Of Demons and Angels: Fundamental Information Security Practices



Belief /biˈlēf/ noun

1. an acceptance that a statement is true or that something exists.

2. trust, faith, or confidence in someone or something.


Where Do You Stand?

Do you believe your data is secure because the word “secure” is placed where you can see it?

Do you believe that your data is safe because it is password protected?

Do you believe no one has your data because it is protected by an SSL certificate?


It’s the 21st century, appropriately coined “The Information Age”. It’s easy to be overloaded with information and misinformation. Every day you are targeted by marketing campaigns designed to persuade you to buy something, be it peace of mind or something claiming to be useful. Some are legitimate and some not so much. “Blind faith” is not how you should handle your personal information. How do you know that the merchant or charity taking your credit or debit card information is handling it seriously and securely? What are you doing to personally safeguard your personal, health, and financial information?

The Angels

Protection of your private information takes place at various levels all across the globe. Financial institutions and various governing bodies have an inherent need to ensure that the public’s private information is safeguarded. Laws are created to protect consumers and businesses alike with regard to safeguarding personal and financial information. There are various laws in every country and state or province. It may not be easy to become familiar with the ones that apply to your jurisdiction; however, a good source for this information is DLA Piper’s Data Protection Laws of the World (http://www.dlapiperdataprotection.com/#handbook/world-map-section).

Outside of the law books and governing bodies, some service providers also do their fair share to protect your data by employing firewalls, web application firewalls, data encryption, two-factor authentication, and biometrics, as well as proper access control, separation of duties, and segregation of networks. There are also people all over the world devoted to discovering and patching vulnerabilities as they arise and ensuring software and hardware providers are patching their products. Yet it’s simply not enough to keep sensitive data protected.


The Demons

With the increasing rate of discovered vulnerabilities, advances in technology, insecure networks, and weak passwords, the numerous safeguards that the government or any institution that handles your data implements could be for naught. It may come as a surprise to you that two vulnerabilities are discovered every second. That increases the potential of your data being exposed to enormous proportions. With increasing advances in technology and the ability to garner substantial computing power with very little investment, it’s a race to prevent breaches before they occur.

The security of your information starts with you. There are products like oclHashcat (http://hashcat.net/oclhashcat/), which uses technology very similar to the programs used for mining electronic currency and boasts the ability to attempt eight million password guesses per second, provided the attacker has a high-end graphics card in their personal computer. Couple that with a weak password and you’ve essentially “thrown your pearls before the swine”.

See http://www.bmyers.com/public/1958.cfm for the top 500 commonly used passwords. If you are using any password listed there, or even just a simple dictionary word, change it to something less easily guessed immediately! Attackers have a wealth of dictionary-based password lists they try. I’d also recommend not using a password you used prior to the Heartbleed vulnerability being fixed; there is a very large chance that your password has been leaked and is on a stolen password list.
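To put the eight-million-guesses-per-second figure and the common-password list into numbers, here is an added estimator (example code, not part of the original article): it flags passwords found in a constructed stand-in for a common-password list or a dictionary wordlist, and otherwise computes the worst-case brute-force time at the page’s quoted guess rate. The word sets, the day/year thresholds and the function names are assumptions for illustration.

```python
import string

# Guess rate the article cites for oclHashcat on a high-end consumer GPU.
GUESSES_PER_SECOND = 8_000_000

# Constructed stand-in for a "commonly used passwords" list (not the list linked above).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "abc123"}
# Constructed stand-in for an attacker's dictionary wordlist.
DICTIONARY_WORDS = {"sunshine", "dragon", "monkey", "football", "princess"}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, given the character classes present."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case for exhaustive search over every string of this length and alphabet.

    This is an upper bound: real attackers try wordlists and mangling rules first,
    so a predictable password falls far sooner than this estimate suggests.
    """
    return charset_size(password) ** len(password) / rate


def assess(password: str, rate: int = GUESSES_PER_SECOND) -> dict:
    """Classify a password the way a wordlist-then-brute-force attacker would treat it."""
    lower = password.lower()
    if lower in COMMON_PASSWORDS:
        return {"verdict": "weak", "reason": "on common password list", "seconds": 0.0}
    if lower in DICTIONARY_WORDS:
        return {"verdict": "weak", "reason": "plain dictionary word", "seconds": 0.0}
    secs = seconds_to_exhaust(password, rate)
    if secs < SECONDS_PER_DAY:
        verdict = "weak"        # exhausted in under a day on one GPU
    elif secs < SECONDS_PER_YEAR:
        verdict = "moderate"    # days to months
    else:
        verdict = "strong"      # more than a year of exhaustive search
    return {"verdict": verdict, "reason": "brute-force estimate", "seconds": secs}


if __name__ == "__main__":
    for pw in ["123456", "Dragon", "abcdefgh", "abcdefghij", "Tr0ub4dor&3x!"]:
        r = assess(pw)
        print(f"{pw!r:18} {r['verdict']:9} {r['reason']:26} {r['seconds'] / SECONDS_PER_DAY:.3g} days")
```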


The Reality

While laws and regulations may stipulate requirements that third parties must uphold when taking your personal or financial information, in reality they provide a false sense of security. Just as gun laws do not prevent criminals from obtaining guns, laws that require safeguarding of information do not prevent criminals from obtaining your personal or financial information. Over the last twelve months, even though most of these laws and compliance regulations have been in place for over ten years, some major vulnerabilities and breaches have taken place. The responsibility for protecting personal data lies not only with the provider of data services, but also with the owner of the data.

There is an invisible war going on for your information. Governments, corporations, media, and advertising agencies are collecting more and more about you, because to them it’s business as usual. Malicious attackers, however, are just waiting for you to hand over your information so they can steal it and do any number of malicious things with it, from assuming your identity, to draining your bank account, to simply selling your information to the highest bidder.

Take the time to review some of the most famous breaches of the last twelve months and really think about how safe your data is.


Sample of breaches within the last 12 months


Avoid a Personal Apocalypse

No matter where you store sensitive data, whether on your computer, your phone, the cloud, external storage, or a USB stick, you are still at risk. Sensitive data is everywhere. The POS systems at any store where you swipe your credit or debit cards, your financial institution, your health providers, the local, state, and federal government entities, your utility companies, your phone, internet and cable service providers, your schools and colleges, even your place of employment are potential targets. The first step in protecting your data is ensuring you aren’t protecting it with a weak password.

Do not use the same password across multiple sites. Use a separate password for financial sites from the ones you use for random forums, and a different one again for any utilities or other merchant sites you use to shop online. Use a payment service to limit access to your financial data where you can. If you have the option to use two-factor authentication for any of the places you do business with, choose it over using a single password. If you must store your passwords and sensitive data locally or in the cloud, store them encrypted using services like Folder Lock, Advanced Encryption Package Pro, or Dekart Keeper. If you don’t have anything other than passwords you need to keep private, then use products like LastPass, PasswordBox, or Dashlane.

Ensure you clear your cookies after every online banking/shopping/bill paying session (http://www.wikihow.com/Clear-Your-Browser%27s-Cookies). Ensure that any site you log into is protected via SSL. If it is, you should see https:// at the start of the URL in your browser’s address bar.


Easy Security Checklist


Is your login SSL protected?

Check for the requisite https:// at the beginning of the URL in your browser’s address bar!


Check for Heartbleed

If the site is vulnerable, inform the site owner and stop using the site until it’s fixed. Once it’s fixed, change your password.


Clear Cookies

Do this after any online session in which you used a password or sensitive information.


Opt for 2-factor Auth

Opt for this where you can, especially for financial or healthcare sites. This may require an app to be installed on your phone or for you to carry a key fob.


Use Different Passwords

Use separate passwords across all sites where you store sensitive data. Don’t use the same password for Twitter that you use for your banking!


Don’t use Weak Passwords

If your password is in the list of commonly used passwords linked above, or matches a dictionary word, change it immediately.


Encrypt your Sensitive Data

Choose good encryption software for any sensitive data or passwords that you want to store locally or in the cloud: one tool for data encryption, and a separate one if you only need to protect site logins and passwords.


Evangelize These Tips

Protect your friends and loved ones by informing them.