How to Work Effectively and Safely in the Cloud Part Two: Wherein Things Get Complicated
In my last sally into the topic of security in the cloud, I covered some basics. My discussions with Dr. Forno led me to some astonishing understandings and changed some of my computing habits. Today we are going to address some of those items: secure passwords, secure devices, and secure networks, in a deeper way.
For lawyers who find this all just a bit too much to handle, I recommend reading this but consulting an IT service that specializes in providing support to law practices. Using a system already in place will help you immensely, and you don’t need to be quite as aware of the nuances we discuss here. For attorneys with greater exposure and understanding f how technology functions, you will likely make changes to your habits as I did once you read this.
The password standard has changed. But even these can be difficult to remember — though at a minimum, keeping your password list in an encrypted document stored on your (hopefully encrypted) hard drive may be an easy and free solution, but it’s not a great one.
So a password manager is a fairly responsible tradeoff.
Password Managers. An easy phrase to remember is one thing, better still is to break out a password manager such as security expert Bruce Schneier’s Password Safe (free) or 1Password (a small fee). Some, like Password Safe, only handle password management, but others, like 1Password, allow you to store many types of information (licenses, credit card information, secure notes, etc.) along with all the expected features of a robust password manager, such as integration with your browser and/or fingerprint readers. What this means is that if you ultimately establish separate passwords for everything, you really only need to remember the password to your password manager to gain near-seamless access to your various sites.
This may sound counterintuitive and a dangerous thing — one place for everything? What if the password manager is compromised? Admittedly, if you lose or forget your password manager’s password, you will be in trouble. However, given that we need passwords for everything, and if we’re doing the right thing and not re-using passwords between sites, it’s practically impossible to keep them all straight. So a password manager is a fairly responsible tradeoff. But as a result, you need to protect that password and the encrypted password ‘container’ responsibly. But then again, some password managers will tell you if your login credentials show up in the ever-increasing number of data breaches, which can be a good thing for you to know about sooner rather than later.
Even Dr. Forno, a 20-year security industry veteran, only began using a password manager recently. As he put it, “I got sick of remembering which password style I used for which site. Plus, with the number of data breaches that steal our login information, strong passwords remain our first line of defense. So I took a week in 2017 and reset all my passwords to much more complex things that differ from site to site. It took me a while to get comfortable with not knowing how to log into my bank account without the help of my password manager, but the security benefit was worth it.” He dryly added, “not to mention, as we age, it’s good to have such items in one location!”
Phishing Scams. In Part One we talked briefly about phishing scams. Everyone gets these — I get a bunch every day, which thankfully are almost always picked up by my email server as spam. There are some obvious giveaways that these emails are a scam — bad grammar or spelling is pretty obvious. But, for the more sophisticated user, another easy way to tell is to look at the sender’s email address. Here’s one I got last week that I reported to Apple (I get at least 4 a week pretending to be from Apple):
How do I know this is fake and scam? Honestly, this one was pretty easy. An unsuspecting user might see the name of ‘Apple’ in the ‘From’ field and automatically believe it. In reality, if they look closely (perhaps right-clicking on the from field) they’ll see that that is not an Apple sender email address. They cc’d a few legitimate addresses from Apple and Microsoft to imply (er, ‘trick me into believing’) that this was a legitimate message. Third, that’s not the e-mail account that I receive receipts from Apple at. Fourth, it contains nothing but an attachment, which right there should make ANYONE suspicious. And fifth, I haven’t ordered anything from Apple anytime recently. It is possible to search for common phishing and spoofing scams online and reputable companies will tell you how to report them. For example, Apple’s is here: https://support.apple.com/en-us/HT201679
Oftentimes spam and phishing emails — and increasingly, text messages — will indeed look as if they come from a company you use:
Parsing the many ways that spam or ‘phishing’ (attempts to get your login/password information) emails look is far beyond the scope of this article. However, there remains one easy recommendation: if you doubt the message is legitimate or it gives you pause, contact the company that allegedly sent it — your bank, brokerage, doctor’s office, or service provider. Their cybersecurity and customer service teams are more than happy to work with you and will greatly appreciate not only your diligence and concern, but use your reported incident to better strengthen their own cybersecurity preparedness. Be part of the solution!
If you doubt the message is legitimate or it gives you pause, contact the company that allegedly sent that message.
For example, Wells Fargo offers 3 simple tips to help identify spam/phishing emails:
Non-Wells Fargo email address: The email address of the sender does not include the wellsfargo.com domain name, instead using something like “comcast.net”: WellsOnlineBank2@comcast.net.
Urgent call to action: The email includes an urgent request in the subject line and message copy, such as “for your protection and for security reasons.” Phishing emails may also contain extra spacing or unusual punctuation in addition to other red flags.
Suspicious URL: The email contains a link to a non-Wells Fargo URL, which could be a fraudulent website. If you’re using a laptop or desktop computer, you can check a link’s URL by hovering over it with your cursor, and the URL will show in your browser window.
Dr. Forno notes that in 2018, internet users (including him) noticed a modern twist on the classic spam extortion request. These poorly-worded messages, based on user names, emails, and passwords obtained from a prior data breach, claim to have recorded video of the recipient watching internet pornography and, for a modest fee (paid in anonymous Bitcoin or other cryptocurrency), pledge not to release that video to the victim’s ‘contact list.’ For many people, receiving such messages, particularly when they include an email address and password they once (or still) used somewhere online, can be more than a little terrifying — even if they don’t watch internet pornography. But rest assured, in nearly every case, this is just another internet scam!
Random security question answers. As Dr. Forno says, passwords are still the first line of defense. But all those security questions you have to set up, like “what was your first make of car” or “what’s your favorite sport?” A clever criminal can use public information (posts on social media, public records, etc.) to try and glean your answers to those — which they can then use to try and reset the password on your account by potentially correctly answering these secondary security questions and impersonating you.
So here’s a simple idea: you do NOT have to honestly answer the questions. These secondary security questions aren’t an application for a government security clearance, they’re designed to tell a computer or call center operator that you are who you claim you are; nothing more. You can easily go into a bank with documents to prove your identity and get things restored. You cannot do this so easily online. So, for example: perhaps my “mother’s maiden name” is ‘mustard’, the town where I was born is called ‘mayonnaise’, and my favorite sport is ‘ketchup.’ The computer or customer service representative won’t care what the answers are, only that they match with what they have in their database. Perhaps Dr Forno’s mother’s maiden name is ‘Chewbacca’ — who knows but him? However, remember that these security questions do not sync across different websites, so the ultra-paranoid can use different answers wherever they want — which is why that password manager is so handy! If you do go down the simple path, be sure to record your ultra-personalized (hah!) answers somewhere secure — like the aforementioned password manager — so you don’t create more problems for yourself.
It’s not enough to secure only the passwords. In some cases even more encryption is desirable.
Encrypting your files In Part One we talked about encrypting your device. You can encrypt individual files as well. For particularly sensitive files such as anything containing client data, financials, or intellectual property, consider encrypting those files for extra protection.
Segregate or Contain your browsers and tabs. If you don’t have or want separate devices as we recommended in Part One, another option for protecting your device is to use multiple browsers. For example, when logging into Google for work, Dr. Forno uses what he calls his “dirty” browser since he lets the sites involved collect data, run scripts, and do other things necessary for business. However, for personal business, such as banking, shopping, or personal email, Dr. Forno uses another browser altogether — one with much more stringent security and privacy settings based on his own needs. (For example, his personal browser blocks practically all Facebook and Google scripts, tracking cookies, and so forth.)
Similarly, you can use a technique called “containment”. In this case, a small browser addition will let you create individual browsing ‘compartments’ that are separate from each other within your browser. This has the advantage of not allowing items or data in one container (say, for work) be read or accessed by another container (say, for personal use) — and you don’t need to use different browsers to segregate things unless you’re ultra-paranoid. Moreover, you can color code your tabs and assign groups so that when you open various types of sites, they are automatically put into their respective containers. In the below screenshot, notice there are three colored bars on the tabs, quickly allowing you to see which ‘container’ the content is being browsed in.
Remote wipes. Most mobile devices have easy-to-use web-based features that allow device owners to remotely locate, disable, and/or erase their devices if lost or stolen. Setting this up differs from device to device, but it’s a fairly simple process that adds extra reassurance.
Beyond the simple password protections for securing a network, or limiting access by providing share links. There’s a few techniques which are vastly more effective.
Use a Virtual Private Network. Think of the internet as the postal system where most information is transmitted on postcards that anyone can read. If you want to keep something private, you’d double-wrap it in a plain envelope with nothing but the your address and the recipient’s on it. A VPN does the same thing for internet traffic by creating an encrypted ‘tunnel’ for your data to transit.
Using a VPN is considered a secure best practice, especially if you are using public or hotel wifi. I mentioned these as a possibility briefly in Part One. For an individual or small office, reliable VPN services can be purchased for a few dollars per month per user. Dr. Forno recommends software-based solutions like Private Internet Access (PIA) or NordVPN and to avoid free ones. The advantage with installing VPN software on each device (particularly in a wi-fi environment) it protects you from someone eavesdropping on your network from across the street, from the parking lot, or in the next office over.
For a more advanced technology user or larger office, consider buying a dedicated VPN ‘box’ that encrypts all internet traffic from your office network to the VPN server, which will help prevent eavesdropping by your ISP or someone on your local network. These capabilities are available in retail and professional-grade devices from Cisco, Juniper, and other companies. Of course, they can — and often do — cost more. But remember, in most cases, as shown above, VPNs only protect you against eavesdropping from your end of the connection to the VPN’s server. Once your data leaves the VPN’s server heading to its destination, your data is not protected!
Use a hidden and password-protected wifi network. Whenever you open your device and it searches for an available wifi network, it only sees open networks, even if that network is behind a firewall. Just go to your local Starbucks and see what wifi networks your phone or computer can detect!
To counter this, for home or office use, you should set up a hidden network by turning off the Service Set Identifier (SSID) — in other words, don’t ‘broadcast’ your wireless network’s name. Additionally, be sure to use encryption like WPA2 (Wi-Fi Protected Access) to further restrict who can actually connect to your network. This means you or your guests will only be able to access things if provided with the network’s name and a hopefully-strong password. This, coupled with VPNs, will help improve your network security significantly.
Use a known, secure, DNS. Whenever you surf the web send an email, or malware on your computer ‘calls home’, your computer uses the Domain Name System (DNS) to know where to send things to; DNS is essentially the internet’s phone book. Every network connection has DNS provided by your provider, who provides basic phone book services for your devices and programs.
However, given the many security problems we’re talking about, and those we aren’t, along with the sophistication of cyber-criminals, consider using an alternative DNS provider that specializes in security, privacy, and/or anti-spam/malware. For example, instead of using your ISP’s DNS, you can manually add DNS from Google (188.8.131.52) to your computer or router, and thus bypass your ISP’s server in favor of Google’s and their advanced capabilities. Companies like Cisco, CloudFlare, and IBM all offer free DNS services you can use, many of which also use things like artificial intelligence and threat analysis to catch potentially suspicious traffic coming from your network before you do! In the case of misbehaving browser scripts or malware, this can be an invaluable, proactive resource to minimize the potential of problems.
Data Privacy laws have changed — BE CAREFUL. I cannot stress enough how important data privacy law changes are. You probably heard of the new European rules on General Data Protection Regulation (“GDPR”) and thought “meh, not relevant, I’m in the US” — but it IS important. If your network stores data in the cloud, and it happens to be backed up on a server in Germany: you may be subject to GDPR. If your industry requires data privacy protections, you have newsletters with recipients in the EU, or you have customers in Europe, you are subject to GDPR.
GDPR is complex, which makes people think it’s scary, but in reality it’s fairly straightforward — much like working in the cloud. The key considerations to be GDPR compliant is active opt in and secure storage. What does this mean? It means that everyone you have any data on, that could allow a person to be identified, MUST actively opt in to your having that data AND that wherever you keep that data, it is kept securely. It doesn’t matter if they opted in before May 2018, it’s best that you explicitly ask them to do so again AND you keep a record of when they did so. Then encrypt it the data and store it in an encrypted location. Finally, if someone asks you to remove them, do so, immediately, and note that update as well. It’s as easy as that.
Go forth and work safely, knowing you’re following some best practices
Now you know some more intensive methods by which you can securely work in the cloud. You know that there are simple steps, and more complicated steps, and neither set are particularly terrifying or confusing. Choose a combination that works for you and feel safe knowing you enacted best practices.
Don’t forget to tell your malpractice insurer that you have taken these steps and established a tech security plan — it’s risk mitigation and it matters!
We hope this two part post on security in the cloud has been helpful. Technology is a tool — and like any other tool it comes with risks. Also like any other tool, those risks are easily mitigated with some effort and attention to detail. Remember that no tool or technique can guarantee you total security, but common-sense and low-cost solutions can make it more difficult for criminals to cause you problems.