Protecting your jewels
How do you protect information when it flows like water and can be stolen with just a glance?
The opposing forces of the need to communicate and share information vs the need to limit who can store, process, access and utilise this information often create conflict and confusion.
In this article we discuss the human aspect of security.
Back to basics
In a previous article we discussed the mechanisms of social engineering. With the current prevalence of attacks against the users of online platforms such as Office365 through Business Email Compromise, it is not surprising that our staff and executives have become an attractive target.
Simply put, society works because people trust each other. So what happens when the information we use to determine trust (relationships, shared knowledge, personal attributes such as photo's, videos and speech) have been manipulated (see deepfake)?
It is becoming increasingly difficult to know who and what to trust, so much so, that many of our communications mediums now are open to abuse.
I recently provided some one-on-one consulting to a clients' management team to help them understand their personal attack surface as well as how to minimise and reduce the associated risks.
Whilst this type of interaction can be a confronting experience, most participants were highly engaged and found it to be very educational. This is somewhat surprising for executives whose main focus is not information security, but the running of their business. Security leadership (and support) from the top is a very positive thing.
So what can be done?
But what happens if the genie is already out of the bottle and the bad-guys already have the information they need to attack you?
Well, here are a few tips from our friends at the ACCC.
One of the take-aways from a Sydney based Privacy guru that I shared a panel with recently is to consider your response to online approaches for information as you would in the real world. (paraphrased)
e.g. If a shady 3rd party suddenly approached you in the street, you would be naturally cautious and therefore probably not offer up personal or private information to them if they simply requested it.
Conversely, any random website that someone visits online, when asking for the same, seems to result in people willingly sharing information that has nothing to do with the intended interaction.
e.g. I want to order a Pizza online and am asked for my Full Name, sex, DOB, home address, email address, credit card number, etc etc - not all of which may be required for the transaction, and most of which are likely to be retained in a soon-to-be watering hole target for compromise.
Applications using Facebook etc to authenticate you, that then go on to want to "Access your friends list" and "Post Messages as You" - are either the result of very lazy application development or an evil attempt to harvest your information.
The other point that was made was that You (as an individual) are probably under no real obligation to provide accurate personal information (if it is not required for the transaction or by law).
The issue for us as people is that it is difficult to be told that - in order to:
a) access a website
b) purchase a product
c) obtain some information
d) accept this software agreement
...that you have no choice (if you want the intended outcome).
It is therefore not surprising that many of us simply surrender (or privacy) in order to live in this society we have created..
Here are some other suggestions to help limit your attack surface:
if there is not a legal / legitimate reason for you to provide personal information to a 3rd party - then don't. Responding with "Withheld" or "Not Provided" or "private" may be completely appropriate if this information is just being gathered (and potentially on-sold).
where you may be at risk of being added to a perpetual or ongoing onslaught of email marketing or spam, use a disposable email account.
avoid using important email accounts (such as work, iCloud, etc) that could be linked to financial transactions or other professional processes and interactions.
use spam filtering and antivirus, and even if something appears to come from a trusted source, if it is unusual refer to the IRL (In Real Life) - contact the supposed sender before opening anything unusual or unexpected. A simple technique is to flag/highlight/quarantine any email that comes from an unknown sender.
if you receive unwanted marketing email (spam) or message from a company that you did not subscribe to, report it . The more people reporting these issues - the greater the response from regulators like ACMA
conduct self-phishing campaigns or enlist the help of services to do the same, as over time, this can help to make your workforce more cyber aware.
If you would like to discuss options to inform and strengthen your workforce against cyber attack, get in touch.
Author: Clinton Smith