Saturday, September 29, 2018

Information Security

In my line of work, I have to know a lot about information security. My focus is more on software and websites, but some of my coworkers set up secure networks and workstations. Yet even when everything is done correctly, that security may still fail. In most cases, the weakest link turns out to be the users.

I've organized this post for easy skimming if you want to just read the bold text.  Or, you can dive down into the details and hopefully gain a little more understanding.

Everything can be hacked.

The question isn't whether something can be hacked—it's how hard it is to hack. A flower shop computer is definitely easier to hack into than a nuclear reactor, but both can still be hacked if you know how to do it.

Your goal should be to make it very difficult to gain access to your data. The inexperienced hackers should not be able to figure it out, and the experienced hackers should not consider it worth their time. If you're storing government secrets, you will want to go even further, but that is not within the scope of this blog post.

Find a trustworthy tech person.

Even if you know a thing or two about computers, find someone whom you can trust for tech support. And be sure to make it worth their while to help you when needed.

Be sure that you can trust them.

You may have to give a tech access to your data for them to fix something, so trust is very important here. I'd recommend going with someone experienced, because experience will tell them that they really don't want to know what you have on your computer.

Dont' jump between multiple techs.

Each additional person adds a potential point of failure. Keep the circle small.

Secure your own computer.

The news mostly reports about websites and databases being hacked, but most of the data breaches I've seen first hand have been on personal computers. Make sure that your computer is not the weakest link.

Keep your computer updated.

Never turn off automatic updates, and routinely update the software that you use. As security holes are found, they are fixed. You want the latest fixes.

This also includes your virus protection software. Make sure that it is updated regularly so that it knows about the latest viruses.

Never turn off your firewall.

If your "trusted tech" tells you to turn off your firewall for more than a few minutes, then call them stupid and find someone else. It's okay for them to turn it off for a minute to diagnose a problem, but it should never be turned off permanently.

Be careful opening files that you didn't create.

Programs are dangerous, Word documents are questionable, and pictures are only usually safe. I say "usually" because it is possible to put a virus into any type of file. Some are easier to do this with than others, so the easier ones such as programs and documents should be given an especially thorough looking-over.

If you do not trust the person who sent you the files, or if anything looks suspicious, then don't open it until you've verified that it is safe. This can be handled a variety of ways, including: talking to the person who sent it, conferring with your "trusted tech", or simply deleting the file.

Regularly back up your files.

Even if we are super careful, we may still get into trouble. As a backup plan, you should regularly backup of all of your important files. Not only is this a good idea from a security perspective, it is also a good idea from a data retention perspective.

Surfing the 'Net

You can go overboard with security by using VPNs, proxies, and other tools, or you can just accept the fact that some websites just aren't very trustworthy. I prefer to go with the later and follow a few simple security rules.

Be careful what websites you visit.

Websites that are taboo seem to be the worst about being malicious. I'm not sure why, but it's almost as if the people who make such websites don't have very high morals.

Even websites that aren't about taboo topics may be malicious. If you don't know the website, don't trust it. You may still want to visit it, but don't enter in any of your personal information or passwords.

Get an ad blocker.

Usually, the website has little control over the ads that it serves, and some ad platforms aren't very secure. Using an ad blocker will block a lot of potentially harmful content. As an added bonus, you get legitimate advertisements blocked too!

Do not trust tech support popups.

The #1 most common way that I see people infected is by calling fake "Microsoft" because of a popup when they visited a malicious website. Instead of calling the number on the screen, call your "trusted tech" that I mentioned earlier.

Pay attention to what your browser says.

Most popular browsers will tell you in the address bar whether a connection is secure. If the website is not secure, then do not enter any sensitive information on that website. Also, if your browser stops you with a big red warning screen, that means stop and close the tab.

Social Networking

While most popular platforms are secure, they usually do sell our data. Those third parties are the weak point. A chain is only as strong as its weakest link, so these super-secure systems may not really be so secure after all. That's okay so long as you keep it in mind.

Do not share any secrets.

Not only do your friends talk, the social network does too. If you don't want something to be public, then do not share it on a social network. It will be seen by more people than you intend to see it.

Your legal notices do not work.

I see a lot of posts that go something like, "I do not give Facebook permission to share my data." People expect for that to be legally binding, but it's not.

For such a text to be legally binding, all parties must intentionally agree to it, and there must be a record of such an agreement. I've never seen Zuckerberg comment "I agree" on such posts, but I guarantee you that all of us checked "I agree" while setting up an account.

Disclaimer: While I've done my research on this topic, I am not a lawyer and this is not legal advice. Consult a lawyer if you're serious about wanting to press this issue.

Be careful what third parties you allow access to.

Those "Sign in with [whatever]" buttons are very convenient! I no longer have to create an account for every service that I use. But they come with a downside – you are giving a third party access or control of some of your data.

On all popular social networks that have this feature, you can review which third parties have an access token and what data is shared with them. Review this and revoke access to the ones that you don't want on there.


Emails are not secure. We've been throwing technologies at it for years to improve its security, but it still sucks as a secure medium. Still, the convenience of it may be worth it if you're careful.

Verify unknown senders or emails.

If you receive an email from someone's "other" account that you haven't seen before, call and verify that it's them. If you receive an email that it doesn't make sense for you to have received, call and verify that they sent it. Or, just delete the emails if they don't look important.

Encrypt or don't send sensitive information.

If you want to leave your key under the doormat, that's fine, but don't be surprised when a robber finds it. It's the same concept here. If you do not encrypt sensitive information sent over email, then don't be surprised when a hacker gets it. I use this analogy because it's really up to you whether to go with convenience or security.

Be careful of attachments.

Every time that you open an attachment, you're at risk. Even if you trust the sender, who's to say that their computer hasn't been compromised. Weigh the risks, consider the convenience, and decide whether to gamble with your security.

Is it worth it?

As a software developer, it is my job to protect computer users. My aim is for my creations to never be the weakest link, but I can never dictate what else the user may have on their computer or how they may use it. Sometimes it feels like a losing battle, but that isn't how we should look at it.

With computers, we can do so many incredible tasks that we couldn't easily do before. The cost is a little bit of security. Is the benefit worth the cost? I think that it is. We just need to be aware of the risks and take appropriate precautions.

This is by no means an exhaustive list of precautions that can be taken, but I consider these to be some of the basics. I hope that this helps some of you to be safer on computers so that you can continue to enjoy that very useful technology.