Once we cover all eight steps, we finish with Chapter 9, “Afterword.” I have advice for implementing all eight of these steps. But my knowledge is augmented with tips from some of the world's top business cybersecurity professionals. So, as you prepare to improve the cybersecurity of your organization, you'll benefit from an amalgam of the best advice available.
Congratulations, you're ready to prepare your company for the evolving cyber threat landscape, no matter which country or industry you're in or the size of your business! Pat yourself on the back and then get to work. You can do it. I believe in you.
Chapter 1 Step 1: Foster a Strong Security Culture
People generally assume that cybersecurity is a technological area of study and take it for granted that cyber threat actors, called hackers by laypeople, must be computer geniuses. They have to have some mastery of computer programming code and an advanced understanding of how computer networks work. And if you take the Hollywood stereotype really seriously, then you probably believe that the most notorious cyberattackers work from an elaborate computer lab in their mom's basement, wearing a hoodie and typing at 400 words per minute. I imagine something like the movie War Games, but with a more 21st-century-style presentation.
So, surely, if you're learning about cybersecurity, it's all about computer science stuff, right? You likely bought this book because you're a businessperson who wants to improve the security posture of your company. So, maybe you expect this book is about hiring the right supernerds for your IT department, and then you just let them do their technical wizardry. Why do you need eight steps for that? Step 1: hire computer experts. Step 2: don't think about cybersecurity ever again.
Actually, it's not that simple. Understanding computer technology is definitely a big part of understanding cybersecurity. But cybersecurity also overlaps with the arts and humanities. To understand cybersecurity properly, you must learn about the psychology of the interactions of people with computers. Then you must also learn the sociology of the interactions of groups of people with computers and how people within those groups influence each other's behavior. Cybersecurity is as much of a human area of study as it is a technological area of study.
The first step to improving your company's security posture is to foster a strong security culture. Culture doesn't manifest in the firmware code on your PC's motherboard. Culture is about the ideas, attitudes, and styles people create and maintain in their interactions with each other. Your company could have the best security policies and the most expensive network security devices. But if the people in your company don't behave in a secure way, improving your security posture will be an uphill battle.
From the balcony of my skyscraper condominium, I can see mighty maple trees thriving near Toronto's lakeshore. Those maple trees evolved over thousands of years to survive harsh Canadian winters. Their genes make them hardy, and they produce a resilient life-form. But if it weren't for the deep nutritious soil and sufficient annual precipitation in their environment, those maple trees wouldn't be able to grow and survive for hundreds of years. That's why you don't see maple trees growing in the desert.
Your company's security culture needs to be the nutritious soil and sufficient precipitation for the seeds and saplings of your computer hardware, software, networking, security policies, and security staff to thrive to become the hardy maple trees of a resilient business with a strong security posture. Even though I don't intend for this to be a cheesy self-help book, I'm not going to stop with the flowery analogies. So, just hang on for the ride!
Before I get further into explaining how to foster a strong security culture, I really need you to understand how important psychology and sociology are to cybersecurity. So, I will start with a really abridged version of the story of Kevin Mitnick, the man who may still be the world's most infamous cyberattacker.
Kevin Mitnick, Human Hacker Extraordinaire
Kevin Mitnick is so notorious that you've likely heard of him, even if you've never taken an interest in cybersecurity. His name was mentioned in news headlines in the 1980s and 1990s.
Mitnick is known for conducting two major cyberattacks. The first one was in the news throughout the 1980s: a penetration of Digital Equipment Corporation's (DEC's) network, called The Ark. DEC was a major manufacturer of computer hardware and developer of computer software from the 1960s to the 1990s, focused on the enterprise market. It was perhaps best known for its PDP line of minicomputers. The minicomputers of the era were definitely not “mini” by today's standards. Early PDP hardware consisted of large boxes the size of a few refrigerators stacked together. Even the later PDP models produced in the 1970s were at least the size of a single refrigerator. They were classified as minicomputers simply because they didn't require the space of multiple rooms of a building. Anyway, I'm going to refrain from rambling on and on about the history of computing. Just understand that PDP computers were very important when it came to large businesses being able to process thousands or millions of customer records, in areas such as the airline industry or public utility companies. This was the most frequent way computers were used in the years before PCs (known as microcomputers) entered most people's homes.
In late 1979, a teenaged Kevin Mitnick acquired access to DEC's own computer system, access he was not permitted to have. This was widely reported in the news during his criminal trial in the 1980s.
Mitnick intended to describe how he maliciously accessed DEC's computer system in his book, The Art of Deception, published by my own book's publisher, John Wiley & Sons, in 2002. This material didn't end up in the first edition of Mitnick's book, but he confirmed to Wired that he wrote this:
Claiming to be Anton Chernoff, one of the (DEC) project's lead developers, I placed a simple phone call to the system manager. I claimed I couldn't log in to one of “my” accounts and was convincing enough to talk the guy into giving me access and allowing me to select a password of my choice.
Something stands out to me here. Without an account name and password, he wouldn't have been able to get in. The way he acquired those credentials was by social engineering. Social engineering in a cybersecurity context is all about fooling human beings into helping you acquire access to computer systems you aren't allowed to have. The specific kind of social engineering Mitnick did is called vishing. Vishing is when someone uses phone calls to pretend to be a trusted party, such as DEC developer Anton Chernoff, to acquire information that you're not entitled to have and that you can use to facilitate a cyberattack. Vishing is a category of phishing, where media such as text messages, web pages, emails, or social media messages are used to impersonate trusted entities to acquire malicious computer access. All kinds of phishing, including vishing, are common types of social engineering attacks. Mitnick exploited human psychology. The Art of Deception, indeed.
Mitnick started to learn social engineering when he was really young. In the mid-1970s when he was 12, he wanted to be able to ride Los Angeles public transit for free. So, he dumpster dived for unused bus transfer slips. He tricked a bus driver into giving him a ticket punch by saying he needed it for a school project. From there, young Kevin Mitnick was able to spoof bus transfers for free rides. But he couldn't do it without social engineering the bus driver.