A Simple (yet Comprehensive) Introduction to Cybersecurity

A Simple (yet Comprehensive) Introduction to Cybersecurity

The Beginner's Handbook to Cyber Safety

Introduction

If your Facebook or Instagram account has ever been hacked, this article is definitely for you! If you’ve never been scammed of money online, well, this article is still for you.

The Internet is fun and the best place for you to socialize and get cooking tips or decoration ideas, however, it can also be dangerous when used incorrectly. The practice of staying safe online is known as Cybersecurity.

Cybersecurity refers to all processes (and activities) involved in securing people, information, and computer systems from evildoers and malicious attacks on the internet.

Hackers

Meme Wojak Hacker Image

No, not all hackers are bad people. A hacker is a person equipped with computer and networking skills to find vulnerabilities (loopholes) in a system.

Hackers are divided into many categories, depending on the work they do and how they react to vulnerabilities; some of these include:

  • Black-Hat Hackers: These are the typical bad guys. They hack systems and exploit loopholes, mostly for money and sometimes for fun.
  • White-Hat Hackers: They uphold the “hammer” of justice. They might not recover your stolen Facebook accounts but, they ensure your favorite company or bank doesn’t get hacked.
  • Gray-Hat Hackers: Black + White = Gray. The gray-hats sit on the fence. They hack systems without permission but do not usually have any malicious intentions in mind.

Some other categories of hackers include:

  • Script Kiddies: These are beginner cybersecurity enthusiasts that use ready-made tools to perform simple tasks, like connecting to your wifi.
  • Blue Teamers: The Blue Teamers work together with White-hats to secure a company’s defenses.
  • Red Teamers: Red Teamers try to find and exploit weaknesses in a company’s defenses like the bad guys, but with permission.
  • Hacktivists: They hack into systems (usually unlawfully) to push a certain agenda.
  • And lots more!

Scammers

Yes, all scammers are bad people. A scammer is a person that defrauds people or companies of their money.

Over the years, the number of scammers and scam victims has increased exponentially in all countries. This is because the perpetrators know how to play on human emotions – compassion, love, fear, greed, etc.

Some countries with the highest number of scammers, statistically are Nigeria, India, Brazil, Indonesia, the United Kingdom, and South Africa. India ranks way up on the list, with a lot of scam call centers all over the country.

How Scammers Operate

Unarguably, one of the most common fraud agendas is the ‘Nigerian Prince’ scam. This is one where a scammer messages an unsuspecting, soon-to-be victim with a story of how he is an heir to a throne, with a lot of fortune locked away somewhere and simply needs a bit of money to settle some things or travel down to the victim’s country, with the promise to reimburse the person, a hundredfold.

That’s a very obvious scam, nowadays. However, some modern scams are:

  1. Someone calling as a company’s customer care representative (e.g. Amazon, Youtube, etc.), trying to rectify a bill for you, or settling unresolved credit complaints. During the interaction, you can get their viruses on your computer, your screen goes blank and your money disappears.
  2. Romance scams: Scammers tend to prey on single/divorced people on social platforms (like Facebook) or dating sites like Tinder. These scammers tend to use images of other people and thus, start a relationship to defraud their victims of money once, or continuously.
  3. Business Email Compromise Scams (BECs): A hacker poses as company ABC and sends an invoice email to company XYZ, asking for a certain payment. XYZ pays to the designated account, thinking it is a legitimate transaction; thus, losing huge amounts of money. Facebook, Google, Ubiquiti, the Puerto Rican Government, Toyota, and even St. Ambrose Catholic Parish (Jesus!) in the US have fallen for BEC scams.
  4. Someone calling about a code that mistakenly got delivered to your number by SMS and asking you to send them the code; then suddenly, you lose your favorite Facebook account. The code is a One-Time Password (OTP) usually sent by the company when someone tries to log in to your account or change your password. This code confirms that you’re the one acting and should never, ever be shared with strangers.

How people get hacked

Hacked Meme Image

Every day, hackers invent new ways to break into systems and/or steal information. Understanding how these attacks work goes a long way in avoiding them. One very common form of hacking is Social Engineering which involves deceiving people to get information.

The list of cyberattacks available worldwide is extensive. However, some of the most common cyberattacks are listed below.

As an Individual:

  1. Phishing: This is one of the most common cyberattacks globally. Generally, a malicious hacker sends a link (via Email, SMS, WhatsApp, etc.) to a lot of random people. The website requires them to fill in a bunch of personal information (name, gender, address) in return for some false benefits.
    • Phishing Site.png
  2. Voice Phishing (Vishing): Ever gotten a call from someone claiming to be from your bank? Your account got “hacked” and you need to give him the numbers on your debit card and your ATM pin? Well, this is it. Vishing is a form of phishing over phone calls. It commonly involves asking for bank information for an “urgent” matter.
  3. Typosquatting: This type of cyberattack relies on human error. It involves creating a malicious website with a URL (link) that is very similar to that of a legitimate website. For example, a hacker might create a lookalike login page for netflix.com and register it as netfilx.com or netflix-movies.com. Unsuspecting users visit the fake website, fill in their login details, and can thus be hacked.
  4. Malware Attacks: Malware refers to Malicious Software which is essentially a virus attack. They come in different forms, some of which include:
    1. Hacker sending an email with a malicious attachment (document, app, etc.). When a user downloads and/or opens the attachment, the virus loads up and begins work on their computer or mobile device.
    2. Hacker sending a malicious website link to a user. When the unsuspecting user visits the website, an automatic virus download starts, thus infecting the user’s device. This type of attack is also known as a Drive-by Download.
  5. Brute Force Attacks: In this type of cyberattack, a hacker uses automated tools and a trial-and-error method to bombard a system with different combinations of passwords to try and get into a user’s account. Modern computers can crack weak, short passwords very easily. For example, it’ll take a computer about 2 seconds to crack ‘andrew88’, 1 month to crack ‘jjk-password-059’, and centuries to crack ‘Pjpd4AAL9sIIm3’.

As an Organization:

Companies run a greater risk of being targeted by hackers. Over the years, organizations of all sizes (billion-dollar companies, commercial banks, government bodies, schools, etc.) have been hacked repeatedly. Some recent, notable hacks are:

  • In September 2022, Optus (A company in Australia with 10+ million customers) was hacked, leaking the personal information of its customers. [Source]
  • In September 2022, Uber Inc. was hacked by a teenager. [Source]
  • In July 2022, the YouTube and Twitter accounts of the British Army were hacked. [Source]
  • In April 2022, hackers stole ₦523 million from an undisclosed bank in Nigeria. [Source]
  • In April 2021, the personal information of 500 million Facebook users was leaked online. [Source]
  • In 2015, a man scammed Facebook and Google for over $120 million. [Source]

Yes, your favorite tech giant company has probably been hacked many times in the past. Some of the ways these companies have gotten hacked include:

  1. Spear Phishing: This is a type of phishing aimed at a specific group of people. Examples include the Board of Directors, the Finance department, etc. It has a higher percentage of success as it is usually tailored to fit a particular narrative.
  2. Software Hacks: Hackers discover loopholes in company websites or apps and thus penetrate the systems or servers to wreak havoc ranging from data theft to ransomware attacks.
  3. Ransomware Attacks: In this type of cyberattack, hackers take over a company’s network and infect it with viruses (holding it ransom), forcing the company to pay huge sums of money to recover its systems.
  4. Distributed Denial of Service (DDoS) Attacks: Here, hackers overload a company’s website or server with requests, forcefully shutting it down or making it unavailable to legitimate users for some time. This leads to a loss in revenue for companies, amongst other terrible consequences.

How to Avoid Cyberattacks

Meme.png

You now understand how some of these attacks come, well done! That’s the first step to avoiding them. We’ve seen that in most cyberattacks, hackers are always sending stuff - links, apps, documents, emails, etc. Hence,

  1. By default, suspect any message from an unknown person, they might want to steal your money.
  2. Most hackers don’t put in work to their phishing content. Look out for any email that has grammar errors or poor capitalization. Legit companies don’t make mistakes like that.
  3. Always check the sender’s email address on your emails. Anybody can buy a domain name (website link) that looks like your bank’s.

    • Screenshot of a phishing email.png
  4. Do not fill in your personal information on a site that is not secure. A secure site uses the HTTPS protocol. For example, https://google.com, https://netflix.com, https://glo.ng, etc. Sites without the HTTPS ‘tag’ can be easily infiltrated by hackers.
  5. Hackers operate on human ignorance and greed. No stranger gives you stuff for free. If an offer looks too good to be true, then it probably is.
  6. Most times, websites send you a One-Time Password (OTP) when hackers try to change your password and steal your account. Never share this code with anyone who calls you.
  7. Always update the software on your computer and phone. Updates usually come with security patches and bug fixes to prevent hackers from taking over your systems.
  8. Do not download apps, music, or movies from funny sites. These files may contain malware that can have disastrous consequences.
  9. Invest in quality antivirus software for your devices. Some popular choices are Norton360, BitDefender, McAfee, and Kaspersky.
  10. Do not use the same password for all your internet and banking accounts. If a hacker steals your data from Facebook, they can try to use that password for your bank account.
  11. Do not use predictable information in your passwords like your names, year of birth, children’s names, etc.
  12. Create passwords with a mix of uppercase letters (ABCDE…), lowercase letters (vwxyz…), numbers (12345…), and special characters (@, #, $, %, &, *, -, etc.). To check how strong your current password is, visit https://bitwarden.com/password-strength/
  13. Finding it too difficult to remember plenty passwords? Use a password manager. Some popular choices are 1Password, RoboForm, and Bitwarden. Password managers create and manage strong passwords for your internet accounts.

For Companies,

  1. Invest in the IT and Security departments. Hire ethical hackers or contract a security consulting firm. It’s always worth it.
  2. Organize training workshops regularly for all employees and sensitize them on the dangers of cyberattacks in the workplace.
  3. Kickstart bug bounty programs on platforms like HackerOne and Bugcrowd. A bug bounty program is an efficient way for ethical hackers to find and report vulnerabilities in your software, without exploiting them.
  4. Use secure protocols like HTTPS on your websites.
  5. Encrypt users’ passwords better to prevent malicious hackers from cracking them.
  6. Enable captcha on your websites. Captcha is an added security feature that prevents bots from working on your website and carrying out brute-force attacks. Some popular choices are Google’s reCaptcha and hCaptcha.

Starting a Career in Cybersecurity

If you made it this far, congratulations! You’re not likely to get hacked again. There are thousands of cyberattacks and thus, thousands of ways to prevent them.

The world of cybersecurity has infinite career paths that are diverse and interconnected. Some popular choices are Offensive Security, Governance, Risk and Compliance (GRC), Security Operations Center (SOC), Cryptography, and Threat Intelligence.

Not all fields require a Computer Science degree or programming knowledge. However, to make the most of any field in cybersecurity, a knowledge of how computers operate is advisable.

Offensive Security

“Attack is the secret of defense” - Sun Tzu, Art of War.

Cybersecurity is a war against terrible hackers. Breaking your systems and fixing errors is the best way to prevent malicious hackers from doing it.

A popular job title is the Pentester, which stands for Penetration Tester.

Penetration Testing involves simulating real-world threat scenarios to test the security of a company’s network of systems. Simply, pentesters get paid by the company to act like the bad guys. Red Teamers are pentesters and they practice Offensive security.

Governance, Risk, and Compliance (GRC)

Companies are required to follow a lot of security regulations and industry best practices. A GRC Specialist ensures that the company stays on track with these mandatory standards.

Their role involves learning and implementing security strategies that detect and respond to cyber threats. It is a path in cybersecurity that requires little to no coding exercises at all.

Security Operations Center (SOC)

Meme Security Center

The SOC is the brain where all of a company’s security structures are managed. The job of a SOC (pronounced sock) Analyst is to prevent, detect, respond to and manage security threats.

It can be a consuming path as the infrastructures need to be managed 24/7, around the clock.

Getting started in cybersecurity can be difficult, as there are so many concepts and topics to learn. On the flip side, there are lots of resources – websites, books, training courses – available on the internet. A good place to start is Google’s IT Fundamentals Program on Coursera, supported by websites like tryhackme.com, cybrary.it, and dedicated channels on YouTube.

Conclusion

Whoosh, this was quite a journey. Across 6 sections, we discussed what cybersecurity is, who hackers are and aren’t, how scammers and hackers do what they do, how to stay safe on the massive internet, and how to start a career in cybersecurity (and make lots of money too)!

This is not a definite resource, but a general overview to introduce you to the world of hooded men (and women), badass computer systems, green screens, and the FBI. It was definitely enjoyable for me, as it should be for you.

For more on how scammers operate, visit the Scammer Payback YouTube channel and watch how they get exposed.

It’s Cybersecurity Awareness Month, so share this article with a friend, family member, co-worker, or enemy.

Other fun things you can do right now:

  • Like this article,
  • Subscribe to get more articles,
  • Message me on Twitter: @b6rav0,
  • Order a Pizza.