May 20, 2018

Online threats, risks, and mitigations

Have you wondered exactly how security risks arise on the Internet and what you can do about them? Here is a short summary of the more common threats, the risks that they cause, and mitigations (security measures) for those risks.

This is the "why" and the "what".  For the "how", see my blog generally and my previous blog post in particular.

Notes for the table below:
  • Most of the risks listed below can lead to theft of data, data exposure, data breach, account takeover, identity theft, reputation loss, financial loss, your spouse and/or dog running away, etc. 
  • User security awareness training: Some key tenets are "pay attention!", "look beyond initial appearances", "don't trust without a good reason", etc.
  • Strong, unique passwords: This means that each password is random and at least roughly 20 characters long, and is never used for more than one site. The only viable way to do this is to use a password manager. Use a stand-alone password manager, not one built into your browser. 
  • Two-factor authentication (2FA) / Multi-factor authentication (MFA): For account authentication, this is a second line of defense in case the first line of defense -- your password -- is compromised.  These are the common second-factor options, from most secure to least secure: 
    1. Cryptographically strong, e.g., U2F
    2. Push notification
    3. TOTP (e.g., Google Authenticator, Authy), HOTP
    4. Email
    5. SMS, phone call
  • Be aware that it's possible to phish a TOTP code, although this is a lot harder for an attacker to pull off than phishing a password. 
  • End-to-end encryption (E2EE): A service with E2EE is designed so that your data is encrypted on your device before it leaves the device for the cloud, and the encryption key used is never sent to the cloud. In this way, if your (encrypted) files in the cloud are stolen, they will be unreadable by the attacker.  (Also known as "zero knowledge" services.)

Threat: Malware, including ransomware
Risk:
  • Device compromise
  • Destruction of data
  • Theft/exposure of data (data breach)
  • Financial loss
  N.B. Ransomware increasingly exfiltrates data (i.e., copies it to the attacker's server) before encrypting it in place; the victim is then threatened with exposure of the data.
Mitigation:
  • User security awareness training
  • Email malware and spam filter
  • Device hardening, including antimalware software
  • For recovery: Data backup
  • N.B. There is no technical recovery from a data breach

Threat: Phishing to a website with a name similar to the real one; the attack vector is often email
Risk:
  • Account takeover
  • Credential stuffing
  • Theft/exposure of data (data breach)
Mitigation:
  • User security awareness training
  • Email malware and spam filter
  • Password manager: always fill your credentials on a webpage using your password manager (instead of typing them in); it will refuse to fill your credentials into invalid domains
  • Strong, unique passwords
  • MFA
  • Against IDN homograph attack:
    • Firefox browser: about:config: set network.IDN_show_punycode to True
    • Chrome, Brave: already protected by default

Threat: Password guessing on weak passwords
Risk:
  • Account takeover
  • Credential stuffing
  • Theft/exposure of data (data breach)
Mitigation:
  • User security awareness training
  • Strong, unique passwords
  • MFA

Threat: Business email compromise (BEC)
Risk:
  • Financial loss
  • Theft/exposure of data (data breach)
Mitigation:
  • User security awareness training
  • Strong, unique passwords on email accounts
  • MFA on email accounts
  • Manual verification process on financial transactions, especially out-of-band verification

Threat: Theft of credentials from Internet service provider (SP), e.g., via break-in to SP's network
Risk, case 1: SP stores the credentials properly (hashed and salted, etc.). Attacker cracks only some of the passwords used by SP's customers, viz., the weak ones.
  • Account takeover
  • Credential stuffing
  • Theft/exposure of data (data breach)
Mitigation, case 1:
  • User security awareness training
  • Strong passwords
  • MFA -- although attacker might steal MFA data too (e.g., TOTP seed)
Risk, case 2: SP doesn't store the credentials properly. Attacker accesses all passwords used by SP's customers.
  • Account takeover
  • Credential stuffing
  • Theft/exposure of data (data breach)
Mitigation, case 2:
  • User security awareness training
  • Unique passwords
  • MFA -- although attacker might steal MFA data too (e.g., TOTP seed)

Threat: Theft of personal data directly from an Internet SP providing cloud storage, backup, etc., e.g., via break-in to SP's network
Risk:
  • Theft of all data in the cloud service
Mitigation:
  • User security awareness training
  • Use cloud services with excellent security
  • Even better: Use E2EE services where possible and feasible
  • Proper initial vetting and ongoing monitoring of all cloud providers (third-party risk)

Threat: Various threats above (phishing, password guessing, theft of credentials from Internet SP, etc.)
Risk:
  • Takeover of your email account -- then takeover of all accounts that use that email account as the owner/recovery email address
Mitigation:
  • User security awareness training
  • Use an email provider with excellent security
  • Use a different (second) email address as the ownership/recovery email address for all your important accounts, instead of using your regular email address
  • Strong, unique passwords
  • MFA

Threat: Various threats from browsers
Risk:
  • Malware in ads, various risks from open networks (e.g., open Wi-Fi), etc.
Mitigation:
  • User security awareness training
  • Don't click on ads
  • Use security-type browser extensions such as HTTPS Everywhere, uBlock Origin, and Privacy Badger
  • Consider using a VPN on open Wi-Fi networks

Threat: Theft of your device: computer, tablet, phone, etc. (a physical threat, not an online threat)
Risk:
  • Theft of all data on the device
Mitigation:
  • User security awareness training
  • Full device encryption (full disk encryption)
  • Strong password or PIN
  • Enable device auto-erase after 10 incorrect guesses
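The phishing entry above says a password manager "will refuse to fill your credentials into invalid domains" and recommends showing punycode for IDN homographs. This added example (written for this page; it is not the code of any real password manager) shows the essence of that check in Python: the page's hostname is converted to its IDNA (xn--) form so a lookalike Unicode label can't pass as the real site, the registrable domain is extracted, and credentials are offered only when it exactly matches a saved site over HTTPS. The vault contents, the sample URLs and the two-label registrable-domain rule are constructed for the example; a real manager would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample vault: registrable domain of the saved site -> saved username.
VAULT = {"example.com": "alice@example.com"}


def ascii_host(url: str) -> str:
    """Hostname of `url` in IDNA (punycode) form, so a lookalike Unicode label compares as xn--...."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels. A real manager consults the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_decision(url: str, vault: dict = VAULT) -> tuple:
    """Return (username, reason) if the manager should fill, otherwise (None, reason).

    Policy chosen for this example: HTTPS only, and the page's registrable domain must equal a
    saved one exactly. Subdomain-prefix tricks, digit-for-letter lookalikes and homograph domains
    all yield a different registrable domain, so they get nothing.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None, "refused: page is not served over https"
    host = ascii_host(url)
    domain = registrable_domain(host)
    if domain in vault:
        return vault[domain], f"fill: {host} belongs to saved site {domain}"
    return None, f"refused: {host} (registrable domain {domain}) is not a saved site"


if __name__ == "__main__":
    # All URLs below are constructed for the demonstration.
    for page in ("https://login.example.com/signin",
                 "https://example.com.evil.example/signin",  # subdomain-prefix trick
                 "https://examp1e.com/signin",               # digit-for-letter lookalike
                 "https://еxample.com/signin",               # homograph: first letter is Cyrillic U+0435
                 "http://example.com/signin"):               # right site, wrong scheme
        print(page, "->", autofill_decision(page)[1])
```

The refusal reason is what a good manager surfaces to the user: seeing "xn--" in the hostname is the same signal the Firefox network.IDN_show_punycode setting in the table gives you.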
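The credential-theft entry above distinguishes an SP that stores credentials "properly (hashed and salted, etc.)" from one that doesn't. This added example (written for this page, not taken from any provider's code) shows what the proper form looks like on the server side in Python, using only the standard library: a random per-user salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256), a self-describing stored string and a constant-time comparison on verification. An unsalted fast hash is included only as the contrast: with it, every user who picked the same password gets the same stored value, so one cracked entry unlocks all of them. The iteration count, format and function names are choices for this example; consult current guidance (e.g., the OWASP Password Storage Cheat Sheet) for the work factor to deploy.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256, chosen for this example; tune upward over time.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The improper style of storage: a fast, unsalted hash. Shown only as a contrast."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Proper storage: random per-user salt + slow key derivation, in a self-describing format."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join(["pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare; malformed -> False."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # corrupt or truncated record: never accept
    return hmac.compare_digest(candidate, expected)


def identical_inputs_collide(store) -> bool:
    """True if two users who chose the same password end up with the same stored value."""
    return store("correct horse battery staple") == store("correct horse battery staple")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Correct horse battery staple", record))
    print("unsalted hash collides for identical passwords:", identical_inputs_collide(unsalted_hash))
    print("salted hash collides for identical passwords:  ", identical_inputs_collide(hash_password))
```

Even with this storage, a stolen database still lets an attacker test guesses offline at the cost of one derivation per guess, which is exactly why the table's case 1 says the weak passwords still fall and lists strong passwords and MFA as the user-side mitigations.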

Updated 2021-02-28