Understanding how security assumptions can put your data at risk | Network Security

Posted by Geraldine Hunt on Tue, May 26th, 2015

In this first article we discuss the implication of risky browsing habits. The big shift that’s occurred over the past three years is a result of significantly increasing volume of commerce that is now transacted on the Internet. As more businesses make more and more money from ecommerce, the cybercriminals want to get their share. The motivation now for the vast majority of cyber attacks is money. The attacker pro­file has shifted from amateurs to professionals that want to make money and, in many cases, those professionals are very organized. It is their full-time job to attack sites. The bad guys, in some cases, will hire other people as mules to transfer money from one place to the other, so it’s an extensive, organized network. We’re not ­fighting against amateurs anymore.

How can we keep track of all that?

The same way you learned to ride a bike, bake a tart Tatin, operate powerful machinery or build a house: step by step. Computing devices are everywhere. We each own a few devices that have Internet connectivity. We trust them with our most intimate information, we do business with them, go to bed with them and wake up with them. We drive with them, run with them and even swim with them. One would assume that considering the amount of time we spend with those devices, we must be really good at protecting them and the information that transits through them or resides on them. Unfortunately that is not the case. There are so many risks and threats that it is hard to keep track of what you should be paying attention to.

We have to keep an eye on scams, rootkits, malware, viruses, Internet hoaxes, spyware, denial of service attacks, data theft, data corruption, social engineering attacks, spam, compromising photos… the list goes on!. It seems that every day some brand new threat appears in our digital lives.

Most of the threats that we worry about have to do with data, that is what we are worried about. So it would make sense to first stop, and ask ourselves what we do with our data, whom we give it to and where we leave it? In order to protect anything, you must first know what you want to protect. So ask yourself: what data do you have? Where is it? Does it need to be all over the place? Yes, why? No, why?

Your assets are your data.

Define your assets. Once you're done with that, ask yourself who might want your data. All types of data including credit card numbers and identity information is very attractive for cybercriminals. 

Other types of data cybercriminals want to get their hands on :

• ID Numbers: social security, passport
• Financial Records
• Medical Records: healthcare status, insurance benefits, and health payment history
• Intellectual Property: trade secrets, technology licensing
• Business Secrets: plans, financial reports, legal documents
• Sensitive Customer Information
• Personal Information: date of birth, mother's maiden name and phone numbers
• Passwords

Within hours those stolen credit cards were being sold in online black markets for $100 each. Online black markets are an ever expanding channels and growing underground economy. Criminals can also burn those credit card numbers onto blank magnetic stripes of their own and hand those out to mules who then go to ATMs and try to do cash advances or use the cards at various points of sale.  The US banking system is particularly vulnerable to that because they do not required pins or use a credit card authentication keys. Because of this weakness and data loss, the US are starting to change those payment systems.

Once you know what you want to protect, find out how people protect the same kind of asset? What are your suppliers, competitors or customers using? Read, ask, bother your colleagues, read forum posts. No matter what your information security posture is, you can always learn more, get better at protecting your data, improve your computer habits.

We all have habits about everything, whether we are aware of it or not. Those habits can be good  or bad.

How can you differentiate between a good and a bad habit?

• Anything that leaves things to chance, is doomed to fail, sooner or late.
• Habits we are unaware of, are dangerous.
• Not knowing what your data is, is dangerous.
• Not knowing where it is stored is dangerous.
• Storing your data in a single place is dangerous.
• Storing in many places is as dangerous.
• Not backing up data is dangerous.
• Reusing the same password for different services is dangerous.
• Blindly believing everything you read in an email or on the Internet will get you in trouble.

We must stop assuming things, we must check the facts, we read, learn, discuss, and share. There is no other way. You have to start paying attention to your habits and assumptions when it comes to computing devices, data and the Internet.

• Do you protect your computer with a reasonably complex password?
• Are you user given security awareness training including password management?
• Do you write your user name and password on a Post-it?
• Do you store your on-line passwords in your browser password manager database?
• Do you lock your phone with a security mechanism?
• Do you ever leave your computing device unlocked and accessible?
• Do you encrypt your data and communications?
• Do you truthfully answer any query for personal information?
• Do you always give your real full name, birth date and personal information when a service requests it on-line?
• Do you run anti-spam, anti-virus and web filtering solutions?
• Do you update software regularly?
• Do you use network security solutions that auto update?
• Can you differentiate between a real email from your boss and a fake one?
• Do you know what message you should be getting when you anti-virus found something suspicious?
• Have you ever installed forbidden software at work?

All those questions have one thing in common, our habits and assumptions about our devices and how we use them. So stop! Ask yourself what your assumptions and expectations are. Your habits have grown out of them. If you have good habits, can you teach them to your colleague or create a training program?  We've reached that point where everything seems related to everything else. We all do well or we fail collectively.