After completing this unit, you’ll be able to:
- Define cybersecurity and explain why it’s important.
- List types of information hackers want.
- Identify assets that make up the attack surface.
- Define vulnerabilities, threats, and risk.
Cybersecurity Gets Personal
Imagine you just bought a brand-new house. It’s the home you’ve always dreamed of—the perfect place to keep your priceless family heirlooms and treasured knick-knacks.
On the Monday after move-in weekend, you get up, put on the coffee, complete your morning routine, and leave the house for work. You’re all settled in when suddenly panic sets in. You forgot to lock your front door!
Your mind immediately jumps to the worst-case scenario. What will happen to your precious belongings? Can you expect them to stay safe? Probably not.
The same is true of your digital life. You can’t expect your valuable information to stay secure if you don’t lock the proverbial door. This means maintaining personal cybersecurity or protecting your identity, assets, and technology in the cyber world.
Unfortunately, millions of people have learned the importance of cybersecurity the hard way. According to Forbes, the first 6 months of 2019 saw more than 3,800 publicly disclosed breaches, exposing 4.1 billion compromised records. A breach is any moment a hacker successfully exploits a vulnerability in a computer or device, and gains access to its files and network. As our digital footprints continue to grow, we can expect the number of breaches to increase. That is, unless we all brush up on personal cybersecurity basics.
You might be thinking, “Why would anyone care about little old me?” Well, let’s just say you’re more important than you think. You’ve got a ton of information attackers would love to get their hands on! Let’s take a look at the common types of information attackers are out to get from you.
Your Oh-So-Valuable Information
There are three big buckets of info that hackers are digging into (and that you should keep secure).
Personally Identifiable Information (PII)
This is any information that can be used to identify or locate you, including your name, address, phone number, date of birth, government-issued personal identification number, and IP address. Hackers can use this information to steal your identity or use it via social engineering to gain access to even more info, typically for economic gain.
Personal Payment Information (PPI)
Snagging payment information is an easy way for a hacker to make a quick buck. But it’s not only credit card numbers that are at risk. Cybercriminals are also out to get debit card numbers, online banking credentials, checking account numbers, and PIN numbers.
Personal Health Information (PHI)
Health information is one of the most valuable forms of information for a hacker since health records can include a combination of personal identifiable information plus health data.
It can be overwhelming to think about all of the places you store this information across your digital ecosystem. Never fear. We’re going to give you practical ways to keep all of it safe in the next module. But first, let’s talk about where attackers look for your systems and data.
Understanding the Attack Surface
What is the attack surface? It’s any exposed place in our environment that a bad actor can use to gain entry to, or extract something of value from, the places that we want to protect. Think about houses, for example. We created locks to keep unwanted people out. But as soon as the first thief picked a lock, we recognized it was vulnerable. The lock was, in essence, one element of the attack surface.
Our digital landscape is very similar to those first houses, but instead of locks, we have computer systems, servers, mobile devices, cloud services, retailers, social networks, and business platforms. They can all potentially be exploited to gain access to our information.
Understanding the attack surface is important because it is a starting point for evaluating the vulnerabilities on your critical assets and the possible threats against them to form a full picture of your cybersecurity risk. Here are a few categories of the attack surface to consider.
The obvious hardware attack surface is made up of computers, smartphones, and tablets. It also goes beyond devices to include any hardware access points like Wi-Fi networks, USB ports, and Bluetooth connections.
Software is the most commonly exploited piece of the attack surface. An exploit is a malicious application or script that can be used to take advantage of a software vulnerability. Some threat actors can con you into downloading phony software so they can gain access to your system, or they get in through bugs in an existing program.
We can’t forget about the friends, family members, retailers, and business partners who all have some degree of access to our digital information. They do not mean to harm, but they’re prone to making mistakes and can fall victim to social engineering, which can lead to them leaking your data.
After identifying and evaluating all of the aspects of your attack surface, you next need to think about the vulnerabilities and threats associated with them. The examination of assets, their vulnerabilities, and possible threats makes up the total picture of your cyber risk. Let’s take a look.
Assets and Their Vulnerabilities, Threats, and Risks
Just like the steps you take to protect your critical assets at home, your task online is to keep track of your digital assets and protect them from theft and destruction. It’s key to consider the criticality of the assets you own. Your assets are the resources, processes, products and systems that have value to you, and make up your attack surface that must be protected. You should have a good idea of where your sensitive information is stored and processed, and how your data is transmitted and shared between systems and applications. Once you’ve considered all this, it’s time to identify possible vulnerabilities that an attacker could exploit to compromise your critical assets.
Vulnerabilities are a weakness in an information system, procedure, or control that can be exploited by a threat source to compromise your critical assets. For example, if you reuse the same password for your social media and your banking accounts, you’re presenting a weakness a hacker can exploit. If they manage to compromise the password for one account, they now have access to the others. Vendors often issue security patches for vulnerabilities they discover in their applications, systems, or code. It’s crucial that you update your devices and software with these patches in a timely manner, in order to prevent a threat actor from taking advantage of them to compromise your data.
You also need to stay ahead of cyber threats. A threat is any natural or artificial circumstance that can have an adverse impact on an organizational asset. For example, a cybercriminal can deliver malware (malicious software that brings harm to a computer system) to you with a phishing email (a weaponized email that masquerades as reputable, but lures targeted groups into taking an action) that provides the cybercriminal with unauthorized access to a file containing personal information.
Importantly, threats try to exploit vulnerabilities on your most critical assets, so it’s key to consider all three of these aspects (threats, vulnerabilities, and assets) in your daily life. Staying informed about threats helps you get inside the brain of the adversary and think like them, in order to help you better understand what they may find valuable.
New cyber risks and threats arise daily. A cyber risk is the risk of financial loss, disruption, or damage to reputation resulting from the failure of information technology. For example, if an attacker gains unauthorized access to your bank account and steals money from you, you’ve realized a cyber risk in the form of financial loss.
Think carefully about your appetite for risk when assessing your own personal cybersecurity. While downloading a certain application may make a certain task easier or more fun, what security trade-offs come with doing so? Make sure you know how the technology uses and protects your data, and what the risks are. Once you’ve identified the risk of using a certain program or technology, you can take action to protect yourself.
You learn more about protections in the Secure Your Digital Assets module. For now, let’s learn more about the bad actors that might target your data, and the tactics they use to do so.