For a closer shave, Claudiu introduces three easy cybersafety razors
Disputation is in our nature. People love to have opinions. Whether based on the best evidence available or confidently stated by the most articulate ultracrepidarian, arguments take time to resolve and always result in the irreversible consumption of a non-renewable resource: time.
To this end, philosophers have invented shortcuts they appropriately call razors to identify the previously resolved issues that are no longer matters deserving of fervent public debate. The evolution of these arguments is a quasi fait accompli that lubricates critical thinking to rapidly progress through an argument.
These handy rules of thumb include ones you have already heard of, such as Occam’s Razor (the simplest explanation is the most likely) as well as others whose skillful exploitation can be playfully disarming, such as Hanlon’s Razor (don’t assume malice when the likely cause is best explained as ignorance).
Philosophical razors are fun to discover and even more enjoyable to adroitly exploit in verbal combat. I leave the exploration of such useful tools as Hume’s Guillotine and Newton’s Flaming Laser Sword to my reader’s enjoyment and move on to the more pressing matter of short-circuiting the process of identifying peril in modern society.
We live in a world enabled by technology and fueled by data. Most of it is out there, a lot of it is created with us as its protagonist and a very small amount is ours to keep. Personal information is our most intimate asset. It is the last bastion of identity, that separates us from someone — or something that could otherwise lay credible claim to being us.
Personal information is valuable. To get to it, companies, criminals and governments are willing to infect computers, hijack our mobile devices and employ deception. We are all that stands in their way. Through your daily email, social media, instant messaging and other interactions, you, your family, your children are exposed to often-authoritative, urgent, imposing, immediate, demanding, claims that must be addressed right now.
Few of us are prepared to immediately evaluate such messages and as a result, we often end up sabotaging our own thought process, second-guessing our instincts, convincing ourselves to just click and see what it’s all about. In the words of the best con-men of the past 70 years, that’s what they want you to do. They want to confuse, scare, intimidate and exhaust you so you’ll just give in and acquiesce by clicking.
That click is an acknowledgment. It is your consent. It is the very reason online form buttons are matter-of-factly labelled “Submit”.
Let’s re-think that act of submission in terms that anyone can understand. We can empower those most vulnerable with a set of razors to sharply slice through the dishonesty, deception and misdirection by simply introducing three pre-sharpened tools that anyone can freely add to their cybersafety toolkit:
If a message is indistinguishable from phishing, it should be treated as phishing.
See how that works? That’s it. That’s all there is to it. Let’s move on.
Data Breach Razor
Assume that stolen data is being exploited, even in the absence of conclusive evidence that it is happening.
It’s as simple as that. You can’t prove a negative, so Occam’s Razor says to simply assume that if someone went through the trouble and expense to break into a company and steal stuff, chances are it has plans to monetize it.
Cyber Extortion Razor
Regardless of how a ransomware incident is resolved, the information has been stolen.
Close shave? If an organization claims that they ‘suffered’ a ransomware incident but regained access to the data and systems, it is irrelevant whether a payment was made. It is smart to assume that the data is now in the hands of cybercriminals and may remain an open wound for a long time.
Claudiu’s Incendiary Corollary
Without a detailed record of activity during an account take-over, the incident must be assumed to have impacted data integrity.
If a company was surprised by a data breach, chances are there exists no detailed log of what happened during the hack. That means an attacker could read and write data just as easily as the legitimate user whose account was hijacked.
The ability to modify files and arbitrarily change data is called data corruption, and it’s serious business. It can shatter trust in corporate financial reports, manipulate markets and change the risk profiles of individuals.
Would you trust data that an attacker could have spent weeks or months altering?
Why does this matter?
It is important because it can have a lasting impact on people and organizations. The steps victims must take when their assets have been stolen differ from those they should follow if an incident has been successfully resolved.
It would be foolish to assume otherwise, so why downplay the outcome and pretend that everything is fine? It’s not fine. Critical thinking is not wishful thinking. The best you can do is to sharpen your wits and quickly assess the situation to make a decision you won’t regret.