With news sources reporting novel online threats on a daily basis, in a world of adversaries with seemingly unlimited resources, how could one achieve “cybersecurity nirvana”? What is it, anyway?
I work on a multi-country multi-year multi-million-euro aid project to cybersecurity-protect indy media/journos and rights-defending NGOs/activists.
Besides being an unrealistic goal, perfect cybersecurity is unnecessary. All anyone really needs is sufficient cybersecurity — good enough to ensure cybersecurity “incidents” don’t happen to you. (Perhaps your defences have exceeded your adversary’s offensive capabilities; or maybe you’ve just raised the attacker’s cost (to get through your defences) high enough that she chases other prey.) But how good is good enough? Or to put it differently, what should one prioritise? After all, every decision anyone ever makes (or doesn’t make) takes into account myriad variables and values in terms of prioritising something over something else.
Most of our project’s developing-world beneficiaries would name “the government” as their main concern, but in reality cybercriminals are probably a more pervasive threat, so we aim to defend against both. In cybersecurity our decision-making about what to do (or not do) is couched in terms of threat models, assets (to be protected), vulnerabilities, attack surface (and vectors), IOCs, EDRs, SIEMs, IDSes, SOCs, logging, and pen-testing (to name a few of our favourite buzzwords), but it all still comes down to: since defensive resources are always limited, what’s the highest priority?
In our project, we wanted to settle on “standards” which we would try to help everyone meet. We wanted the components of our set (of standards) to be, as much as possible, …
- easy (for us) to explain,
- essential / non-negotiable,
- assess-able (“do you comply?”),
- non-disruptive (to the end user), and
- “good enough” (in terms of defensive ability).
Our thinking was informed (and is constantly re-informed) by all the information we can (reasonably) gather about the digital-danger environment, including Microsoft’s Security Intelligence Report, Verizon’s Data Breach Investigations Report, Symantec’s Internet Security Threat Report, Citizen Lab’s stellar forensics analyses, and our own (and others’) experience with the incidents faced by those we’re trying to protect. As we mulled this over, we found the highest-priority defences — our baseline standard set — falling into four categories:
- Insecurity of online accounts — 44% of incidents: all important accounts (Google/Gmail/Play, Facebook, Apple/iCloud/iTunes, Microsoft/Skype/Hotmail, Twitter, Yahoo!, your domain and site’s CMS, your password manager, etc.) should be defended with …
  - good (long, unique, unguessable) passwords — which therefore can’t all be memorised and thus should be generated by, stored in, and auto-entered by a good password manager (e.g. LastPass, Dashlane)
  - multi-factor authentication, using (as a second factor) a backup-able OTP-generating smartphone app like Duo, Authy, or SAASPass (Google Authenticator is harder to back up)
- Insecurity of endpoints (PCs, smartphones, tablets) — 43% of incidents
  - eliminate the use of unpatched software, particularly pirate Microsoft Windows and Office and out-of-date Adobe Acrobat Reader, Google Chrome, and Mozilla Firefox, but also your Mac’s OS; i.e. aggressively update, upgrade, patch, and set all your software to auto-self-update
- Insecurity of data at rest — 10% of incidents
  - ensure every device requires authentication (password, PIN, swipe, fingerprint, face) to access, and has a “lock timeout” set (to fall back to requiring authentication after ~2 minutes of non-use)
  - enable the “whole-drive encryption” built in to your OS — Windows BitLocker, macOS FileVault 2, *nix dm-crypt (modern Android and iOS devices have encryption enabled by default)
- Insecurity of data in transit — 3% of incidents
  - stop using POTS and SMS to communicate; instead, use apps like Signal, WhatsApp, Skype, Messenger, Telegram

(These percentages are based merely on our own experience and evolve over time.) The above standards apply to literally everyone. A fifth category applies to only some:

- Insecurity of access
  - if you have a web site, defend it against DDoS attacks (using Deflect, Galileo, etc.)
  - if your access to internet content is cybercensored, cybercircumvent (using a for-fee VPN like WiTopia, TunnelBear, etc., or a free proxy client like Lantern, Psiphon, etc.)
Luckily, nothing in this baseline standard set is rocket science; unlike a decade ago, all these solutions are “off-the-shelf.”
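One way to make the “whole-drive encryption” standard assess-able on a Linux endpoint, as an added example that is not part of the original article: it walks the device tree reported by `lsblk --json` and lists every mounted filesystem or swap area with no dm-crypt layer beneath it. The sample output is constructed, and exempting `/boot` and `/boot/efi` is an assumption.

```python
import json
import subprocess

# Constructed `lsblk --json -o NAME,TYPE,MOUNTPOINT` output (not from a real
# machine): LVM-on-LUKS root and swap, a plain /data partition, plain swap on sdb.
SAMPLE = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]},
    {"name": "sda3", "type": "part", "mountpoint": "/data"}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "[SWAP]"}]}
]}
"""

# Assumption: the boot and EFI partitions are allowed to stay unencrypted.
EXEMPT = ("/boot", "/boot/efi")


def unencrypted_mounts(lsblk_json, exempt=EXEMPT):
    """Return mounted filesystems (and swap) with no dm-crypt layer beneath them."""
    found = []

    def walk(node, encrypted):
        # A device is covered once any ancestor (or itself) is a dm-crypt mapping.
        encrypted = encrypted or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not encrypted and mountpoint not in exempt:
            found.append(mountpoint)
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return sorted(found)


if __name__ == "__main__":
    print("sample:", unencrypted_mounts(SAMPLE))
    live = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout
    print("this machine:", unencrypted_mounts(live) or "all mounts encrypted")
```

An empty result means the device meets this one standard; unencrypted swap is reported because it can hold data paged out from memory.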
Over the life of our project, we’ve found our baseline standard set evolving, partly by relentlessly narrowing our focus. For instance, some years ago we would’ve included third-party antivirus, but now we don’t. We don’t think antivirus/antimalware is worthless (we use it ourselves); we simply think the ROI of getting someone else to meet our baseline standard set is higher than the ROI of getting anyone beyond the baseline with other useful, but lower-priority, defences.
We’ve also found that merely cybersecurity-training people often fails to get our advice operationalised, so instead of treating training as the goal, we focus on the actual implementation of the baseline standard set, with teaching/learning being a desired side-effect.
Naturally, those we try to protect ask lots of questions, e.g. but …
- *which xxx (messenger app, password manager, operating system, antivirus, authentication method …) is best?* The difference among them is much less important than ensuring you meet this baseline standard set
- *everyone else says I should use additional defence xxx (VPN, PGP, VeraCrypt…) …* The more defences you have resources to deploy, the better, but all of the most common incidents would be prevented by this baseline standard set
- *what about the cost of getting licensed Microsoft software?* If you’re an NGO, use TechSoup to access substantial discounts. If you’re a for-profit, shop around online for the cheapest product keys (e.g. second-hand licenses on eBay Germany)
- *what about covid-19?* The baseline standard set defends just as well against pandemic-related threats
- *what about backup?* Good idea, but be sure it’s encrypted; if you use cloud backup, make sure it’s client-side-encrypted (e.g. SpiderOak, egnyte)
- *what about my wifi AP/router?* If you comply with the basic standard set, all your important data are (e.g. HTTPS-)encrypted and thus already protected against threats “in the network”
- *what about anonymity?* A lack of anonymity wasn’t the cause of any of the cybersecurity incidents suffered by those we try to defend. If you want to browse anonymously, use Tor; if you want to chat anonymously, use Ricochet, Briar, or Session; if you want to offer visitors to your web site the ability to anonymously submit reports, stand up a GlobaLeaks or SecureDrop instance
- *what about offensive hacking tools like NSO’s Pegasus / HT’s RCS / Gamma’s FinFisher / WWL’s NetWire?* Our baseline standard set already defends against almost all these offensive hacking tools’ techniques
- *what about phishing?* Yes, you shouldn’t enter your password into links you receive via e-mail, SMS, messenger app, etc.; and yes, you shouldn’t run programs (or browser add-ons) of dubious provenance (e.g. downloaded from online or received via e-mail); and yes, you shouldn’t send money to someone who says they’ve been “mugged in Madrid”
- *what about zero-days?* Focus on the known threats. Are you baseline-standard-set-compliant yet?
- *what about Facebook/LinkedIn?* If you friend someone or publish something on a social network, you should assume your adversary can see that
- *what about Zoom/WebEx/Teams/GoToMeeting/BlueJeans?* They’re fine provided you’re baseline-standard-set-compliant. If you want an open-source alternative, try meet.jit.si
- *what about internet cafés?* If you care about cybersecurity, don’t use them. Seriously; the operator logs everything. You can try using TAILS, but most cybercafés won’t allow it
- *what about e-mail?* If you’re baseline-standard-set-compliant and you’re using a reputable (e.g. Western-country) mail provider, it’s pretty safe
- *what about SIM-jacking?* Check out Ainita’s Taya
- *what about ransomware?* No one who’s baseline-standard-set-compliant has ever fallen victim to ransomware. Hmm … is there a theme here?
- *is there anything your baseline standard set can’t defend against?* The mobile phone you’re carrying — whether smart, feature, or dumb, and regardless of whether its GPS’s enabled — is a tracking device, the location of which your (government-licensed) MNO knows 24/7/365
- *we have all our staff compliant with your baseline digital security standard set — what next?* Now, get everyone you communicate with to also become as cybersecurity-baseline-standard-set-compliant as possible. Every single step helps
- *what might next be added to your baseline standard set?* On all your devices, adopt DNS-over-HTTPS in your OS via Simple DNSCrypt, Intra, or 22.214.171.124
Lest it’s not clear yet, we’ll emphasise: everything in these italicised questions is subsidiary to the importance of complying with our baseline standard set. We’ve never encountered anyone (even the many folks who’ve been through a cybersecurity workshop or three) who (before meeting us) was already compliant with our basic standard set, so we try to be firm that all these additional questions are pointless until you’ve taken care of your core digital hygiene — the basic standard set.
Let’s review: if your cybersecurity-defending resources are limited, prioritise!