Thursday, May 21, 2015

The INconvenience of INfosec





The INconvenience of INfosec in the Digital Age

I often get requests from civic groups, consumer groups and the media to speak about information security (infosec) practices, trends, etc.  Although infosec is not our primary role at Pro Digital, it does seem as if there is a vacuum of individuals willing to tell folks what they should do with regard to protecting their data, even if it is just the simple things.  What I constantly try to drive home is the notion of personal responsibility with regard to your information security.  YOU are responsible for the strength of your passwords and how often you change them.  YOU are responsible for the data you put out on social media.  YOU are responsible for making sure your mobile device isn’t left unattended in a public place.  YOU are responsible for not leaving your desktop up and accessible when not at your desk.  All of these concepts (and more) really drive the point home that infosec is everyone’s responsibility. 

Being a former cop and investigator, I know there are evil people in the world.  There are just plain bad people who, if they worked as hard at a REAL job as they do at trying to exploit innocent, hard-working people, might actually be successful in life.  Sadly, this is not reality.  It’s because of this that I generally keep my head on a swivel, both proverbially and physically.  Even in my own home, I generally lock my desktop when I walk out of my office.  I have decent security on my smart phone and tablet.  At Pro Digital, we also make it part of our mission statement to secure our clients’ data.  We take all of these measures because 1) it’s vitally important to maintaining confidentiality and 2) someone else would love to get ahold of this data and exploit it.  But is it inconvenient?  You bet!

Unfortunately, human nature is often to take the path of least resistance, which is in direct conflict with good personal information security practices.  It’s a pain in the butt to change your password every 60 days.  Encrypting your data takes time and can even slow down the speed of access to your data.  It’s hard to keep track of multiple passwords, especially if you take the recommended precaution of using non-dictionary words, numbers and symbols.  Multi-level verification with security words, passwords and biometrics makes logging on a longer, more tedious process.  Mix all of these factors together and the fact is most people won’t do it (if they have a choice).  But as this chart illustrates, there’s a huge reason why you should do it:



Thanks to the recent Sony hack, everyone thinks our cyber-enemies are in foreign countries.  The fact of the matter is, we have plenty of cybercrime happening right here at home.  And it’s up to YOU to protect yourself.  The government won’t do it, your bank won’t do it, your company won’t do it.  Sure, they’ll put some measures in place to push you along to decent infosec practices, but when it’s all said and done, it’s up to you to make sure all of your passwords aren’t the same.  It’s up to you to put those optional security measures on your mobile device in place.  Here’s another reason:



What’s more important than your money?  You work hard for it, you save, you invest, you make savvy purchases.  Good infosec practices take less time than clipping coupons and will save you much more money in the long run.  Make sure you always know where your mobile device is.  Make sure it’s locked down and, if it’s lost or stolen, you can wipe the data remotely.  Even though you may want to, don’t use the “quick log-on” option.  This will only increase the likelihood that someone will guess your PIN and access your account(s).

We all love convenience and indeed, convenience is one big reason why we all love our mobile devices.  But what’s more inconvenient than having your identity stolen or your credit score destroyed by someone opening accounts in your name because you didn’t protect your personal information well enough?  I sometimes use clichés in this blog and this is another one of those times: An ounce of prevention is worth a pound of cure!

So what else should you do?  Take the time to come up with new passwords.  Change them often, at least several times a year (perhaps when you change the batteries in your smoke detector).  Don’t ever, EVER use the same password for all of your accounts.  Embrace and use multi-level authentication because it will protect you.  Don’t use common words or words that can be found in a dictionary for your passwords and make sure you mix up symbols, numbers and letters.  Need an example?  Let’s say your favorite color is purple and your mother’s birthday is September 25.  Instead of making your password Purple0925, try Purp13#0925.  Sometimes, it’s just that simple. 
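To make the password advice above concrete, here is a small added checker (my own example, not code from the original post or from Pro Digital) that applies the three rules the paragraph gives: no dictionary words, a mix of letters, numbers and symbols, and no reuse across accounts.  The word list is a constructed stand-in for a real dictionary, and the `used_elsewhere` collection is an assumed list of passwords already in use on other accounts.  Run against the post's own example, `Purple0925` fails and `Purp13#0925` passes.

```python
import string

# Constructed mini word list standing in for a real dictionary file (assumption).
# A real check would load a full word list, e.g. from a system dictionary.
DICTIONARY = {"purple", "password", "welcome", "summer", "dragon", "monkey"}


def contains_dictionary_word(password, dictionary=DICTIONARY, min_len=4):
    """True if any dictionary word of at least min_len letters appears in the
    password (case-insensitive), e.g. 'purple' inside 'Purple0925'."""
    lowered = password.lower()
    return any(word in lowered for word in dictionary if len(word) >= min_len)


def character_classes(password):
    """Return the set of character classes present: letters, numbers, symbols."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letters")
        elif ch.isdigit():
            classes.add("numbers")
        elif ch in string.punctuation:
            classes.add("symbols")
    return classes


def check_password(password, used_elsewhere=()):
    """Apply the post's three rules and return a list of problems found.
    An empty list means the password satisfies all of them.

    used_elsewhere: passwords already used on other accounts (assumed input),
    so that reuse can be flagged.
    """
    problems = []
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    missing = {"letters", "numbers", "symbols"} - character_classes(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if password in used_elsewhere:
        problems.append("reused on another account")
    return problems


if __name__ == "__main__":
    # The post's own before/after example.
    for candidate in ("Purple0925", "Purp13#0925"):
        result = check_password(candidate, used_elsewhere={"Purple0925"})
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The dictionary test is a substring match, so a word hidden inside a longer string (`Purple0925`) is still caught; the substitution in `Purp13#0925` breaks the match, which is exactly why the post's suggested tweak works.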

Free wi-fi is great and it’s everywhere.  Unfortunately, you should never use open wireless networks like those found in coffee shops, restaurants and hotels.  Yes, I know this means you’ll be using up more of your cellular data on your mobile device, but trust me, open networks are fodder for hackers and quite easy to compromise.  Think of how a packed Starbucks or a crowded hotel is a target-rich environment for someone who knows what they’re doing.  At home, make sure your wireless network is secure and requires a password built on the scheme mentioned above to connect.  Hide your network (don’t broadcast its name) so anyone connecting to it needs to know the specific name and password to log on.  If someone sitting outside your home can access your network, in theory they can access every single device connected to it, including mobile devices, laptops, desktops and gaming systems. 

When making purchases online, use a credit card with ID theft protection.  Don’t make purchases from websites based in countries that may have opposing interests with the US or western ideologies.  Most internet browsers offer a very definitive symbol to let you know they’re using good security, so pay attention before you enter and send your credit card information; it should be easy to tell when you look in the browser bar.  On mobile devices, only make purchases through verified, trusted apps.  This is generally less of a problem on Apple devices than on Android devices because Apple vets all of the apps on the App Store and holds developers to a standard.  Android apps can be open-source, which means they can be made and posted by virtually anyone.

Good infosec is everyone’s responsibility, but first and foremost, it’s yours.  Larger companies and banks have armies of data security experts on their side to help you, but even they sometimes get beat.  And no one wants to be a victim, so let’s all agree to do whatever we can do to prevent it, right here and now.  The encroachment of digital devices into every aspect of our lives is only going to increase.  Make the decision now to be a responsible user of the technology.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6