Wednesday, April 19, 2017

Financial Cyber Security: #2 The "Safer Than Your Neighbour" Theory

Okay, I know a lot of cyber security experts don't really believe that this is a real thing, but I believe that it is.

Example 1

When I was in the Netherlands (the land of bicycles), I was always told that the safest place to park my bicycle is NOT a well-lit, highly trafficked place.

It is in fact to park it in between bicycles with smaller locks and thinner chains.

If a bicycle theft is going to steal a bunch of bicycles, he is going to go for the easiest ones. The marginal ones. He has a physical real-world limitations of just how many bicycles he can steal and how much time he has to steal them.

So this theory works by not analyzing only what security measure you have taken, but by looking at others and strategically making yourself excluded from being targetted by being comparatively a harder target.

The idea of this can be very easily summed up in this age old story that I am sure you have heard before:


Sometimes different animals are used in the story, like a lion or tiger, but the point is still the same.

For me to be safe, I only need to be a harder target than the rest.

Cyber security experts don't really believe this because a hacker doesn't really have real-life constraints. If he wants YOUR "bicycle", he can send his machines (or network of machines) to run multiple attack vectors to try and get your bicycle. In that sense, it is true that just having slightly better security than the next does not keep you safe.

However, this theory still does work in a general sense.

Example 2

Say for example, if a whole bunch of encrypted credentials were leaked, hackers could work on breaking these encryptions.

Was your encryption done with a 56-bit key? It takes 6 minutes to crack
64-bit key? 8 minutes.

Damn.

But wait, what if I was using a 256-bit key? How long would that take then? The world's fastest supercompuer would have to run for 9 years straight to break that encryption. I would put that as pretty safe and I'm pretty darn certain that after 10 minutes they are just gonna skip yours and continue onto the rest.

Example 3

If you saw a bunch of handphones lying neatly in a row, and I told you that your mission was to access the handphone and search for private information, which of these would you choose to target?

Handphone 1: Fingerprint scanner
Handphone 2: Iris scanner
Handphone 3: Alphanumeric password
Handphone 4: 8 digit PIN
Handphone 5: 6 digit PIN
Handphone 6: 4 digit PIN
Handphone 7: Pattern
Handphone 8: No password

I'm sure that you would go straight for #8, and then choose either #7 or #6 and then just get stuck. You wouldn't even bother to attempt to try any of the rest.

Conclusion

Unless you are a high-profile person or are being specifically targetted to be attacked, understanding and utilizing this "safer than your neighbour" theory can help you stay relatively secure. Using this theory does require you to understand what is the "norm" that people do and to try and keep yourself at least one, if not, several steps ahead of them.

This theory works based on deterrence. If no one decides to attack you (because they have decided to attack other relatively easier targets), you don't even have to worry if your defenses can hold.

Of course, this is not a complete solution by itself. It just helps knowing how attacks select their targets and how to avoid painting yourself as an easy target.

QUIZ TIME! Practical example:

An identity theft is looking at a list of emails to find a good target for his attacks. There are 4 men named John Tan. Who would the identity theft think about attacking first? Who would be last?

1) JohnTan95@yahoo.com
2) John_Tan_Ah_Huat1995@hotmail.com
3) johntanah@gmail.com
4) jtah@protonmail.com

Winner gets... practical understanding of how this theory works!

2 comments:

  1. Replies
    1. That's right!

      (full) First Name
      Last Name
      Year of birth

      Just his email address gives away so much about him!

      1 and 3 are almost just as bad, giving away short name + year of birth or initials.

      4 is the best because it could be a random smattering of words, or just as likely to be the initials of a random Jane Teo Ai Hui.

      Delete

Observe the house rules.