Of Demons and Angels: Fundamental Information Security Practices

09/01/2014


Belief /biˈlēf/ noun

1. an acceptance that a statement is true or that something exists.

2. trust, faith, or confidence in someone or something.


Where Do You Stand?

Do you believe your data is secure because the word “secure” is placed where you can see it?


Do you believe that your data is safe because it is password protected?


Do you believe no one has your data because it is protected by an SSL certificate?


It’s the 21st century, appropriately coined “The Information Age”. It’s easy to be overloaded with information and misinformation. Every day you are targeted by marketing campaigns designed to persuade you to buy something, be it peace of mind or something claiming to be useful. Some are legitimate and some not so much. Believing that a site is secure on “blind faith” is not enough where your personal or financial information is concerned. How do you know that the merchant or charity taking your credit or debit card information is handling it seriously and securely? What are you doing to personally safeguard your personal, health, and financial information?

The Angels

Protection of your private information takes place at various levels all across the globe. Financial institutions and various governing bodies have an inherent need to ensure that the public’s private information is safeguarded. Laws are created to protect consumers and businesses alike with regard to safeguarding personal and financial information. There are various laws in every country and state or province. It may not be easy to become familiar with the ones that apply to your jurisdiction; however, a good source for this information is DLA Piper’s Data Protection Laws of the World.

Outside of the law books and governing bodies, some service providers also do their fair share to protect your data by employing firewalls, web application firewalls, data encryption, two-factor authentication, biometrics, as well as proper access control, separation of duties, and segregation of networks. There are also people all over the world devoted to discovering and patching vulnerabilities as they arise and ensuring software and hardware providers are patching their products. Yet, it’s simply not enough to keep sensitive data protected.


The Demons

With the increasing rate of discovered vulnerabilities, advances in technology, insecure networks, and weak passwords, the numerous safeguards implemented by the government or any institution that handles your data could be for naught. It may come as a surprise to you that two vulnerabilities are discovered every second. That raises the potential for your data to be exposed to enormous proportions. With increasing advances in technology and the ability to garner substantial computing power with very little investment, it’s a race to prevent breaches before they occur.

The security of your information starts with you. Products like oclHashcat use technology very similar to the programs used for mining electronic currency and boast the ability to attempt eight million password guesses per second, provided the attacker has a high-end graphics card in their personal computer. Couple that with a weak password and you’ve essentially “thrown your pearls before the swine”.

See http://www.bmyers.com/public/1958.cfm for the top 500 commonly used passwords. If you are using any password listed there, or even just a simple dictionary word, change it to something less easily guessed immediately! Attackers have a wealth of dictionary-based password lists they try against. It is recommended that passphrases are used rather than a simple password. So instead of simply using “rooster” as a password, you could use “TheRoosterCrows@6”. Also remember not to use a password you used prior to the Heartbleed vulnerability being fixed (April 7, 2014); there is a very good chance that your password has been leaked and is on a stolen password list.
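To make the arithmetic behind that advice concrete, here is an added example (not code from the original post): a small Python checker that rejects a candidate found on a common-password list or built from a dictionary word, then estimates how long a brute-force attack would take at the eight million guesses per second quoted above. The word lists and the one-year threshold are constructed assumptions, standing in for the real top-500 list and an attacker's wordlists.

```python
import string

# Constructed stand-ins for the lists the post refers to (hypothetical
# samples, not the real top-500 list or any real cracker wordlist).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}
DICTIONARY_WORDS = {"rooster", "crows", "sunshine", "dragon", "monkey"}

# Guess rate quoted in the post for a GPU-based cracker such as oclHashcat.
GUESSES_PER_SECOND = 8_000_000
ONE_YEAR = 365 * 24 * 3600  # assumed threshold for "too easy to brute force"

def charset_size(pw):
    """Size of the alphabet a brute-force attack must cover for pw."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_seconds(pw):
    """Worst-case time to exhaust pw's keyspace at the quoted guess rate."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def core_word(pw):
    """Strip leading/trailing digits and symbols: 'Rooster1!' -> 'rooster'."""
    return pw.lower().strip(string.digits + string.punctuation)

def check_passphrase(pw):
    """Return (accepted, reason) for a candidate password or passphrase."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on the common-password list"
    if core_word(pw) in DICTIONARY_WORDS:
        return False, "dictionary word with at most trivial decoration"
    secs = brute_force_seconds(pw)
    if secs < ONE_YEAR:
        return False, f"brute-forceable in {secs / 3600:.1f} hours"
    return True, f"brute force would take about {secs / ONE_YEAR:.3g} years"

if __name__ == "__main__":
    for candidate in ("password", "rooster", "Rooster1!",
                      "zqxjvkw", "TheRoosterCrows@6"):
        print(f"{candidate!r:22} -> {check_passphrase(candidate)}")
```

A seven-letter lowercase password that is not a dictionary word still falls in roughly 17 minutes at this rate, while the post's passphrase pushes the worst case far beyond any practical timescale.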


The Reality

While laws and regulations may stipulate requirements for third parties to uphold when taking your personal or financial information, in reality they give a false sense of security. Just as gun laws do not prevent criminals from obtaining guns, laws that require safeguarding of information do not prevent criminals from obtaining your personal or financial information. Over the last twelve months some major vulnerabilities and breaches have taken place. The responsibility for protecting personal data lies not only with the provider of data services, but also with the owner and/or provider of that data.

There is an invisible war going on for your information. Governments, corporations, media, and advertising agencies are collecting more and more about you, because to them it’s business as usual. However, malicious attackers are just waiting for you to hand over your information so they can steal it and do any number of malicious things with it, from assuming your identity to draining your bank account or simply selling your information to the highest bidder. A breach happens when there is a failure of the controls in place to protect things like data, equipment, persons, or places. You may not have control over how others handle your data, but you do have the ability to protect yourself and control over where you enter that data. It may take some effort, but it will be well worth it if you are able to prevent malicious actors from stealing your information.

Take the time to review some of the most famous breaches of the last twelve months and really think about how safe your data is.


Sample of breaches within the last 12 months


Avoid a Personal Apocalypse

No matter where you store sensitive data, whether on your computer, your phone, the cloud, external storage, or on a USB stick, you are still at risk. Sensitive data is everywhere. The POS systems at any store where you swipe your credit or debit cards, your financial institution, your health providers, the local, state, and federal government entities, your utility companies, your phone, internet and cable service providers, your schools and colleges, even your place of employment are potential targets. The first step in protecting your data is ensuring you aren’t protecting it with a weak password. Remember, it’s not a matter of if a breach may occur, but when. At some point, some sites or applications you use may end up exposed to attackers who will be more than happy to take that information and use it for nefarious purposes.


Do not use the same passphrase across multiple sites. Use unique passphrases for financial sites and keep them separate from the ones you use for random forums and a different one for any utilities or other merchant sites you use to shop online. Use a payment service to limit access to your financial data where you can. If you have the option to use two-factor authentication for any of the places you do business with, choose it over using a single password or passphrase. If you must store your passwords/passphrases and sensitive data locally or in the cloud, store them encrypted by using services like Folder Lock, Advanced Encryption Package Pro, or Dekart Keeper. If you don’t have anything other than passphrases you need to keep private then use products like: LastPass, PasswordBox, or Dashlane.


Ensure you clear your cookies after every online banking/shopping/bill paying session (http://www.wikihow.com/Clear-Your-Browser%27s-Cookies). Ensure that any site you log into is protected via SSL. If it is, you should see https:// at the start of the URL in your browser’s address bar.


Consider using a payment service, like Google Wallet, ProPay, Dwolla, WePay, Skrill, and PayPal, rather than entering your credit card data into various merchant sites that you aren’t sure you can trust.


Easy Security Checklist

1. Is your login SSL protected?

Check for the requisite https:// at the beginning of the URL in your browser’s address bar! Paste the link of any site into https://www.ultratools.com/tools/sslExam to check for a valid certificate.

2. Check for Heartbleed

Test the site at https://filippo.io/Heartbleed/. If it is vulnerable, inform the site owner and stop using the site until it’s fixed; when it’s fixed, change your passphrase.

3. Clear Cookies

After any online session in which you used a passphrase to sign in where sensitive information is stored, clear your cookies (http://www.wikihow.com/Clear-Your-Browser%27s-Cookies).

4. Opt for 2-factor Auth

Opt for this where you can for most financial or healthcare sites. This may require an app to be installed on your phone or for you to carry a key fob.

5. Use Different Passphrases

Use unique passphrases across all sites where you store sensitive data. Don’t use the same password for Twitter that you use for your banking!

6. Don’t use Weak Passwords

If your password is in the list at http://www.bmyers.com/public/1958.cfm or matches a dictionary word, change it immediately.

7. Encrypt your Sensitive Data

Choose good encryption software for any sensitive data or passwords that you want to store locally or in the cloud, whether a data-encryption product or one for site logins and passwords only.

8. Weigh the Risk

Before you upload that image or enter sensitive information into a site, weigh the risk. If you are uncomfortable with the information being made public, it’s probably best not to put it on the internet at all. This includes e-mail, the cloud, online storage, text messages, etc.


Evangelize These Tips

Protect your friends and loved ones by informing them.