Network Security

Technology is an amazing thing that has led to many advancements of humankind. The status of today’s level of technology has made it possible to communicate via written and video messages, as well as audio, in real time. The advent and popularization of the Internet also has brought mountains of information to the fingertips of anyone that can access a computer, mobile or otherwise, and the largest network we have. Unfortunately, with all these amazing capabilities, there also comes a significant risk, both to the individual person and businesses around the world.  

As previously covered, a network is the connections between all the devices and their routers, over which packets of information are sent. One can learn the pathways the information can take by pinging a website. Ping commands can be used by a network of computers that are infected by some virus to make them do some other function, usually unbeknownst to the user. This network of infected devices is called a botnet. Botnets can be used to repeatedly send commands for requesting information to targeted websites to overload the servers and result in a Distributed Denial of Service (or DDoS) for others trying to legitimately access the site. Any computer that is in any way connected to the network that is targeted is vulnerable, simply because it is a pathway that can be used to access said target. The reasons an instigator of a DDoS attack chooses its target are varied. Some of these goals can be to install a virus, deny the site legitimate business traffic, damage equipment, financial theft, or even stealing of intellectual property (Vahid, 2017). Most DDoS attacks have a high-profile target and are not interested in the individual past using their machine to flood the intended site. To organizations, however, DDoS attacks are very important to defend against as best they can due to the sheer magnitude of damage that can be done, both monetarily and not, such as by breaking client trust. In 2017, a DDoS attack cost a company an average of $3.62 million around the world (Gupta, 2018). The most obvious symptom of a DDoS attack is the slowing down of a network, causing a noticeable delay in information packets being sent and received by the machines that are a part of the botnet involved in the attack. DDoS attackers are constantly changing the ways that they use and access other machines to use as a botnet, which makes defending against them more difficult. A couple of ways to try to deter them, though, are through Two Factor Authentication (2FA) and a Public Key Infrastructure (PKI). Two Factor Authentication is when another way to verify the right user must be used in addition to the regular sign-in information, such as a PIN or thumbprint. A PKI uses a third party to utilize certificates that can help authenticate individual parties on the Internet. Adding these extra layers can deter the basest of attacks, but they are certainly no guarantee. 

One of the many ways that a computer can be made vulnerable to being used in a DDoS scenario is by something known as “phishing”. Phishing is an attack that can devastate both individuals and businesses alike. The perpetrator of the scam creates a website or email that looks legitimate. Oftentimes, it is in the guise of an often-trusted website, such as Amazon, or even the user’s personal banking institution. Once the link is clicked and the victim enters personal information, such as login names and passwords, or bank account numbers, the scammer then has access to the information to rob their victim blind. Businesses are also made vulnerable to these scams when their employees click on such links while on their work computers, which gives the thieves access to a network they otherwise were shut out of. Generally, victims of phishers do not realize what has happened to them until it is too late, and they are missing thousands of dollars (or more!) (McCray, 2017). Over the years, scammers have gotten increasingly more convincing with their faux pages, using public domain images to copy and make their own, and can even rely on AI to gather data from the victim’s social media to get a feel for places they frequent to know what companies to pose as (Fisher, 2019). These kinds of targeted attacks lead to many people falling for the scheme and losing their livelihoods, with no discrimination on who they go after. The strongest defense against phishing is to educate the users of the network. Teaching them what to look for in fraudulent e-mails and the like will help keep them from falling prey (Chaudry, 2016). Also, Two Factor Authentication is, again, a good resource to help mitigate these occurrences. 

As the current generation has grown up with computers, fewer of them are as quick to fall for phishing scams as the older generations, though most people are still likely to click on a link that they shouldn’t, and in a 2019 report, it was found that 72% of security breaches were caused by similar kinds of human errors (Borkovich, 2019). Social engineering attacks have a broader reach, in which phishing is included, and is the perpetrator capitalizes on the emotions of humans to manipulate them in order to gain knowledge that allows them access to confidential information.   Because computers are used today for everything from banking, to conducting business, to personal communications, any access forcibly gained is a threat. When social engineering is used by building a false relationship to someone, all it takes is learning simple things like the name of a pet, or the date of an important anniversary to be able to crack passwords or answer security questions to garner access. This holds true for secure information on both the personal and business levels. When pursuing an individual, the cyber-criminal is usually after money, and the victim will not be aware until they either contact their bank, or as is often a safeguard these days, their bank contacts them over suspicious activity, The damage can be devastating, and if the user is not savvy enough to know to change their login information and security questions, the problem can be ongoing. For a business, there are no immediate tell-tale symptoms to know that their system has been breached by utilizing social engineering, but it would become evident once the loss of money, sensitive information, or reputation becomes public. Unfortunately, with social engineers constantly adapting to new defenses, there is no “one size fits all” answer to stumping them (Chukwudebe, 2015). The most effective way to prevent a breach from the social engineering front is all about user education. Both in their personal and business lives, the users need to be educated in how to keep their accounts secure, such as not using the same password across all of their accounts and creating a password that is far more secure than a pet’s name or the word “password”. In addition to those precautions, the user also needs to have training on what to do in situations that social engineers frequently try to employ, such as calling and saying they need a secure login information because the server is on fire, or some other scare tactic. Learning the basics of how to recognize a false e-mail is also extremely beneficial. Another step to take is to ensure that one’s anti-virus or malware software is kept up to date. Without those updates, the new attacks will not be flagged or defended against.  

 

            The use of technology will not be going away any time soon, so unless people are willing to take the necessary precautions to protect themselves, they are likely to be the next to fall victim to the cyber-criminals that stalk the uneducated. To keep utilizing the amazing tools at hand with computers and the Internet in a safe and effective manner, continued education and frequently refreshed practices against cyber-attacks are the most reliable way to keep these predators at bay.

References:

Borkovich, D. J., & Skovira, R. J. (2019). Cybersecurity Inertia and Social Engineering: Who's Worse, Employees or Hackers? Issues in Information Systems, 20(3), 139-150. 

Chaudry A., Chaudry A., & Rittenhouse G. (2016). Phishing Attacks and Defenses. International Journal of Security and Its Applications, 10(1), 247-256. Retrieved July 10, 2020, from https://www.researchgate.net/profile/Robert_Rittenhouse/publication/296916234_Phishing_attacks_and_defenses/links/573e7afb08ae9f741b300e23.pdf. 

Chukwudebe, G. A., Salihu, T., Chukwudebe, V. N., & Osuagwu, E. U. (2015). Mitigating social engineering for improved cybersecurity. 2015 International Conference on Cyberspace (CYBER-Abuja). doi:10.1109/cyber-abuja.2015.7360515 

Fisher, S. (2019, December 25). Cybersecurity 2020: Phishing, ransomware and 'things'. The Idaho Business Review. 

Gupta, R. (2018). Hands-on cybersecurity WITH blockchain: Implement ddos protection, pki-based identity, 2fa, and dns security using blockchain. Birmingham, UK: Packt Publishing. 

McCray, V. (2017, October 4). CYBERSECURITY: Phishing scam hits another district: Fulton County Schools confirms 46 employees had their pay stolen. Atlanta Journal-Constitution. 

Vahid, F., & Lysecky, S. (2017). Security. In Computing Technology for All (pp. 8.1-8.6). Zyante.