What is Cybersecurity?
Learn how malicious hackers gain unauthorized access to computerized data. Discover how hacks happen and how cybersecurity works to defend your data and devices.
- Dark web
In July 2012, 24-year-old software developer Cody Brocious thought he was doing the world a favor.
He got on stage at the Black Hat hacker conference in Las Vegas and demonstrated a security vulnerability he’d accidentally discovered in a widely used electronic door lock. view citation
The lock, manufactured by a firm named Onity, was installed on millions of hotel-room doors across the United States and around the world. A startup that hoped to compete with Onity had hired Brocious to reverse-engineer Onity’s keycard lock and develop a cheaper alternative.
Brocious discovered, as he no doubt expected, that each Onity lock has a unique cryptographic code that triggers it to open. When a user inserts their keycard in the lock, the key supplies the code that opens it. If a lock’s batteries have died, hotels have “portable programmer” devices that can open the lock by physically connecting to it through a special port and supplying the code that way.
What Brocious didn’t expect to find was that the code to open each lock was stored in the lock’s memory. This meant, in theory, that if you could find a way to access a lock’s memory—perhaps through the lock’s special port—you could retrieve the key code and use it to open the lock without a keycard. And that’s exactly what Brocious did on stage at the conference in front of hundreds of people, using a small portable programmer he had built for less than $50.
Brocious presented his findings and published the code that ran his device in hopes that the public would understand the scope of the threat and that Onity would move quickly to counteract the exploit. The problem was that there was no easy fix for this vulnerability. Onity’s locks were electronic and computerized, but they were not connected to the internet, so there was no way for the company to push out a software patch that would remedy the problem. The only apparent solution was to replace the circuit board in each of the 4 million installed Onity locks worldwide—a massive, costly endeavor that the company at first demonstrated little willingness to undertake.
Onity moved slowly in addressing the problem, but the hacker community worked with its characteristic blazing speed to refine Brocious’ design so the device would work more reliably and fit into ever-smaller form factors. (One group of security researchers managed to create a working device that fit inside a dry-erase marker. view citation ) It only took two months before somebody used the information Brocious had provided to commit a burglary. In September 2012 IT services consultant Janet Wolf entered her room in a Hyatt hotel in Houston to discover that her laptop had been stolen. view citation The theft baffled hotel management and police because there was no sign of forced entry, and the door lock’s memory showed that no housekeepers had entered the room while Wolf was gone.
If managers and detectives were baffled, Wolf was downright frightened by the thought that someone had entered her room without permission. “I had dreams about it for many nights,” she said. “I’d wake up and think I saw someone standing there at my desk.”
As it turned out, Wolf was not the first person to have had that frightening experience; the same hotel had experienced a similar theft four days prior. Nor would she be the last: a string of thefts hit Texas hotels that year, view citation all of them demonstrating the same lack of forced entry or involvement by housekeepers. In all cases, it was eventually determined that the thief or thieves had used Brocious’ technique to steal the lock’s key code and feed it back to itself.
Onity did eventually work with its customers to address the vulnerability, view citation but the entire episode could have been prevented or greatly mitigated if any of the major players had taken a more proactive, holistic approach to cybersecurity.
Cybersecurity refers to the tools and techniques used to protect computerized devices, the data they contain, and the functions they perform from people who want to steal, damage or misuse them. This includes normal features of modern life that you deal with every day, like the passwords that protect your phone, your computer and your various online accounts, as well as practices and technologies you may not know much about, such as firewalls, two-factor authentication and antivirus software.
Why do we need cybersecurity?
The main point of cybersecurity is to protect information systems from hackers—but let’s get some terminology straight up front: Technically speaking, the word “hacker” refers to any computer expert who uses their know-how to creatively solve difficult IT-related problems. There are plenty of brilliant people involved in “hacker culture” who refer to themselves this way. In the cultural mainstream, the term is used mainly to refer to someone focused on cybersecurity issues, either as a criminal trying to subvert security protocols (a “black hat” hacker) or as a security expert who probes systems for weaknesses in order to strengthen them (a “white hat” hacker). There are also “gray hats” who use illegal methods to accomplish ostensibly ethical objectives. Which category you think a given hacker fits into might say more about you than about the hacker.
Most black-hat hackers are motivated by money. For instance, hackers who commit identity theft don’t usually don’t try to steal your entire identity outright; they just want useful facts about you—such as your name, home address, email address, date of birth, phone number or hometown—which they can then use to obtain more valuable information: Social Security number, credit card numbers, account passwords. Once they obtain enough of your identity, they can use that information to apply for loans or buy expensive items that they can then resell.
Whether it’s through identity theft, remotely hijacking your computer and holding it for ransom, or other forms of theft and fraud, the damage such hackers do to your credit rating or your bank account is entirely incidental to them. All they care about is their own financial gain.
Other hackers develop and transmit computer viruses that disable the IT operations of companies, governments, or ordinary users just for fun or perhaps so they can claim bragging rights and boost their cred within the hacker community. This was the case with MyDoom, a 2004 virus that spread so effectively through email that at one point it accounted for 25% of all emails being sent worldwide. The virus coordinated infected computers to mount an attack on Google that crashed the site, rendering the search engine unusable for an entire day. MyDoom caused an estimated $38 billion in damage before it was contained, although savvy computer users take note: As of 2019, MyDoom is still active in the IT ecosystem. view citation
In addition, some “hacktivists” steal data from organizations they believe to be acting unethically so they can reveal those perceived misdeeds to the public. This was the motivation of computer expert Edward Snowden, who stole an estimated 1.7 million files view citation from the U.S. National Security Agency and provided them to journalists so they could expose the scope of the NSA’s domestic spying activities.
And if individuals can use the techniques of hacking to attack governments, guess what: Governments can hack each other too. That’s what happened when the Iranian government started having inexplicable problems with the centrifuges they were using to enrich uranium. It turned out that the computers they were using to control the centrifuges had been infected by a computer “ worm” called Stuxnet, view citation which is widely believed to have been developed by a team of developers working for the U.S. and Israeli governments.
Where does cybersecurity operate?
By now it should be obvious that anywhere there’s a computerized device or system, there might be a hacker who’s looking for a way to misuse or damage it. In our increasingly IT-saturated world, that means cybersecurity countermeasures are in place all around us. Here are the primary domains where cybersecurity plays an important role.
Most of today’s cars and trucks are practically rolling laptops, with a wide array of important vehicle systems controlled by sophisticated onboard computers. Many of them also have the capacity to use Wi-Fi and Bluetooth to communicate with passenger devices, cell networks and the internet, making them also resemble smartphones on wheels.
It’s that wireless connectivity that allowed a team of security researchers to remotely hack into a Jeep Cherokee view citation and take control of functions ranging from the wipers and the radio to the brakes, accelerator and transmission. The researchers sent their findings to Chrysler and gave a presentation on the exploit at the next Black Hat conference (which is actually for white-hat hackers), giving automakers a chance to patch such vulnerabilities.
Firms of every size, from family-owned restaurants to multinational corporations, rely on computers to do business, creating a vulnerability that hackers can exploit. Hackers have an obvious incentive to steal a business’s financial information, such as bank account numbers that could give them access to the company’s cash, but the threats don’t stop there. Companies need to protect their trade secrets from being stolen in acts of corporate espionage, and retail businesses have to safeguard their customers’ payment information from being purloined.
This is the vulnerability that retail giant Target fell prey to in 2013. An HVAC company had legitimate permission credentials that allowed it to access Target’s network so the company could remotely monitor in-store heating and cooling systems. Hackers stole those credentials and used them to access Target’s point-of-sale payment systems, where they recorded information on the more than 40 million credit and debit cards used in Target stores during the 2013 holiday season.
The hackers then sold the stolen credit and debit card information on the dark web. After the hack was discovered, Target’s CEO and CIO both resigned under pressure, and the company eventually paid $18.5 million view citation to settle class-action claims by 47 states and the District of Columbia.
Companies take a wide variety of measures to ensure that their IT assets are defended against hackers:
- Information classification is the process of identifying, categorizing and locating the different kinds of information in the company’s custody. You won’t know what you need to defend until you know what you have and where it is.
- Control measures are the various security controls used to safeguard information, devices and networks, such as card-restricted access to certain computing resources, antivirus software that monitors network activity, password protection for accounts and computers, and special approval procedures for a defined set of high-risk operations.
- Penetration testing is when white-hat hackers attempt to hack into a system in an effort to detect vulnerabilities that a black-hat hacker could exploit. Any security flaws they discover are brought to the attention of company leaders, who decide how best to address the gaps before a bad actor slips through the cracks.
These are the IT devices individuals use every day—the smartphones, tablets, laptops and desktop computers we use for school, work or personal purposes. Every one of these devices constitutes a potential point of entry for hackers, which is why we use passwords, antivirus software, network firewalls and other cybersecurity measures to keep our individual devices safe. Remember, MyDoom spread via email, which means it did $38 billion in damage via the end-user devices that people used to open the infected emails and unwittingly spread the virus.
Energy firms and other utilities
If a government or a terrorist organization wanted to attack a hostile nation from a remote distance, for a minimal cost and without risking any lives, a cyberattack on that nation’s energy grid, water supply or other public utilities would be a great way to do it. Perhaps that’s why the U.S. Department of Homeland Security recorded 79 hacking incidents at energy companies view citation in fiscal year 2014.
The financial sector
Many economists will tell you that if you really want to make money, you need to get into the financial sector: firms that make money in the business of investing money itself, including investment firms, banks, and mortgage lenders. This of course makes such firms attractive targets to hackers. In 2016 and 2017, a single hacker group called MoneyTaker conducted 20 confirmed attacks view citation on financial institutions in the United States, Russia and the United Kingdom, stealing in excess of $11 million from the companies.
At the federal level, IT systems contain valuable state secrets. That’s why hackers likely working for the Chinese government hacked into the U.S. Office of Personnel Management and stole records on 4.2 million people view citation in 2014 and 2015, including the highly confidential forms people filled out to qualify for classified, secret and top-secret security clearances. Federal cybersecurity activities include the following:
- The Computer Fraud and Abuse Act, one of the first federal computer fraud laws passed in the United States, was enacted to penalize hacking. In the thirty-plus years since then it has been amended a number of times to keep pace with technological developments.
- The U.S. Department of Homeland Security includes a number of cybersecurity divisions within its organizational structure, including the Cybersecurity and Infrastructure Security Agency, the Office of Cyber Security and Communications, and the National Cyber Security Division. Each unit has its own mission and scope of authority, but they’re all focused on protecting the nation’s IT assets from foreign attack.
When it comes to protecting their own systems and information, the greatest threats facing federal organizations are malicious outsider hacks and inadvertent breaches caused by negligent employees or contractors.
State governments are taking steps to fend off criminal hackers, but they’re also concerned about the difficulties they face in trying to obtain the personnel and funding they need to fix known vulnerabilities in a timely fashion. Some states are doing a great job of allocating resources to cybersecurity and implementing best practices; others, not so much. view citation
Local governments are facing the same challenges but even more so, which is why a number of city government IT systems have recently fallen prey to costly attacks. For instance, in 2019 hackers infected Baltimore’s IT systems with ransomware. The attack shut most of Baltimore’s city government computers down, view citation affecting everything from email to water bills to phone systems. The city didn’t pay up and was eventually able to expunge the infection and restore full IT service, but the budget office estimates that the attack will cost Baltimore at least $18.2 million view citation in lost or delayed revenue and restoration costs.
The internet of things
As demonstrated by the Jeep and Target hacks described above, more and more of the devices we interact with every day are connected to the internet. The internet of things (IoT) allows us to use a doorbell camera to check on our porch activity from work, or to turn our lights or music on or off by telling the smart home assistant what to do.
You can even use the IoT to track the temperature in an aquarium, as a certain casino once did—until the aquarium’s internet-enabled thermometer got hacked. view citation Attackers took advantage of the thermometer’s weak cybersecurity to gain access to the casino’s network, which they used to steal personal information on all the casino’s high-roller clients.
Vulnerabilities of IT Systems
In the days of medieval warfare, if you wanted to attack a castle, you looked for weaknesses in the castle’s defenses. Maybe you could shoot your arrows through windows or over the tops of the walls, if you could get close enough. Alternatively, in the right tactical situation you could lay a siege, in which case you could try to knock down the front gate with a battering ram. But you wouldn’t bother shooting arrows at the castle’s stone walls or battering a ram against them because that would be a waste of time.
Hackers think the same way. Every IT device and system has weaknesses; successful hackers focus their attacks on those weaknesses and exploit them. All the points at which a hacker could try to gain unauthorized access are together referred to as the “attack surface.” Each attempted or successful hack has its own attack surface, which usually includes one or more known vulnerabilities.
For instance, hackers who are thieves or spies typically try to obtain unauthorized access to a system’s data. This term refers to the valuable information—such as email addresses, credit-card numbers, Social Security numbers and passwords—that is stored on devices and transmitted over networks.
Devices, in turn, are the pieces of IT hardware, such as phones and computers, that we use to create, edit, store and transmit data. As we’ve seen, access to individual devices—via users’ email inboxes—featured significantly in the spread of the MyDoom virus.
Another way to target a system is to try to infect its software. These are the programs we use to operate our devices, such as social-media apps on smartphones and web browsers on laptops and desktop machines. Many pieces of “malware” (malicious software, including viruses and worms) have successfully spread by infecting software. One recent example is Hancitor, a piece of malware that infects Microsoft Word documents view citation so it can deliver ransomware to contaminated machines.
For greater efficiency, hackers often focus their efforts on networks rather than on individual devices. The reason is simple: If you gain access to a network, you may gain access to every device on the network and all the data they contain. The Target hack and the Baltimore city government hack both exploited this principle to gain maximum leverage with minimum effort.
Types of Attacks
Just as physical security violations can happen in many ways—a burglar climbing in through a window, a thief nabbing an item from a store shelf—cybersecurity breaches can, too. Let’s take a look at some of the most common types of cyberattacks:
Malware is an umbrella term referring to a number of different kinds of hacking tools. For example, viruses are programs that embed themselves in another software program. Once embedded, they produce copies of themselves and insert those copies into other programs on the infected computer. When the user runs a piece of virus-infected software, the virus is activated, causing it to perform such actions as corrupting or stealing data, logging the user’s keystrokes or rendering the device useless.
Worms are similar to viruses, but rather than setting up shop inside another software program, they install themselves in a totally separate location. For this reason, a worm doesn’t require the user to activate it by using an infected program. Once the worm is installed on a machine’s hard drive, it can replicate itself and transmit the copies over a network at will.
Ransomware is a type of malware that typically renders a device or its data unusable and then demands that the victim make a ransom payment to an anonymous hacker if they ever want to use their device or see their data again. If you get hit by a ransomware attack, you won’t be asked to meet under a dark bridge at midnight for a handoff; ransomware hackers demand payment in cryptocurrency, which is difficult to track. However, extortionist hackers have a history of not keeping their promises, so cybersecurity experts advise never paying ransom to a hacker.
Phishing involves a hacker sending an email that looks like it’s coming from a trusted source. The phishing email will usually ask you to take some sort of action that requires you to provide personal information. For instance, you may receive an email that looks like it’s from Gmail, asking you to reset your password. If you click the link that purports to direct you to a Gmail page, you’ll instead be sent to a fake webpage carefully crafted to look like a real Gmail page. When you provide the requested information, you’ve just given the hackers your password.
Clickjacking attacks typically feature a webpage that has a button inviting you to click it to win something, such as a free vacation. When you click the button, you’re actually clicking on a hidden button contained in an invisible layer beneath or above the button you can see. The invisible button performs a malicious function, such as downloading malware to your computer.
Backdoors are programs that enable unauthorized remote access to a machine’s software or operating system. One of the things a worm or virus can do on an infected machine is to install a backdoor that would allow hackers to install additional malware (such as a program that monitors keystrokes in order to steal passwords), steal the device’s data or take over the device themselves.
Bots (short for “robots”) are software applications that run automated tasks. Most bots are benign; in fact, more than half of all web traffic is controlled by bots. They fetch and analyze information on the web much faster than humans can. But when hackers use bots, they can be dangerous. Hackers use bots to have fake conversations with unsuspecting people, attempting to get them to hand over personal information. When hackers manage to surreptitiously install bots on a large number of machines, they can use their impromptu bot network (called a “botnet”) to perform a distributed denial of service attack (see below).
Distributed denial of service
Distributed denial of service (DDoS) typically uses thousands of host machines infected with bots to send an overwhelming amount of network traffic, such as email messages or requests for connections, to a target system, such as a company website or online service. The aim is to crash the target and render it unusable by overwhelming its system resources.
Some hackers perform DDoS attacks for political reasons or for the pure destructive joy of it, but others pursue these attacks for more coldly rational motives. From 2015 through 2017, a hacker group called the Armada Collective used threats of DDoS attacks as an extortion tool against a number of firms around the world, including banks in Greece view citation and South Korea. view citation
Social engineering, unlike most other forms of cyberattacks, involves human interaction. This attack is a form of con artistry that plays on people’s helpful or curious nature to get them to hand over personal information. For instance, an attacker can stalk someone on social media to find out exactly what could motivate that person to share personal information. It might be fear, in which case the attacker could write or call and say something like, “This is the IRS. You owe us money. You can solve this problem by giving me your credit card information right now.”
Hackers who use social engineering also can do something as simple as calling your bank or cell phone company and using what little they know about you—plus some skillful deception—to fool the person on the other end into thinking the hacker is you. Then the hacker can gain access to your account and even lock you out of it.
Defenses Against Hacking
We’ve discussed the basics of what cybersecurity is, where the vulnerabilities are and how cyberattacks are happening—along with some hair-raising examples of real-world attacks. Now let’s check in on the white hats. How can cybersecurity measures defend us against attacks?
Cybersecurity relies mainly on three processes: prevention, detection and response.
This includes such technological measures as passwords, antivirus software and firewalls to prevent hackers from gaining unauthorized access to devices, data or networks. Prevention also includes proper security training for customer service representatives so they won’t give out your account information to a hacker using social engineering, and for a company’s employees so they won’t open suspect emails or click suspicious links.
Other prevention measures include the use of software packages called vulnerability scanners to assess computers, networks and applications for known vulnerabilities such as open ports, insecure software and malware susceptibility. In addition, companies often hire security auditors to test systems for vulnerabilities. For example, a bank may hire a white-hat hacker known as a “penetration tester” to try to break into its information system so the firm can discover and remedy any security weaknesses the tester finds.
Perhaps the most effective prevention measure of all is a “security by design” approach. In this approach, computer networks, programs and systems are intentionally designed to minimize the risk of cyberattack. A formalized security infrastructure design automates controls and streamlines auditing. Engineers spend more time up front developing software to control system security consistently, instead of patching servers as issues come up.
Even when good prevention procedures are in place, hacks can happen, which makes detecting the attack crucial. Computer and system activity logs provide clues to how the attack happened and what’s been compromised, enabling the victim to decide what to do next. Good antimalware systems will provide warnings of unusual server or network activity that indicates a system breach.
A response to a digital attack can vary in severity, from upgrading protections to notifying law enforcement to launching counterattacks, depending on the nature of the hack. Unfortunately, companies under attack don’t always respond appropriately—and sometimes they don’t respond at all, at least at first.
This was the case with the Target hack of 2013. The network had a malware detection system in place that raised security alerts when it first detected unusual activity at the beginning of the attack on Nov. 27, but for some reason the company didn’t take action to stop the breach until Dec. 13, when executives met with the U.S. Justice Department and informed them of the hack. Even then it took another two days for Target to remove the malware from its systems and devices. This inexplicably slow response to a successfully detected attack no doubt affected the size of the hefty penalty Target was later obliged to pay.
Cybersecurity’s purpose is clear: to keep people and data safe while saving companies from financial loss. Digital pirates are out there, and we all have to be smart in assessing our digital interactions. But we also expect companies to safeguard the information we so readily share. That’s what makes cybersecurity such an important—and valuable—part of modern life, now and for the foreseeable future.
The Hotel Room Hacker.” Wired. August 2017. View Source
“Hackers Crack Hotel Room Locks With A Tool Disguised As A Dry Erase Marker.” Forbes. October 2012. View Source
“Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins.” Forbes. November 2012. View Source
“Security Flaw In Common Keycard Locks Exploited In String Of Hotel Room Break-Ins.” Forbes. November 2012. View Source
“Lock Firm Onity Starts To Shell Out For Security Fixes To Hotels' Hackable Locks” Forbes. December 2012. View Source
“MyDoom: The 15-year-old malware that's still being used in phishing attacks in 2019.” ZDNet. July 2019. View Source
“Pentagon Says Snowden Took Most U.S. Secrets Ever: Rogers.” Bloomberg News. January 2014. View Source
“The Real Story of Stuxnet.” IEEE Spectrum. February 2013. View Source
“Hackers Remotely Kill a Jeep on the Highway—With Me in It.” Wired. July 2015. View Source
“Target Settles 2013 Hacked Customer Data Breach For $18.5 Million.” NBC News. May 2017. View Source
“Hackers attacked the U.S. energy grid 79 times this year.” CNN Business. December 2014. View Source
“Moneytaker Steals Millions from the Financial Sector.” SBS CyberSecurity. December 2017. View Source
“The OPM hack explained: Bad security practices meet China's Captain America.” CSO. November 2018. View Source
“How state governments are addressing cybersecurity.” Brookings. March 2015. View Source
“Baltimore city government computer network hit by ransomware attack.” The Baltimore Sun. May 2019. View Source
“Baltimore transfers $6 million to pay for ransomware attack; city considers insurance against hacks.” The Baltimore Sun. August 2019. View Source
“Hackers stole a casino's high-roller database through a thermometer in the lobby fish tank.” Business Insider. April 2018. View Source
“macro virus.” TechTarget. January 2018. View Source
“Armada Collective launches DDoS attacks against Greek banks.” welivesecurity. December 2015. View Source
“South Korean banks told to pay $315,000 or suffer DDoS wrath.” Graham Cluley. June 2017. View Source