Contemplating Vulnerability Monitoring

Kubla

Level 8
Verified
Jan 22, 2017
355
I'm a home user and have never been hacked.

That you know of.

A good hacker could enter your system, copy any data they wanted and leave without a trace, and/or install malware that, even if you found it afterwards, you would not know how you got it; you would likely assume you got it from something you downloaded, or if your system crashes you would naturally blame a Windows update or random hardware failure.

I would suspect a lot more of us have been hacked in one form or another than we will ever know.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Hacking for mischievous 'fun', hacking for identity theft, hacking to plant bots, hacking for stealing biz intelligence, and hacking to stalk are all common.
Saying that something is common can be misguiding for the readers. Those hacking events are only a small fraction of all Windows infection events. Furthermore, all infection events related to exploits are not so common in the home environment, if the user simply updates Windows/software.
The attacker can use various methods: phishing, delivering malware through email attachments, drive-by downloads, and other more direct attacks like cellphone hacking. And all the methods rest on some part of your Windows, devices or network having some vulnerability.
True for devices (especially the routers), but not really an issue for Windows 10 and software (if properly updated).
To prevent disruptions to CIA (confidentiality, integrity and availability) which we take for granted, one has to know your vulnerabilities and then put up defenses accordingly.
I think that MT forum is not the best one for discussing such topics. Did you mean that the home user should be afraid of CIA?
Risk evaluations should consider the cost of the device/PC, the time and cost it takes to recover from an attack, and the disruptions to CIA. Risk evaluation is not gut based feelings that one is a Mr. Nobody Important or that one is not a biz. Funds and time should be allocated for proper protection. Vulnerability monitoring is just a more pointed way to decide on what protection to get, instead of just following popular concepts like 'must get an antivirus program'. Commonly we perform risk evaluations when we do things like buying a good door lock and installing a smoke alarm. No reason why we shouldn't do it for our IT possessions, and our personal data, which is a very important part of modern living.
Your post is rather related to businesses and organizations. It is not necessary for home users to monitor vulnerabilities and perform risk evaluations. Also, I do not think that most people perform risk evaluations when buying good door locks or installing a smoke alarm.
They usually do such things when advised by a friend, family member or someone who is an "expert" (also from the Internet website). The same is true for Windows, because most people who know something about security will advise you to regularly update Windows and the installed software.

If I would consider the danger for home users via exploits, then it could be the router firmware in the first place.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
An ocean full of fish, one will have gems in its mouth.

You can find just as many reports for anything else, doesn't mean there's a high chance of it happening, same as the reports that cellphones cause cancer.

Your Home System is in fact safer than Enterprise Systems, as companies tend to use outdated Software with known exploits; even then the Systems need to be infected and exploited before a hacker can even dream of doing anything, so just use an Anti-Virus.

This is not the movies, where you input an IP address in a shiny software and find half a dozen open doors for you to press a button and enter with no effort. Even a cheap router will stop those attacks, don't even need to mention Windows.

I would pay if anyone managed to enter network, let alone any of my devices, and I'm not using any Anti-Exploit nor shiny Router.
Reading reports normally helps and I strongly recommend it to anyone, as what I personally learned, and many others over the years, is that reports in general crystal clearly describe things (Internet Hacks) that actually happened, along with attack descriptions and even links to patches etc., and not something that "maybe or perhaps" will happen. Just scroll in MT's news section. It's already flooded with great information. More than one gem in that ocean, as it's also one of my personal favorite sections on this forum.

From what I understood, upnorth thought about all forms of hacking, including malware delivered via the Internet (also phishing and email attachments), just in purpose to gain control on the system. (y)
Here I fully agree with Andy because he understands what I mean.
 

Andy Ful

@lunarlander,
it is your thread so it is OK if you are interested in monitoring the computer/devices/network vulnerabilities. There are probably more people interested. But please, do not try to convince the readers (home users) that they should do it, because they could be in danger otherwise. There is no evidence for such a danger, if the home user simply updates Windows and software.
 

upnorth

@lunarlander,
it is your thread so it is OK if you are interested in monitoring the computer/devices/network vulnerabilities. There are probably more people interested. But please, do not try to convince the readers (home users) that they should do it, because they could be in danger otherwise. There is no evidence for such a danger, if the home user simply updates Windows and software.
Of course I can't speak for @lunarlander, but personally I can't see him/her trying to convince "home users" in this thread just as much or little even I do. Maybe I missed something? :unsure:

Without informing people, even Home users, about the risks that do exist (Internet Hacks in all forms and shapes, both private users affected and companies etc.), it's pretty hard IMO to open their eyes and hopefully make them curious enough to start checking for information and maybe even learn a thing or two. I do fully agree patched/updated systems are much safer and something one should recommend when and if possible, but bulletproof (not mentioned by you Andy), personally I don't believe in that.
 

Andy Ful

Of course I can't speak for @lunarlander, but personally I can't see him/her trying to convince "home users" in this thread just as much or little even I do. Maybe I missed something? :unsure:

Without informing people, even Home users, about the risks that do exist (Internet Hacks in all forms and shapes, both private users affected and companies etc.), it's pretty hard IMO to open their eyes and hopefully make them curious enough to start checking for information and maybe even learn a thing or two. I do fully agree patched/updated systems are much safer and something one should recommend when and if possible, but bulletproof (not mentioned by you Andy), personally I don't believe in that.
So maybe I misinterpreted some statements. (y):giggle:
Anyway, you and @lunarlander are right that there are vulnerabilities also in the home environment related to devices (printers, cameras, routers, etc.) that can be dangerous to users.
They are usually not properly configured and not updated for years.:(
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,029
That you know of.
Yes, but I have no reason to believe that I have ever been hacked. As others have mentioned, it's highly unlikely that the average home user will get hacked. It can happen, but it most likely won't, unless an individual is being specifically targeted.
 

lunarlander

Level 1
Thread author
Verified
Oct 8, 2017
30
Hi Andy,
I do think people evaluate risks when buying door locks and smoke alarms, without realizing it. They buy a better lock when there are more valuables in the house, or when securing a mansion. They buy better alarms also if they value their lives more, like when they are of higher status. It's like when we choose a better AV product - if people have more valuable data to protect, they buy the premium version. Some risk evaluations are more ingrained in society than others, like buying door locks and burglar alarms. Other risk evaluations are taught by the more experienced, like when drafting a biz agreement people consult a lawyer who teaches them to cover their ass in the agreement. IT security is a relatively new field, and we are the more experienced, so we have to teach.

CIA stands for confidentiality, integrity and availability. We lose confidentiality when our secret (perhaps personal) data is exposed. Things lose integrity when we can no longer depend on them to be correct and unmodified, like when someone else modifies our email. Things lose availability when we can't use the thing when we need to, like when our documents are encrypted by crypto-malware.

IT security is built on protecting these 3 aspects. So when we go looking for the best security programs, we are trying to apply protection to our CIA.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
If people are worried about getting hacked, the first thing they should do is encrypt all data that they consider private and valuable. Don't keep valuable secrets in clear text on your computer.

I personally know people who worked in the cyber department of the Israeli army, and I can tell you that if they want to hack you, they will succeed! In the end, they will own your computer, no matter what you do. But I can also tell you that they will not waste their time hacking low-value targets. They are not bored. They have better and more profitable things to do. There is no need to be paranoid.
 

Andy Ful

Hi All,

I am contemplating adding some form of vulnerability monitoring to my mix. Nessus comes to mind.
...
Nessus (or OpenVAS) is good for finding network vulnerabilities. Nmap is good for network auditing and detecting incidents (although it can also find vulnerabilities).
The professional version of Nessus can also scan for vulnerabilities of network devices (printers, routers, firewalls), Windows OS, virtual machines, etc.
One can install Nessus Home on Kali Linux:
Nessus Home
Nessus on Kali Linux 2018.2
https://docs.tenable.com/nessus/7_1/Content/Resources/PDF/Nessus_7_1.pdf

Other possibilities:
An Ultimate List of Ethical Hacking and Penetration Testing Tools for Kali Linux
A List of Pen Testing Tools The Professional Ethical Hackers Use - Hack Ware News
 
