Cyber Smart is a book about protecting money and information from cyber criminals by cybersecurity expert Bart R. McDonough. The book explains what bad actors are trying to accomplish through their uses of technology, as well as whom they target, where and when they strike, and how they operate so that people may take effective countermeasures. The introduction mentions the various attack vectors to be examined in detail later, then presents the five basic steps to cybersecurity that he repeatedly advocates throughout the book: keep devices updated, use two-factor authentication, use a password manager, use up-to-date antivirus software, and create data backups. This bit becomes a bit tedious as the book goes on, but each of these five points is good advice. He then lists several myths about cybersecurity that will be debunked throughout the book. McDonough finishes the introduction with a brief overview of the two parts of the book.
The first part contains nine chapters which cover the targets, goals, and methods of cybercriminals. This section is really only necessary for beginners in cybersecurity and other uninformed people, but it is good to have all of its information in one place as a go-to reference to refresh one’s memory even if one is well-versed in its subject matter. Chapter 1 begins with a story of wire transfer fraud, then tells the reader how to prevent oneself from being scammed in this manner. After providing some statistics, McDonough explains the differences and relationships between data breaches, hacks, and cyberattacks. The second chapter tells the story of notorious hacker Albert Gonzalez, then delves into hacker demographics, motivations, and methods. McDonough discusses white-hat and black-hat hackers, but does not mention grey-hats. He gives a brief overview of nation-state attackers, but mostly saves this subject for the final chapter of the book, as this is not the primary cyberattacker for most people. Hacktivism is discussed, then the chapter concludes with several stories of hackers who were caught.
In the third and fourth chapters, McDonough explains that the goal of hackers is usually profit and that their methods are different means toward that end, even for black-hats who served prison time and became white-hats. He tells the reader how stolen credentials are used and sold on black markets, then calls attention to medical identity theft, a rising threat in recent years. The various types of malware that afflict computers gets a thorough overview, as does the concept of social engineering, which is the use of deception to obtain personal information. The rest of Chapter 4 details the various types of scams that one may encounter. It is here that one sees the link between cybersecurity and security in the physical world.
Chapter 5 lays out the chain of events that comprise a cyberattack and explains how each step in the chain presents the defender with an opportunity to stop the attack. The sixth chapter begins with a story about finding a random USB stick that turns out to have planted by bad actors to spread malware, then explores other methods of attack, such as phony emails, impersonation in phone calls and texting, fake websites, and compromised Wi-Fi. In the seventh chapter, McDonough returns to the “Brilliance in the Basics” strategy, elaborating on each point. He recommends that some older, more vulnerable applications not be used, but does not consider the possibility of a fake security patch that could infect a device with malware while posing as a legitimate update. Two-factor authentication is rightly praised, but using more factors is barely mentioned in the book. After explaining what a password manager is, McDonough advises the reader to install an antivirus program and keep it updated. Unfortunately, details on their operation are left sparse, and there is no mention of blacklist versus whitelist antivirus methods. The chapter concludes by introducing cloud storage, which is covered in more detail later.
The eighth chapter is very short, and deals with mistakes. McDonough explains how to avoid being the source of a data breach that could be very costly to oneself or one’s employer. To end Part I, Chapter 9 offers advice on how to respond to an attack that has already occurred, going through the steps for dealing with phishing, malware, ransomware, and email compromise. The only questionable advice here is to pay the ransom for ransomware if all else fails instead of just eating the loss, as this encourages further attacks.
Part II contains twelve chapters which discuss specific threats and recommendations for different parts of a person’s life, with a list of steps to follow at the end of each chapter. It is here that one is most likely to learn something new. Chapters 10 and 11 deal with identity theft of yourself and your children, respectively. McDonough discusses how bad actors obtain personal information with which to commit identity theft. One wonders why he does not recommend incinerating identifying documents instead of merely shredding them before disposing of them. He directs readers to a website which allows them to check whether their information has already been compromised. He explains the difference between fraud alerts and security freezes while showing how companies like Lifelock are essentially scams. The rest of Chapter 10 offers advice for protecting one’s medical history, preventing identity theft against deployed military personnel, and helping senior citizens avoid scammers. Chapter 11 explains why bad actors target children for identity theft, which is a problem that lacks sufficient public awareness. Most of the defenses are similar to the measures for adults, with minor variations. The chapter also deals with online gaming predators who target children, general Internet use by children, and smart toys. Oddly, McDonough does not advise against using smart toys at all.
The twelfth chapter is about protecting money. It begins with an example of identity theft and illegitimate purchases, then surveys major types of financial fraud, including wire transfer fraud, home equity fraud, IRS impersonation, credit and gift card fraud, card skimmers, and several other types that target unbanked and underbanked people. Strangely, there is no discussion of how to protect one’s cryptocurrency holdings. Chapter 13 is a brief foray into protecting an email account. One may be surprised at just how insecure and naive the average person is while reading this chapter, from using the same password for personal and business accounts to expecting providers of free services not to sell their data.
Protecting files is the subject of the fourteenth chapter. It begins with a story about an intern who accidentally deletes important files to demonstrate how threats are not the only concern for file protection. This also illustrates the problem of having a single point of failure, which is solved by backing up important data. McDonough advises the reader on proper cloud storage and local storage, then discusses how to find the best cloud provider for one’s needs. Chapter 15 is about social media and the large amount of fake and spam accounts there that are used by bad actors. The dangers of posting too much personal information, especially concerning recent real-world activities, is reiterated from Chapter 5. McDonough explains how and why third parties engage in data mining on social media. His advice at the end to try to think like a bad actor would when taking countermeasures is very important and should appear more frequently in the book, perhaps even as a sixth “Brilliance in the Basics” item.
The sixteenth chapter is about protecting website access and passwords. The dangers of reusing passwords across sites is repeated, then McDonough gives an elementary explanation of password hashing. He then presents some shocking statistics about how many people fail to change passwords even after they have been cyberattacked. He discusses password managers again, as well as an up-and-coming technology called universal second factor (U2F). For those without such means, McDonough offers a formula for generating modestly strong passwords and several mistakes to avoid.
Chapters 17 and 18 cover computers and mobile devices, respectively. Cryptocurrency finally gets discussed, but only through malware that hijacks a device to mine cryptocurrency. The use of visitor devices by websites to mine cryptocurrency is covered, as is the volunteering of computing power to solve other complex problems. The mobile device port-out scam and the SIM swap scam are explained, then McDonough offers tips for preventing them. He compares and contrasts the security features of iPhones and Androids. When discussing device loss and theft, he cites some disturbing statistics about what people will do when they find someone else’s lost device. His advice not to use jailbroken devices is good for non-experts, but those who are highly knowledgeable can keep such systems secure.
The nineteenth chapter is about home Wi-Fi security. McDonough first warns the reader about outdated security setups, but acknowledges that the most secure setup, WPA2, has been cracked and WPA3 is not yet available. Threats detailed here include freeloading neighbors, malware, and improper router management. Though virtual private networks are mentioned throughout the book, they are not sufficiently explained until this chapter. Chapter 20 covers issues concerning the Internet of Things (IoT). Like the USB sticks from Chapter 5, IoT devices can come infected. The dangers of hacked cars are discussed, followed by problems with botnets, ransomware, and spyware. With the horror stories that McDonough shares about hacked IoT devices, one is left wondering why anyone would want to use them when perfectly functional non-linked devices exist.
The final chapter offers tips specifically for travelers. It begins with a story about Wi-Fi hacking on an airplane, then broadens to public Wi-Fi concerns in general, such as fake networks, man-in-the-middle attacks, packet sniffing, and physically snooping on a user. Next, McDonough discusses scams that tourists may suffer at the hands of locals. The chapter concludes with advice for traveling in general, then advice for how to take extra precautions in foreign countries.
Cyber Smart reads quickly for over 250 pages. The book brings to mind the old proverb, “To survive a bear attack, outrun the person with you.” This is to say that bad actors will always be with us, and they will probably always victimize someone because someone will not use proper security measures. But with McDonough’s advice, that someone need not be you, for being cyber smart is mostly a matter of not being cyber stupid. For the most part, he does an excellent job of leading the reader through the necessary elements of cyber-hygiene, but there are some dubious omissions, unanswered questions, and stylistic issues. The absence of a chapter in Part II dedicated to protecting one’s cryptocurrency holdings stands out, as does the lack of advice throughout the book for users of operating systems other than Windows and Macintosh (e.g. Linux). Some minor typographical errors are present throughout the book, and the doubled table of contents seems redundant.
Though this book is full of important information that can help many people avoid being victimized, and many people are unaware of much of this information at present, one who is familiar with cybersecurity measures is left wondering whether a deeper problem exists that no book like this can solve. But it would be wrong to fault McDonough for trying. A book of this sort unavoidably has a relatively short shelf life, as technology marches on at a rapid pace, and the development of quantum computing will require radical rethinking of some security measures. But for 2019, Cyber Smart is one of the best attempts at advising the average person on cybersecurity, and a second edition can be written when needed.