
How Secure is Secure Enough?

Over the past few weeks I have spent many hours thinking about my personal information security requirements and discussing pros and cons with others. My goal with this article is to clarify few concepts that have surfaced in these discussions. I want to help you find your way in the jungle of information security.

Information classification

[Figure: the four categories side by side - Public, Restricted, Confidential, Top Secret]

One size does not fit all. If you were to handle all your information as top secret, that would have a serious impact on your productivity and your wallet. This is the reason most companies develop information classification standards.

Information classification standards help sort information into categories based on sensitivity. They define how information should be handled in each category. The goal is to find fit-for-purpose approaches.

Typical categories include public, restricted, confidential, and top secret.

Public information may be shared freely. This includes information on public websites and in printed literature such as brochures and user guides. In a personal knowledge management scenario, this would include your blog, your book - in case you are an author -, statements you made on social media, any public speeches, etc.

Restricted information can be shared freely with a broader group of people you trust. Think of pictures on Google Photos for a sports club that are accessible to all members. Internal company news, policies, and procedures accessible on the intranet would also typically fall into this category.

Confidential information is shared with others on a strict need-to-know basis. Think of a confidential product launch or a merger, acquisition, or divestment deal. The company may even require those involved to sign a non-disclosure agreement before they share any information about the project with them. In a private setting, your interactions with your tax or legal advisor, or your physician, would probably fall into this category.

Top Secret is information that if leaked would have unacceptable consequences. Quarterly financial results of large corporations typically fall into this category. It is not uncommon to host such information on a separate protected infrastructure, ring-fenced from the rest of the corporate network. As individuals, this would probably include your pin/password/code for your online banking environment. Sometimes, this could even include parts of your personal journal as well.

Thinking in these four categories and defining your own security standards for each is a good way to understand your needs and constraints.

What is e2ee?

[Figure: three models side by side - no encryption, encryption in transit, and end-to-end encryption, each with the service provider in the middle]

End-to-end encryption ensures that only the intended recipient can access your message. To understand e2ee, consider the following alternatives:

No encryption

This means your message travels in clear text from your device to the recipient’s device. This is, for example, the case with SMS and with websites that are accessed via http (and not the secure alternative https). SMS is relatively safe because an attacker needs expensive technology to intercept SMS messages. Http is simply not secure, period.

Encryption in transit

The communication between your device and the server is encrypted, however, once it arrives, the server decrypts your message for further processing.

This is how websites using https typically work. Your provider can offer additional server-side services that require the processing of your message. These services could include group chat, or automatic transcription of a voice conversation, etc. Once the server has finished processing your incoming message, it forwards it (or its enhanced version - e.g. your voice/video message with auto-generated subtitles) to the recipient in an encrypted form.

Encryption in transit protects your message during the most dangerous part of the journey because attackers could easily intercept your message while it is in transit. Encryption in transit however leaves your message vulnerable on the server.

End-to-end encryption

In this scenario, your message remains encrypted during the entire journey from your device to the recipient. Encryption technologies ensure that only you and your counterpart can read the message, not even the service provider in the middle.

E2ee does not provide full security. Consider the simple scenario that you lose your phone and you haven’t set a pin or password. Even though your messages were end-to-end encrypted, the attacker could read all of them simply by gaining access to your device.

Now consider that in practice you don’t even need to lose your device: attackers using malware can gain access to it while it is sitting safely in your hands. This is one reason why you should never install “free” pirated applications. There is no such thing as “free”; you might simply pay with your privacy instead of your cash.

Finally, even if you have done everything to protect your device, your message may still leak if your recipient does not follow similar safe practices.

Trust-No-One

Reference: Trust no one (Internet security) - Wikipedia

In brief, according to the TNO design philosophy, keys for encryption should always be, and stay, in the hands of the user that applies them. This includes avoiding all trusted external parties, like for example the certificate authority in case of secure end-to-end SSL connections. However, most communication means rely on a trust relationship between at least two parties.

Security through obscurity?

Back in the 1990s it was common practice to install homemade anti-theft solutions in cars. Some people simply used a broken fuse; they swapped it in for a good one when they parked their car in an unsafe location. Others disconnected, replaced or swapped cables on the engine’s distributor. Some installed a magnetic reed switch somewhere on the dashboard that you first had to activate with a small magnet before turning the ignition on. The assumption is that a thief will not have enough time to figure out why the engine is not starting.

Security through obscurity is an approach to minimize the risk of getting targeted by an attack.

Examples of security through obscurity include solutions in which an administrator changes default/popular/common settings, such as changing default port configurations for SSH, the default folders for applications, etc. Some people may hide passwords in binary files.

Security through obscurity can be good if combined with other security mechanisms and defensive rules. But if security through obscurity is your sole source of protection, you may be building your house on sand. Also, consider the case of hiding the key to your home under the front doormat. What if your obscurity isn’t so effective after all? If applied carelessly, you may make things easier for an attacker to uncover secrets.

How do I know who to trust?


As a customer, it is extremely difficult to assess the security of the services we use. Every company will stress the security of their services, even if their practices and architecture do not support this claim.

You can look for telltale signs:

  • Is the service using https? Is the certificate valid according to your browser?

  • What does Google bring up when you research the service? e.g. try a query like “how secure is onedrive?” or “icloud security breach”. Look for publications from independent parties and not the service provider.

  • Check the password policy for the service. Anything shorter than 8 characters, or without a mix of lower case, upper case and numbers, is unacceptable. Do they offer two-factor authentication? Have they sent you a registration confirmation email with your password in clear text? That is a bad sign!

  • Is there a documented process for reporting security incidents?

  • Don’t let empty words fool you, such as “your privacy is our number one concern...”. Are you able to find any evidence of external security certification and compliance with standards? Keywords to look for include mention of a SOC2 report, ISO/IEC 27001 compliance, participation in the Cyber Essentials Scheme, the CIF Certified logo, etc.

  • Are the services hosted at one of the reputable global service providers, like Amazon, Google or Microsoft, or at a no-name local shop? Not that small companies cannot be excellent; however, large service providers have much more to lose from a security scandal.

Conclusion

Once someone steals your information or you leak it by mistake, you can’t take it back. You may find legal remediation, but the effects can be long and devastating. Take for example Jennifer Lawrence who, when reflecting on her nude photos being leaked in 2014, commented “I feel like I got gang banged by the f*cking planet” and “I would much prefer my whole house to have been invaded. That’s what’s so scary about electronic (things). I have such fear with my phone and my computer and electronics.” [*]

My advice is to take information security seriously; your life can turn upside down in an instant if you are not careful. It may be difficult to do due diligence, especially if you are not familiar with the technology. However, it is still much easier to conduct due diligence than to perform damage control.
