MITM Read This
Imagine a crook is trying to mug you, hoping you won’t notice until it’s too late. So we aspire to be Crocodile Dundee (youtube link), bearing in mind he defends without attacking (much). Incidentally, in my opinion our best defence is to dump external email (anything from the internet) and use practically ANYTHING else. That would also kill off the spam problem, for a while or even permanently, and with it phishing’s prime method; phishing is arguably the greatest cause of grief. Having your email identity spoofed is VERY frustrating, to put it mildly. Get this wrong and your computer can be used by crooks for their own purposes, such as sending spam and/or attacking other computers, without you knowing, for ever. Hundreds of thousands of computers around the world are in use as such, while their owners remain blissfully oblivious.
MITM stands for Man In The Middle attacks.
Remember that all that follows is my view of it. I am NOT a cyber tech, but I have to work with all these things to be in business - and so do you, whether you are aware of it or not. Can you imagine running a business and not being aware of all that follows? Most do.
A couple of other expressions are “attack vector” and “attack surface”.
When all’s said and done those are really a bit vague unless you are a cyber specialist. However, jargon has its place because it facilitates communication between those who know, like a different language. So we can pick up a few of the terms to help us along. I am going to copy the list of common attack vectors from the Wikipedia entry linked below.
Attack vectors include user input fields, protocols, interfaces, and services. There are over 100 attack vectors and breach methods that hackers can use. Here are some of the most common attack vectors: https://en.wikipedia.org/wiki/Attack_vector
Some common attack vectors:
exploiting buffer overflows; this is how the Blaster worm was able to propagate.
exploiting webpages and email supporting the loading and subsequent execution of JavaScript or other types of scripts without properly limiting their powers.
exploiting networking protocol flaws to perform unauthorized actions at the other end of a network connection.
phishing: sending deceptive messages to end users to entice them to reveal confidential information, such as passwords.
What are these exactly?
I have split them into two types. Initially I put “misconfiguration” in both lists and then changed my mind. I have also added my own take (attempt) on who or what needs our attention for each. All general of course; for example, anyone can suffer a DDoS attack.
Attack vectors
HUMAN weakness
Compromised credentials - user attitude and attention
Weak and stolen passwords - user; check haveIbeenpwned.com
Malicious insiders - beware traitors
Missing or poor encryption - owner and users
Misconfiguration - owner and users (byod)
Ransomware - owner and user training
Phishing - user training, “don’t click links!”
Trust relationships - beware MITM attacks.
COMPUTER weakness
JavaScript threats (Magecart) - web site owners
Distributed Denial of Service (DDoS) - enterprise service providers
Brute force attack - server admins
Zero-day vulnerabilities - software developers
Misconfiguration - once set, a system issue.
Attack surfaces
That’s a long list, yet short in so far as it gives us the context of what we have to be aware of as regards “common” ones. Elsewhere in my pages here you can see I have a narrow focus on ransomware, which is because there is no real-time (that means right now, immediate, instant) defence yet. Zero-day is a bit worrying, but we have to rely on our confidence in our suppliers - which means that also needs our attention.
OK, so that’s what “vectors” look like. The following is also copied from the Wikipedia entry for Attack surface:
An attack surface composition can range widely between various organizations, yet often identifies many of the same elements, including:
Autonomous System Numbers (ASNs) - vast numbers of IP addresses are managed by typical ASNs, as in hundreds of thousands, and they supply the suppliers that supply us.
IP Address and IP Blocks - still huge blocks of IP addresses, but managed by our direct suppliers, such as Heart Internet or 123-Reg.
Domains and Sub-Domains (direct and third-parties) - The registrant (i.e. you) so we manage registration details and maybe DNS.
SSL Certificates and Attribution - We validate and buy from them.
WHOIS Records, Contacts, and History - We manage these.
Host and Host Pair Services and Relationship - unknown.
Internet Ports and Services - Firewall manager, me/you.
NetFlow - I think this is above our pay grade, i.e. an enterprise matter.
Web Frameworks (PHP, Apache, Java, etc.) - Web server manager.
Web Server Services (email, database, applications) - ditto, especially email.
Public and Private Cloud - Again us, but typically at the level of dropbox, gdrive and onedrive type of things, running your own cloud is out of my scope here.
I have not split the above because they are, I think, all computer matters, not human. However, there is of course usually a human role that is responsible, so I will have a crack at adding what I think these are, by reference to who is “hands on” as opposed to who carries responsibility - that’s the IT director or similar title, or maybe just you with that hat on.
Summary call to action
So, from that list, the ones where we interact directly in our “one-person, non-IT-tech” business I draw out as the following:
Domain registration management
Whois management
Firewall management
Cloud storage
And, more technical, not for the faint-hearted:
Server management PHP, Java, Apache, databases and applications.
CAN I BUY SOLUTIONS?
Yes, and the most obvious is Google’s Gmail and its associated array of apps and services. However, it is possible to engage with them and fail to understand what you are buying, thinking there is no need to think - all perfectly normal. By way of an example, if you are one of these, go check their application of “DKIM” and how that affects your email security, as in is it good, better or best. For multiple email accounts the issue with Google is cost-per-user, so there is a temptation to share, for example, a “sales” email between all sales staff, which is a cyber security risk - see Attack Vectors.
CONCLUSION
So, as above, it is possible to find service providers who offer to provide all of these things. Let us say you do that.
What that leaves is my cut-down Wikipedia list of HUMAN weaknesses listed above. There really isn’t a dodge for those. You have to be aware of them and behave appropriately. For example, never use the same password twice, and preferably never use a login email more than once. Be aware that password strength is determined by length, not complexity. The received wisdom is to use a “password manager”, of which there are several.
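As an added worked example (not part of the original page), the “length, not complexity” point can be put in numbers. The script below compares the entropy of randomly generated passwords under different policies; the character-set sizes and the assumed guess rate of 1e11 per second are my own assumptions for illustration.

```python
import math

# Assumed character-class sizes (printable ASCII); not values from the page.
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "symbols": 33,
}


def entropy_bits(length, classes):
    """Bits of entropy for a password of `length` characters chosen
    uniformly at random from the union of the given character classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def years_to_exhaust(bits, guesses_per_second=1e11):
    """Worst-case time for an offline attacker to try every candidate at the
    assumed guess rate (1e11/s is a rough figure for a fast hash on GPUs)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(policies):
    """Return (name, length, bits, years) rows, strongest policy first."""
    rows = []
    for name, length, classes in policies:
        bits = entropy_bits(length, classes)
        rows.append((name, length, round(bits, 1), years_to_exhaust(bits)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample policies: one short "complex" policy against
# progressively longer lowercase-only policies.
POLICIES = [
    ("8 chars, all classes", 8, ["lower", "upper", "digits", "symbols"]),
    ("12 chars, lower only", 12, ["lower"]),
    ("16 chars, lower only", 16, ["lower"]),
    ("20 chars, lower only", 20, ["lower"]),
]

if __name__ == "__main__":
    for name, length, bits, years in compare(POLICIES):
        print(f"{name:24s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
```

The figures only hold for passwords a manager generates at random; a human-chosen phrase of dictionary words has far less entropy per character than this model assumes.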