Before you resort to a tin foil hat

A weird checklist of obvious but often overlooked non-cryptographic security practices.

Cossack Labs
7 min read · Jun 1, 2017

The most advanced encryption won’t help you secure the data if the overall approach to security is careless or presumptuous. The smarter you are, the more secure your data is. Right? Wrong! The more we know, the more we think that some of the rules do not apply to us, and the less time we take for the boring yet necessary security measures.

Apply any level of complicated cryptography you want, but when the common sense principles of data security are ignored, no cryptography will save you. What’s the use of a mega-secure password if it’s taped to your designer’s monitor?

Even in our security engineering office at Cossack Labs, where we design and develop sophisticated data security tools and should be quite attentive to security, every once in a while someone forgets to lock the desktop while leaving to grab a coffee, and comes back to find a locomotive running in their shell, planted in their ~/.bash_profile.

And, by the way, if you think that the simple yet effective rules of common sense data security don’t apply to you, you’re already violating rule #1:

You are a target for malicious attackers. Remember it

Yes, you. Although we, human beings, tend to cultivate the comforting “oh, it’s so stupid/awful, it won’t ever happen to me” approach, you never know, and it’s better to keep your guard up. Better (excessively) safe than sorry if your work has some specific demands towards data protection or actually revolves around data security.

Practice good password management

Never share passwords. Pick strong passwords (that won’t fall prey to a rainbow table attack or simple brute force) and keep them private, preferably not stored in plaintext.
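The two halves of this rule, a password that is random enough to resist brute force and storage that is not plaintext and not rainbow-table friendly, are shown in the following added example (our illustration for this post, not code from the original article). It uses only the Python standard library: `secrets` for generation, and salted PBKDF2-HMAC-SHA256 with a constant-time comparison for storage. The iteration count and record layout are assumptions, not a standard.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor (assumed value; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG; 20 characters of this alphabet
    is far beyond what simple brute force can enumerate."""
    alphabet = string.ascii_letters + string.digits + "-_.!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    (Record format is our own assumption for this example.)"""
    if salt is None:
        # A unique random salt per password makes precomputed (rainbow) tables useless.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so the check does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = generate_password()
    rec = hash_password(pw)
    print("password:", pw)
    print("stored record:", rec)
    print("correct password accepted:", verify_password(pw, rec))
    print("wrong password accepted:", verify_password(pw + "x", rec))
```

Storing the iteration count inside the record lets you raise the work factor later without breaking existing entries: old records still verify with their own count, and can be re-hashed on the next successful login.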

Use two-step authentication wherever possible

Use the code that the verification system sends to a landline phone or cellphone, via SMS (although that’s a bit of a risk), or via a multi-factor authentication app like Google Authenticator. Remember that even two-step authentication has risks and vulnerabilities and cannot be the be-all-end-all of your data security.

Activate foreign login alerts

Monitor your accounts for suspicious activity. Knowing the details of each new login into the account/system makes it easier to stop a possible breach in its tracks.
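What a login alert boils down to is a baseline of where each account normally logs in from, and a rule that fires when a success deviates from it. The following added example (ours, not from the article) runs two such rules over constructed authentication log lines: a successful login from a country the user has never used before, and a success that directly follows a burst of failures. The log format and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log lines (documentation IP ranges; not from a real system).
SAMPLE_LOG = """\
2017-06-01T08:12:03Z user=alice ip=203.0.113.5 country=UA result=success
2017-06-01T09:40:11Z user=alice ip=203.0.113.5 country=UA result=success
2017-06-01T22:05:47Z user=alice ip=198.51.100.77 country=BR result=failure
2017-06-01T22:05:52Z user=alice ip=198.51.100.77 country=BR result=failure
2017-06-01T22:05:58Z user=alice ip=198.51.100.77 country=BR result=failure
2017-06-01T22:06:03Z user=alice ip=198.51.100.77 country=BR result=success
2017-06-02T07:55:20Z user=bob ip=192.0.2.10 country=UA result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_login_alerts(log_text: str, failure_threshold: int = 3) -> List[str]:
    """Replay the log in order, building each user's baseline as it goes."""
    seen_countries = defaultdict(set)      # user -> countries with a prior successful login
    recent_failures = defaultdict(int)     # user -> failures since the last success
    alerts: List[str] = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]

        if ev["result"] != "success":
            recent_failures[user] += 1
            continue

        # Rule 1: first success from a location not in this user's baseline.
        # The very first login of a user only seeds the baseline; it cannot be "new".
        if ev["country"] not in seen_countries[user]:
            if seen_countries[user]:
                alerts.append(f"{ev['ts']} NEW_LOCATION user={user} "
                              f"country={ev['country']} ip={ev['ip']}")
            seen_countries[user].add(ev["country"])

        # Rule 2: a success right after repeated failures smells like guessing that worked.
        if recent_failures[user] >= failure_threshold:
            alerts.append(f"{ev['ts']} SUCCESS_AFTER_FAILURES user={user} "
                          f"failures={recent_failures[user]} ip={ev['ip']}")
        recent_failures[user] = 0

    return alerts


if __name__ == "__main__":
    for alert in detect_login_alerts(SAMPLE_LOG):
        print(alert)
```

Seeding the baseline from history is the usual design choice: the first observation of a user is never alerted on, so a fresh deployment needs a warm-up period before its new-location alerts mean anything.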

Inspect the resources that ask for your username/password

Every time you are asked for your personal information (in a web form, an email, a text, etc.) think if you can really trust the request. Scammers and phishers will go a long way to steal your information.

Digitally sign your email

Secure your mail with a digital signature. This provides assurance that it was you — not somebody else — who signed the contents of the email.

Practice the principle of least privilege (PoLP)

Don’t log into an account with administrator rights unless you absolutely must do so to perform specific tasks.

Keep your environment secure

Install and maintain security software, use a firewall. Also, use a security-friendly operating system; keep your software updated by applying the latest service packs and patches as they arrive.

Only use the software from known and trusted sources

Check the newly downloaded software thoroughly, using reputable virus detection software. Check hash sums to verify the integrity of downloaded files.
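Checking a hash sum means recomputing the digest of the file you actually received and comparing it with the value the publisher lists. The added example below (ours, not the article’s) streams a file through SHA-256, parses `sha256sum`-style checksum lines, and compares in constant time; the `demo` function builds a throwaway file with known contents so the whole thing runs offline. The file name and checksum lines are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse 'sha256sum' output: '<hex digest>  <filename>' per line.
    A leading '*' on the filename (binary-mode marker) is stripped; blank and '#' lines skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path: str, checksum_text: str) -> bool:
    """True if the file's SHA-256 matches the digest listed for its name."""
    expected = parse_checksum_file(checksum_text)
    name = Path(path).name
    if name not in expected:
        raise KeyError(f"{name} is not listed in the checksum file")
    return hmac.compare_digest(sha256_file(path), expected[name])


def demo() -> Tuple[bool, bool]:
    """Constructed self-check: a file containing b'abc' (SHA-256 ba7816bf...15ad),
    verified against a correct line and against a tampered line."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as f:
            f.write(b"abc")
        good = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
                "  tool-1.0.tar.gz\n")
        bad = ("0000000000000000000000000000000000000000000000000000000000000000"
               "  *tool-1.0.tar.gz\n")
        return verify_download(path, good), verify_download(path, bad)


if __name__ == "__main__":
    print("good checksum accepted, tampered rejected:", demo())
```

A checksum only proves the file is the one the publisher hashed; it proves nothing if the checksum came over the same channel an attacker could have used to swap the file. Take the digest from a separate trusted source, or prefer a detached signature where the project offers one.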

Remove unnecessary programs or services from your computer

Uninstall any software you’re not using. This will protect you in case the software that just lies dormant on your machine becomes compromised through a previously unknown vulnerability.

Avoid public wireless hotspots (like the plague)

If you really need to connect to that public Wi-Fi spot, at least make sure to turn off the file sharing and mark the Wi-Fi connection as a public network. Turn on the firewall if it’s not already activated. Better still — use a VPN.

Don’t click random links

In terms of damage caused to humanity in recent years, this should be the rule #1. Never click suspicious links. Suspect everything. Beware of email or attachments from unknown people, or with a strange subject line. Never open an attachment you weren’t expecting (even if it looks innocuous). If you don’t know the sender, better delete the message without reading it. Needless to say, propagating chain mail or viral hoaxes is plain stupid.

Be careful of what you share on social networks

Don’t be that person who overshares on Facebook or live-Tweets every step of their vacation (to find their apartment robbed afterwards). Beware of suspicious emails and phone calls that ask for personal or financial information. Treat your personal information like you would treat cash — this helps you avoid phishing and social engineering. Don’t hand your info out to just anyone.

Only provide your personal information over encrypted connections

For online banking or shopping, stick to trusted sites that use encryption to protect your information. To determine if a connection to a website is encrypted, look for `https` at the beginning of the web address (the “s” stands for secure) or for the “lock” icon, on every page. Log out after you’ve completed the transaction. Remember that some sites only use encryption on the login page, which means that all your further actions on such a resource could be compromised and your data — stolen.

Perform regular backups of your data using several forms of media

Secure your external/backup data drives. If you keep sensitive information on a flash drive or external hard drive, make sure to keep these mediums locked.

Watch what you plug into your computer

Remember that thumb drives and smartphones can also contain malware. They can even burn your computer!

Never leave your device unattended

Lock your computer if you step away even for a moment. Period. Never leave devices unattended. Their physical security is just as important as their technical security.

Restrict remote access

Disable file and print sharing. If you absolutely must share a resource with others, correctly set the file and directory permissions. Only enable remote connections when needed, disable them when you’re finished.

Treat sensitive data very carefully

Keep things like credit card information, student records, health information, etc. off of your workstation, laptop, or mobile devices.

Remove the data you no longer need in a secure way

Remember that simple deletion of sensitive materials is not enough — use disk wiping (a method that writes a series of 1's and/or 0's over the disk to securely remove the data). Physically destroy the media containing sensitive data that cannot be wiped (e.g. CDs, DVDs). For destruction of paper documents, use (at least) a cross-cut paper shredder.
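Deleting a file normally just unlinks its name and leaves the blocks intact. The added example below (ours, not the article’s) shows the overwrite approach the paragraph describes for a single file: passes of zeros, ones and random bytes written in place, each forced to the device with `fsync` before the name is removed. The pass pattern and the `demo` file contents are assumptions made for the example.

```python
import os
import tempfile
from typing import Tuple


def overwrite_and_delete(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite a file in place (0x00, then 0xFF, then random bytes, repeating if
    passes > 3), fsync after each pass, then unlink it. Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]          # None means a fresh random pass
    with open(path, "r+b", buffering=0) as f:    # unbuffered: each write goes straight to the OS
        for i in range(passes):
            pattern = patterns[i % len(patterns)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(pattern * n if pattern is not None else os.urandom(n))
                remaining -= n
            os.fsync(f.fileno())                  # do not start the next pass until this one hit the disk
    os.remove(path)
    return size


def demo() -> Tuple[bool, bool]:
    """Constructed self-check on a temporary file: (whole file was overwritten, file still exists)."""
    data = b"name,card_number\nA. Example,CARD-NUMBER-REDACTED\n"   # constructed sample content
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer-export.csv")
        with open(path, "wb") as f:
            f.write(data)
        written = overwrite_and_delete(path)
        return written == len(data), os.path.exists(path)


if __name__ == "__main__":
    print("overwritten fully, still present:", demo())
```

This is only reliable where a write really lands on the same physical blocks, which is true of a plain spinning disk but not guaranteed on SSDs (wear levelling) or copy-on-write and journaling filesystems that may keep old copies. For those, full-disk encryption from day one, with the key destroyed at disposal time, or the drive’s own secure-erase command, is the dependable route; media that cannot be wiped gets destroyed, as the paragraph says.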

Visit us on GitHub for a healthy dose of cryptographic tools — https://github.com/cossacklabs.

And of course — use encryption wherever possible.

Summary

Even though we provided lighthearted illustrations to make this extensive list of rules (that could make Captain Obvious happy) an easier read, information security is not a matter to be taken lightly. The best approach to protecting the data you can take is to keep in mind the basic set of Murphy’s laws and act knowing that:

  • Everything that could go wrong with your data will go wrong.
  • If you have just one backup, you have no backup.
  • If it seems too stupid and/or obvious, you should mention it anyway, or better still, make it a printed regulation.
  • Your data could be compromised even if you are careful, but if you’re careless it will be compromised.
  • They are watching you.

Thanks for reading!

Got something to add? We’d love to hear from you! Please reach out to us via info@cossacklabs.com or @cossacklabs.
