From the Winter 2016 Issue

Cyber Literacy in the Age of Attacks

Dr. Jane A. LeClair
President | Washington Center for Cybersecurity Research & Development

  •  
  •  
  •  
  •  
  •  
  •  

Understanding personal computers’ hardware, operating systems, and applications is a good first step towards obtaining the knowledge and skill necessary for cyber literacy. 

Much of the existing cybersecurity literature centers around defending the complex digital systems belonging to large corporations. Much less attention is paid to providing the average user with the basic knowledge and technical skills they should have to defend their personal computers or small business systems.

It is important to determine the level of security awareness that individual users need in order to recognize an attack in progress or avoid being tricked into providing unauthorized access to confidential information or restricted systems. Through comprehensive exposure to the interlocking components of cybersecurity, we can turn ourselves into the first firewall defending our personal systems and our small businesses.

A Natural Progression 

Understanding the basics of personal computers’ hardware, operating systems, and applications or programs is a good first step towards obtaining the knowledge and skill necessary for cyber literacy. Hardware cyber literacy includes understanding how data is created, stored, and accessed, including the use of wired or wireless technologies to access the Internet. Being cyber literate in operating systems requires an understanding of basic operations, security settings, built-in utilities, and the installation and configuration of new applications. One must be familiar with an operating system’s file storage framework, as well as techniques to manage and safeguard information the system stores and uses.

A cyber-literate user should know that routine work should be performed using an ordinary user account, not an administrator account. This reduces the chance that an accidental command will affect the entire system, and will prevent certain types of malware from gaining access to the system’s settings and data.

The user should be able to open a command window or other system utility and enter commands for checking network status, such as whether the computer has a valid IP address and default gateway, or run a ping to test network connectivity. The user should also be able to configure and monitor the software update mechanism to verify whether the operating system is receiving and installing security patches and application updates.

The user should know that when a file is deleted its contents remain stored on disk until they are overwritten by new files or securely wiped via a utility.

The user should understand the difference between encrypting individual files and encrypting an entire disk, as both are needed to safeguard critical information. Whole disk encryption is not enough, as it is transparent to the user and automatically decrypts files the user requests. If a hacker has gained remote access to the computer, files that are not individually encrypted through other means are vulnerable.

 Onward to Networking 

The next progression in our cyber literacy journey is towards computer networking. While the best way to protect a computer is to never connect it to a network or share files with another user, this is not practical. Modern operating systems are network-ready and users must obtain the required knowledge and skills to network safely and securely.

This knowledge includes the types of cabling used to connect computers and other devices to a network, as well as the basic operation and purpose of networking components such as switches, firewalls, intrusion detection systems (IDS), and routers. Cyber-literate users should also understand the differences between personal area networks (PANs), local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). Users should also seek out further knowledge about wireless networking standards such as WiFi and Bluetooth; the operation of and need for wireless access points (WAPs); materials, such as cinderblock walls inside a building, that interfere with wireless signals; and the dangers of operating or using open, non-encrypted wireless networks.

The cyber-literate individual must be aware of performance issues specific to wireless networking, such as how the distance from a WAP affects signal strength and bandwidth limits, and the congestion issues that may occur when there are lots of wireless users on the same network competing for bandwidth. Those seeking cyber literacy should also understand the dangers of rogue access points, which can be used to exfiltrate confidential information or trick users into thinking they are using a valid wireless network, leaving their personal information vulnerable to theft.

It is also essential that a cyber-literate user possess a basic knowledge of network topology, Ethernet operation, and network protocols. While understanding every protocol in the Transmission Control Protocol/ Internet Protocol (TCP/IP) suite is not required, a user should know what a domain name system (DNS) is used for, why TCP is more reliable than User Datagram Protocol, and when each should be used based on the application requirements. Individuals should also possess an understanding of the security provided by virtual private networking (VPN) and how to establish one of these connections. Also important is a familiarity with IP addresses and the way routers forward packets between LANs.

 Branching out to the Internet 

The computers in a house, school, or business make up a LAN. A computer on one LAN communicates with a computer on a different LAN by having its network messages delivered to the second computer through one or more routers. The Internet itself is a complex sea of interconnected LANs and routers, providing many paths for a message to take between the same two LANs. If a router stops working somewhere or gets too clogged with messages, there are plenty of other routers which can deliver the message. The Internet is the ultimate WAN, allowing computers and other networked devices to communicate almost instantly anywhere on the planet.

Being cyber literate with regards to the Internet requires understanding how routers deliver network messages; the structure and use of domain names; the relationships between domain names, DNS, and IP addresses; the client-server model; the operation and purpose of a web browser, including a basic understanding of HyperText Markup Language (HTML) and cookies; knowledge of JavaScript, e-commerce, streaming media, and the need for data compression; and a basic understanding of secure HTTP (HTTPS) communications and certificates.

The average Internet user does not need to spend any time on the Dark Web, where much illegal activity takes place, but should know the basics of browsing anonymously in order to protect their identity. They should also understand the pluses and minuses of social media and cloud services, such as free file storage. They should know to be wary of sites that offer free copyrighted software (Warez), as these are known to distribute malware.

Hoaxes, distributed denial of service attacks, social engineering, and phishing scams via email and phone calls are just as troublesome as an infected operating system, and potentially more threatening. 

Maintaining Attack Consciousness 

Our journey towards being cyber literate requires us to be aware of the many ways in which people, processes, technology, and information can be attacked and compromised.

It’s important to know that attacks can come from inside an organization as well as the outside. Our own coworkers can potentially be the source of mischief, presenting even more threat than outsiders because they already have permission to access our organization’s devices and network. To combat this threat, cyber-literate users should understand access controls, user permissions (including the principle of least privilege), and separation of duties.

Malware comes in many varieties and the cyber-literate user should know the differences between viruses, worms, Trojan downloaders, zero-day threats, and ransomware. Users must also be familiar with malware delivery techniques such as infected email attachments or drive-by downloads; the ways malware spreads; the operation and purpose of botnets; the hard-to-eliminate nature of rootkits; and the purpose and need for security incident response and computer forensics. Users should be wary of “found” flash drives, as they often contain malware that will be loaded on the system upon plugging the drive into a USB port.

Cyber-literate individuals should also be aware that some attacks do not even utilize code. Hoaxes, distributed denial of service (DDoS) attacks, social engineering, and phishing scams via email and phone calls are just as troublesome as an infected operating system, and potentially more threatening.

 Never-Ending Security Awareness Training 

The sophistication and strength of your firewall, intrusion detection systems (IDS), and anti-virus software does not matter if the person using the computer or network services acts irresponsibly. While users may often violate best computing practices unknowingly, deliberate violations cannot be predicted or avoided. If there are good security policies and procedures in place, however, a malicious user can be identified and stopped.

Users who unknowingly violate safe computing practices are much more common, however, making security awareness education a must. Companies will often perform security awareness training upon hiring and during selected times of the year; however, it is important for the cyber-literate individual to continually update his or her knowledge and implementation of proper security measures, as attacks continue to evolve.

A comprehensive security awareness training program should touch on the following areas:

 Portable Media: Taking confidential files offsite using a portable media device such as a USB drive, smartphone, or tablet can leave the company at risk of losing valuable data, as well as the potential introduction of malware to the company network from an outside source.

 Wireless Device Use: Employees bringing their own mobile devices into the workplace can lead to complications for the IT department, as these devices may be set up as wireless hotspots. Safe wireless use also requires that wireless network traffic be encrypted. The strongest wireless encryption available today is Wireless Protected Architecture v.2

Maintaining Attack Consciousness 

Our journey towards being cyber literate requires us to be aware of the many ways in which people, processes, technology, and information can be attacked and compromised.

It’s important to know that attacks can come from inside an organization as well as the outside. Our own coworkers can potentially be the source of mischief, presenting even more threat than outsiders because they already have permission to access our organization’s devices and network. To combat this threat, cyber-literate users should understand access controls, user permissions (including the principle of least privilege), and separation of duties.

Malware comes in many varieties and the cyber-literate user should know the differences between viruses, worms, Trojan downloaders, zero-day threats, and ransomware. Users must also be familiar with malware delivery techniques such as infected email attachments or drive-by downloads; the ways malware spreads; the operation and purpose of botnets; the hard-to-eliminate nature of rootkits; and the purpose and need for security incident response and computer forensics. Users should be wary of “found” flash drives, as they often contain malware that will be loaded on the system upon plugging the drive into a USB port.

Cyber-literate individuals should also be aware that some attacks do not even utilize code. Hoaxes, distributed denial of service (DDoS) attacks, social engineering, and phishing scams via email and phone calls are just as troublesome as an infected operating system, and potentially more threatening.

Never-Ending Security Awareness Training 

The sophistication and strength of your firewall, intrusion detection systems (IDS), and anti-virus software does not matter if the person using the computer or network services acts irresponsibly. While users may often violate best computing practices unknowingly, deliberate violations cannot be predicted or avoided. If there are good security policies and procedures in place, however, a malicious user can be identified and stopped.

Users who unknowingly violate safe computing practices are much more common, however, making security awareness education a must. Companies will often perform security awareness training upon hiring and during selected times of the year; however, it is important for the cyber-literate individual to continually update his or her knowledge and implementation of proper security measures, as attacks continue to evolve.

A comprehensive security awareness training program should touch on the following areas:

Portable Media: Taking confidential files offsite using a portable media device such as a USB drive, smartphone, or tablet can leave the company at risk of losing valuable data, as well as the potential introduction of malware to the company network from an outside source.

Wireless Device Use: Employees bringing their own mobile devices into the workplace can lead to complications for the IT department, as these devices may be set up as wireless hotspots. Safe wireless use also requires that wireless network traffic be encrypted. The strongest wireless encryption available today is Wireless Protected Architecture v.2 (WPA2), which requires the wireless device to provide the appropriate password to gain access to the network. Beware of Internet cafes or other businesses that offer free WiFi, as these networks are open and easily sniffed by malicious users nearby.

Passwords: A good training program should go over techniques for developing and remembering secure passwords, and should explain the risks of writing down or sharing login information.

Social Engineering: Learning to recognize social engineering attempts via phone, email, and in person is essential. A good rule of thumb is to never divulge any information or allow any access without the express permission of a superior.

Social Media Use: Social engineers mine social media sites for information about a target individual or company. Limiting the amount of personal and family information published on social media is an important step to maintaining security.

Email and Browser Use: Being suspicious of emails with attachments, especially those from senders a user does not expect or recognize, is a good approach to safe email behavior. Limiting web browsing to trusted sites is also a good practice.

Desktop Security: Users should always lock their computer’s desktop interface prior to walking away in order to prevent any unauthorized access, as well as to prevent malicious activity on a system from being wrongly attributed.

Office Talk: Employees should be careful not to share confidential information, either in person or on the phone, where others may hear.

Changing the Culture around Cybersecurity 

While it is important to include the knowledge and skills noted above in security awareness training programs, the affective domain must be included in the training if behavioral changes are to take place. Affective domain levels or hierarchies start with basic awareness, grow to attitudes that support the behaviors needed while under observation, and reach the plateau of understanding the importance of security, eventually coming to promote and defend its importance to others.

The possession of knowledge indicates that someone understands what security is about, and the possession of skills indicates they have the tools and the abilities they need to deal with cybersecurity issues. However, unless they have the correct attitudes and values regarding the uses of that knowledge and skill, this learning may go unheeded.

An individual or employee at a small business may know that they shouldn’t open a potentially infected email, but a cavalier attitude may prompt them to do so anyway. Attention to the cognitive, psychomotor, and affective domains during security awareness training will instill in trainees the value of adhering to a strong cybersecurity culture, defending cybersecurity practices with regard to peers whom they see being negligent.

The digital world is a double-edged sword. It can provide great convenience, but a lack of cyber literacy can cause potential problems. No security system is perfect, but with an understanding of cybersecurity dos and don’ts, combined with some basic technical skills, it is possible to avoid many of these threats.

Leave a Comment