How Cybersecurity Really Works: A Hands-On Guide for Total Beginners
Ebook, 418 pages, 4 hours

About this ebook

Cybersecurity for Beginners is an engaging introduction to the field of cybersecurity. You'll learn how attackers operate, as well as how to defend yourself and organizations against online attacks.

You don’t need a technical background to understand core cybersecurity concepts and their practical applications – all you need is this book. It covers all the important stuff and leaves out the jargon, giving you a broad view of how specific attacks work and common methods used by online adversaries, as well as the controls and strategies you can use to defend against them.
 
Each chapter tackles a new topic from the ground up, such as malware or social engineering, with easy-to-grasp explanations of the technology at play and relatable, real-world examples. Hands-on exercises then turn the conceptual knowledge you’ve gained into cyber-savvy skills that will make you safer at work and at home. You’ll explore various types of authentication (and how they can be broken), ways to prevent infections from different types of malware, like worms and viruses, and methods for protecting your cloud accounts from adversaries who target web apps.
 
You’ll also learn how to:
    Use command-line tools to see information about your computer and network
    Analyze email headers to detect phishing attempts
    Open potentially malicious documents in a sandbox to safely see what they do
    Set up your operating system accounts, firewalls, and router to protect your network
    Perform a SQL injection attack by targeting an intentionally vulnerable website
    Encrypt and hash your files
 
In addition, you’ll get an inside look at the roles and responsibilities of security professionals, see how an attack works from a cybercriminal’s viewpoint, and get first-hand experience implementing sophisticated cybersecurity measures on your own devices.
Language: English
Release date: Jun 15, 2021
ISBN: 9781718501294

    How Cybersecurity Really Works

    A Hands-on Guide for Total Beginners

    by Sam Grubb

    San Francisco

    HOW CYBERSECURITY REALLY WORKS. Copyright © 2021 by Sam Grubb.

    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

    ISBN-13: 978-1-7185-0128-7 (print)

    ISBN-13: 978-1-7185-0129-4 (ebook)

    Publisher: William Pollock

    Executive Editor: Barbara Yien

    Production Manager: Rachel Monaghan

    Production Editor: Dapinder Dosanjh

    Developmental Editor: Frances Saux

    Cover Illustrator: Gina Redman

    Interior Design: Octopod Studios

    Technical Reviewer: Cliff Janzen

    Copyeditor: Anne Marie Walker

    Compositor: Craig Woods, Happenstance Type-O-Rama

    Proofreader: Rachel Head

    For information on book distributors or translations, please contact No Starch Press, Inc. directly:

    No Starch Press, Inc.

    245 8th Street, San Francisco, CA 94103

    phone: 1.415.863.9900; [email protected]

    www.nostarch.com

    Library of Congress Cataloging-in-Publication Data

    Names: Grubb, Sam (Cyber security consultant), author.

    Title: How cybersecurity really works : a hands-on guide for total

    beginners / Sam Grubb.

    Description: San Francisco : No Starch Press, 2021. | Includes index.

    Identifiers: LCCN 2021004423 (print) | LCCN 2021004424 (ebook) | ISBN

       9781718501287 (paperback) | ISBN 9781718501294 (ebook)

    Subjects: LCSH: Computer security. | Computer crimes--Prevention. |

       Computer networks--Security measures.

    Classification: LCC QA76.9.A25 G78 2021 (print) | LCC QA76.9.A25 (ebook)

       | DDC 005.8--dc23

    LC record available at https://lccn.loc.gov/2021004423

    LC ebook record available at https://lccn.loc.gov/2021004424

    No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

    The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

    To Shannon and Elliott, whose love and constant support gives me the confidence to do more than I ever imagined.

    About the Author

    Sam Grubb is a cybersecurity consultant and education advocate, as well as a former teacher, librarian, sandwich artist, and military helmet researcher. He currently works with companies and healthcare providers to ensure they are meeting both security and compliance needs. He believes nothing is too difficult to learn; you just need the right teacher. He enjoys reading, writing, and staying as far away from arithmetic as possible. He lives in Arkansas with his wife, son, two cats, and two dogs.

    About the Technical Reviewer

    Since the early days of Commodore PET and VIC-20, technology has been a constant companion to Cliff Janzen—and sometimes an obsession! Cliff is grateful to have the opportunity to work with and learn from some of the best people in the industry, including Sam and the fine people at No Starch Press. Cliff spends a majority of his workday managing and mentoring a great team of security professionals, striving to stay technically relevant by tackling everything from security policy reviews and penetration testing to incident response. He feels lucky to have a career that is also his favorite hobby and a wife who supports him.

    Preface

    Look at any major news source and you’re bound to find a story or two about recent cyberattacks. Whether it’s a new scam spreading across the internet, hospitals or other organizations targeted with ransomware, or even elections disrupted by other countries, adversaries try to circumvent cybersecurity in many ways. You might find these attacks of interest but think they don’t have much to do with you. However, as cyberattacks become increasingly common, attackers no longer focus exclusively on big corporations. They’ve begun to target everyday individuals. As a result, you can no longer afford to just read about cybersecurity; it’s a daily skill you need to learn and practice.

    If you’ve struggled and searched to learn about cybersecurity without first cultivating a deep technical background, look no further: this book is perfect for those who have no background in security, or even computers for that matter.

    I created this book to fill a gap. Few resources exist for those who want to understand more than just the basics of computer engineering or administration but aren’t trying to become full-fledged cybersecurity professionals. It’s designed to cover a wide range of topics across the core cybersecurity concepts. Cybersecurity is a vast field with lots of deep valleys that you can easily get lost in. Think of this book as a helicopter tour; you’ll fly over those valleys to get an idea of where you might explore next.

    To provide this overview, this book focuses on how black hats operate and the sorts of attacks that exist. At its core, cybersecurity is about defending against threats, both physical and logical, to technical assets. By focusing on what black hats attempt to do, we’ll link threats to the vulnerabilities that cause them and controls that protect against them.

    A Note on the Book’s Exercises

    The only way to learn cybersecurity concepts is to practice them. To that end, every chapter ends with an exercise that helps you apply the concepts you just learned. These exercises are designed to be completed at home and provide some insight into what you can do to make sure your systems are secure every day. They focus on the core concepts while providing practical knowledge you can use when implementing cybersecurity.

    The exercises in this book assume you’re using the Windows or macOS operating system, because of their widespread use by people and organizations worldwide. To follow along, you’ll need at least a Windows 10 or macOS X system.

    Many cybersecurity professionals and tools use Linux-based operating systems instead. Although this book doesn’t cover Linux, with a little research you can easily translate many of the concepts explained in the exercises to a Linux system. If you want to pursue cybersecurity further after reading this book, I encourage you to learn about Linux by using resources like Linux Basics for Hackers by OccupyTheWeb (No Starch Press, 2019).

    Who This Book Is For

    This book is for anyone who’s interested in cybersecurity but isn’t entirely sure what cybersecurity means. That includes people without technical backgrounds, although if you’re just beginning your technical career or are a new computer science student interested in cybersecurity, this book is definitely a great place to start. The intended audience also includes business leaders, account managers, sales and marketing professionals, or any hobbyist who might want to understand why cybersecurity is so important and what it encompasses.

    Readers of any age will benefit from reading this book. Although knowledge of some basic concepts about how computers or networking works is helpful, it’s not required to understand the topics in this book. Most of all, this book is for anyone who has ever been curious about how hacking or cybersecurity works in the real world, far beyond what you see in movies or on TV.

    What’s in the Book?

    The following breakdown of each chapter gives you an idea of the topics we’ll explore:

    Chapter 1: An Introduction to Cybersecurity This chapter explains what cybersecurity is and isn’t, the different roles and responsibilities of cybersecurity professionals, and various types of adversaries who attack computer systems. In the chapter’s exercise, you’ll set up threat feeds to learn more about attackers’ activities globally.

    Chapter 2: Attack Targets on the Internet This chapter covers how adversaries find you on the internet and includes a primer on how the internet works. You’ll learn what attackers do to find your computer or network using basic information, what attack methodology they often follow, and what you can do to hide from them online. It ends with an exercise that shows you how to use command line tools to discover information about your computer and network.

    Chapter 3: Phishing Tactics This chapter focuses on social engineering attacks that exploit human behavior. It covers different types of phishing, how black hats attempt to trick you into thinking they’re someone else, and how you can recognize these types of attacks. As an exercise, you’ll analyze emails to determine whether they’re black hat tricks.

    Chapter 4: Malware Infections This chapter describes malware and other kinds of nasty software that black hats use to gain access to your system. I’ll describe different types of malware and what you can do to prevent malware infections. In this chapter’s exercise, you’ll safely analyze files to see whether they contain malware.

    Chapter 5: Password Thefts and Other Account Access Tricks This chapter covers authentication: in other words, how you log in to a computer or accounts online. We’ll explore the types of authentication and the kinds of attacks adversaries use to break it. Then we’ll discuss what you can do to make sure your account security remains strong. The chapter’s exercise teaches you how to set up secure authentication for Windows and macOS systems.

    Chapter 6: Network Tapping This chapter explores how adversaries attack your network to find data or stop you from using the internet. It explains how wired networks work, how attackers use that knowledge to their advantage, and what you can do to stop these attacks. In the exercise, you’ll set up the default firewall installed on Windows and macOS devices.

    Chapter 7: Attacks in the Cloud This chapter discusses what cloud computing means. It then looks at ways that adversaries attack the cloud, including ways that they attack web applications. It also provides methods you can use to secure your cloud accounts against attacks. As an exercise, you’ll practice performing a SQL injection attack to better understand how attackers use these.

    Chapter 8: Wireless Network Pirating This chapter covers everything wireless-related: what wireless is, how it works, how adversaries attack the wireless internet, and the best ways to stay safe. It ends with an exercise on how to secure a wireless router from attacks.

    Chapter 9: Encryption Cracking This chapter explains encryption, how we use it, and what attackers do to break it. We’ll cover different types of encryption and attacks used to break each. We’ll also discuss how you can ensure your systems use encryption correctly. In the chapter’s exercise, you’ll learn how to encrypt and hash files.

    Chapter 10: How to Defeat Black Hats This chapter summarizes the concepts discussed throughout the book in the context of risk management practices. You’ll learn how to manage all the controls and defense measures covered in the book to make sure you have a comprehensive security program. As an exercise, you’ll create a risk management plan to guarantee you have the proper security in place to try to prevent attacks.

    By the end of this book, you’ll have a solid idea of what cybersecurity includes, what the core concepts are, how specific attacks work (and what controls you can use to defend your system against them), and how you can implement cybersecurity in practice. You’ll be ready to move on to more advanced topics based on your interests, whether they involve learning how to implement an Active Directory server, create your own encryption cipher, manage vulnerabilities, or run penetration tests. The best part is that you’ll understand how cybersecurity can affect your everyday life and what you can do to secure your devices against increasingly common black hat attacks.

    ACKNOWLEDGMENTS

    I would like to first thank my family. Without the support and faith of my wife, Shannon, I would never have been able to finish this book, let alone put a single word down. I’d also like to thank my parents and sister, who helped me develop the original idea for this book. Without all of their support, it would still be nothing but a joke about cats hacking the internet.

    I would like to thank Bill Pollock, Barbara Yien, and the team at No Starch Press. They took a chance on me and made my dream of writing a book on cybersecurity a reality. For that, I will be eternally grateful. I’d also like to acknowledge Frances Saux and Cliff Janzen. Without their editing and insight, this book would just be a pile of words. Finally, I’d like to acknowledge my fellow consultants at Edafio, whose constant mentoring and teaching make me better at security every day.

    1

    An Introduction to Cybersecurity

    Cybersecurity is a vast and diverse field. Whether you’re setting up a firewall or creating a password policy, your actions impact all levels of an organization, from its technicians and help desk to the CEO. Cybersecurity also affects every piece of technology in an organization: mobile phones, servers, and even devices like industrial control systems. A field this extensive and deep can be a little intimidating when you first enter it. This is especially true if you’re trying to learn about cybersecurity without entering the field. For example, you might be an IT department head who wants to learn more so you can better protect your organization.

    This chapter starts slow: we’ll talk about what cybersecurity is and isn’t, as well as the difference between white hat and black hat hackers.

    What Is Cybersecurity?

    At its core, cybersecurity has one driving purpose: to identify cyber threats in an organization, calculate the risk related to those threats, and handle those threats appropriately. Not every threat that a company experiences is an issue that cybersecurity deals with directly (for example, pandemics or physical damage to a building caused by a tornado or flood). In general, cybersecurity uses the CIA triad model to determine which threats are under its purview.

    The CIA triad consists of three categories of security: confidentiality, integrity, and availability. Confidentiality involves how assets and data are exposed to people or processes, and ensures that only the people who are supposed to access a resource can access it. Integrity ensures that assets and data aren’t changed without proper authorization. This not only includes items like entries in a database server, but also adding a user to a network, for example. Availability ensures that data or assets are accessible when needed. For work to continue, you must be able to access data when necessary.

    Figure 1-1 shows the elements of the CIA triad positioned in a triangle to demonstrate how you might need to balance each of them to maintain the functionality of the others. For example, if you focus too much on confidentiality, you risk significantly locking down your assets so no one else can use that data for their job, creating an availability issue. Similarly, by placing too much emphasis on integrity, you lose confidentiality, because you must be able to read data to ensure that nothing has changed. By balancing the three triad components, you can achieve equilibrium between the core elements that encompass what cybersecurity does on a regular basis.

    Figure 1-1: The CIA triad

    Some experts debate the merits of adding elements to the traditional triad to contend with new technologies or priorities within cybersecurity. One element often added is non-repudiation, which is the idea that when a person or entity does something, there must be specific evidence tying them to that action so it’s impossible for them to deny they did it.

    Cybersecurity and Privacy

    In recent years, there has been an emphasis on the relationship between cybersecurity and privacy. In this situation, privacy means the rights and abilities of a person to control how information about them is stored, shared, and used. Although the topic of privacy extends beyond cybersecurity, cybersecurity still plays a huge role in ensuring that an individual’s data is secured against malicious use. Cybersecurity is also responsible for many of the controls that allow a company to audit its data use, ensuring that it follows any necessary rules or regulations. Going forward, the protection of a user’s privacy will likely become an increasingly integral part of the cybersecurity field.

    What Cybersecurity Isn’t

    In a field as large as cybersecurity, you’re bound to encounter a few distorted ideas about its scope. To mitigate these misconceptions, it’s best to discuss what cybersecurity isn’t. Doing so will help define the field and what it actually means to do cybersecurity.

    First, cybersecurity isn’t synonymous with hacking. The media would have you believe that all cybersecurity professionals do is clack away at a keyboard, trying to break into a system. Although penetration testing—the act of attempting to break into a system you’re authorized to attack, such as your own or a client’s, to discover vulnerabilities from an attacker’s perspective—is a part of cybersecurity, it’s but one section of the field. A vulnerability is a flaw in a system, including how it’s set up or how people use it. For example, having an error in a system’s code can cause a vulnerability. Attackers create exploits to take advantage of vulnerabilities. But just because you don’t know how to execute an exploit using a flaw in a computer’s memory doesn’t mean you can’t be an expert in setting up and maintaining firewalls. This means that you don’t need to understand how every hacking tool works or exactly what the latest exploit does to contribute to the cybersecurity industry.

    Second, cybersecurity isn’t switch flipping. Some people use the term switch flipping to describe what they think system engineers or other IT professionals do: they just flip switches or configure systems without understanding the underlying processes that make a system work. It’s true that configuring a system to be secure is vitally important to cybersecurity. But securing a system can’t necessarily be done by following a checklist. It requires looking at the entire system, noting how every component interacts not only with the other components, but also with other systems to fully understand how to secure a system. In addition, professionals need deliberation and critical thinking skills to know how to secure a system in situations where it’s impossible to apply best practices.

    Third, cybersecurity doesn’t only require technical skills. Just as important as technical knowledge is the ability to translate that information into tips and resources that everyone can understand when professionals give presentations or write reports. Cybersecurity professionals work with every department in an organization, which means their interpersonal communication skills are essential. The only way your organization will become more secure is if everyone understands their role in maintaining security, which means you must communicate that role effectively.

    Black Hats vs. White Hats

    When you think of the term hacker, you probably think of someone doing something malicious to or with a computer, such as destroying files or unlocking electronic locks on doors so robbers can break in. The reason you think this way is that the media generally uses the word hacker to describe computer criminals. But not all hackers are hoodie-clad teenagers in basements banging on a keyboard while listening to death metal. In fact, people from all different backgrounds and regions participate in computer crime. The term hacker is also used to describe good cybersecurity experts: the label applies to anyone who asks questions and breaks systems, whether they’re computers or physical devices, to learn more about them, not necessarily just to commit crimes. Many specific expressions, such as bad actor, attacker, and state actor, single out cybercriminals. But in this book, I’ll call them black hats (as well as attackers or adversaries).

    As just mentioned, attackers come from different backgrounds and places, but they all share the same intent: to use their technical knowledge to commit a crime. These crimes often revolve around financial gain of some sort, either directly by stealing money or demanding ransom payments, or indirectly by stealing important information, such as social security numbers to sell at a later time. It’s important to note that not every adversary is pursuing money. They could be seeking specific information or trying to disrupt a service. There are many arguments about what constitutes a crime when it comes to malicious computer use. For the purposes of this book, I consider any violation of the current United States Computer Fraud and Abuse Act to fit the definition of cybercrime.

    On the other side of the spectrum are the white hats. White hats are cybersecurity experts who apply their technical knowledge to making systems more secure. They not only include people who work for a company’s security department, but also independent professionals who conduct security research, such as analyzing malware or discovering zero-day vulnerabilities (brand-new, never-before-seen vulnerabilities in a system or software). These people work tirelessly to try to stay one step ahead of black hats.

    In a gray area in the middle are gray hats. The activities of a gray hat aren’t necessarily malicious, but they’re not honorable either. For example, attacking a system without permission to find vulnerabilities that you then disclose to the system’s owner is a gray area, because typically white hats don’t perform any attacks without permission. Which side a gray hat falls on depends on a person’s perspective. If someone uses their skills to get past a government filter on the internet, they might look like an attacker to the government but a white hat to everyone trying to exercise freedom of speech.

    Types of Black Hats

    Although a wide variety of people fit the role of a black hat, you can still group them into categories. These categories are not meant to be exhaustive but should give you a general idea of the motivations behind black hat activity.

    Script Kiddies

    Script kiddies are adversaries who have no inherent skill and follow instructions found on
