Something About Everything—CompTIA Security+ SY0-601
The Quickest Reference Book for Every Single Item on the Exam Objectives
- Type Paperback
- Pages 619
What's the worst that could happen and how prepared are we for the sinister possibilities of midair cyberattacks?
How the pros of homeschooling could outweigh the cons, and why every parent should explore the idea at least once.
Could over-reliance on ChatGPT decline the optimal engagement of our brains? Does Edward Tian's invention hold a solution for concerned schools?
Setting up mentorship roundtables with the next generation. Could I possibly change the future at a coffee shop?
Why can't we do in 2023, with insane technology, what we did in 1969 with rudimentary technology? Is there something we're not being told?
With social media becoming an integral addon to normal life, what parts of our brains (AND LIVES!) could we be destroying one click at a time?
A key to passing cybersecurity exams as broad in scope as the Security+ is to get a good grasp of cardinal concepts, and to generally ensure that you know something central about everything on the exam objectives. With this learning method, candidates are not blindsided by any aspect of the exams, and the trickiness of the questions is easily straightened out. With this book you will:
Indeed, with the Security+, and of course with cybersecurity in general, the most prepared people are not those who know everything about something, but those who know something about everything.
21 Amazing Recipes to go from Novice to AWS Master Chef
The Beginner Cookbook You’ve Been Searching For!
◆21 full recipes!
◆Powerful skills interestingly presented!
◆Zero CLI!
◆100% Management Console!
◆Core AWS Services
In a desire to garner practical skills, AWS beginners often find themselves combing through stacks of instructional videos, blogs and documentation that run through confusing lines of commands and code, leaving them wondering if AWS is really as simple as they say it is.
This recipe book contains 21 thorough recipes that are all deliberately cooked through the AWS Management Console, in order to spare you the frustration of copying and pasting commands that are, to you at this stage, incomprehensible jargon that gives you the finished product but still leaves you clueless about the real process.
In this book, you will fix recipes with a wide range of AWS services including DynamoDB, AWS Lambda, EC2, Amplify, S3, IAM, VPC, Transfer Family, API Gateway, RDS, EFS, Route 53 and more. Each recipe is carefully designed to stand independent of the rest while remaining somewhat connected, thus achieving the effect of both building on the skills you’ve acquired from other recipes and, at the same time, introducing you to new concepts, methods and skills as you go along.
The end product of this book is that, not only will you no longer be in a position where you have theoretical cloud knowledge without practical cloud skills, you will have 21 defendable and repeatable real world projects under your belt!
When you’re done with this book, you will have become one with the process, and like a real Master Chef, you will be able to light the fire anywhere and fix the meals without opening the book.
Bypassing the Gatekeepers in Cybersecurity
Backdoor is a 360-day strategy to help get anyone from any field into cybersecurity without the seemingly inevitable teeth marks of ferocious gatekeepers. It reveals another path that bypasses the heavily guarded gates and meanders through several unmanned doors that lead you right into the centre of the industry.
We really don’t want you to break into cybersecurity; we want you to walk in.
Why awareness trainings are plateauing and how a different approach can change everything!
The intensity of data breaches and ransomware attacks has been unprecedented. Barely midway into the year 2021 we had recorded over 1000 ransomware attacks, far exceeding what has ever been seen in previous years. Millions of dollars have been paid in ransom and there have been thousands of reported data breaches affecting organizations of various sizes. Depending on whose report you’re reading, 80% to 95% of these breaches are caused by human error in the workplace—someone downloaded something she shouldn’t have, someone else forgot to download something he should have. This proliferation of fatal errors has driven organizations to increase their spending on employee cybersecurity awareness trainings, in hopes that this will save the situation and exempt them from the fast-growing list of cyberattack victims. However, this increase in awareness trainings does not seem to have changed much in the grand scheme of things. The curves of employee awareness trainings and of corporate data breaches resulting from human error, when plotted on a simple time graph, both progress upward and to the right simultaneously. Recently it has been discovered that, while awareness trainings produce immediate results, there are certain limitations in them that make those results short-lived and the approach unsustainable. This book was born from a careful evaluation of those limitations in a bid to remedy the situation and provide enduring results. It is a self-led boot camp that does not merely educate employees and employers with cybersecurity best practices for the workplace, but goes much further to practically equip them with strategic tactics for effective combat in cyberwarfare within and outside the organization. If cyberspace is at war, and indeed it is, then this book in your hands is a conscription plan.
THOSE WHO LEARN NEW SKILLS DON’T DO SO BECAUSE THEY HAVE THE TIME; THEY DO SO BECAUSE THEY HAVE THE TECHNIQUE
This book provides very actionable principles and techniques that can be used to learn new skills amidst your busy schedule. In today’s fast-paced world, learning new skills is an essential part of personal and professional growth. However, many people, though painfully aware of their need, struggle to find the time to learn these skills that they have identified as crucial to the overall improvement of their lives and careers. The reality we must confront as we try to deal with this situation, however, is that we would never have more time than we presently do; this is because, often times, what we call “more time” comes as a result of learning certain skills that put us in a position where we can do the things we want to do with our time, but these are often the very skills we currently don’t have the time to learn. This book was written to address this situation by teaching a very simple concept which readers can apply to learn new skills more efficiently and effectively when they simply don’t have the time.
Whether you’re a busy professional wanting to acquire new job skills, or a student wanting to learn an important subject, or a busy stay-at-home mom desiring to attend to your personal development, SPARTAN FOCUS AND THE FEYNMAN TECHNIQUE will help you learn faster, better, and more efficiently in an interesting way, even when you don’t have the time.
2-IN-1: ⚠ Serious Productivity ♥ Exciting Activity
Are you tired of having difficulty concentrating on important tasks and solving complex problems? If so, this book is just perfect for you! Cybersecurity researcher and author Femi Reis explains the concept of Randomized Attention Dispersal, which is spreading in this digital age; he presents some carefully developed Brückenbau exercises to help improve attention span, while also providing an interesting application of the Feynman Technique Algorithm for developing logical solutions to practical problems.
Whether your attention span is strong, weak, or somewhere in-between, you will find these focus-building exercises and problem-solving techniques both helpful and exciting.
Benefits of Reading This Book:
– Develop your cognitive focus and increase your attention span
– Learn to solve complex problems with ease and logic
– Enjoy an exciting range of Brückenbau exercises to improve your cognitive abilities
What’s Included:
– Introduction to the concept of Randomized Attention Dispersal
– Extensive range of Brückenbau exercises for focus-building
– Unique application of the Feynman Technique Algorithm using Cognitive Transfer
– Self-developed framework for tackling practical problems
Draw your own guided plan to:
◆Reclaim your solitude
◆Regain your focus
◆Take back your time
◆Break free from the drain of self-depleting technologies that are part of our work and life
In the midst of an ever-advancing digital landscape, we find ourselves ensnared in the web of technologies and tools that permeate our daily lives. Our mental and emotional spaces have been invaded by platforms that are constantly sapping our solitude, focus and time without us realizing the full extent of their damage. If this drain goes unabated, our mental health will be adversely affected, and a breakdown will be the ultimate inevitable outcome. This is something we can’t afford.
REWIRED presents a simple and compelling counterplan, developed and implemented by the reader to suit their unique circumstances. Here you will get to understand the hidden impacts of technology on your wellbeing, and use the actions worksheets to develop a very practical action plan to help you cultivate solitude, regain focus, and reclaim time.
REWIRED is not just another self-help book; it’s a call to action, a manual for resistance against the pervasive hold of self-depleting technologies.
This book is not about rejecting technology but about reshaping our relationship with it. It is a guide for those who seek a balanced digital life—one that enhances creativity, deepens real connections, and fosters peace of mind and personal growth.
Anyone who has ever run a small business knows how it feels to wear many hats—CEO, Designer, Marketer, Accountant, Lawyer, and more. Swiftly changing multiple hats as you work, you end the day running on fumes, wondering if you really did anything well. You wish you could hire a team that could take some things off your plate, but you are still bootstrapping and don’t yet have the financial resources to employ others to do some of the things you currently do.
But what if you could build a Team of Robots and deploy them to work full-time with you? They won’t get tired like you and me, they won’t take vacations, they won’t call in sick, nor would they experience other limitations that are common with us. The truth is this: there are several tools out there to help you build one.
A Team of Robots is a simple guide to introduce you to various automation possibilities you can explore using available AI tools and platforms to make your work easier and more effective. With its simple step-by-step micro-projects, this book lays a foundation on which you can build and explore more areas of application in using available AI tools and platforms to expand your Team of Robots.
You shouldn’t be any more comfortable with public WiFis than you are with public toilets.
If you turn on the WiFi on your device right now, depending on where you are, you will find somewhere between three and perhaps a hundred available connections. Each of those connections acts as both mouths and ears, and there’s no telling the number of ears that could be plugged into them.
If you’re reading this blog, say at an airport, waiting to board a flight, you will find an open WiFi connection that travellers can use without requiring a password. If you’re at a hotel, you might find one for guests. Let’s look at the airport WiFi; you have hundreds, or even thousands, of people connected to it: some are checking their mails, some are watching movies, some are catching up with office work en route to their destinations, some are running financial transactions, and some are simply…listening. They are harvesting as much information as possible, to do as much damage as possible in as little time as possible. The boarding announcement for a flight is made and a few hundred people shut down their devices and proceed for boarding, looking around to be sure they are leaving nothing behind, yet not knowing that the “invisible” that they have left behind is worth far more than the visible that they have taken with them. Some have left behind passwords to the corporate networks of the companies where they work, some have left behind access information to their bank accounts, some have left behind proprietary information on the next product they are working on, some have left behind very private information that was meant for only their spouses. They have boarded the plane and are airborne; the rest of the story will be on the news—a ransomware attack with payment demanded in bitcoins.
Now this was possible, not because it was an airport WiFi, but because it was a WiFi, and the users had little or no understanding of how wireless bullets are fired in cyberwarfare, which is what we’re going to see now—how attackers use WiFi to fire their shots (again we might go just a bit technical here).
Man-in-the-Middle Attack: This is very common with unsecured (open) or poorly secured WiFi connections. All the attacker has to do here is plug into the network and find vulnerabilities which he can exploit to deploy tools to intercept users’ communications. If these communications are encrypted, he simply decrypts them using other cheap tools, and at the end he has a bag full of login credentials, banking information and other personal data.
Evil Twin: Here an attacker sits in a public place and transmits his own free wireless signal, but gives it the same name as a known WiFi network in that place. So if you’re at the airport, for example, you could see two WiFis bearing the name “Airport Guest”; however, what you wouldn’t know is that one of them is an evil twin. Of course your most natural tendency would be to connect to the one with the strongest signal, which most likely would be the attacker’s, who is seated just a few metres away. So you connect to this network and believe you’re on the airport’s WiFi, but you are right in the centre of his palm, and everything you do he both sees and keeps.
Packet Sniffing: Packets are “capsules” in which the information you send over the internet travels. When this communication is done over a WiFi connection, these packets can be captured by anyone on the network using very simple tools. An attacker capturing the packets can decrypt them if they are encrypted and have everything in plain text for his use—usernames, passwords and all.
Session Hijacking: An attacker on the same WiFi network with you can “clone” your device by changing his device ID (called a MAC address) to the same as yours, then get into an active session that you have running and act as you from that point on—except he will be acting much faster than you. (See the chapter on Hijacked for more on this).
Other Random Attacks: Malware, spyware and a cocktail of viruses could be dropped on your device by an attacker sharing the same network. Of course this malware has been programmed to execute malicious code that will achieve the objectives of the attacker, whether it is simply to spy on you persistently, or to spread itself across your corporate network when you get back to the office, or to encrypt your files and demand a ransom; the malware, once safely deployed, would take its place and do its job. In this case, unlike other naïve WiFi users at the airport who left behind the invisible, you are not leaving anything behind, but you’re taking with you the invisible. Again we will watch the news for the rest of the story.
Marching Orders
It is not an unusual sight to see a full-grown man, face buried in his device, happily clicking away like a child let loose in a toy store on Christmas Eve. Each new click adds to the excitement, and the cyclical arrangement of the internet ensures that his clicking won’t be ending any time soon. Perhaps this is you online, in a virtual world where one click leads to another. The first click is always the easiest, the last click is always the hardest.
Let’s repaint this picture in the context of war, which is what this really is. You’re in a field with landmines buried inches beneath the ground; they are out of sight and sprawl across the entire field. You take your first step into the field and nothing happens, you take the next and nothing happens, then the next, and the next, and the next. Six steps away from where you started, everything is fine. But you’re still extremely cautious and sweaty with each step you take because you don’t know what the next step will cost you, you are fully aware that it could be Step 7, right foot, left foot and Boom!
Online advertisers estimate the average cost per click across industries to be $2.3—that’s what it costs them, not you. The truth is, you don’t know what the next click will cost you. It could be Step 3, right click, left click and Boom! The internet is a field of landmines, and each time you get on it, every click you make is a step deeper into it; very few things will help you like having a sporadic click restraint. Companies have lost millions of dollars because one man ran out in the field and never got to run back in, he stepped on a landmine and that was it!
The wise online are slow to click.
Marching Orders
For reasons that should be obvious, the staccato of gunfire is usually an unexpected interruption of the calm tunes of Silent Night, Holy Night or Kol Nidre, especially in areas that are hot for attacks or counterattacks. Timing is crucial in launching a successful surprise attack; the choice of time is as important as the choice of weapons and tactics. This is why most military attacks are carried out at night; the posture of the target by day is certainly different from the posture by night, and such nocturnal attacks give little time to marshal whatever forces there be.
Holidays have been a choice time for surprise attacks in warfare, from the Battle of Trenton in 1776 to the Tet Offensive of 1968 and the Yom Kippur war of 1973. Again the reason for this is obvious—the overall security posture of an army on a national holiday is quite different from its posture on other days. The mental conditioning of a people on a religious holiday is very different from other days. When you’re getting dressed for church on Christmas morning, the last thing on your mind is a bomb falling from the sky; the aroma from the kitchen, the lights on the tree and the Christmas tunes playing in the background make it almost impossible for your mind to accommodate any thought that isn’t blissful. The invading army knows this, and so they haven’t spent the days leading up to Christmas shopping; they’ve spent it fine tuning their plans for a Christmas morning strike.
Attackers in cyberwarfare seem to have bought into this as well, choosing holiday seasons as prime time to launch surprise attacks, especially against companies and businesses. On Christmas Eve, everyone is out of office, the Chief Information Security Officer of your company is out of the country with his family, every member of your Incident Response Team is scattered around the globe, and the last thing they are expecting is a call from work. Apparently, if anything goes wrong, your response time wouldn’t be optimal. The attackers know this, and they choose it as the best time to launch their attack.
Now, there are two general means by which attackers launch a holiday attack. The first is to spend sufficient time prior to the holiday planning the attack, deploying the various methods we’ve seen in this book, yet without launching an offensive. They check for vulnerabilities, gather open source intelligence, look for watering holes, and do all they can to fine tune the plan. Then on the eve, or the day, of the holiday they launch the offensive, the goal being to move in, act fast and take over your infrastructure before you can be alerted that you’re under attack and appropriately respond to it.
The second is to spend sufficient time prior to the holiday seeking to gain access into your network and place what is called a Logic Bomb in it. A logic bomb is a ticking time bomb that is placed unnoticed in your network and detonates at a set time, or when a preconfigured condition is met. Like a regular time bomb, it does absolutely nothing destructive until it explodes, and this often makes it hard to detect; your network could function as normal, there might be no unusual processes running, your computers might work with no noticeable drop in performance, everything could be just fine…until Christmas day. Again, this logic bomb could be dropped in your network by several methods—a mercenary within the organization could work with the attackers to drop the bomb, a casual insider could click a link, or any other means could be used by the attacker to get it in. However, whether they choose to drop a ticking time bomb that detonates on Christmas morning, or they choose to move in with their tanks on Christmas Eve, the fact remains that it will be a Christmas to remember, and not for the food and hearty conversations around the table, but for the crack of gunfire in cyberspace that changed everything in an instant.
Marching Orders
Remote wipe is a functionality that enables you to wipe off every shred of information on your device from a remote location. Typically, if your device gets stolen, some of the first things the new possessor would do would be to check for banking apps and other apps that can be used to perform financial transactions on the device, check emails, messages and other communication apps for information that can be used for malicious activities including initiating or progressing with certain conversations on your behalf or forwarding certain information to other destinations for next steps, and a long list of other things that would advance his malicious intentions. If you do not have a self-destruct plan for that device, you are toast! With remote wipe, all you will do is log in from another device, establish a connection with your stolen device and blow it up to high heavens, pulverizing everything you have on it. You sure might not get your device back, but you would have minimized the exploits and systematic attacks that would have followed your losing possession of it.
The goal of this short chapter is to get you comfortable with the idea of blowing up your own things, and here’s how to go about it.
Marching Orders
It’s a sad picture in war-torn countries to see 10-year-olds holding rifles. As a matter of fact, in some of these countries, children could gather live ammunition just playing on the streets. These armed children are meant to join in the defence of territories, mainly territories under the control of rebel groups. Whatever the narrative of a country, and however deplorable the war situation might be, nothing justifies an AK47 in the hands of a 10-year-old. As a matter of fact, a gun in the hands of a 10-year-old doesn’t make the territory more secure, it only makes it more dangerous.
Now, in the heat of cyberwarfare, I see a lot of children with smart mobile devices—phones and tablets. As it is, every internet enabled device is a gateway into the battlefield where no one is 100% safe. To have a child own one of these is to grant her unhindered access into the war zone. We might argue and explain that we have active parental controls on these devices—blacklists, whitelists, firewalls, and other features the manufacturers have put in place. How about giving your 5-year-old daughter a loaded pistol and being at ease because it’s on safety? It doesn’t make sense. And it doesn’t make sense to give your 5-year-old an access point into a terrain where bullets and bombs are flying around, believing that you have an impregnable firewall around her. Remember what we said at the beginning of this book? We’re at war and there’s no DMZ. In a war situation where we can’t evacuate children, the wisest thing to do is to equip them, not to arm them. Equip them with knowledge of what to do if they find themselves in certain scenarios; equip them with knowledge of the attack methods of the enemy and how to escape unscathed. But once you get them an internet enabled device, with parental controls, you have moved away from equipping them to arming them.
Another angle to this is that when you give a kid a device to connect to the internet, you are actually sharing your network with a 5-year-old who knows nothing about the dangers of sporadic clicking. The same way your child could open the door to strangers at home, she could also open the doors to strangers in cyberspace. You shouldn’t be at ease sharing the network with a 5-year-old. So at what age would it be appropriate to give a child an access point to the battlefield? That’s a whole debate on its own, and we are not going into it here; right now we are so busy conscripting that we can’t pause for family debates. Whatever the case, the bottom line is this: you don’t want your 5-year-old out there in the midst of the dust and chaos of war; if she’s hit by a stray bullet, you would have yourself to blame, and at that point your much-trusted parental controls would release some updates to patch their vulnerabilities, but there will be no updates to patch her wounds.
In light of this, what must you do?
Marching Orders
When terrains get more and more unsafe, security checks will of necessity be multiplied. As I drive around certain regions in Sub-Saharan Africa, I encounter military checkpoints almost every 3 miles. There are dos and don’ts at these checkpoints that guarantee the security of whoever it is that seeks passage. As cyberwarfare gets more intense, such checkpoints are also being multiplied, and thankfully so. If you’ve had to do anything of medium to high importance online today, you must have passed through one or two of these checkpoints; they are called login forms. Like physical gates, the most basic function of login forms is to keep the bad guys out and let the good guys in (just like we saw with passwords), and there are certain protocols that will improve your security as you seek to gain access at these gates.
A Day in the Life of a Surfer
Monday morning, just after coffee.
You need to get some transactions done—send some money to your mom, pay some bills and wire some funds to your suppliers—so you go online and “drive” up to your bank. As you approach the bank you meet the gates locked, and that’s a good thing, it will be unsafe to have it otherwise; so you’re greeted by a login form asking you to identify yourself. You pull out your ID and password (hopefully the classified ID, as we saw in a previous chapter), then they ask you what year your grandmother died and you tell them, and within seconds you’re in and attending to the things you came to do.
Next, you need to check on a few friends who live on Facebook, so you drive up there to say hi and again you’re greeted by locked gates. You enter your ID and password (hopefully not the same ID you used at the bank), but you consider a few things—you visit here quite often and wouldn’t want to keep doing this each time you come, so you tell the guys at the gates to keep them open and not border asking questions whenever you come visiting in the future with this particular vehicle (aka your device); you do this by clicking on “Keep me signed in” as you proceed to see your friends.
When you’re done, you decide to go to the bookstore and get yourself some copies of that good book on equipping every employee for cyberwarfare, so you drive up to Amazon and, as expected, the gates are locked and your ID and password are needed. With all the cyberwars going on, you’re already used to these checkpoints. You again supply your ID and password and are granted access. But as soon as you drive in, your browser throws up something interesting: “Save username and password for this site.” That sounds like a stress saver, so you click Save.
Finally you decide to go to school and turn in your overdue assignments, so you drive up to Coursera, and yet again you are greeted by locked gates. But then you see this little button that says “Sign in with Gmail”. Looks like this will save you a lot of stress typing in your email and password, so you click on it and voilà! You’re in. You submit your assignments and you’re done for the day, it’s time to go back home.
Now let’s evaluate everything that happened at each gate.
At the bank
We don’t see any additional information being requested apart from your ID, password and the answer to a security question. That is all you used to gain access. You have your life’s savings in there, and you feel an email and a password plus the year your grandma died is good enough to keep the bad guys out and let you in? Note that the security question is not a second factor at all; it is just another thing you know, and often something an attacker can look up or guess (an obituary, a genealogy site, a chatty relative on social media). The protocol at such gates should have an extra layer of security: you should enable what is called multifactor authentication (MFA), either by having a one-time password sent to your phone or, better, by generating it from an authenticator app or a hardware token, since codes sent by SMS can be intercepted or redirected by a SIM swap. In times of war, the eyes of rebel groups are where the money is, and you can be sure they are hitting harder on those gates than on any other.
At Facebook
By checking the “Keep me signed in” box, you told the guys at the gates to always let you in and never ask questions whenever you come around with that particular car (in this case the particular device you are surfing with). Now the danger in doing that is this: what happens when you hand over your car to someone else and she decides to drive to Facebook? Or what if a friend (or foe) finds your car keys and drives up to Facebook with it? If, for any reason, someone else is on your computer, the guys at the gates will see the car coming from afar, smile like happy storekeepers and let him in without asking questions, just as they have been instructed, and the intruder will have full access to act as you on that platform.
At Amazon
You told your browser to save your username and password. What you actually did was instruct the guys at the gates to keep a copy of it for future use. The implication is that if anyone else uses that browser to visit that site on that device, the guys at the gates will bring out a copy of your credentials and say, “Here, we already have what you need to get in.” That is what happens when you visit a site and your email and password are already filled out on the form, just waiting for you to hit Enter. Not only will the intruder have full access to your account, she could also click the “Show Password” button at the gates if it’s available (some browsers ask for the device password before revealing it, many do not) and then copy it out for future access on other browsers and devices.
At Coursera
You clicked on the button that said “Sign in with Gmail”. That is called federated identity: Google acts as your identity provider and vouches for you to Coursera, and it really takes off the stress of reaching down for your ID and password to gain access. But by using that button, what you are saying to the guys at the gates is, “Hey, the folks at Google know me, you can check with them and they’ll confirm.” So the guys at the gates check with the folks at Google and the folks at Google say, “Yes, yes, we know him, we trust him.” Then they come back to you at the gates and say, “Boy! You sure are something! If they trust you at Google, then we trust you too. Go on in and enjoy your stay.” While this might not be altogether bad in itself (one well-protected Google account can be safer than a dozen weak per-site passwords), the issue is that at every point you do this, you are widening the circle of trust. So when you keep clicking this button at different gates in different places, the circle of trust keeps getting wider and wider, and your Google account becomes the single key that opens all of them: whoever takes over that account walks through every gate where you signed in with it. In the time of war, trust is a luxury you should be slow to share. No one needs a wide circle of trust at war; it only increases the odds of betrayal. Different platforms have various levels of compliance with federated identity security standards, and your circle of trust will only be as strong as the weakest link in that circle; once that weak link is broken, there is no telling the extent of the collateral damage. If you do use federated sign-in, protect the identity provider account with the strongest MFA available and keep a list of the sites that depend on it.
At Every Place You Visited
Finally, did you notice one common omission at all the places you visited? You didn’t log out from any of them; you left the gates wide open and drove away! Who in the world does that? Well, over half the world does that. Not locking your gates behind you in war-torn cyberspace is certainly dangerous practice, and you wouldn’t want to expose yourself by such an act of neglect.
Now let’s wrap this up. There are battle protocols at the gates that you must be aware of as one who is unavoidably and inescapably involved in the ongoing war in cyberspace. Compliance with these protocols will make you more effective at dealing with the enemies at the gates who are trying to force their way in right after you. Apply these principles and your defence will be heightened. Let’s take our orders.
Marching Orders
February: A2A4ixmargatsni+FEB
March: A2A4ixmargatsni+MAR and so on.
Do this only for your most sensitive platforms, lest it becomes too cumbersome to manage. Finally, as always sound the battle cry to those around you—“You stand or fall by what you do or fail to do at the gates.”
While we are still on gates and access, it would be good to look at the possibility of being hijacked after you’ve made it through the gates. Normally, when you drive past the gates, your assumption is that you are safe; you don’t keep looking over your shoulder as you go about your business. Since everything was fine at the gates, you relax and lower your suspicion as you freely run your transactions, purchase your book and submit your assignments. But the fact that the check was solid at the gates doesn’t mean the terrain is completely safe; checkpoints don’t end the war, they simply provide checks while the war persists, and an attack can take place on either side of the gates—your activities within the gates can literally be hijacked! How does this happen? Let’s backtrack a little. You are driving up to your bank to run some transactions and you are greeted by locked gates (the login form). You provide your credentials, the guards look through them and confirm that they are legit, so they print you a visitor’s tag with a unique visitor’s ID and other information that allows you to go in without being kicked out by other guards within the premises in the middle of your transaction. This visitor’s tag is what we call a session token (on the web, usually a cookie that your browser sends along with every request). Now picture that by some clandestine means a malicious adversary was able to get a copy of your visitor’s tag; say he was not too far away with a long lens, zooming in and taking snapshots of the tag as it was being printed out and handed over to you (of course the actual methods of getting this information are more technical than this, but that’s not our focus here). Now he has the same tag you have, and it lets him go about your business without being kicked out too. He hijacks your session and goes to work, gathering the spoils of war—either transferring funds or stealing information or running other transactions.
Note that you might be done before him and leave (especially by simply closing the tab without logging out), but he’s still in there executing operations on your behalf; by the time you realize what has happened, he would have been long gone, leaving behind the ruins of his attack.
Session hijacking is a very common form of attack in cyberwarfare, and there are several ways an adversary could steal session tokens: he could exploit a vulnerability in the destination site and plant a script there that copies the token when you come in (cross-site scripting), or he could intercept the traffic between your browser and the site, for instance on an open Wi-Fi network, and read the session information out of it. Whichever method he uses, yours is to be aware of this possibility beyond the gates and to establish countermeasures to avert its occurrence: log out when you are done so the token is cancelled at the server, avoid sensitive transactions on networks you don’t trust, and prefer sites that use HTTPS throughout.
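Here is what the visitor’s tag looks like on the server side, as an added example that is not code from this book: a small session store that issues random tokens, checks them on every request, and cancels them on logout or after a period of idleness. The user name, the 15-minute idle timeout and the cookie settings are assumptions chosen for the demonstration. It shows why a copied tag works for the attacker only as long as your session is alive, and why closing the tab is not the same as logging out.

```python
import hashlib
import secrets
import time

# Assumption for the demonstration: a session dies after 15 idle minutes.
IDLE_TIMEOUT_SECONDS = 15 * 60


def _fingerprint(token: str) -> str:
    # Store only a hash of the token, so a leaked copy of the store
    # does not hand out usable visitor's tags.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """Server-side record of which visitor's tag belongs to which user."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token fingerprint -> {"user": ..., "last_seen": ...}
        self._clock = clock  # injectable so the demo can move time forward

    def login(self, user: str) -> str:
        # A fresh, unguessable tag is printed for every successful login.
        token = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def whoami(self, token: str):
        """Who does this tag belong to? None if it is unknown, revoked or stale."""
        key = _fingerprint(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[key]  # stale tag: tear it up
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, token: str) -> None:
        # Logging out cancels the tag at the gate; every copy of it dies with it.
        self._sessions.pop(_fingerprint(token), None)


def session_cookie_header(token: str) -> str:
    """How the tag should travel to the browser: unreadable by page scripts
    (HttpOnly), never over plaintext (Secure), not sent on cross-site requests (SameSite)."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def simulate_hijack() -> dict:
    """Walk through the scenario: the attacker copies the tag, and the victim
    either logs out properly or merely closes the tab."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    outcome = {}

    # Run 1: victim logs in, attacker copies the tag, victim logs out.
    tag = store.login("femi")
    stolen_copy = tag
    outcome["attacker_before_logout"] = store.whoami(stolen_copy)
    store.logout(tag)
    outcome["attacker_after_logout"] = store.whoami(stolen_copy)

    # Run 2: victim logs in again but just closes the tab; the tag stays
    # valid until the idle timeout catches up with it.
    tag = store.login("femi")
    stolen_copy = tag
    clock[0] += 10 * 60
    outcome["attacker_ten_minutes_later"] = store.whoami(stolen_copy)
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    outcome["attacker_after_idle_timeout"] = store.whoami(stolen_copy)
    return outcome


if __name__ == "__main__":
    for step, who in simulate_hijack().items():
        print(f"{step}: {who}")
    print(session_cookie_header("<token>"))
```

The Set-Cookie line is where the two theft routes above are blunted: HttpOnly keeps a planted script from reading the cookie, and Secure keeps it off plaintext connections. Neither helps once the token has already been copied, which is what logout and the idle timeout are for.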
As a Conscripted soldier, here is what you must do.
Marching Orders
From: …@security-paypal.com
To: Femi Reis
Dear User,
You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report this activity and update your password immediately to avoid any possible compromise.
Thank you for using PayPal.
Such emails drop into my inbox often; I am sure they aren’t strange to you either. I thought we should start where all awareness trainings start and where most awareness trainings end—phishing.
There’s a concept in warfare called Military Deception (MILDEC), a branch of information warfare in which the target is fed false information so that he makes decisions to his own detriment. History is filled with battles in which victory and defeat were determined exclusively by MILDEC. It is what attackers in cyberwarfare seek to achieve with phishing (pronounced “fishing”). Phishing emails contain information that generally appears to be in your best interest, but with the goal of getting you to make a decision and take an action to your own detriment. In cyberwarfare, a staggering three billion phishing emails are fired daily; some of these are random shots while some are fired with pinpoint precision at very specific targets (this is called spear phishing). Picture that you receive an email from “PayPal” notifying you that you just successfully logged in to your account from El Paso. El Paso?! No way! You are in faraway Nairobi and haven’t even made any attempt to log in to your PayPal account. This sure is an indicator of compromise, you think to yourself. At this point your palms are sweaty; there’s $5,087.42 in your PayPal wallet and you must stop this activity before a cent of it disappears! Thankfully, “PayPal” has provided a link in the mail for you to arrest the situation immediately; you can change your password promptly to lock the intruder out, and then report the case to enable them to investigate further. So you click on the link and it brings you to a password reset page; you enter your old password and your new password and successfully perform the reset. “Phew! That was close,” you whisper under your breath, but on the other side of the globe, in a little room with five men on their laptops, one of them jumps up, throws his fist in the air and shouts, “Yes! That was spot on!” The other four keep phishing without breaking focus. The “old password” you typed was your real one, and it went straight to him. A few minutes later you receive a transaction invoice from PayPal for $5,000; your wallet balance is now $87.42.
You’ve just been drowned by a phisherman! Like in the battles fought in Arab deserts and African jungles, MILDEC has once again delivered in cyberspace.
Phishing is a common attack method in cyberwarfare. Here the attacker sends an email with the aim of getting you to take an action that will appear to be in your best interest, but will actually be tantamount to pulling the pin of a grenade right in your own house. The question then is, how can you tell when this is happening to you? Let’s go back to the email we started with.
From: …@security-paypal.com
To: Femi Reis
Dear User,
You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report this activity and update your password immediately to avoid any possible compromise.
Thank you for using PayPal.
The first thing you should check is the sender’s email address. In this case it ends in @security-paypal.com[1]. The root domain (more formally, the registered domain) is the actual sender. Let me explain. The root domain is the last word, or group of words, that comes just before the ending, here “.com”. In this case the root domain is a compound word (two words joined with a dash to form one word), which is security-paypal. That is the actual sender. This email is not from PayPal; it is from security-paypal (security dash paypal)—whoever that is. Many times the dash is introduced to trick you into believing it is a subdomain of PayPal. Again, let me explain what a subdomain is. If the address had ended in @security.paypal.com, the root domain would be paypal, the single word that comes just before “.com”. The subdomain is security, and it is always separated from the root domain with a dot, not a dash. Subdomains are not separated with dashes, they are separated with dots; if you have a dash, it is still one word and it forms the root domain. So an address ending in @me-you.com is not coming from you.com, it is coming from me-you.com; an address ending in @me.you.com is coming from you.com; the last single or compound word before the ending is the actual sender. The same rule holds for endings other than “.com” (.org, .net, .ng and so on); only with two-part country endings such as .co.uk do you look one word further back, so that accounts.paypal.co.uk belongs to paypal. Beware, too, of the trick in the other direction: paypal.com.something-else.net is not PayPal either, because the root domain there is something-else.
Attackers, however, sometimes find a way to spoof a proper email address, spelt with the actual root domain, to launch the attack, so another thing you should look out for is the greeting. Are you greeted by name? If this mail is coming from a company with which you have a valid account, you shouldn’t be addressed as “Dear user”; you should be addressed by name. But then again, that’s not an automatic green light that confirms everything is fine; phishing could be targeted with such precision that it bears the name of the intended recipient, as was the case with Podesta. You could be greeted by name and still be dealing with a phisherman, so there must be other things to look out for. How about the grammar and spelling? Many phishermen are given to silly typos and errors in grammar, so looking out for these could be a good indicator; an email from PayPal shouldn’t be muddled with typos. Yet again, this phisherman could be an Ivy League graduate with his mail well worded and his hook well baited; there must therefore be other things to look out for beyond the wording, and here’s a final one. Every phishing email wants you to take an action—either click on something or reply with something. If there are links or buttons in the mail on which you are advised to click, those links will not be pointing to paypal.com; they will be pointing to the attacker’s den. The Reset Password button wouldn’t point to paypal.com, it would point to death, and here’s how you will know. Without clicking on the link or button, simply hover your mouse over it, if you’re working on a computer, and the link will be revealed at the bottom left corner of your screen; you will see that it doesn’t point to paypal.com but to a different domain.
If you’re working on a mobile device, press and hold the button or link (DO NOT TAP IT) and select the option that says “Copy link address” (or however it is worded on your device); you can then open a writing environment such as a blank compose window and paste the copied address there, and you will see where the link points. There are, however, cases where links are rewritten in emails (by link-tracking or mail-filtering services) such that they don’t show the actual domain spelt out plainly when hovered over. If you are in doubt whether this is the case, you can copy the link and scan it using an online URL scanner. Simply run a search for “online URL scanner” to find one.
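The address and link checks above can be written down as a short script, and doing so makes the rules precise. This is an added example, not code from this book: it pulls the registered domain out of a From header and out of every link, and compares them with the brand the mail claims to come from. The sample headers and links are constructed for the demonstration (security-paypal.com, account-verify.example and mail.example are not real senders), and the domain rule assumes a plain two-label ending like .com; country endings such as .co.uk would need the Public Suffix List.

```python
from email.utils import parseaddr
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """The 'root domain' of the text above: the last two labels of a host name.
    'security.paypal.com' -> 'paypal.com', 'security-paypal.com' -> 'security-paypal.com'.
    Assumption: two-label endings only; example.co.uk needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Registered domain of the real address in a From header.
    parseaddr ignores the display name, so '"service@paypal.com" <x@mail.example>'
    is correctly attributed to mail.example."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return registrable_domain(addr.rsplit("@", 1)[1])


def link_domain(url: str) -> str:
    """Registered domain a link actually points at (the 'hover' check)."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host)


def check_email(from_header: str, links: list, expected_domain: str) -> dict:
    """Flag a mail whose sender or any link is not on the brand's own domain."""
    expected = expected_domain.lower()
    sender = sender_domain(from_header)
    bad_links = [u for u in links if link_domain(u) != expected]
    return {
        "sender_domain": sender,
        "sender_ok": sender == expected,
        "bad_links": bad_links,
        "suspicious": sender != expected or bool(bad_links),
    }


# Constructed samples for the demonstration.
PHISH_FROM = "PayPal Security <notice@security-paypal.com>"
PHISH_LINKS = [
    "http://security-paypal.com/reset",
    "https://paypal.com.account-verify.example/reset",  # brand name as a subdomain
]
LEGIT_FROM = "PayPal <service@paypal.com>"
LEGIT_LINKS = ["https://www.paypal.com/myaccount"]

if __name__ == "__main__":
    print(check_email(PHISH_FROM, PHISH_LINKS, "paypal.com"))
    print(check_email(LEGIT_FROM, LEGIT_LINKS, "paypal.com"))
```

Like the manual hover check, this only sees the first hop: a link rewritten by a tracking or filtering service, or one that redirects, still has to be followed in a URL scanner to learn where it finally lands.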
Now, if you look out for all the indicators we have walked through and none of them exists—in other words the sender email appears legitimate and there is absolutely nothing in the mail that suggests it isn’t coming from PayPal—still DO NOT CLICK THE LINK. Whatever secure action the mail recommends you take, go to your browser or app, log in to your account and take the action from there—in this case resetting your supposedly compromised password. As long as it wasn’t initiated by you, never take an action from a mail even if you are convinced it is from a legitimate source; close the mail, go to your account and perform the action from there.
If the email requests that you reply with information or execute an action or financial transaction that is in your line of duty, adopt what I call an MFC policy—Multifactor Confirmation. Never supply information or carry out any sensitive action or transaction based on an email without reaching the sender through a second means—especially a phone call to a number you already have, not one given in the mail—to confirm it. If it’s not from a known sender, do your due diligence; be sure not to send any sensitive information in response to a mail out of the blue from someone you know nothing about. You can never be too suspicious at the peak of warfare. There are about 4.6 billion active internet users worldwide; with 3 billion phishing emails fired each day (21 billion each week), the odds are high that some of those bullets will come your way. To treat every unsolicited mail with suspicion is thus a wise approach in warfare.
Note, however, that all the actions we have seen here are simply meant to keep you from drowning, but that’s not our ultimate goal; you shouldn’t be content with sailing away to safety when you can as well drown the phisherman before you leave. So how do you do that?
Marching Orders
[1] As at the time of this writing www.security-paypal.com is not a registered domain name.
Soldiers never have to guess about what to do at war; hundreds of hours of drills in peacetime have not only carved what they are to do in every situation into their minds, they have committed it to muscle memory, such that they default to it without much vacillation. In many cases, the heat of battle doesn’t give you the luxury of time to ponder, deliberate and decide; seconds could spell the difference between life and death, and you must know exactly what to do well ahead of time. This level of ultra-high proactiveness can only come by developing a plan and walking through it prior to the sounds of shelling and gunfire.
In cyberwarfare this is also critical, and one plan that is crucial in achieving this is what is called an Incident Response Plan. The IRP, in its simplest form, tells you what to do when things get ugly. While every troop goes into battle with the preparation that should keep them from being hit, they also take with them the plan that should keep them moving if they get hit, and thus minimize the resulting disaster. That is the IRP. While a disaster might be unplanned, your response to it must always be planned. And that is why I advocate that every individual—not just organizations, but every individual—should have a Personal Incident Response Plan (PIRP) that they are very familiar with. Now let’s see what this plan looks like in plain battlefield language.
Developing Your PIRP
Marching Orders
From time to time, it is helpful to disappear from the scene for a day or two or more. The chaos of battle can be mind-numbing if it is never interrupted by seasons of calm. The sustained noise of war has an effect on the mind that isn’t good for your wellbeing. It helps to block out this noise from time to time in order to preserve your sanity. Aside from that, it also helps to be untraceable for a while, to lose your tail, to vanish from the scene and leave more questions than answers. You achieve this through the power of offline. We have over-explored the power of the internet to the exclusion of the power of not being on it. In warfare, there can be as much power in your absence as there is in your presence; not being seen is as much a strategy as being seen.
Take a day off cyberspace, take all your personal devices offline and quieten your mind, pull your thoughts together and sharpen your focus. If you have a dumb phone, this could be a good time to use it; otherwise just turn off all the connections on your smart devices—WiFi, hotspots, mobile data—for the duration of your offline period. In cyberspace, to varying degrees, you double as both the hunter and the hunted; in whatever capacity you disappear from the scene, it keeps the other side guessing. If you disappear as the hunted, it gets the hunter wondering, and if you disappear as the hunter, it gives the hunted a false sense of safety—it works either way. The more randomness you can add to your offline practice, the more unpredictability it adds to your pattern and strategy, and all this is in addition to the fact that when you get back online you return with more focus and clarity for effective warfare.
Now if you’re an adept internet user, one of the things that will keep you from exploring the power of offline is FOMO—Fear of Missing Out. You would consider a thousand and one things that you would miss out on if you went offline for 24 hours, but what I discovered is that many of the FOMO considerations are not mission-essential; they are mostly the 80% distractions that have occupied the engagement time and space of average users. I have discovered that when you schedule an offline, the vital organs hardly suffer; the 20% non-negotiable mission-essential functions are hardly ever hit by the blow. But if you still struggle with FOMO, then I would recommend a staggered implementation. Schedule an offline for just 3 hours and then come back and check your vital organs; has any been damaged? On a different day schedule a 6-hour offline and then come back and check your vital organs; any damaged? Do it again for 10 hours on a different day, and then 12, and go on that way till you hit a 24-hour offline. I bet you will find your vital organs intact, and the exercise will give you better control of your engagement on the battlefield; it will heighten your focus and give you the power to ignore more CATs that prowl around. Commit to applying this strategy and you will be amazed at the enormous benefits that are locked in the power of offline.
Marching Orders
Knowing that he will have to carry his gear everywhere he goes, the soldier ensures that every single item he packs in it is mission-essential; he can’t afford an ounce of weight that isn’t critical to his survival on the battlefield. Literally every item in his gear can save his life at some point; those things that can’t will have to stay out, because in wartime, needs are defined by absolute necessities.
Unfortunately, we have not packed our devices for smart warfare; we have stuffed them with nice little things that not only have no bearing on the mission, but even have tendencies to get us hit. When it comes to installing applications on your device, you must realize that you are packing your gear for war. Every additional app you install, no matter what it does, broadens your attack surface. Let me explain. Picture a phone that has zero applications installed on it; all it has is its operating system. Any exploit that an attacker will carry out on that phone must come from a vulnerability that he finds in the operating system—that’s the only window he has. Now let’s install a communication app on the phone; the attacker can launch an attack by seeking and exploiting vulnerabilities in the operating system and in the communication app. He now has two windows—the attack surface has broadened. Add a third app, three windows. A fourth app, four windows. Every additional app broadens the potential attack surface. Thus a device with no app on it is technically safer than one with five, and that with five is technically safer than that with ten, all other things being equal. In battlefield language, your behind is potentially further exposed with each additional app you install. But you certainly will not carry a phone with no application on it any more than a soldier will carry a pack with no item in it. So how must you then pack your device? Two principles come into play here—the Principle of Least Functionalities and the Principle of Least Privileges.
The Principle of Least Functionalities
Like I said, you must choose your apps the same way a soldier will choose items for his backpack, and the question to ask is this: “Is this application mission-essential? On a scale of 0 to 10—10 being the highest—how critical is this app to my overall mission?” The Principle of Least Functionalities demands that you install only the least amount of apps necessary to perform mission-essential functions—whatever your mission is. If the answer to the essentiality question is No, Low, or Maybe, then the app is best left in the app store.
The Principle of Least Privileges
This demands that after you have installed the least number of apps you need for mission-essential functions, you go a step further and give these apps the least amount of privileges or permissions they need to carry out those functions. Typically, by default, apps will request all the permissions in the world, including permission to control your life—which is hardly ever listed but almost always granted. But note that there’s a difference between the permissions an app requests and the permissions an app requires. In almost all cases, the requested permissions are far more than the required permissions. The Principle of Least Privileges implies that you will only grant that app the permissions it needs to perform the function you need it to perform; every other permission must be denied.
You can always tell when an app shouldn’t need a requested permission to function by simply assessing what the app is meant to do. How many times have you downloaded an app, say a calculator app, and when you run it, it tells you, “Calculator needs permission to make and manage phone calls”? No way! What in the world does Calculator have to do with making and managing phone calls! Such a permission is completely disconnected from the task the calculator is meant to perform and thus should not be granted. Some apps stubbornly insist that you grant such unrelated permissions before you can use them; there’s only one thing to do with such apps—delete them! Get rid of them and look for alternatives that will perform the required function without requesting unreasonable permissions.
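You can go beyond the prompts and read the list of requested permissions directly. As an added example that is not from this book: an Android app declares every permission it may ask for in its AndroidManifest.xml (which you can extract from an APK with apktool or aapt), and a short script can diff that list against what the app’s job actually requires. The calculator manifest below is constructed for the demonstration, the list of dangerous permissions is a subset of Android’s real runtime-permission names, and the “required” set is empty because a calculator needs no runtime permission at all.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's "dangerous" (runtime-prompted) permissions; these are the
# ones a Principle of Least Privileges review cares about most.
DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed manifest for a hypothetical calculator app.
CALCULATOR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Every permission the manifest declares, dangerous or not."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def excess_permissions(manifest_xml: str, required: set) -> set:
    """Dangerous permissions the app asks for but its function does not need."""
    return {
        p for p in requested_permissions(manifest_xml)
        if p in DANGEROUS and p not in required
    }


def review_calculator() -> set:
    # A calculator's required set of dangerous permissions is empty.
    return excess_permissions(CALCULATOR_MANIFEST, required=set())


if __name__ == "__main__":
    for perm in sorted(review_calculator()):
        print("unjustified:", perm)
```

Normal-level permissions such as INTERNET and VIBRATE are granted without a prompt and so are not flagged here, but a calculator that wants INTERNET still deserves the same question as one that wants to place calls: what for?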
Now, before we wrap this up, another thing you might want to check when downloading an app is the app’s size-to-function ratio. For instance, an app that is meant to function as a basic calculator shouldn’t be anything larger than 20MB in the app store; as a matter of fact it should be much smaller. If an app has a very high size-to-function ratio, then that app is doing more than advertised. If our Calculator app is 80MB, then you wouldn’t want to know the other things it is calculating! Don’t download such apps; if the size is significantly out of proportion to the intended function based on your common-sense assessment, leave the app alone; it’s safer in the store than on your phone. Treat size as a hint rather than proof, though: bundled advertising and analytics libraries bloat many otherwise honest apps, and a tiny app can still be malicious. The permission list and the store’s privacy or data-safety section tell you far more than the download size does.
Marching Orders
A good password, like a good door lock, is meant to perform at least two functions—let you in, and keep others out. If it performs one of the two functions effectively and fails to perform the other, it’s not a good password. Have a look at this.
Username: Conscripted
Password: xaw24bQ#!@3bZv~9-Cd7_rJq$90*+k!00#&`~0
This password is extremely good at keeping others out—others including Mr. Conscripted himself! If it were my door lock, I would be sleeping outside tonight. But then, on the other hand, let’s have a look at this.
Username: Conscripted
Password: abc123
This password will certainly have no problem letting me in, but it would let the rest of the world in right after me, or even before! If it were my door lock, I wouldn’t have anything left in my house. A good password, like a good door lock, must let you in and keep others out. In the heat of battle, break-ins are common occurrences, and your passwords are the minimum defense you have against them.
6 Degrees of Separation: How safe is Mr. President with a Password like Yours?
You might have heard of the concept of 6 degrees of separation, it states that the maximum social distance between you and any other human on earth is six people. In other words, there are a maximum of six steps in your social network between you and any other person in the world. What this means is that you know somebody who knows somebody who knows somebody who knows somebody who knows somebody who knows the Pope. And if you want to pass a personal message directly to the Pope, all you have to do is find this chain, and your message will get to him in person—from the lips of his personal friend. Now the dark side of this is, what if that message wasn’t actually coming from you but from someone with malicious intentions who successfully acted as you and followed that chain? When I first learnt about the 6 degrees of separation, I decided to investigate it personally and see if I could trace a 6-degree connection between me and the president of America at that time. Interestingly, I found it without much difficulty. If an email comes from me and follows that path, it will get to Mr. President, and it won’t be coming to him from me but from someone he knows personally and perhaps trusts greatly.
There’s a 6-degree connection between you and Joe Biden or Donald Trump or Barack Obama or George W. Bush. An email coming from you, going through the right path, will get to any of these people. So how safe is the President with a password like yours? It might seem a bit exaggerated, but your password could actually be the entry point to a national disaster. Your weak password could bring down an entire institution or cripple an entire industry! Your password could spell the difference between victims and survivors in cyberwarfare.
Another dangerous thing about having weak passwords is that an attacker could break into your email, scroll through your inbox to see the various services you are subscribed to, then go to the login portal of any of these services and request a password reset. The password reset link will be sent to your email; the attacker will come back to your inbox, click on the link, reset your password, and gain entry to the portal to operate fully as you. Your email account is the master key to every account that can be reset through it, so it deserves your strongest password and MFA before any other.
As it is, you already have assets on the battlefield: your personal information is there, your health records are there, your intellectual property is there, even your money is there. None of these things is absolutely safe at war; any of them could be stolen in a successful attack. The very least—and by very least I mean the barest minimum—you can do to secure them is to use strong passwords. Other things might be out of your control: your bank’s cybersecurity infrastructure could be broken, your email service provider could be breached, many other things could happen that are out of your control, but one tiny thing that is within your control in securing yourself and your assets in cyberwarfare is your password, and you must get it perfectly right.
Never Repeat, Always Remember: Developing a Password Generating Framework
Passwords require a measure of complexity to do their jobs well. Creating strong, complex passwords that you can always remember without ever repeating one on any two platforms is not an easy feat; you’d have to have a memory like Boris Konrad to pull that off, yet this is the basic requirement in using passwords—make them complex, don’t reuse them across platforms, don’t write them down, and make sure you never forget them. Short of handing the job to a password manager, the only way you can do that with ease is to develop a password generating framework. Complex passwords are generally required to have a combination of uppercase letters, lowercase letters, numbers and symbols, and a stipulated minimum length. I created a simple password generating framework specifically to help people get through this (Note: It might look difficult at the beginning, but it soon becomes a piece of cake). Here’s an example of a password generated with this framework to meet all the requirements above.
Username: Conscripted
Password: A2Z4ixkoobecaf+
This password is built with a 3-component framework. The first component is A2Z4ix which is the constant password initializer. The second component is koobecaf which is the reversed name of the platform for which you are creating the password (in this case facebook). The third component is the special character or symbol. With this framework you only have to remember two things: your password initializer at the beginning, which should contain at least one uppercase letter and a number, and the special character at the end, which could be any symbol of your choice. These two things are constants and don’t have to be changed; the only variable is what’s in the middle.
So if you’re creating passwords on several platforms with this framework, they would look something like this:
Instagram: A2Z4ixmargatsni+
Twitter: A2Z4ixrettiwt+
Quora: A2Z4ixarouq+
Reddit: A2Z4ixtidder+
You will never have to repeat a password on any two platforms, and you can have a hundred different passwords that you will never forget! One caveat, though: because the initializer and the symbol are the same everywhere and the middle is just the site’s name reversed, anyone who sees one of these passwords in a breach dump can work out the rest. If a platform you use this framework on is breached, treat every password built with the same constants as compromised and change the initializer, not just the one password.
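For completeness, here is the framework in code, as an added example that is not from this book, together with the weakness a practitioner would want you to see worked through: from one leaked password and the name of the site it leaked from, both constants can be recovered and the password for any other site derived. The constants and platform names are the ones used in the examples above; the attacker’s side of it is an assumption about what someone holding a breach dump would do.

```python
def framework_password(initializer: str, platform: str, symbol: str) -> str:
    """Build a password the way the framework prescribes:
    constant initializer + reversed platform name + constant symbol."""
    return f"{initializer}{platform.lower()[::-1]}{symbol}"


def recover_constants(leaked_password: str, leaked_platform: str):
    """What an attacker does with one leaked password: cut out the reversed
    platform name and keep the two constants on either side of it.
    Returns (initializer, symbol), or None if the password doesn't fit the pattern."""
    middle = leaked_platform.lower()[::-1]
    idx = leaked_password.find(middle)
    if idx == -1:
        return None
    return leaked_password[:idx], leaked_password[idx + len(middle):]


def predict_password(leaked_password: str, leaked_platform: str, target_platform: str):
    """Derive the victim's password on another platform from a single leak."""
    constants = recover_constants(leaked_password, leaked_platform)
    if constants is None:
        return None
    initializer, symbol = constants
    return framework_password(initializer, target_platform, symbol)


if __name__ == "__main__":
    # Suppose the Instagram password from the list above turns up in a breach dump.
    leaked = framework_password("A2Z4ix", "instagram", "+")
    print("leaked from instagram:", leaked)
    for site in ("twitter", "quora", "reddit", "facebook"):
        print(f"{site:>9}: {predict_password(leaked, 'instagram', site)}")
```

The handful of passwords you must be able to type from memory (your primary email, your device login, a password manager’s master password) should therefore each be a genuinely independent secret with MFA in front of it, rather than members of one family like this.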
We need you to do this for the sake of all of us; you can’t be Conscripted and do otherwise. From the last data breach we had, we already are concerned about how safe we are with a password like yours. Is this something you would do?
Marching Orders