The 10 Immutable Laws of Personal Security on the Internet
There have been a number of unbelievable data breaches lately and I have been fielding a ton of questions from personal friends and colleagues who are genuinely worried about their personal information and they want to do better with securing their digital life. In an attempt to provide some guidance on how to make better security decisions on the Internet, I’ve honed these ten immutable thoughts for consumer-level security:
1. Consider it public.
Unencrypted data stored in the cloud should be considered public even if you believe it is not.
2. Encryption of data should be accomplished by the data owner.
Do not depend on the caretaker. If the caretaker also encrypts, that’s a bonus! Encryption can be done easily by either buying encryption programs, leveraging open source, or even better, if you are a business, come up with your own technology – it really isn’t hard!
3. Encryption of data should be as unique as possible.
Standard encryption is an oxy-moron and the origin of many data spills. It may consist of outdated methods that have been around since the 1970s! The whole concept around encryption is that few people understand the codes, and it is even better if they don’t understand the algorithms. Ideally, encryption is ‘need to know.’ In our world of perverted security through standard approaches we have departed from the foundation of the need of encryption.
4. Change your security model routinely.
Every time you prepare your personal taxes, you should change your security model. This consists of changing passwords, changing operating systems or versions, changing security vendors, changing as much as possible. Changing your architecture is a lot of work, but in the long run your departure from the old and adoption of the new will serve you well. The reason? The effectiveness of different security models can decay over time. Consider churning your credit card provider too – this is a very powerful technique in avoiding scams and fraud.
5. NEVER trust a site with anything less than two-factor authentication.
The more you can combine the following attributes to authenticate into a website, the more secure it is:
- a password (something you know)
- a token / device such as a USB fob (something you have)
- need to leverage biometrics such as fingerprints (something you are)
- voice recognition and technology which leverages geo-location (somewhere you are)
6. Turn your computer off when not online.
Why? Because one can’t access a computer which is off. True, soon they will be able turn on a computer which is off from which we can to disable cords, etc. However, today it is sufficient to turn off your computer.
7. Avoid using popular, standard or free software.
The more standard (such as Windows, Adobe, Android, Apple, etc.) and open the less secure. The more unique, closed and arcane, the more secure. Some example of closed, unique and arcane software is something which was developed internally to your company and few outside of your company understand it’s workings or attributes.
8. Ease of use is a foe of security.
Avoid the easy route and encourage obstacles. Obstacles to you are also obstacles to potential perpetrators and data thieves.
9. Pay attention to the grey areas.
Grey is where the black hat hackers (bad guys) lurk. So if you don’t have clarity around the security of something (e.g. Cloud explanations, etc.) you don’t have security.
10. Trust, but verify.
Require your vendors to prove the security of data. Constant downtime of a vendor translates to a broken vendor with bad security. Use outages as an excuse to get updates from your vendor relationships – including your banks!
Your daily security activities can provide opportunity to traverse far and wide from the foundational principles of security. Understanding the key principles of security will assist in architecting and directing your security controls.
What is clear is that the pace and veracity of threats will continued to expand. Understanding the intent of security principles is more powerful than the security elements themselves. Consider constantly sharpening your “saw” to implement defenses in concert with these principles and don’t become beholden to established vendors or technical solutions.
Catch up on more great security thought leadership and I also invite you to download your copy of the newly updated Radware DDoS Handbook. This handbook is the ultimate guide for everything you need to know about DDoS attacks – the most persistent and damaging cyber-attacks.