The Complete Guide to Cybersecurity for New Programmers
When starting out as a programmer, you’re way too busy to pay attention to anything unrelated to your core competencies. You have your hands full with learning new technologies and languages, and executing projects.
Though it may be tough to squeeze in, it’s important that you find the time to learn cybersecurity.
Code that is insecure can be costly in terms of time required to rectify it, or worse, in money and business repercussions if the issue goes undetected.
In this post, I will show you the fundamentals of cybersecurity so you have all the essential info in one place. We’ll first take a look at common attacks and best practices, then I’ll share some tips and recommendations on cybersecurity skills and technologies.
What Is Cybersecurity and Why Should You Bother?
Cybersecurity refers to the process of securing data, networks, and devices from misuse by hackers.
Data is incredibly valuable and ranges from credit card details to Social Security numbers and medical records. When you’re working for a company or a freelance client, you can be handling your customers’ sensitive data—which you simply can’t afford to compromise.
In the first half of 2019, data breaches exposed over 4.1 billion records. What’s more, a recent study found that hackers attack computers with internet connections every 39 seconds—that adds up to, on average, 2,244 attacks per day.
One successful breach is all it takes to burn your credibility—or that of your business—down to ashes. For instance, in late 2016, two hackers were able to get names, email addresses, and contact numbers of over 57 million Uber app users.
This led to a $20 billion drop in Uber’s valuation, termination of the chief security officer (CSO), and a besmirched company reputation. Plus, they had to pay the hackers $100,000 to delete the data and keep their mouths shut.
Clearly, it doesn’t hurt to learn the basics of cybersecurity as a new programmer.
Before we discuss the cybersecurity best practices you should know about, let’s take a look at some common types of cyber attacks.
Types of Cyber Attacks
A cyber attack is an intentional and typically malicious attempt to capture, modify, or erase private data. Cyber attacks are committed for a variety of reasons, but the majority are motivated by ransom.
Here are the four types of cyber attacks that most commonly affect users, including programmers.
Brute Force Attack
A brute force (or “password guessing”) attack is when the attacker attempts to guess usernames and passwords, either manually or using software that does the guesswork at blazing speeds.
This attack will often try known username and password combinations from past data breaches. The attack succeeds when people use passwords that are weak or reused across different applications (for instance, when your social media and work passwords are the same).
Your best defense against brute force attacks is to use strong passwords and avoid using the same password for different apps, as well as using two-factor authentication. We’ll take a closer look at this and other cybersecurity options later in the post.
Distributed Denial of Service (DDoS) Attack
A distributed denial of service (DDoS) attack is when the attacker floods a network or system with a myriad of activities—such as messages, requests, or traffic—in an attempt to cripple it.
A successful DDoS attack can be used as a means of extortion and blackmailing. For instance, website owners can be asked to pay a ransom for attackers to stop a DDoS attack.
Such an attack is usually done with the use of botnets, which are groups of internet-connected devices—for example, laptops, smart speakers, gaming consoles, or servers—infected by viruses that allow the hacker to use them for performing such an attack.
DDoS defense techniques include the use of firewalls, VPN, anti-spam, content filtering, and load balancing.
Malware
Malware refers to malicious software and techniques used by hackers to infiltrate computers and networks and steal private data. Here are a few common types of malware:
- Keyloggers track what a person types on their keyboard. Keyloggers are often used to get passwords and other private information, such as Social Security numbers.
- Ransomware encrypts your data and holds it hostage, forcing you to pay a ransom if you wish to unlock and regain access to your data.
- Spyware tracks and “spies” on your online activity on behalf of the hacker.
Malware can be delivered via a variety of routes, the common ones being:
- Trojans, which infect computers or networks through a seemingly harmless entry point, often disguised as a legitimate application.
- Viruses, which corrupt, erase, or modify data. These can spread from computer to computer when they’re unintentionally installed by careless users.
- Worms, which are designed to self-replicate and autonomously spread through all connected devices that have the same vulnerabilities.
Phishing Attack
A phishing attack is when hackers try to trick people into doing something that seems urgent or beneficial, such as submitting personal information for a limited-time reward.
These are extremely common and can be attempted through download links, emails, fake websites, or forms that look legitimate on the surface.
In addition, spear-phishing refers to when the attacker targets a particular person or company, rather than mass spamming.
Cybersecurity Best Practices
Cybersecurity isn’t something you can fully ensure by following rules set in stone. There is no foolproof way to safeguard you or your business’s security in the online world.
However, there are some best practices and cybersecurity techniques you can use to protect yourself in the best way possible.
Create Near-Impenetrable Login Credentials
This may sound super-obvious, but many people, including tech-savvy coders, use predictable passwords with meaning attached to them, such as a slightly modified version of a loved one’s name, initials, or birth date.
Such passwords are easy to remember, and thus, easy to hack.
Instead of having an easy-to-remember password, use a random password generator to create a super-strong password that can’t be guessed. Set a limit to the permissible number of login attempts, too. This is a simple yet powerful way to thwart brute force attacks.
Also, to prevent the wrong person from obtaining easy access to all your sensitive personal or business data, let your logins expire after a few hours of inactivity, even though it’s a minor inconvenience.
Moreover, be careful about sharing login privileges. Ideally, don’t share them at all. But if you run a business and absolutely have to, only a few select employees you fully trust should have login rights. And if an employee with credentials is no longer associated with your business, make sure to reset the credentials in a timely manner.
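The three controls this section recommends (a randomly generated password, a cap on failed login attempts, and sessions that expire after inactivity) in one small Python module. This is an added example, not code from the original post; the class and function names, the limits (5 failures, 15-minute lockout, 4-hour idle timeout), the in-memory dictionary used as storage and the `password_ok` stand-in for a real credential check are all assumptions chosen for illustration.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Characters drawn from when generating passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password from the CSPRNG-backed `secrets` module
    (never the `random` module) with at least one lowercase letter, one
    uppercase letter, one digit and one punctuation character."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


@dataclass
class LoginGuard:
    """Counts failed logins per account; once max_attempts failures have
    accumulated, the account stays locked until lockout_seconds have passed
    since the most recent failure. Storage is an in-memory dict (assumption;
    a real service would keep this in a shared store)."""
    max_attempts: int = 5
    lockout_seconds: float = 15 * 60
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict, repr=False)

    def is_locked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._failures.get(username)
        if entry is None:
            return False
        count, last_failure = entry
        if count < self.max_attempts:
            return False
        if now - last_failure >= self.lockout_seconds:
            del self._failures[username]  # lockout has elapsed; start fresh
            return False
        return True

    def record_failure(self, username: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        count, _ = self._failures.get(username, (0, now))
        self._failures[username] = (count + 1, now)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


@dataclass
class Session:
    """A login session that expires after idle_timeout seconds without activity."""
    user: str
    idle_timeout: float = 4 * 3600
    last_activity: float = field(default_factory=time.time)

    def touch(self, now: Optional[float] = None) -> None:
        self.last_activity = time.time() if now is None else now

    def is_expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.last_activity > self.idle_timeout


def attempt_login(guard: LoginGuard, username: str, password_ok: bool,
                  now: Optional[float] = None) -> Optional[Session]:
    """Glue showing the intended order: refuse locked accounts before the
    password is even considered, count failures, and issue a session on
    success. `password_ok` stands in for a real credential check (assumption)."""
    if guard.is_locked(username, now):
        return None
    if not password_ok:
        guard.record_failure(username, now)
        return None
    guard.record_success(username)
    return Session(username, last_activity=time.time() if now is None else now)
```

Every method takes an optional `now` so the time-based behaviour can be exercised deterministically; in production the default `time.time()` is used. Note that `attempt_login` rejects a locked account even when the password is correct, which is what stops a guessing campaign from continuing to probe.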
Keep Your CMS Up To Date
You’re likely using a content management system (CMS) for your personal website or at your workplace. While using a CMS like WordPress or Magento is a great way to manage your website more efficiently, it comes with vulnerabilities that can be exploited by hackers.
Consider WordPress: It powers over 35% of the internet and is still growing in popularity. But with its popularity and extensive customizability (using countless plugins and themes) come weaknesses and easy entry points that make WordPress a prime target for hackers.
Hundreds of thousands of WordPress sites fall victim to cyber attacks each year, despite the fact that WordPress in itself is a secure CMS.
All the extensions you install to make life easier, in the form of plugins and themes, are potential entry points for attackers. Many of these plugins aren’t as secure as the core software, and while their developers usually fix the vulnerabilities, you may fail to apply the patches on time.
So, see to it that your CMS, its themes, and its plugins are always up to date with the latest version.
Be Vigilant About Social Engineering Scams
You may feel you’re smart enough to differentiate between legitimate and fishy emails, and you likely are, but everyone has a lapse of judgment from time to time.
Always keep an eye out for phishing emails and scammy websites with shady downloads or offers. After all, phishing is an effective, high-reward, and minimal-investment strategy for hackers to gain access to sensitive information, such as your credit card details. As a result, it’s always going to be a threat.
Here are a few precautions to protect yourself against social engineering attacks:
- Be wary of emails from unknown senders or even familiar people (like your company’s CEO or your doctor) who do not usually communicate directly with you. Don't click on links or open attachments from those senders.
- Check the sender's email address to ensure it's from an authentic account, and hover over any link to see the actual web address it points to before clicking. Also, look for slight character changes that make illegitimate email addresses appear visually legit—a .com domain where it should be .gov, for instance.
- Note grammatical errors in the email content, as they’re almost always a sign of a scam.
- Check for logos: Do they look legit? Does the font match? Are they in high resolution?
- Use an anti-phishing filter on browsers and emails, as well as antivirus software to scan attachments.
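The sender-address checks in the list above, written out as a small Python detector that a mail filter or a training exercise could run over a `From:` header. It is an added example, not code from the original post; the function names, the list of confusable character substitutions, the trusted-domain list and the sample headers are all constructed for illustration. It goes slightly beyond the list by also catching a trusted domain name embedded in an unrelated domain and a display name that shows a different address than the one the mail really comes from.

```python
import re
from email.utils import parseaddr
from typing import List

# Substitutions used to make a fake domain look like a real one (constructed list;
# extend it with whatever lookalikes your organisation sees).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_confusables(s: str) -> str:
    """Lower-case a domain and collapse confusable sequences so that
    exarnple.gov and example.gov compare equal."""
    s = s.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(from_header: str, trusted_domains: List[str]) -> List[str]:
    """Return a list of reasons the sender looks suspicious; empty means
    nothing in the address itself stood out."""
    findings: List[str] = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]

    # A display name carrying a different address than the real envelope one.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and embedded.group(0).lower() != addr:
        findings.append(f"display name shows {embedded.group(0)} but mail comes from {addr}")

    trusted = [t.lower() for t in trusted_domains]
    # Exact trusted domain, or a subdomain of one, needs no further checks.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return findings

    for t in trusted:
        if fold_confusables(domain) == fold_confusables(t):
            findings.append(f"{domain} uses confusable characters to imitate {t}")
        elif domain.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            findings.append(f"{domain} has the same name as {t} under a different top-level domain")
        elif edit_distance(domain, t) <= 1:
            findings.append(f"{domain} is one edit away from {t}")
        elif t in domain:
            findings.append(f"{domain} embeds the trusted name {t} in an unrelated domain")
    return findings
```

An empty result only says the address passed these lexical checks; a compromised legitimate account produces a perfectly clean `From:` header, which is why the list above also asks you to consider whether the person normally writes to you at all.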
Enable Two-Factor Authentication (2FA)
The strongest of strong passwords can still be broken through. And there’s always a possibility that your login credentials will fall into the wrong hands.
So, instead of requiring a mere password to successfully log in to your profile or website, use two-factor authentication wherein you’re sent a verification code to your registered phone or email to verify that the person logging in is indeed you.
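The server side of the verification-code flow described above, as an added Python example that is not from the original post. It covers the parts a new programmer usually gets wrong: the code is generated from a cryptographically secure source, only an HMAC of it is stored, it expires, it can be used once, the number of guesses is capped, and the comparison is constant-time. The class name, the six-digit format, the five-minute lifetime, the five-guess limit, the in-memory store and the server key are assumptions; actually delivering the code by SMS or email is outside the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_DIGITS = 6   # length of the code sent to the user
CODE_TTL = 300    # seconds a code stays valid
MAX_TRIES = 5     # guesses allowed per issued code

# Key that keeps stored code digests from being reversed if the store leaks.
# Constructed here; in practice it is loaded from configuration, not generated at import.
SERVER_KEY = secrets.token_bytes(32)


class OneTimeCodes:
    """Issues and verifies short-lived, single-use verification codes."""

    def __init__(self, key: bytes = SERVER_KEY, ttl: int = CODE_TTL, max_tries: int = MAX_TRIES):
        self._key = key
        self._ttl = ttl
        self._max_tries = max_tries
        # user -> {"digest": ..., "expires": ..., "tries": ...}; in-memory for the example.
        self._pending: Dict[str, dict] = {}

    def _digest(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a fresh code for `user`, replacing any earlier one, and return
        it so the caller can send it to the registered phone or email address.
        The plaintext code is never stored or logged."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {"digest": self._digest(code), "expires": now + self._ttl, "tries": 0}
        return code

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        """Return True once, for the right code, within its lifetime and
        guess budget; every other outcome is False."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[user]      # expired codes are discarded, not retried
            return False
        entry["tries"] += 1
        if entry["tries"] > self._max_tries:
            del self._pending[user]      # too many guesses: force a new code
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted.strip()))
        if ok:
            del self._pending[user]      # single use
        return ok
```

`hmac.compare_digest` is used rather than `==` so that the time taken to reject a wrong code does not depend on how many leading characters matched. The guess cap matters because a six-digit code has only a million possibilities; without it, the code itself becomes a target for the brute force attack discussed earlier in the post.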
Use a Virtual Private Network (VPN)
Public Wi-Fi hotspots are great. They’re free and don’t require a password. They save you from exhausting your mobile data.
However, there’s a cybersecurity cost attached. Whether it’s your friendly neighborhood cafe or the airport, public Wi-Fi spots are perfect for hackers looking to steal your data or invade your privacy.
Hackers use these open networks to attempt man-in-the-middle attacks in which they position themselves between you and the network’s router. They can then create fake login pages to steal your credentials or the data sent from your device.
You can protect yourself from these by using a virtual private network (VPN). A VPN creates a “tunnel” through which your data travels when entering and exiting a web server. That tunnel encrypts your data and hides your location so it can’t be read by hackers or malicious software.
So whether you’re surfing the internet on public networks or planning to use streaming services like PrimeWire, consider getting a VPN for extra security.
Perform Frequent Backups and Malware Scans
You’re likely tired of hearing this, but frequently backing up important data is indispensable. It’s like eating your veggies—you know it’s a good thing to do but don’t really want to do it.
Let’s say your business website gets hacked. Every second of downtime is costing you serious money.
In this case, the quickest bounceback is to restore your last backup. While some hosting service providers perform automatic backups for you, almost none of them do it on the ideal frequency (daily or, at most, weekly). So, take it upon yourself to schedule frequent backups.
Next, using an antivirus tool, perform regular malware scans to track and remove viruses and outdated software or extensions that can be exploited by hackers. Conduct vulnerability tests using a vulnerability scanning tool to reveal your web app’s weak points.
New vulnerabilities emerge all the time, and something that was secure last month may not be secure today. Make a point of scheduling backups, scans, and tests ahead of time.
Skills and Technologies to Learn
Cybersecurity is a rewarding career path, with an average salary of nearly $90K.
But even if you don’t want to start a career in cybersecurity, it’s a good idea to know about the skills and technologies you need to be a savvy programmer.
While programming knowledge isn’t necessary to be good at cybersecurity, your knowledge of programming languages certainly gives you a head start. Let’s take a look at what the experts have to say about what you need to know to protect yourself.
Kristen Kozinski, who now manages enterprise security education at the New York Times, says, “You don’t need to be an expert, but being able to read and understand a language is a good skill to have [for cybersecurity].”
Chris Coleman, president of Woz U, says, “It’s only with a firm understanding of the vulnerabilities of systems that someone can predict and prevent cyberattacks.” That is, you need to be able to think like a cybercriminal.
Specific technical skills vary based on the area of specialization, but broadly speaking, Coleman recommends the following cybersecurity skills for programmers:
- Security and networking foundations
- Logging and monitoring procedures
- Network defense tactics
- Cryptography and access management practices
- Web application security techniques
Your focus, regardless of what you’re working on, should be to understand the system—what’s happening behind the scenes, what data is important to its functioning, the goals of the system owner, and the weaknesses a hacker may try to exploit.
For example, if you’re looking into a payroll system, start by asking these questions:
- How do employees get paid?
- Where is their data housed?
- How can this system fail?
On the technical side, it’s good to have an understanding of network architecture, administration, and management of operating systems (like various Linux distros or Windows), networking, and virtualization software. Get to know and love things like firewalls and network load balancers.
Apart from this, soft skills—the ability to clearly articulate complex concepts, great presentation and listening skills, teamwork, and so on—are, of course, prerequisites for success.
For example, you might have to present the concept of social engineering to unsuspecting employees, or communicate complex subjects or strategies to C-suite executives who may not have a technical background.
As the field is constantly changing, having a willingness to learn is also key. Furthermore, according to Dice, potentially important certifications include the following:
- CEH (Certified Ethical Hacker)
- OSCP (Offensive Security Certified Professional)
- CISA (Certified Information Security Auditor)
- GCIH (GIAC Certified Incident Handler)
- CISSP (Certified Information Systems Security Professional)
- CISSP-ISSAP (Information Systems Security Architecture Professional)
- CISSP-ISSEP (Information Systems Security Engineering Professional)
- CISSP-ISSMP (Information Systems Security Management Professional)
If you wish to pivot to cybersecurity as a career someday, these certifications can be extremely valuable.
According to Joseph Carson, the chief security scientist at security vendor Thycotic, “Cybersecurity certifications are essential to showing the level of knowledge of a cybersecurity professional. However, they should never alone be the only reference.” He adds, “Certifications should be combined with solid industry experience to get the right level of skill set required.”
For staying on top of the latest and greatest in cybersecurity, here are a few resources you should consider following:
- National Institute of Standards and Technology (NIST) has a cybersecurity program that routinely publishes insights and standards on various cybersecurity topics.
- Center for Internet Security (CIS) is a global, nonprofit security resource and IT community used and trusted by experts in the field.
- Cybrary is a mostly free cybersecurity training and career development platform with quality educational videos, certifications, mentorship, and hands-on practice labs for all kinds of cybersecurity topics and specializations.
Keep Your Data Safe
Now you know the fundamentals of cybersecurity—the what, why, and how—along with the skills, technologies, and certifications you need as a new programmer wanting to learn more about this exciting field. So, as a hacker would probably say—time to get cracking!