There's lots & lots of misinformation, propaganda, sales pitches, and just plain ol' BS floating around when it comes to PC or cyber security. Some of it is caused by ignorance, some of it is someone(s) pushing an agenda, some of it is someone(s) trying to get rich on your dime, and then there are scams. Doesn't help in the least that since last year politics may also be involved.
I've been trying to write this for a while, with several rewrites to date. Several times stuff has happened in the world that made me say I've got to get this posted now, but I was either unhappy with what I wrote, or it seemed my concerns of the moment might have been overblown. That changed today with an article on Windows Central. I tagged my take on this at the end because that's where it fit best I think.
Things to know 1st...
Cyber criminals have been stealing billions of dollars from banks & other businesses for many years. Yes, it is possible to successfully attack utilities [e.g. the electrical grid] and industrial plants, but the difficulties & resources & motivations needed probably mean that it would only be carried out by a nation state, which would also probably be an act of war. While high-level cyber spying, theft, & attacks take more resources than most criminal groups are likely to spend, it does take less than more conventional military build-up & development, so it can serve as an equalizer of sorts.
While many nation states do have quite large efforts when it comes to cyber spying, preparing for attacks etc. [it's been published that the CIA for example has thousands of people working on this stuff every day], it seems [according to published info] that most current activity is carried out by smaller groups that may or may not have different levels of government ties. The equivalent of IRL [In Real Life] crime syndicates also probably exist.
There's a sort of hidden economy, with goods and services actively being sold. A would-be cyber criminal can buy the tools needed, e.g. software kits, complete with training & support. There's the equivalent of IRL fences, to turn stolen loot into cash. Out in the open there are several cyber arms dealers -- many likely stay in biz by saying they'll only sell to nation states. There are similar companies with services tailored for big business, e.g. corporate spying.
People are, well, people, and human nature is human nature, online or IRL. Most cyber crime mirrors crime IRL, the major exception being the long reach of criminals -- the cops may catch the thief down the street & put them in jail, but there's not much they can do when the culprit lives in an unfriendly country. It's been published that in some countries the golden rule among cyber criminals is to only go after victims in other countries, to encourage law enforcement where they live to look the other way.
IRL scams & cons have existed forever because human nature is so constant & predictable -- online it's more so. Easier & simpler is better, regardless of a criminal's resources &/or skills -- phishing & similar scams dominate the landscape. In a close 2nd place is exploiting weaknesses like laziness & incompetence.
Software engineers can ignore best practices including security concerns... all sorts of devices, from network routers to cell phones & smart watches to IoT [Internet of Things -- e.g. so-called Smart devices & appliances] too often have easily exploitable vulnerabilities that cyber criminals can take advantage of.
Businesses often don't want to spend resources on IT, & they tend to not promote IT managers to higher positions outside IT. In many cases IT departments do not tend to attract talented, highly competent, hard workers, and when they do manage to get them, they're often stifled [i.e. the backstory of Wally in the cartoon strip "Dilbert"]. That often means updates & upgrades are not performed, along with hardware & software that are not properly set up, and those sorts of things are very actively exploited by cyber criminals. It's common for explanations & proof of concept code to be released with security advisories & patches, and they can make for excellent tutorials on how to compromise systems & networks that don't apply those patches etc.
On malware...
It's usually only in rare cases that malware is destructive, e.g. the disk wiping code used against Sony in California a while back, & continuing attacks against the Saudi oil industry. There are also fake ransomware campaigns, where data is deleted, & the victim never gets anything back, whether they pay or not. In more usual cases ransomware encrypts files, with the cyber criminals selling victims the key necessary to decrypt their stuff & get it back.
When theft is the cyber criminal's purpose, they try to make sure that their malware code is undetectable, and if it is detected, that security researchers &/or experts can't reverse engineer it to see how their operations work. Part of being undetectable is not affecting how anything works, so there are no easily identifiable signs that something's amiss. One method that's starting to become more common uses snippets of code, none of which are easily identifiable, that are assembled into malware only in the device's memory -- so-called fileless malware. Apps & services that are part of Windows may be used as much as possible at the same time, since their existence and operation are considered normal.
In any case, the 1st step for the cyber criminal is to establish communications with the target system, device, or network. The more something talks to other devices over the internet, the bigger the attack surface [the more options an attacker has at their disposal]. A home PC might not do much of this sort of talking at all -- you can easily have it configured so that the only communications it has are with Microsoft's servers for updates & such. So to talk to a home PC a cyber criminal most often has to trick the user into running malware that will talk to them, and they'll often instruct it to download more malware that can do more.
For a PC or laptop that 1st step malware might be in an email attachment, or part of something the cyber criminal enticed the user to download, or they might try to get the user to visit a web page with malicious scripting, or buy ad space from an ad network, putting the same sort of scripting in their ads. For something that normally talks to other things over the network or internet [as above], a cyber criminal might exploit a vulnerability [or a chain of vulnerabilities] to get access.
An exploitable vulnerability is something that doesn't work the way that it ideally should, that an attacker can use to gain unauthorized access to a device, system or network. Vulnerabilities can be an absence of any security measures -- one brand of database was recently heavily attacked because many users never enabled its security features. Or the default login & password might have never been changed -- cyber criminals have long lists of default login credentials. Or login credentials may have been re-used -- software can run through huge lists of login credentials stolen from compromised web sites etc. Or there may be a *hidden* login name & password intended to be used by the manufacturer before the device or software was sold. Or there may be a web page interface that's directly accessible, bypassing the normal login screen. Other times a cyber criminal might exploit a bug or bugs in the software [or firmware] running on the target device. The list goes on...
In any case, once a cyber criminal does get access, they'll often download & install additional malware, e.g. larger, more specialized malicious apps or modules. Especially with an organization with many PCs & servers, they'll try to move laterally, establishing a presence on everything connected to the network(s). They'll also try to set up some means of persistence -- they want to maintain their access capabilities for as long as possible... with a large network it may be almost impossible to track down every one of the back doors cyber criminals put in place. In a home setting, cyber criminals can try to use their access to an IoT device as a stepping stone to infect every other PC or device on that same network.
On security software...
I like to use the site av-test[.]org for ratings. Note that individual brands can move up or down in the ratings from one test to the next, so it's worthwhile to check more than one round of test results. This is one area where I've never found actual user reviews to be of much use. There's also always the possibility that whatever brand simply won't work with your hardware or software, so I suggest looking at the ratings 1st, then looking to see if that brand has a removal tool 2nd, and then 3rd, installing & running a trial to check compatibility.
People come in all shapes & sizes, and their individual abilities & capabilities vary from nonexistent to top-rated expert, but everyone's fallible... the same can be said for cyber criminals, & for that matter, security software. There are older, less sophisticated & more widely known malware apps still in play, so pattern matching files against known malware samples continues to be worthwhile. At the same time, watching the behavior of apps is more & more necessary, because that may be the only way to catch the more advanced stuff. That last part is tricky...
Windows has a set number of things or behaviors that any software can potentially do -- security software has the impossible task of deciding which software should be allowed to do what. All it can go on is averages. And it has to hide from the user while it's doing it -- a great security app is useless if no one will use it because it's too intrusive or slows them down too much. False positives -- detecting innocent apps as malware -- are inevitable.
Don't only rely on file scanning -- don't take security software's decisions, particularly those based on behavior analysis, as gospel. And use your head... there's a recent article about a presentation at a security conference.
threatpost[.]com/malware-scanning-services-containers-for-sensitive-business-information/124802/
There are apparently a lot of idgits sending EVERY file to VirusTotal to be scanned, and that includes sensitive data that should not be posted online for anyone & everyone to see. Yet that's exactly what happens in this case with VirusTotal. It might also affect innocent folks using the cloud for storage, if/when the company selling & maintaining that cloud storage sends everything they receive through VirusTotal.
Do you need to use security software? If you run Windows 10 you have no choice -- if you run 7 or 8 the only person that can answer that is you. It's a matter of risk vs. cost vs. benefit calculation that only you can make, because only you can determine your behavior, which contributes to total risk, and only you can figure what you're risking [the costs of disaster], and only you can decide if the potential benefits from not running security software outweigh the risks. There are people saying that you must & others saying that you really shouldn't & a 3rd bunch saying: "Why bother?" There are however no "One Size Fits All" people, so do the calculations if you haven't already made up your mind, and try to ignore the fussbudgets.
On spying...
It's possible to include malware &/or back doors etc. in the minimal software that's embedded in different components & devices, just like it's possible to embed it in software. If you want to be really paranoid, there's no hardware or software that you can completely trust, but then the same can be said for people IRL. It's been published that the NSA, CIA, & likely their equivalents in other countries can add those sorts of things before the user even opens the sealed box on their new device. Cell phones and things like credit card readers have been found to contain malware &/or back door access before they hit US or EU shores.
Government spy agencies not only have, but are constantly trying to develop new tools to compromise anything that can be compromised. Government sponsored or allied cyber criminal [or warfare, or spying] groups may be given access to these tools, and because of their criminal nature you can't assume that they've never been shared or sold to others. And it can't be guaranteed that government agencies can keep their tools from getting out -- the recent Shadow Brokers & Wikileaks releases seem to prove that re: the US. Nor can government agencies say their systems are secure so that nothing could be stolen -- that's proven by known, published US military & FBI network compromises. Cyber arms dealers can, & have had their networks compromised as well, with their wares stolen.
Which brings up an ongoing controversy... At what point and in what amounts do security companies keep quiet in their respective government's interest, assuming they have some choice. And regarding government agencies, how many of the vulnerabilities &/or exploits that they discover should they keep to themselves, and which ones should they report so they can be patched, and when?
Most all of this sort of thing is kept as secret as possible... The FBI reportedly paid somewhere around 1 million dollars to an Israeli cyber arms dealer for an exploit that got into the iPhone involved in their court case against Apple last year. The recent Wikileaks release seems to indicate the CIA already had that capability, and last year it was said that the NSA did too. The FBI recently bowed out of a case where the judge ordered them to provide details on the malware they had used to gather their evidence -- secrecy was more important than the conviction.
In books & movies we're used to spy agencies dealing with crime lords, drug lords, warlords, and generally all sorts of bad people. This seems to be the case with cyber spying as well. There's been a fair amount of activity attributed to government allied [controlled?] groups in China & Russia. While these groups *may* also engage in purely criminal enterprise, North Korea has reportedly taken this to the extreme... they're said to have a segment of their cyber warfare agency devoted to bank robbery.
On attribution...
Typically, compromised servers are used to host a criminal group's main activities, with one or many additional servers filling the role of Command And Control [also C&C or C2] for their malware -- these C2 servers receive data from malware & issue instructions. While there are lists of thousands of compromised servers for sale, or offered as a benefit of ransomware as a service for example, sometimes they'll also rent space, including from Amazon, often using stolen credit cards etc. to pay the bills. New C2 domains may be almost constantly generated & set up in some campaigns, to make tracking &/or blocking their activities harder. Malware has been known to have secondary channels of communication, e.g. peer to peer along with their main C&C. It's also been known to communicate via Twitter, specially crafted web pages, online images using steganography, even satellite communications normally used for ocean-going shipping.
By monitoring malware & cyber crime activities, &/or by reverse engineering malware, &/or via logs, the IP address of one or more C2 servers can often be discovered. Taking over & monitoring the activities of one [or more] of those C2 servers might provide added data. Logs and malware reverse engineering or disassembly can provide additional clues, as well as be used as a sort of digital fingerprinting -- people tend to always write things the same way, use the same phrases etc., so the methods used in the code, along with any comments, might be used to match or tie separate activities to one another. And there's also old fashioned criminal investigative work, going through things like forum posts that can be tied to the malware author. Monitoring cash flows, bank accounts, surveillance etc. to a great extent depends on where the cyber criminal is living, along with where the physical aspects of their criminal activity take place, e.g. going after the money mules when a criminal group uses them.
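One concrete way the "via logs" part above works on the defender's side: malware that checks in with its C2 server tends to do so on a schedule, so connections from one host to one destination at nearly constant intervals stand out. The script below is an added example, not from the original post; the log lines it parses are constructed for illustration (RFC 5737 documentation addresses, made-up host names), and the log format, the hit threshold and the jitter tolerance are assumptions.

```python
"""Flag hosts whose outbound connections to one destination look like scheduled C2 check-ins."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): timestamp, source host, destination IP, destination port.
# ws-17 talks to 203.0.113.5 about every 5 minutes; ws-22's browsing is irregular.
SAMPLE_LOG = """\
2017-03-10T09:00:00 ws-17 203.0.113.5 443
2017-03-10T09:00:12 ws-17 198.51.100.2 80
2017-03-10T09:05:01 ws-17 203.0.113.5 443
2017-03-10T09:07:44 ws-17 198.51.100.9 443
2017-03-10T09:10:00 ws-17 203.0.113.5 443
2017-03-10T09:14:59 ws-17 203.0.113.5 443
2017-03-10T09:20:02 ws-17 203.0.113.5 443
2017-03-10T09:03:30 ws-22 198.51.100.2 80
2017-03-10T09:41:10 ws-22 198.51.100.2 80
2017-03-10T10:02:55 ws-22 198.51.100.2 80
2017-03-10T10:04:01 ws-22 198.51.100.2 80
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination IP, port)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        conns[(host, dst, int(port))].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """
    Return [((host, dst, port), mean_interval_seconds, jitter), ...] for every
    host/destination pair seen at least min_hits times whose gaps between
    connections are nearly constant. Jitter is stddev/mean of the gaps; real
    malware often randomizes its sleep a little, so a small tolerance is kept.
    Results are sorted most-regular first.
    """
    results = []
    for key, times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            results.append((key, round(avg, 1), round(jitter, 3)))
    return sorted(results, key=lambda r: r[2])


if __name__ == "__main__":
    for (host, dst, port), interval, jitter in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {dst}:{port} every ~{interval}s (jitter {jitter})")
```

On the sample data only ws-17's five-minute check-ins are flagged; ws-22's irregular traffic to the same web server is not, which is the filter doing its job. A flagged pair is a lead to investigate, not proof, since legitimate software also polls on timers.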
That said, while security experts, security software companies, & security researchers might say that they suspect one person or another, and frequently nickname otherwise anonymous groups, actual attribution is left to government agencies -- they've traditionally reserved that role for themselves. [It was interesting therefore during the recent US election when a security company went further, matching actual code used in the well known DNC compromise with code used in an Android-based cyber attack against Ukrainian troops. I suspect it was an attempt to bolster their credibility after it was attacked by politicians.]
On politics & the media...
Don't believe Anything regarding cyber anything you haven't checked out yourself through known good sources, and even then keep an open mind because you could still be wrong.
When a politician says some company or organization or agency should spend more money on security, maybe. Or maybe they just need their employees to do a competent job?... hiring 30 idgits to repair the damage done by the 30 you already employ will probably not make your IT any more secure. What matters 1st is how the money already being spent is being spent -- throwing good money after bad has never been a good idea unless you were catching some of it. ;) And in any case, IT & network security have absolutely nothing to do with people giving away the keys to the kingdom, e.g. falling for a phishing scam. People that know better still do it -- a cure has not been invented.
When a politician says the gov has to do more to protect the country from cyber crime, it sounds good, but how would/could they? There are things that they can do, such as require biz to report breaches, which is something the biggest tech companies have been calling for, for years. You probably don't want the gov inside your systems monitoring for signs of compromise. Having the FBI expand their small cadre of experts in cyber crime would likely be a good thing, though that would be more defensive rather than enforcement -- there's not much that they can do when a criminal lives in an unfriendly country. Some factions in the gov & military allegedly believe in the same sort of offensive capability as deterrent thinking that dominated the cold war [I'm not saying that they're right or wrong].
A current TV ad for military recruitment may embrace that deterrent theory [or it may just be BS]... it talks about how military cyber security specialists protect the US, NOT just the military's operations, from cyber threats. Since they can't be inside the IT operations of civilian companies & utilities etc., where cyber attack prevention, defense, & mitigation have to take place, either the ad is based on deterring nation state attacks by threatening an overwhelming offensive response, or it's an example of highly inaccurate misinformation.
When a politician says some organization or company or agency hasn't been compromised, odds are unfortunately that they either don't have full knowledge, or they are lying. AFAIK none of the giant tech companies, with loads of resources tasked with security, ever make such general boasts or claims.
When some company says that they have some device or software that will keep you secure, investigate before doing anything with their product(s). Lots of businesses have installed appliances that, despite manufacturer claims, actually made their networks &/or IT operations Much More insecure & vulnerable. There's nothing easy about defending against or mitigating the results of successful cyber attacks.
When it comes to online media, many are paid by the word, & just knock off what they can to make a buck. Many writers have some computer-related knowledge, except re: security. Many are beholden [or at least biased] to companies that they write about. And of course ignore most all of what you see on TV... one show we watched this week had a few outright impossibilities, one extreme rarity, and featured a glaring contradiction to widely accepted tech industry & government policy.
There is what would seem to be an unrelated debate going on re: encryption. I bring it up because many of the players that might be involved in laws or regs concerning one, are likely also present when it comes to laws & regs concerning the other -- if there is a proposed law or reg targeting one [e.g. security], something concerning the other [e.g. encryption], is more likely to be included in there somewhere. Many of the politicians calling for more government involvement re: security, are the same ones calling for backdoors in software, or even banning encryption altogether.
[My thoughts, FWIW, are that the innocent would most likely suffer more than bad people, e.g. criminals & terrorists, but that's me. That's based on my thinking that those with the most to lose [i.e. their freedom or their life], would just avoid using things that were government monitored or controlled, the same way that many Afghan terrorists stopped using cell phones.]