No Secrets, No Privacy, No Security

Last week we talked about the impossibility of keeping secrets over the long term, and about the liberation of secret information by groups or individuals who simply wanted those secrets exposed.  A close cousin, conceptually, is privacy.  At this point there is no privacy anymore, not really.

Time was when your life was largely unknown, and privacy was an easy thing to have.  That is no longer the case.  Much of our personal information we have given away willingly via Facebook, LinkedIn, and other online sites.  Anyone with a modest amount of computer ability can find out a great deal about almost anyone: pictures of them, their family and pets, their home and car, their vacation destinations, you name it.  There is a new term for this phenomenon: “over-sharing.”

Then there is all the data that is being collected about us when we shop, pay bills, pay taxes.  I get emails from Amazon every week offering me video, books, or other merchandise (for some reason, lots of electronics in my case..hmmm) that I might like.  And most of the time they are right, I do like these selections.

And this very personal information escapes onto the Dark Web at the hands of data thieves, who use it to create alternate identities, pursue fraudulent financial transactions, obtain medical care under someone else’s name, buy merchandise, and take out loans and credit cards.

The problem, of course, is that this information all sits on a server somewhere, on a network, and that network is connected to the Internet, which means it is potentially reachable by anyone.  The problem is security, or the lack of it.  Security is hard.  It is hard to implement, and hard to use consistently and persistently.  The sad fact is that most of the data exposed over the last several years could have been properly secured, but wasn’t, because the people in charge of it were unwilling to budget and spend the money required to secure it.  It escaped and is no longer private: because security was too hard to implement, and because they thought no one would be interested in their data.

There are some fairly obvious solutions that continue to be avoided for reasons that can only be considered foolish at this point.  The first is encryption.  Data can be, and ought to be, encrypted at rest, when stored on a hard drive in a server, and in motion, when it crosses a network.  Encryption in motion we are all familiar with: the HTTPS connection our web browser makes any time we perform a financial transaction is the obvious example, and some email systems are encrypted now.  But the fact is that every bit and byte that travels over a network ought to be encrypted.  Two caveats apply.  Encryption at rest only helps if the keys are kept somewhere other than next to the data they protect, and transport encryption protects data only while it is on the wire, not on the systems at either end.

Another one is two-factor authentication.  I recently set up Google Authenticator on my smartphone, and where I can use it, it requires not just a password (which may have been stolen in any of countless data breaches), but also a security code that is available from the phone app.  So someone would have to have my password AND my phone to access my online accounts.  Not impossible, but certainly more difficult, and much harder if my attacker is in Ukraine and I am in Minnesota, though a real-time phishing page that relays the code, or malware on the phone itself, can still close that distance.  The fact that every website and service is not offering or supporting some form of two-factor authentication is ridiculous.

So there are a couple of things you can do to improve your information security position.  Look for vendors who provide full encryption, both at the file level and at the transmission level.  And look for, and patronize, those companies offering two-factor authentication.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
