9

tl;dr at the bottom

I have been searching around and I haven't been able to find a definitive answer to the question(s). I mainly work with OS X so that will be the base for my questions.

  • How easy is it to be hacked if you're behind a standard router (AirPort, for example), if you haven't visited a phishing site and you haven't downloaded and installed any malicious software, and you have a good password mixing caps, numbers, and symbols, and keep your machine up to date?

From what I understand, most security holes are started because the end-user gives access by doing something like those two examples.

tl;dr: What are the actual chances of attack on the average user using average software, with secure passwords and average hardware setups without the aid of phishing, the attacker gaining physical access, or a malicious file being applied by the target user after it was sent to them from the attacker?

ElRojito
  • I think this kind of hacking (XSS, exploits) is used by industrial spies or military techies. So the odds that an average user who isn't holding some secrets will be hacked are (in my opinion) very low. I'm not posting an answer, because I have no idea if I am right or wrong. This is just an opinion. – Ant Jun 18 '14 at 08:39
  • Big vectors are Java, Adobe Reader and Flash. Gangs trawl for gain; if they cannot get data from you that they can sell, they can add your box to a zombie horde and sell the CPU cycles. Or get an Indian (the three calls I have had were all Indian) to call you saying your PC is broken and persuade you to install ransomware. – Ruskin Jun 18 '14 at 09:38
  • Your 5 bullet points in your question are effectively separate questions. I have deleted them from your question here. I think some have been answered already on this site, so have a search. If you can't find them, please ask as new questions. – Rory Alsop Jun 18 '14 at 10:27
  • You should add "patches up to date" to that list, but then, you really aren't an average user with all those criteria set, but rather a security conscious one. – AJ Henderson Jun 18 '14 at 15:14
  • I added keeping up to date. That's something I do as well, just slipped my mind at 3 AM. But yes, that is definitely huge as far as I understand (just look at Flash for example) – ElRojito Jun 18 '14 at 22:25
  • There is a popular saying: Either you know that you are hacked, or you still don't. – abhinav singh Jun 19 '14 at 09:42

2 Answers

11

tl;dr - It is incredibly easy to be hacked as an average user. It is also rather easy to protect yourself online. Unfortunately most average users don't see themselves as a target so do not protect themselves appropriately. It doesn't matter if you are not a CEO of a large company, or have very little in your bank account - your PC is a target even if you aren't. Many acquaintances of mine who espouse the virtues of not running antivirus/antimalware etc state that they have never been hacked, but closer analysis shows that all of them have. They just didn't know it or care! Many were part of botnets that could be part of attacks on others. Some just collected account details...


There are various studies posted online which are very scary reading. The online myths page at MIT has these 3 classics (but read the whole page):

Myth 1: The internet is so huge; no one will attack my computer.

Fact: Hackers use automated tools that continually probe computers to find attack vectors. A new, unprotected computer installed on the internet will generally be compromised within seven minutes.

-

Myth 2: I'll worry about security once someone finally tries to attack me.

Fact: Attacks are ongoing, day and night. Your system must have anti-virus software (to keep out bad/dangerous files) and have up-to-date system software in order to close newly-discovered security holes. Use the bigfix system to keep your system in tip-top shape automatically.

-

Myth 3: Firewalls and anti-virus software will fully protect my computer.

Fact: You must also update your system software for newly discovered security issues. Most of all, though, you must keep your passwords and personal identity information confidential except where they are supposed to be used. Otherwise, your most critical information is at risk. Finally, even frequently updated anti-virus software only protects against known viruses: new malware can sneak by if it hits your computer before the next update.

In terms of how long it takes, this page from SANS is a good starting point:


From the page:

The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.

Rory Alsop
  • That's great information Rory. According to this what would be an "unprotected" machine in your eyes? – ElRojito Jun 18 '14 at 22:36
  • His answer is indeed excellent. I can't speak for him but I would say: Keep your machine patched, don't allow JavaScript from sites you don't trust (NoScript for Firefox is brilliant), and consider having AV, though AV isn't good at preventing things, it's only good at mopping up for more generic things. More than 80% of the threats out there will depend on JavaScript though; controlling which JavaScript runs is key, but difficult to communicate to the general public. Drive-by malware in banner ads running JavaScript can be all it takes; the user doesn't have to 'run' things if JS is. – pacifist Jun 19 '14 at 03:48
  • I'm curious: you say "Many acquaintances of mine who espouse the virtues of not running antivirus/antimalware etc state that they have never been hacked, but closer analysis shows that all of them have" - what kind of analysis are you talking about? Care to post a few links? – lorenzog Jun 19 '14 at 10:34
  • Analysis = me using standard tools. Antimalware/antivirus/rootkit detection :-) – Rory Alsop Jun 19 '14 at 10:39
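
The survival-time calculation quoted from the SANS page in the answer above, as an added example that is not part of the original answer and is not SANS's own code: it takes the mean gap between probe reports for each target IP, then averages those figures across targets. The log format, the addresses and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: one dropped inbound probe per line, in a hypothetical
# "timestamp source_ip target_ip target_port" format.
SAMPLE_LOG = """\
2014-06-18T00:00:00 198.51.100.7 203.0.113.10 445
2014-06-18T00:02:00 198.51.100.9 203.0.113.11 135
2014-06-18T00:05:00 198.51.100.23 203.0.113.10 139
2014-06-18T00:06:00 198.51.100.7 203.0.113.11 445
2014-06-18T00:10:00 198.51.100.40 203.0.113.12 22
2014-06-18T00:12:00 198.51.100.40
2014-06-18T00:20:00 198.51.100.51 203.0.113.10 445
"""


def parse_reports(log_text):
    """Return {target_ip: sorted probe timestamps}, skipping malformed lines."""
    reports = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # truncated or garbled record
        try:
            when = datetime.fromisoformat(fields[0])
        except ValueError:
            continue  # unparseable timestamp
        reports[fields[2]].append(when)
    return {ip: sorted(times) for ip, times in reports.items()}


def survival_time_per_target(reports):
    """Mean seconds between consecutive reports for each target IP."""
    result = {}
    for ip, times in reports.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:  # a target seen only once has no interval to measure
            result[ip] = mean(gaps)
    return result


def average_survival_time(log_text):
    """Average the per-target figures into one number, in seconds."""
    per_target = survival_time_per_target(parse_reports(log_text))
    return mean(per_target.values()) if per_target else None


if __name__ == "__main__":
    print(average_survival_time(SAMPLE_LOG))
```
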
0

I would like to add to the thread that aside from the need to have an up-to-date system, anti-virus, anti-malware, properly configured firewalls that are patched, and rootkit detectors, I would say that IDS (intrusion detection systems) and IPS (intrusion prevention systems) are a good thing to include in your system's arsenal. Some will prevent responding to port scanners such as nmap, NSAT, or Nessus so that attackers cannot find system vulnerabilities, should they exist. I would also say that using trusted proxy services, VPNs, and Tor is a good idea as well to make locating your system specifically much more difficult.

On another spectrum, having tools such as Nessus and nmap in your system's arsenal, with which to scan your own system, is a good way to find vulnerabilities and fix them before attackers find them.

Yokai