Joff Thyer //
Recently I have been thinking about online challenges I encounter in daily life. As I thought about it, I realized that many of these items I practice on a regular basis. While it feels pretty intuitive to me to follow these guidelines, it may not feel as mainstream to many others so I thought I would write some things down. Adopt a mindset that there will be a business that gets compromised and that you have provided some of your data to in the past. How are you going to mitigate the risk to your own personally identifiable information? What are you doing proactively before a breach occurs, and how will you protect yourself when you learn that your own data is at risk? Below is a suggestion list of good digital hygiene items that I came up with.
1. Use long pass-phrases.
In the information security community, we talk about this all the time. Our line of thinking is that a pass-phrase (ie: unique sentence) is easier to remember than a complex password. On the subject of length, longer than 16 characters make for good strength. One example might be: “WeLoveDriving2TheMountains4FunTimesAndAdventures!”. Shorter length passwords are subject to both brute force and dictionary attacks. In addition to pre-computed encrypted password representations, there exist very large dictionaries of common passwords, and plenty of computing cycles to perform offline attacks. It is entirely feasible that any organization you are doing online business with will have their encrypted password database stolen (ex-filtrated) at some point in time. Your choice to use a very long passphrase is going to make plaintext recovery of your specific password computationally challenging.
2. Use an online password vaulting application with two-factor authentication.
There are many good choices in this arena today. The beautiful thing about a password vaulting application is that remembering your own master passphrase (key) is the main responsibility. For passphrases/passwords to all applications within the vault, you can choose to use the maximum length, complexity, and pseudo-randomness that the application permits, and avoid reusing passphrases entirely. Sadly with some applications the passphrase length, and complexity is limited. The downside of a password vaulting approach is that all your eggs are indeed in one basket so you better choose an application vendor that is time tested, highly reputable, and of course has a very secure approach to managing this critical data. In addition to choosing your strong primary passphrase to the vault, I would strongly advise using a second-factor authentication to access the vault.
3. Use a dedicated computer and/or dedicated web browser for financial transactions.
Your browser gets significantly polluted and potentially compromised from generalized web surfing. You have all seen persistent cookies which present targeted advertising in different browser tabs. Tracking and profiling using cookie information are very common these days. A cross-site request forgery (CSRF) attack could easily happen and you would never know what hit you until it’s too late. A CSRF attack involves exploiting an existing application by manipulating the trust relationship that your browser has in one browser tab from a separate browser tab or window. Trusted browser cookie data is usually manipulated in order to perform the attack.
You know which banking, and other financial sites which are important to you and that you use to manage your own sensitive data on a regular basis. At a minimum, dedicate a web browser to perform those actions, and make sure that the browser never visits any other website other than what you have selected to be within the inner circle of trust. Clear all browser history and cookie data upon exit every single time from that browser. Even better if you can dedicate a computer (or virtual machine) entirely to this task. It takes some discipline but it is worthwhile to pursue.
4. Guard your privacy as much as possible.
Let’s admit that many of us use social media. How much information are you sharing about yourself in the process? Think for a moment how much information you wish to share and only go that far. Know that once you sign-up for social media, anything you provide is potentially public information. Understand and control your public media presence. Only share information that you are comfortable standing in the middle of a busy street and yelling the same information aloud.
5. Don’t install risky applications with known vulnerabilities.
While the operating system landscape has slowly evolved and improved over the years to automate vulnerability remediation and patch management, the application landscape is quite different. There are many known vulnerabilities in applications over time. In particular, products like Java, Adobe readers, and flash media software have had a string of known vulnerabilities. Think about whether you really need to use this software? Does it belong on your computer at all, and can you live without it?
6. Use full disk/flash media encryption on mobile devices.
Your mobile computing device might get lost or stolen at some point in your travels. What data is contained on that device, and what prevents the thief from mercilessly pillaging the information from the device? Make sure that you have an idle timeout and screen lock configured on the device. Make sure the pass-phrase is strong, and ensure that data is only acceptable after your credentials have been successfully entered.
7. Always use credit cards when traveling and monitor accounts closely.
This one is directed more towards the road warriors. Here in the U.S., the danger of compromising your debit card means potentially losing your banking funds and not being able to recover them. As sad as it is, the larger credit card companies have become very good at data analytics and identifying out of character transactions. They will shut your account down very quickly if they suspect fraud. Those of us who travel frequently know this all too well because invariably it becomes a false positive situation for us. But more to the point, you are not putting your personal banking funds directly at risk by using credit and recovery from a fraudulently used credit card has become fairly routine.
A useful addendum to this idea is to use Paypal for online purchases. It is a well tested and secure transaction service that affords a nice level of protection for your online experience.
8. Restrict access to your credit report/credit freeze
Whenever you apply for a new loan of some sort, your credit scores will be checked with the major agencies. There is very little reason to allow your credit scores to be checked indiscriminately and since there have been numerous personal identity compromises, the credit agencies do allow you to freeze your credit line checks not allowing the credit line check to proceed without your authorization. In many U.S. states, this is now backed by law.
9. Backup your data
How would you recover if you became a victim of ransomware? This type of malware usually results in your data getting encrypted and then results in a demand for payment to recover an encryption key and decrypt said data. From a personal user perspective, there are many backup services available which will make sure your secure data is stored in the cloud. Rather than pay the ransom, I suspect most would prefer to format and start over.
10. Make a copy of key account numbers, and store it in a safe or other physically secure location.
When all else fails, sometimes you just need the paper. I would suggest having a small fireproof/waterproof safe at home in which you can store valuable information such as birth certificates, passports, backup media (if you like), and more to the point some printed information that gives you some recovery mechanisms should a real disaster occur that renders your digital devices worthless.
You can learn more straight from Joff himself with his classes:
Available live/virtual and on-demand!