapter 9: Incident Response

1
Overview of Cyber Risks

William and Nancy Skog had cherry-picked an impeccable, perfect, river-front residence in Wilmington, Illinois. Exhilarated by the thought of moving into their dream home, the Skogs could practically see their new lives—watching the tranquil riverboats cruise by and listening to the water birds sing. There was one final step needed to finalize their purchase—wire $307,000 in closing costs to their real estate attorneys. Having received an email with payment instructions sent from what looked like a legal assistant at the firm, William and Nancy wired over their entire life savings—$307,000. Their new life was about to begin. Days later, however, the couple sat across from their lawyer at the closing table and learned their payment never arrived. The Skogs immediately panicked. If their attorneys didn't get the money, who did?

Let's take a closer look at the details of the wire transfer scam. All $307,000 of the Skogs' hard-earned cash had vanished without a trace. Fraudsters, impersonating their real estate attorneys, had pocketed the entire wire transfer. Almost everything in the closing cost email the Skogs had received looked genuine. The email signatures appeared authentic (because the bad actor copied and pasted the real one), the file attachment had the attorney's actual letterhead, and the details of the real estate transaction were accurate.

How could a bad actor obtain all of this information? A variety of attack methods and vectors could have been used: including compromising one or more email accounts of those involved in the transaction, pretending to be a prospective client and emailing the firm to obtain a response and thus an email signature, or finding the attorneys' letterhead via an Internet search.

Bad actors use automated hacking software that scans data breach dumps for email addresses of people working in a specific industry, such as real estate. Once they collect a list of email addresses, they send phishing emails (an email-based, social engineering attack) to obtain the victim's email account password fraudulently. Once they have the password and successfully gain access, they research and monitor real estate transactions in flux. When the timing is right, bad actors send an email to home buyers with “new” wire transfer instructions.1 It can be easy for victims to believe the malicious email is legitimate, since it can actually be sent from the authentic (hacked) account of one of the real parties involved.

Despite the scam's convincing elements, there were indicators something was wrong. The fraudulent email used unorthodox sentence structure, such as “… and have us set ready your closing.” Notice anything yet? But beyond suspicious grammar, what could have tipped the Skogs off to the fake email sent by the bad actor? The sender's email address and links might have contained clues. Hovering over any links in the email could have produced red flags, like different or similar-looking URL addresses (for example, RealEstate.com versus the malicious URL RealEstate-co.com).

Next, the circumstances themselves were reason enough to be wary. Cyberattackers and scammers target their victims in moments of heightened emotion. People are often distracted and/or overwhelmed when scared or elated. In the case of the Skogs, the adversary recognized an opportunity when the Skogs were buying their dream home—a scary and thrilling life event. It was the perfect storm of emotions to render the Skogs vulnerable and allow the scammers to steal the couple's hard-earned life savings successfully when they least expected it. The couple's only saving grace was their daughter, who purchased the home for them.

The Skogs' tremendous loss to real estate wire transfer fraud is indicative of a growing epidemic. In 2016, the FBI found that $19 million in real estate transactions were “diverted or attempted to be diverted” by bad actors, and that amount increased to practically $1 billion in 2017—a 5,163 percent increase in just one year.2 The cruelest part of real estate wire transfer fraud is the rare chance of ever recovering stolen funds. According to James Barnacle, chief of the FBI's Money Laundering Unit, “I don't want to set false expectations for consumers. The chance of recovery here is slim.”3

Real Estate Wire Transfer Fraud Prevention Steps

Now that you've learned the life-shattering reality of real estate wire transfer fraud, here are some essential prevention steps:

  • Before performing a wire transfer, confirm the exact closing instructions with your real estate broker, attorney, or both, in-person, over video or on the phone. (Remember to validate their phone number first.)
  • Verify all emails received are genuine. Look out for red flags indicating a phishing email attack, and be suspicious of clicking any email links or opening any file attachments. (You will learn more about phishing email attacks in Chapter 4 and Chapter 5, as well as how to protect your email in Chapter 12.)
  • Review other payment options that can potentially provide more protection than a wire transfer, like a cashier's check.
  • Initiate a test wire transfer for $100 and confirm the intended receipent received the wire transfer.
  • Don't use insecure Wi-Fi to access or send email communications about sensitive transactions. (See Chapter 15 for safe web browsing practices when using public Wi-Fi.)
  • Secure your email account with two-factor authentication, and use a strong and unique password for each of your accounts. (See Chapter 15 for details on protecting web access and passwords.)
  • Consider using a secure method of file transfer and storage. Use a paid version of Box.com or similar trusted cloud environment. This will allow you to transfer files securely and control which email addresses can access the files.
  • Check to see whether your financial institution has insurance available for purchase to protect you from wire transfer fraud liability. Banks are just starting to sell policies for wire transfer fraud protection up to a certain amount. Because there's no standardized, one-size-fits-all policy, check the fine print for variations among banks.4

If You're a Victim of Wire Transfer Fraud

If you've fallen victim to a real estate wire transfer scam, here are immediate incident response recommendations:

  • Call the bank that sent the transfer to discuss your options.
  • Alert the bank on the receiving end to discuss your options.
  • Notify local law enforcement, and file a police report.
  • Notify your local FBI field office, and file a complaint.
  • Visit the FBI Internet Crime Complaint Center (IC3) and file a complaint online at https://www.ic3.gov/default.aspx.

Real estate wire transfer fraud is just one example of the many common and devastating cyber risks we face. Cyberattacks are growing and evolving at a staggering rate, but by continually practicing the handful of basic protection techniques you'll soon learn, you can strengthen your cybersecurity with ease.

Cyber-Risk Statistics

Serving as a testament to the increase in cyber risk and the need for easy-to-understand, personal, cybersecurity guidance, Verizon published the following statistics in its 2017 “Data Breach Investigations Report,” sourced from 65 organizations:5

  • 51 percent of data breaches involved organized crime groups.
  • 1 in 14 people were tricked into clicking a malicious link or email attachment.
  • 66 percent of malware was installed by opening malicious email attachments.
  • 43 percent of all data breaches used social media attacks.
  • 81 percent of hacking-related breaches used stolen and/or weak passwords to gain access.
  • 93 percent of social engineering used phishing techniques.
  • 14 percent of breaches were caused by mistake.

Why do attackers have such a high success rate in wreaking havoc and causing breaches? One possible explanation is that people rely solely on technology to protect them. In reality, antivirus and firewalls can only do so much, and they don't provide any protection against “legit” emails from compromised counterparties, such as your lawyer, real estate agent, or banker. It takes individual awareness and implementation of proper cyberhygiene practices to defend oneself holistically.

Throughout the book, you will learn about how to defend yourself against the vast majority of threats. There are a set of fundamentals, which when practiced together will dramatically increase your cybersecurity posture. I simply call this collection of activities and technology “Brilliance in the Basics.”

Brian Krebs, a well-known cybersecurity researcher and investigative reporter, put together a “Cybercriminal Code of Ethics,” to convey “immutable truths” depicting how bad actors benefit from a lack of investment in personal cybersecurity.6

  • If you hook it up to the Internet, we'll hack at it.
  • If what you put on the Internet is worth anything, one of us is going to try to steal it.
  • Even if we can't use what we stole, it's no big deal. There's no hurry to sell it, and we know people.
  • We can't promise to get top dollar for what we took from you, but hey—it's a buyer's market. Be glad we didn't just publish it all online.
  • If you can't or won't invest a fraction of what your stuff is worth to protect it from the likes of us, don't worry: you're our favorite type of customer!

Another reason cyberattackers are successful is individuals don't necessarily have the proper cybersecurity knowledge to detect cyber threats. (You will obtain that knowledge reading this book!) Scotland Yard found in every month London citizens lose $36 million and report around 3,500 cases of cyber fraud. The most common offenses include phishing emails and malware such as ransomware. Bad actors are aware of this lack of understanding when it comes to cyberattacks. Instead of attempting to compromise a company's firewall directly, these scammers target individuals via their personal lives. The hope is this approach will provide a path to a company's network and thus multiple victims. From here, these bad actors can steal personal information, money, and computing resources.7

Breaches, Cyberattacks, and Hacks—Oh My!

Now you've read a bunch of statistics about breaches, cyberattacks, and hacks—what do they actually mean, and what's the difference between the three?

A breach is an incident where sensitive, private, or confidential information is accessed or leaked without authorization. The types of information valued by bad actors include Social Security numbers, credit card and bank account numbers, billing addresses, tax returns, medical information, usernames and passwords, and more.

A breach can be a result from a cyberattack, a hack, or simply a mistake. Each week, bad actors break into networks and systems and steal people's information, sometimes amounting to tens of millions of data elements or more. Most of the time, this stolen data is used to commit fraud. At other times, it can be used as blackmail, such as the case with the Ashley Madison breach, which leaked names and credit card numbers of customers of the extramarital affair website. Bad actors got ahold of the leaked information and threatened Ashley Madison customers into paying a fee; or else they would divulge their activities to their spouses and the general public.

Companies nowadays store massive amounts of personal information about their users for the purposes of its services, ease of access, data analysis, or the convenience of automated payments. Data can be seen as a toxic asset—the more it's accumulated and the longer it sits in storage, the higher the stakes if the information gets into the wrong hands.8

A cyberattack is when attackers (that is, individuals, criminal organizations, nation states, terrorist organizations, and so on) carry out malicious attacks, such as social engineering against people with the primary objective of accessing, modifying, disclosing, or selling stolen information. Cyberattack targets can include individuals, businesses, government agencies, national infrastructure, and more. A cyberattack doesn't necessarily involve the act of hacking or even the direct use of computers.

A hack is a simple or complex act of malicious intent that involves using automated or manual technology to crack a code or break into a target's computer systems or network. It is simply digital trespassing.

Hacking can be a component of a cyberattack, which can lead to a data breach, but a cyberattack doesn't necessarily require hacking skills or computers at all. A data breach can occur without a cyberattack or a hack. A data breach can happen by mistake; as an example, someone sends an email to the wrong person or list of people, resulting in a data breach. Have you ever written an email, attached a sensitive file, and then accidentally sent it to the wrong person? Yep—we've all done it. This is considered a data breach since you didn't intend to send the information to those recipients.

Now that you've read about the main differences between a breach, a cyberattack, and a hack, in the next chapter you will learn who the adversary is, what they want from you, and how you can protect yourself and your family from their cyberattacks and scams.

Notes