Digital Security, an Analogous Overview
Rather than try to scare you with statistics or case histories, I wanted to share a way to think about digital security that should be familiar to you. While this may not be entirely accurate, hopefully, it will be entirely relatable.
So, you’re at work, at the counter helping customers when you get a UPS letter. Just looking at it, you can tell that it’s not just a document as it’s got a square shaped bulge on one side. Looking at the address, it does have your name on it and your work address. When you look to see who sent it, it says Wells Fargo Accounting Department. This is even stranger now as you don’t have an account with Wells Fargo. Maybe the company does? But Why would they send it to you? You don’t work in accounting. You have a decision to make at this point, do I open it or not?
But before we get to the exciting conclusion, you have to forget the fact that UPS has high explosives sniffers (at least, I hope they do!) and this package would never get to you.
OK, back to our story. So, you open the package, and there is indeed a letter that says ‘Now that you’ve armed the bomb, you need to pay us $10,000 to disarm it or boom!’. Well, luckily, you just happen to have 10 grand lying around so you put the money in a trash bag and place it outside per the note. A guy pulls up in a white panel van, the door slides open, another guy jumps out, grabs the money and shouts, “We don’t even know how we built the damn thing, much less how to disarm it. Good luck!”. He slides the door closed and they speed off.
Now when I say boom you may think, OK, it was a small bomb, how much damage could it possibly do? Well, let me tell you, not only did it take out the sales counter, it was so powerful that it caused the whole building to collapse! Over the course of the next year, the company fought with insurance to get paid for the damages, and then they rebuilt the store. They of course mourned the loss of you and all the other workers onsite that day.
OK, so this a dramatization, ala Michael Bay, and most ransomware does not result in loss of life, at least not directly. Not so fun fact, hospitals and medical facilities are one of the most targeted for ransomware attacks. While the encryption of all the medical records doesn’t directly kill anyone, the delay in getting them recovered or restored, can. Most facilities have backups that can be restored (the equivalent of Superman swooping in and taking the bomb into space to explode) but some don’t so they pay the ransom, only to discover that the idiots that built it, can’t get the decryption to work and now those files are worthless.
Let’s rewind back to the package, this time it looks normal. Again, you decide to open it even though you don’t have an account there. There is an official looking notice (it’s got the horse drawn carriage and everything) that reads ’There has been a mistake with your account and we have a check for $5,000 for you. Please come to our offices at 1234 W Nowhere St. So, you go there on your day off and go into what looks like a Wells Fargo branch office. You tell them you got this notice and your there to pick up you check. The suspicious looking receptionist, because of the tentacles, asks you to follow her to the signing room. It’s a dark corridor, lots of strange smells, but hey, it’s five grand so you muscle through. She opens the door and asks you to take a seat while she gets the manager, oh and don’t mind the pod in the room. You fall asleep while waiting and now your alien clone goes back to the office and embezzles money, sells people’s identities and credit card information to the highest bidder all the while using your name. Of course, your paralyzed and encased in goo so...
You’ve just been the victim of a phishing attack! You get an email asking you to go to a website. The really bad part about this, is that they can sometimes spoof email from other people you know, or even people or departments at work. When you get something you weren’t expecting, call or talk with the person that sent it to you to verify before opening.
In this last scenario, your walking through the parking lot to go to work when you see a package outside. You take it inside. Faced with the decision once again, do I open it to see what it is? You’ve done it twice before, why mess with a streak. This time, it doesn’t go boom. There’s no note. Only a faint hissing sound when you break the seal and then nothing. You go about your day. After a few hours, you and everyone else in the building, gone.
You’ve just become the victim of a social engineering attack! Hackers have been known to put thumb drives in parking lots, ‘State Actors’ offer free USB fans and the like, there’s even a USB killer device which, once it’s plugged in, killing the motherboard. All of these types of attacks prey on human nature.
If you only take away one thing from all of these scenarios, it’s BE SUSPISCIOUS! If you get something you know is bogus, you can just delete it. If you get a suspicious email or device that you’re not sure about, have it checked out. Be safe out there!