Thinking of Cyber Security in Relative Terms
Rather than covering a current event, we will use this briefing to highlight a common mistake people make when thinking about cyber security: the abstraction into absolute terms. As technology evolves, the question is becoming less “have I been hacked?” and more “to what degree have I been hacked?”.
Language is what we use to break down the complexity of our life into simplified chunks that we can easily communicate to others. “The sun set at 6:30pm today” foregoes information about what location the speaker is in, the color of the sky, the exact date of ‘today’ and thousands of other details that are not relevant to the conversation of two people. However, while that sentence is perfectly sufficient if the two people are discussing the level of daylight outside before going for a run in the evening, it would be completely insufficient for two astronomers discussing planetary patterns.
In general, the more complex a topic is, the more detailed the language used to describe it becomes. And the last few years have seen the number of information security topics that the average person is concerned with explode. This in turn means that terms like “hacked”, “leaked” or “secure” are often no longer enough to adequately communicate the level of a cyber security incident.
“How much” matters
Let’s look at a hypothetical example. The most common metric in recent cyber incidents is “user data leaked” and it will serve us well to illustrate this point.
When a news article or press release states that a hack led to user data being leaked, there are a number of important qualifying questions you should seek answers to.
The first is what unit the leak is described in. When the number is given in “user records”, it usually at least roughly describes how many people were affected. If the number is given in gigabytes or terabytes however, use caution. While this number is technically correct (and a great metric for professionals performing forensics), it tells us relatively little about the impact of the breach. A compressed archive of credit card numbers, names and expiry dates that is one megabyte in size can contain hundreds of thousands of records, which in turn would be a catastrophic leak despite the small file size. A leak of someone’s private collection of Hollywood movies on the other hand may consist of several terabytes of data but have no major security relevance.
Similar rules apply to user records. A leak of a million user names with no further information is likely meaningless. On most sites, user names are public anyway. A leak of usernames and passwords opens the door for password re-use attacks. A leak of usernames, passwords and email addresses puts a significant share of the affected users at significant risk. A leak of photo ID scans and social security numbers all but guarantees that the affected users will suffer significant consequences. What is leaked matters.
One of the first and most popular websites used to track if a user has been affected by a security breach is aptly named haveibeenpwned.com (‘pwned’ is hacking slang for ‘hacked’). The name illustrates how most people think of their online security. They have either been hacked or they have not. However, this distinction is becoming more and more meaningless. If you are an average citizen of any first world country with average internet habits, the answer to “have I been hacked” will almost always be “yes”. It is overwhelmingly likely that at least one of the many accounts you are required to own with various businesses, social media sites or government services has at some point experienced a breach. Whether that breach has been made public or not and whether the breach was the fault of the site’s operator or yourself is beside the point.
The vast majority of users have been affected by a breach at least once. So a much better question would be “When was the last time I got breached, what information was breached and how much of that information is still accurate?” (Reflare concedes that this is a much less catchy question - we are an infosec company, not a marketing firm.)
If your passwords leaked 3 years ago but you have since changed them everywhere, then you are probably fine. If your social security number was leaked just yesterday, then you are most definitely not fine. The nuances matter.
Incidentally, if you are not aware if, when and how you were affected by past breaches, you are most likely not fine.
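To make the “what was leaked, when, and is it still accurate” question concrete, here is an added example (not part of the original briefing or of any Reflare tool) that triages a user’s breach history the way the text describes: rotatable data such as passwords stops being accurate once the user changed it after the breach date, while photo ID scans and social security numbers cannot be rotated and stay live indefinitely. The breach records, site names and rotation dates are constructed sample input, and the severity ordering (including treating leaked card numbers as “high”) is this example’s own reading of the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Data classes the user cannot change: once leaked they remain accurate forever.
IMMUTABLE = {"social security numbers", "photo id scans"}
# Data classes the user can rotate; a rotation dated after the breach neutralises them.
ROTATABLE = {"passwords", "credit card numbers"}
LABELS = ["negligible", "low", "moderate", "high", "severe"]

@dataclass(frozen=True)
class Breach:
    site: str
    breach_date: date
    data_classes: frozenset

def live_classes(breach: Breach, rotated_on: Optional[date]) -> set:
    """Data classes from this breach that are still accurate for the user today."""
    live = set()
    for cls in breach.data_classes:
        if cls in ROTATABLE and rotated_on is not None and rotated_on > breach.breach_date:
            continue  # changed after the breach: the leaked value is stale
        live.add(cls)
    return live

def severity(live: set) -> str:
    """Map the set of still-accurate classes to the briefing's impact scale."""
    if live & IMMUTABLE:
        return "severe"      # cannot be rotated; consequences are all but guaranteed
    if "credit card numbers" in live:
        return "high"
    if "passwords" in live:
        # a reusable credential plus a cross-site identifier enables password re-use
        return "high" if "email addresses" in live else "moderate"
    if "email addresses" in live:
        return "low"
    return "negligible"      # usernames alone are usually public anyway

def triage(breaches, rotations):
    """rotations: site -> date of the user's last credential change there (None = never).
    Returns (site, label, sorted live classes) tuples, worst first."""
    rows = [(b.site, severity(lc := live_classes(b, rotations.get(b.site))), sorted(lc))
            for b in breaches]
    return sorted(rows, key=lambda r: LABELS.index(r[1]), reverse=True)

# Constructed sample history (hypothetical sites and dates).
SAMPLE_BREACHES = [
    Breach("forum.example", date(2015, 3, 1), frozenset({"usernames", "passwords", "email addresses"})),
    Breach("shop.example", date(2018, 6, 10), frozenset({"usernames", "credit card numbers"})),
    Breach("gov.example", date(2018, 9, 2), frozenset({"photo id scans", "social security numbers"})),
]
SAMPLE_ROTATIONS = {"forum.example": date(2016, 1, 1), "shop.example": None}
```

Running `triage(SAMPLE_BREACHES, SAMPLE_ROTATIONS)` ranks the identity-document leak first, the unrotated card numbers second, and the old forum breach last, because its password was changed after the breach and only public-ish identifiers remain live.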
As information security continues to move from a niche subject discussed by experts to a daily topic in average people’s lives, language must evolve to correctly convey the significance and impact of events. Unfortunately, there is and likely always will be a disconnect between experts, reporters and users when discussing breaches. By reading what is reported or disclosed carefully, you can gain a much better understanding of how incidents may affect you.