![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
estirose"Look, Mr. Roberts sent me a file, I wasn't expecting it but you know how he is," Jim shifted the phone as he waited on the train platform. "Yeah, it is an odd time, but I'm on my phone. It's safe."
This was based on a true event that I heard about secondhand. The sender's email account had been compromised and was being used to send out phishing emails. Because of the fact that both sender and receiver were in the same industry and that the receiver knew the sender's hours, they thought it was weird. This is less obvious the industry that Jim works in, thus the fact he wouldn't think to check.
"Actually, it may not be," a voice came from one side of him. Had there been an armchair there a minute ago? With a hatstand next to it? The man inhabiting the chair was in a suit jacket and tie at least, but he seemed way too happy for his own good. "Smartphones aren't always safer than PCs. In fact, attacks on mobile devices are increasing. Phishing attacks alone hit over 50% of personal smartphone owners in the last quarter of 2022.”
This is the only time I use stats, and only after my beta reminded me to put stats in somewhere! Whether smartphones or PCs are safer than the other is a subject of much debate. The general consensus is that they're both vulnerable, though mostly in different ways. Phishing is one of the attacks that is common to both.
"Who's that?" Lis asked. Jim could imagine her closing out her files for the evening before going home. At least his official day was done, but he still had a train to catch before he himself could collapse into his very own bed in his very own apartment.
I wanted a reminder that Jim had a life before getting thrown into Adam's wacky education segment here.
"Hi, I'm Adam," the man in the suit said, "And this is Adam Ruins Everything!"
I'd originally forgotten the 'Adam Ruins Everything!' line and my beta reminded me.
"Gotta go," Jim said, quickly tapping the button to end the call so that he could focus on the pest. He turned to the man, who had unfortunately not disappeared as suddenly as he'd appeared. "Ruins what?" he was about to ask, but the sound of an incoming train distracted him.
His train.
But the train didn’t slow down, didn’t stop. It was as if he was invisible, despite him yelling and flailing after it.
Originally, I forgot to explain why Jim was so irritated at Adam, until my beta suggested that it's because Adam caused him to miss his train. I incorporated the suggestion and my fic was so much the better for it. As to why the train couldn't see him, it's because of Adam's magic.
"Oh, don’t worry," Adam said conversationally when he returned. "That train was just really late. Your actual train should be coming shortly.” He paused, as if to take a breath. "By the way, you might not want to click on that link - I mean, you could if you wanted to, but you might not like the results."
The implication that Adam is making is that it's a phishing email trying to get Jim's account credentials, just like the attacker got Mr. Roberts', but I felt that leaving it at that fit Adam's patter more.
"This is a known client that I've worked with for years," Jim said, maybe gritting his teeth a little - partly because of Adam, partly because of the situation. "Why wouldn't I trust him?"
"There's nothing wrong with trust," Adam said, and he smiled as if Jim hadn’t just missed his train and everything was right in the world. "In fact, the Internet was built on trust - trust between networks and users. That trust is still built into the system today. Which is good and bad."
I researched a lot of history of the internet and when encryption became a thing, but I couldn't fit it in without disrupting the way a typical Adam Ruins Everything episode went, so this is the remaining fragment. It doesn't have a cite because it's based partly on my own experience - when I got onto the internet in the early 1990s it wasn't uncommon to have unencrypted FTP (file transfer protocol) and anonymous ftp logins in order to download software, along with unencrypted telnet (remote command line logins), a practice unimaginable today. In retrospect, I should have probably included a cite for all this but I forgot.
"Right. But I've got antivirus on this phone, and I've got strong passwords." Corporate IT had made sure of that. He personally thought their requirements were pretty silly, but IT was being paid to do things like that and it wasn't his place to argue. At least with them. "Our IT people make absolutely sure that nobody can get into trouble on our work phones."
"At least with them" refers to being more able to argue with Adam, not that he gets a chance. The rest of this paragraph is drawn from some of the business cybersecurity myth articles I linked at the bottom of the fic.
Adam laughed. "Maybe. Cybersecurity sales are a big industry - but their products depend on people, usually your IT security staff, being able to sort out actual threats from noise, which can be hard to do."
Every IT person I know gets absolutely bombarded with cybersecurity pitches, even if their position has absolutely nothing to do with cybersecurity. Like every other field that Adam's deconstructed, cybersecurity companies also play a lot on fear. The thing is that the alerts need to be 'tuned' by the company that buys the software so that common known false alarms are removed, which requires a lot of work.
"Alert fatigue," a female voice added. Jim looked around, but he didn't see anyone nearby - just Adam and the hatstand. Jim realized for the first time that there was a white fedora hanging on the hatstand, probably Adam's.
Why a fedora? Because I like fedoras and they're also associated with spies/espionage/computers. Usually the expert doesn't speak up before Adam introduces them - apart from a few instances - but Mirinda does here to give Adam something to work off of.
"Right! Alert fatigue is where staff get so many alerts that they might miss something important. It's a huge issue. Sure, your local IT security can also engineer the network so it’s safer, and set up policies on what you should and shouldn’t be doing, but for the people who monitor for issues can really suffer from alert fatigue, which makes it harder to catch threats."
Alert fatigue is a really huge issue in several fields, not just cybersecurity. Any field which requires a professional to sort out true alerts from a large amount of noise has issues with alert fatigue. Also, cybersecurity is a huge career field and this fic got a bit Security Operations Center-centric (which is what most people think of when they think cybersecurity), so I wanted to acknowledge other parts of the field such as Governance Risk and Compliance (GRC) that play crucial roles.
"In other words, I... don't have any protection?" Jim asked, staring at his phone. He looked up at Adam.
"Well, you do, but some of the most common attacks just need common sense to avoid." Adam shrugged. He motioned at the white fedora on the hat stand. "Here, this is Mirinda Falken - expert on cybercrime, director of the Layer Eight Foundation, and werehat, to talk more about that."
'Layer 8' in cybersecurity refers to the human factor and is unfortunately not used in the nicest way ("Layer 8 issues" is a common term to describe politics or human laziness in not securing new technology properly). It's a reference to a common computer networking model called the OSI model, which has 7 layers. Mirinda's surname, Falken, is a reference to the 1983 American movie Wargames, which is still held in reverence (though not as much as later movies) by cybersecurity professionals.
"Hi Jim! I hope you don't mind me just hanging here for the moment," the hat said cheerfully.
I couldn't resist the pun!
Jim tried to get his head around the concept of a werehat, and then gave up and just stared at the fedora.
Mirinda being a werehat was because I was lazy and didn't want to describe Mirinda - also because I thought the idea of a werehat sounded delightfully absurd.
"Software can do a lot to help us cybersecurity folk pick out threats," Mirinda said, "But it can't always account for the human factor that cybercriminals - mostly gangs, a lot of which are sponsored by countries - like to exploit. Cybercriminals have a lot in common with scammers and even marketers in that they're trying to convince you to do something by playing on your emotions. In our field, we call this social engineering."
The line between scammers and cybercriminals is actually very blurry at times! Also, marketing does have a lot in common with scamming, as Adam has pointed out (indirectly) multiple times in episodes. Social engineering is not merely a cybersecurity problem, but the term is commonly associated with the field.
“Like what?” Jim asked, though he had a good idea.
The hat seemed to shrug. Could a hat shrug? She gave the impression of shrugging, anyway. "Fool you into clicking on a link and typing in a password by making you think your password is expiring. Get you to click on an ad which downloads malicious software onto your computer by telling you something is dangerously out of date. Maybe even convince you to give them access to something that you shouldn’t, because you want to be helpful - that’s what happened with the MGM hack. Oh, you should also watch out for people trying to tailgate into sensitive areas, but that’s more physical than virtual."
I realized too late I used two cases of victims being driven by fear and one/two of them being helpful. Whoops! Scammers, cybercriminals, and marketers use some of the same emotion-based appeals - fear of being out of compliance, a desire to help someone, laziness, even curiosity! The MGM attack used a variant of phishing called 'vishing' (voice phishing) to convince someone to reset something they shouldn't have. Another variant is 'smishing' (sms/text phishing), which is commonly seen on mobile phones. Tailgating is another form of social engineering that also plays into a desire to be helpful and let someone through.
Her voice was surprisingly soothing, that being said, and Jim found himself relaxing a bit despite the circumstances. "So just use common sense to defeat hackers?" he asked Mirinda, who at least hadn’t caused him to miss his train.
"Exactly!" There seemed to be a nod from the fedora. "Incidentally, not all hackers are malicious - that’s another misconception. Hackers range from law-abiding ethical hackers to the malicious ones. I’m a hacker - but I’d never hack a network without written permission and guidelines."
I wasn't going to incorporate this, and then Jim said 'hackers' and my brain just went "Oh no, there are good hackers!" and Mirinda had to speak up because essentially author avatar! I drew the information about White Hats - ethical hackers - from the articles I linked in the endnotes.
Jim shook his head. She seemed nice enough, but he just didn’t want to deal with this right at the moment.
Except he still needed to catch the train. For Adam’s sake, he hoped it was soon.
"Okay," he said finally. "But why would someone go after me? I’m a nobody working at a relatively small business. Shouldn’t they go after big businesses? Well-known people?"
"Small and medium businesses are attacked just as much as big businesses - it’s just that large businesses are more likely to make the news," Adam informed him. "Plus, smaller businesses have less resources to protect their networks. So if they can get some random employee - doesn’t matter who - to accidentally give the cybercriminal gang their password so they can get on their employer’s network… well. They go after everybody, no matter how famous or not."
When I searched 'cybersecurity misconceptions', trying to find some for this fic, most of the ones I encountered were aimed at businesses and not individuals. This is because a lot of vendors aim for the business market and so write articles aimed at said market. And while they are commercial and to some extent are trying to sell product, they do line up with the experience of cybersecurity professionals I know thus I felt comfortable including them as sources.
"So, what do I do about it?" Jim asked. "Do I just… worry about every message that comes into my inbox?" Or worry about every link, he wanted to say, but maybe he’d escape sooner if he asked a simpler question.
"No!" Adam and Mirinda exclaimed simultaneously.
"We want you to be aware, not scared," Mirinda added.
"Exactly! Cybercrime is a part of life in the connected world," Adam said. “Like any other crime, you can only do your best to make yourself safer. Don’t live your life in fear of what you might click, just think about it before you do."
I wanted to convey a message that I feel is important, as someone who at times has written articles on phishing/computer security awareness for my job - don't be scared, but use your brain.
"Even we experts click on the wrong stuff sometimes," Mirinda told Jim. "Do your best. Think. And don’t be afraid."
Yes, even people in the field get tired and don't check what they're clicking. And you would be surprised at the amount of professionals that have meant to copy a suspicious URL and clicked on it instead!
That brought a smile to his face despite the unusual circumstances. "Thank you."
Adam, the hatstand, and Mirinda faded in front of his eyes, as if they had never been there. The train showed up a minute later, just as Adam had predicted.
I'm not sure Adam's from Jim's reality, and so it made sense for him and Mirinda to disappear.
And as he boarded his train, the whole thing started to fade in his memory apart from the sense of being more careful… and maybe calling Mr. Roberts in the morning about his email. No sense in being worried, some voice in his memory told him. No need to worry. In the end, all would be well.
I'm including the sources here unaltered from the posted fic for reference but with no further comments. These are all in MLA format as that's what the Adam Ruins Everything source pages seem to use.
Sources:
Mobile attacks:
Poireault, Kevin. “Record Number of Mobile Phishing Attacks in 2022.” Infosecurity Magazine, 1 March 2023. www.infosecurity-magazine.com/news/record-number-of-mobile-phishing/. Accessed 8 December 2023.
Palmer, Danny. “Smartphone malware is on the rise, here's what to watch out for.” ZDNet, 9 March 2022. www.zdnet.com/article/smartphone-malware-is-on-the-rise-heres-what-to-watch-out-for/. Accessed 8 December 2023.
“Is working on your smartphone a risky business or are you cybersecure?” National Cybersecurity Alliance, 4 May 2022. staysafeonline.org/resources/is-working-on-your-smartphone-a-risky-business-or-are-you-cybersecure/. Accessed 8 December 2023.
Phishing and Social Engineering:
“Recognize and report phishing.” U.S. Cybersecurity and Infrastructure Security Agency. www.cisa.gov/secure-our-world/recognize-and-report-phishing. Accessed 8 December 2023.
“What is a phishing attack?” IBM. www.ibm.com/topics/phishing. Accessed 8 December 2023.
“What is Social Engineering?” IBM. www.ibm.com/topics/social-engineering. Accessed 8 December 2023.
Morrison, Sara. “The chaotic and cinematic MGM casino hack, explained.” Vox, 6 October 2023.
www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware. Accessed 8 December 2023.
Alert fatigue:
“What is Alert Fatigue?” Proofpoint. www.proofpoint.com/us/threat-reference/alert-fatigue. Accessed 8 December 2023.
Amos, Zac. “Preventing Alert Fatigue In Cybersecurity.” Cybersecurity Magazine, 13 March 2023. cybersecurity-magazine.com/preventing-alert-fatigue-in-cybersecurity/. Accessed 8 December 2023.
Types of hackers:
“Black hat, white hat & gray hat hackers.” Kaspersky. usa.kaspersky.com/resource-center/definitions/hacker-hat-types. Accessed 8 December 2023.
“What is hacking?” Fortinet. www.fortinet.com/resources/cyberglossary/what-is-hacking. Accessed 8 December 2023.
Business cybersecurity myths:
Sobers, Rob. “Are These 10 Cybersecurity Myths Putting Your Business at Risk?” Varonis. www.varonis.com/blog/top-cybersecurity-myths. Accessed 8 December 2023.
Crowley, Ken. “5 Damaging Cyber Security Myths”. Trend Micro, 3 August 2022. www.trendmicro.com/en_gb/research/22/h/5-damaging-cyber-security-myths.html. Accessed 8 December 2023.
