Data Security (Policy & Procedure Wednesday)
It’s the first Wednesday of the month, which means today we discuss ways to add to your policy and procedure manual. Catch up on previous posts here.
Data security is something we hear a lot about, but the average person doesn’t always consider their own habits and practices and how they impact their own security. Many people assume they don’t have a need for enhanced security protections because they are not doing anything wrong. This is a valid reason, but applying strong data security is not always about protecting you from “Big Brother.” It can protect you from hackers and commercial spying, and it can also provide physical security.
Security is not convenient, but sacrificing some convenience can pay dividends in your peace of mind and personal protection.
How much data security you need depends on your situation; some people need more than others. We have identified three levels, each building on the last, to suggest here.
Level One — The Bare Minimum
Put simply, if you use any device that has ever connected to a cellular or internet signal, you are at risk of someone viewing your data. It’s not necessarily impossible to be 100% anonymous online, but it’s very, very difficult.
The first rule of data security, therefore, is to lower your expectation of total privacy. It’s not uncommon to wonder who would be interested in hacking our systems, as we rarely see ourselves as a target. Hackers do not always select targets because of their worth, but because of their potential ability to impact others (and some hackers are just mean and select at random).
Commit to applying strong practices in your own data storage and browsing habits. Assume your data, emails, and messages are all being monitored. While this may not be the case, practicing some common-sense here may prevent you from saying anything that you don’t want shared.
In addition to being prepared for your data to be reviewed, you should also be wary of any data received from others. Carefully review emails, messages, and other communications before ever clicking a link or downloading a file. Never, ever click a link or open an attachment out of curiosity. If you’re ever not sure, do not open or click. It’s a much safer choice to confirm receipt with the sender through another channel.
In addition to the practices you implement, it’s necessary to set up some software and options to do the heavy lifting for you. Select a thorough, simple-to-use antivirus program for your computer and devices. There are two important things to remember when it comes to virus protection:
- Expensive does not mean better. In fact, some of the best programs are of no charge or minimal cost.
- No particular operating system is virus-immune; even MacBooks can get a virus.
For any Internet user, the most significant line of defense is a strong password. You may use a strong password, but your security is diminished if you reuse a password. Considering that most online services now require passwords, using a new password every time can be time-consuming and difficult (remember, security is not convenient).
To that end, we recommend a reliable, secure password storage system. For some, a cloud-based password manager is helpful. Others rely on a piece of paper. Weigh what works best for you (remembering that security is not convenient) against what is most secure. Do not share passwords in any fashion other than through a secure system or in person.
Two-FACTOR authentication is different from two-STEP authentication. In two-step authentication, you take an additional step in your browser before gaining access. Security questions are an example of two-step authentication. Two-FACTOR authentication, however, requires a different device or channel. When a service texts you a login code, for instance, it is using two-factor authentication. It requires you to use a second device or channel, which creates a greater level of security (a would-be hacker would also need access to your phone or email, not simply your password, in order to bypass two-factor authentication).
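The second-factor idea above rests on a secret that lives on a device you hold, not on something you know. As an added illustration (not code from the original post), here is how the time-based codes an authenticator app produces are generated and checked, using the standard RFC 6238 algorithm; the shared secret is the RFC's own test value, constructed for the example, not one any real service issues.

```python
import hmac
import hashlib
import struct
import time

# Constructed shared secret (the RFC 6238 test-vector secret). In practice the
# service generates this when you enroll and your phone stores it; presenting a
# valid code proves you hold that device, not merely that you know the password.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10**digits).zfill(digits)

def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)

def verify_code(secret: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current window plus one on either side to
    tolerate clock drift, compare in constant time, reject anything older."""
    current = int(at_time) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)
    print("code for this window:", code)
    print("verifies:", verify_code(SHARED_SECRET, code, now))
```

A code intercepted from one 30-second window is useless a minute later, which is why a stolen password alone no longer opens the account.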
Some data is likely fine to store in the cloud if you have also applied the steps listed here. We also recommend creating regular back-ups of your data, and storing sensitive files on encrypted thumb or hard drives that are secured.
Examples of data that should not be stored in the cloud include customer information, any financial information, opposition research, etc.
Regularly examine your settings across every service you use. Seriously consider whether you need to send crash reports, usage details, etc., to any provider. Review any services you have granted access to through another account; Google, Twitter, and Facebook are prime examples, since many services let you log in to their system with your Google information.
HTTPS in a web address stands for “hypertext transfer protocol secure.” HTTP/HTTPS is how your browser communicates with websites. Without the “S,” your browser looks up the website’s IP address, connects, and then sends all data in clear text. ANY information sent through an HTTP site can be viewed by hackers, your ISP, etc. This means passwords, credit card numbers, etc. When a site uses HTTPS, your browser checks the site’s security and confirms it’s legitimate: the site has been issued a security certificate that “vouches” for it. The site then encrypts the traffic so that it becomes MUCH more difficult for anyone to drop in and see what you are transmitting. For instance, if Google searches are performed on “http://www.google.com” (with no redirection to https://www.google.com), anything you search for is practically public, and there’s no guarantee you are even on the Google site. When you search through “https://www.google.com” you prevent people from seeing what you are searching. Many sites will automatically redirect you to their https site, but you should glance at the address bar for a lock icon (depending on your browser) to verify you are on an https site. If you are not using https, you are public. This means your ISP (internet service provider) could see what you are searching online. With https, they can only see what site you connected to, not individual pages.
Second Level — A Little Further
The information presented thus far is a good set of first steps, but for minimal cost and time, you can take extra steps to maximize your protection.
You may assume that your messages are of no interest to a hacker, particularly if you’re not relying on messages to send passwords or sensitive information. While you may not be trading state secrets via text, if you are discussing anything sensitive, confidential, or proprietary, an encrypted messaging service is recommended. When selecting a service, be sure to use one that is “end to end encrypted,” which means the message is encrypted all the way from your device to the recipient’s — if it’s not, the messaging provider may be able to view your messages while they are in transit, as could a hacker.
Installing email certificates allows your emails to be “digitally signed.” This lets the recipient know that the email is verified as coming from you and was not tampered with or altered in transit.
Virtual Private Network (VPN)
A Virtual Private Network, or VPN, allows for more secure browsing and makes it difficult for your IP address to be tracked. You connect to a VPN, and from there, your Internet traffic is routed through one of your VPN’s IP addresses. Websites then see the location of the VPN IP address rather than yours.
At a bare minimum, you should use a VPN any time you are connected to a public wi-fi network. While VPNs may create some delay in browsing (routing through different IP addresses can increase load time) or affect your location settings (you will appear to be in another area when using a website’s location-based service), we recommend staying connected to a VPN at all times. Set it and forget it.
Third Level — Even Better
Should you have applied the practices thus far, you’re further ahead than most people in protecting yourself and your data. Two additional tools exist for those who need even more.
Tor browsers are great tools to hide your Internet traffic even further. When you connect through a Tor browser, your computer connects to the Tor network, encrypts your traffic, and bounces it across different “nodes” throughout the Tor network. Tor is able to anonymize your traffic because it separates your identity from your traffic. Be careful using Tor — it is also used by those with ill intentions.
Email encryption can be tricky to explain and implement. In short, you have a public and a private “key.” To illustrate this, think of the public key as a locked container and the private key as an actual physical key. When you send an encrypted email, you are sending it to the recipient’s locked container, and the recipient can only open it with his or her private key. These keys are linked to your email address. Anyone who attempts to read the email without the email address’s private key will find only useless numbers and characters. Public keys can be given to anyone, as you are simply giving someone the address of a locked container to send things to. Your private key is the only way to unlock the container. You may often see journalists and other professionals post their public key online so people can send them encrypted emails.
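The locked-container picture above can be made concrete. The following is an added example, not code from the original post: a deliberately tiny textbook RSA (no padding, primes far too small for real use, all constructed for illustration) in which anyone holding the public key can seal a note, the matching private key recovers it, and a different private key yields exactly the “useless numbers and characters” described.

```python
import math

# Toy textbook RSA (no padding) used only to illustrate the locked-container
# analogy: the public key locks, and only the matching private key unlocks.
# Constructed primes: two Mersenne primes, far too small for real-world keys.
P = 2**89 - 1
Q = 2**107 - 1

def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public 'container' and the private 'key'."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def lock(public_key, message: bytes) -> int:
    """Anyone holding the public key can drop a message into the container."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def unlock(private_key, ciphertext: int) -> bytes:
    """The matching private key recovers the bytes; any other key returns junk."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")

def demo() -> tuple:
    """Seal a constructed note for Alice, then open it with her key and with
    an unrelated key pair; returns (correct_result, wrong_key_result)."""
    alice_pub, alice_priv = make_keypair(P, Q)
    _, stranger_priv = make_keypair(2**61 - 1, 2**127 - 1)   # unrelated key pair
    note = b"Meet at 9"
    sealed = lock(alice_pub, note)
    return unlock(alice_priv, sealed), unlock(stranger_priv, sealed)

if __name__ == "__main__":
    good, junk = demo()
    print("with Alice's private key:", good)
    print("with someone else's key: ", junk)
```

Real email encryption (PGP/GPG, S/MIME) adds padding, symmetric session keys and much larger keys on top of this idea; the part to take away is that the public half can be posted anywhere without weakening the container.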
Again, you should adjust your expectations of total privacy online. Simple steps can allow you to maximize your safety, work more comfortably, and protect yourself. Always take care with what you are sharing online, and apply simple procedures whenever possible. Remember, you may not care if the NSA is reading your email, but you definitely want to keep hackers or people who wish you harm from doing so! Regular privacy check-ups and staying up to date on data security trends are important. An ounce of prevention is worth a pound of cure.