The human race just turned the wheel over for another year and with it came a new decade. The author is aware that some people say the decade starts in 2021, but the author does not mean to debate that here. Considering the last decade, many things changed: we saw the rise of new attack methods, increasingly complicated attacks, and even the packaging of some complex attacks into “Malware as a Service”.
Cybercrime became a household, kitchen-table topic with the Equifax breach, and many more companies finally adopted a security awareness training program. Alas, with all of these changes, many things have not changed with the march of time, and it is a few of those topics we will discuss.
Passwords are the bane of online existence. They have essentially outlived their “use by” date, but they are so ingrained in our online lives that we cannot seem to leave them for a better solution. In an attempt to make them more secure we even bolted on multi-factor authentication, which increased their shelf life but was never a viable replacement.
The beauty of the username and password concept is that it is simple. That same simplicity tends to be its weakness. Commonly used simple, weak, and short passwords are easy to guess or brute force. On top of this issue, they have to be stored somewhere. We can hash, salt, and bcrypt passwords all we like, but administrators are still left with the burden of storing all of this sensitive data. It only takes one flaw in a computer ecosystem, which includes the human element, for all of that data to become accessible to those with less-than-ethical intentions.
Efforts have been made to move us beyond the use of passwords, such as SQRL (the author’s personal favorite), Windows Hello, and emailed one-time-use codes, but even these have their own struggles. Hopefully, they will gain a foothold in the authentication market, but until then we all have to suffer with technology from the 1970s with modern, secondary authentication methods bolted on.
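The two password problems raised above, weak choices and risky storage, are both things an administrator can partly address in code. The following is an added example written for this article, not code from the author or from any product named here: it rejects short or commonly used passwords, and stores each password as a salted, deliberately slow PBKDF2-HMAC-SHA256 hash using only the Python standard library. The minimum length, the iteration count, and the tiny common-password list are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os

# Policy values assumed for this example (not taken from the article).
MIN_LENGTH = 12
# Iteration count is deliberately high so that each guess costs the attacker
# real CPU time; tune it to the slowest hardware you must support.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample of frequently used weak passwords. A real deployment would
# check against a much larger list of breached or common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted, slow hash and encode it as one self-describing string.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked database cannot be cracked with one
    precomputed table for all accounts.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Storing the algorithm and iteration count alongside the hash lets the
    # parameters be raised later without breaking existing records.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demonstration input.
    for candidate in ("password", "correct horse battery staple"):
        issues = check_policy(candidate)
        print(f"{candidate!r}: {'ok' if not issues else ', '.join(issues)}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Correct horse battery staple", record))
```

The stored record never contains the password itself, only the salt and the derived hash, so the administrator's burden of "storing all of this sensitive data" is reduced to protecting material that still has to be brute-forced one slow guess at a time. A purpose-built password hash such as bcrypt, scrypt, or Argon2 is preferable where a library is available; PBKDF2 is used here only because it ships with the standard library.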
Needlessly open ports are what keep a lot of simple attacks in business. Before the prevalence of local area networks in the home, many users connected directly to the Internet. Dial-up modems, cable modems, and DSL modems did not necessarily have all of the same controls we have in place today, so it was not uncommon to do a network scan and find computers with open resources on your network segment from your ISP. Personal, host-based firewalls closed off a lot of those early issues, but it was still one more piece of software to purchase. Then, home local area networks came along, allowing NAT to assist with the issue of unwanted traffic. Most routers also started to come with a simple firewall, which helped those efforts.
With these efforts to secure the home local area network came user frustration: users could no longer easily share resources with the people they wanted to, as they once had. This became increasingly frustrating with the Xbox Live service in particular, so the Universal Plug and Play (UPnP) protocol was created. This protocol has led to many easy exploits that we still encounter to this day, with different devices leveraging it without the user’s knowledge. It allows ports on the firewall to open dynamically and stay open without consent, and it invites unwanted attention from anyone who can exploit a vulnerability in whatever is listening on that open port, such as a Chromecast, network printer, smart TV, or other IoT device.
Phishing emails are sadly here to stay. The human is still the simplest point of compromise. It is cheap to send countless emails, databases of known-good email addresses exist and have been compromised, and the method continues to be lucrative. We can discuss different attacks all day, but the driving factor behind cybercrime is profit. Why scan for open ports, banner grab port information, research firewall bypass methods, craft a complex software vulnerability exploit, and then clean up log entries, when one could send 10,000 emails to known-good email addresses with the click of one button from the comfort of a desk chair?
We can only increase our training efforts here, but people will continue to be tricked into clicking links, opening documents, and allowing macros. The human element is the one thing we cannot control as reliably as a firewall rule or DNS sinkhole. User awareness training must be done at every point possible. It must be engaging, rewarded, and done often.
Some things may never change, such as phishing attempts. Attacks will always get better, not worse. People will always be curious. As long as we are aware of the challenges we face and look for ways to make our networks safer in the future, we are making worthy progress.
Let this article inspire our efforts for the next decade. Let us clean some of these items off our list before 2030.