Let’s start with a simple question: Which one of the following cannot be hacked?
- Gas pipeline
- Linkedin mobile app
You probably know the answer with grim inevitability. Yes, none of the above are safe from hacking.*
Cyber security is no longer something your nephew deals with on your PC every three months, or the sole territory of the IT guy in your office. Every second headline these days is a version of “New cyber security threat is greatly concerning governments/SMEs/universities/users”.
A recent hack on software juggernaut Adobe brings more bad news. Adobe develops software such as Adobe Reader, Photoshop and InDesign, and a successful hack during the summer led to 38m encrypted user passwords being stolen. Now we’ve learnt that source code was also stolen, making it possible for criminals to hack users’ machines through vulnerabilities in the software, as The Financial Times reported in chilling detail.
So how worried should we be?
“It’s true that attacks are sometimes on a very big scale,” says Marina Cabrini, a computer scientist working for AICA in Italy.
“But in situations like the Adobe attack, or the PlayStation network outage, the single user cannot do much – it’s the big company’s responsibility to take adequate measures for securing their data, and the data of their customers that is stored in their systems. Even if you worry, the only thing you can do is maybe use a pre-paid credit card for online purchases.”
Marina is one of the consultants on the development of the ECDL syllabus, and worked on the creation of the IT Security module, along with other experts in the security field, three years ago.
Back then, growing concern from the public and growing sophistication in malware led ECDL Foundation to believe a specific course on IT Security was required. Companies in particular were keen that their employees get IT Security certification because, as Marina puts it, “the main threat for the computer is between the chair and the keyboard”.
Symantec lists (at the time of writing) 23,904,359 current viruses or threats in its virus definition file. Every month, about 160,000 threats are added to the list. So how could a module devised three years ago protect against malicious threats that haven’t been invented yet?
“Instead of targeting specific vulnerabilities of specific operating systems and/or devices, we focussed on the basic concepts of security”, explains Marina.
“The idea is that people would be trained not only in knowing that a virus can infect a computer via an e-mail, but why a virus would infect a computer, and which information is so valuable that a virus should try to steal it.”
So as well as an awareness of potential threats on a computer, candidates learn how these threats originate. That way, they’ll know instinctively which situations could lead to potential danger.
The situations are countless, from opening emails from unknown senders to using ATMs, selecting passwords and posting personal information on social networks. If that sounds a bit paranoid, you might be right. But as Marina puts it, “in some cases paranoia is the only attitude that can help you”.
Attacks almost always involve some social engineering technique used to get the information needed to attack the systems. Protecting personal data is key, Marina says: “recognise what you have that is valuable”.
The module also includes a section on data management and backup techniques, which is even more significant now that data is increasingly saved in the cloud and ransomware is on the rise.
Ransomware (file-encrypting malware) has been around in various incarnations for years, but has intensified in recent months with the devastating CryptoLocker, which attacks Windows computers by encrypting both local and mapped network hard drives. Victims must pay a fee (a real ransom) within three days, or they’ll lose their data.
The cost to businesses can be breathtaking. In the United States, the Kansas Braille Transcription Institute lost 12 years of work and expects to lose many contracts as a result. “You kind of feel like somebody broke into your building and stole everything that you have”, manager Randolph Cabral told Kake.com.
This is not an exaggeration – businesses should consider these threats on the same level as a burglary. Failure to prepare for and prevent these attacks is like leaving the office window open with gleaming computer hardware packed with sensitive data inside.
“Awareness of the destructive potential of the attacks is quite non-existent among the general public, and sometimes among businesses as well”, Marina says.
The cost of viruses to firms in the US is $67.2 billion a year according to the FBI – and shortly after it arrived at that figure, FBI Director Robert Mueller became a victim of a phishing scam himself.
“Users are led to believe that nothing bad can happen if they make available their personal data on the internet. Why should I create malware to access someone else’s computer to obtain their personal data and their credit card number, when all I have to do is follow the @NeedADebitCard channel on Twitter?”
@NeedADebitCard retweets all the pictures people post on the Internet of their new credit cards. It has to be seen to be believed.
You may not be so concerned that a careless FBI director or snap-happy Twitter user gets their bank details hacked.
But if there’s a gas pipeline running under your house, a plane flying over it, or a medical device in your body, you might care whether the creators had sufficient training to protect these things against hacking.
The colleague who receives emails from you might feel the same way.
*Security consultant Hugo Teso executed a remote attack on and hijack of a commercial aircraft using virtual airplanes in a lab.
A Forbes article from June 2012 was titled “Yes you can hack a pacemaker”.
At the Black Hat and DefCon computer security conferences, multiple demonstrations showed how simple it is to hack energy systems.