While it remains ironic to receive personal security advice from the law enforcement agency that tried to force Apple to hack its own products, Comey makes an important point: “I think people ought to take responsibility for their own safety and security.”
While governments are responsible for turning the Internet into a surveillance platform, and criminal activity continues to escalate at an alarming rate, poor choices and mistakes also result in significant damage.
The Internet of Things (IoT) footprint is expanding rapidly. Almost everything is becoming network connected: cars, thermostats, alarm systems, major appliances, scales, and even plug-in home fragrance warmers. It is difficult to find an urban home without WiFi and mobile devices. But few people really consider the security implications.
Part of the challenge is that common wireless routers, access points, and switches do not provide the features people need to protect themselves. “Guest” features on home networking equipment can help, but it is still difficult to isolate IoT devices from each other and prevent them from communicating with computers and mobile devices on the same network.
IoT vendors are not helping. They rush products to market, generally ignoring security features that are not essential to product functionality. International standards for network device security exist, such as the Protection Profile for Network Devices. But since consumers do not demand compliance with security standards, most vendors simply ignore them.
Email is another good example. Effective controls such as TLS for protecting email in transit and PGP for end-to-end encryption are readily available. If customers demanded it, Google, Microsoft, and Apple could easily implement both, make using them a default, and dramatically improve global email security. Even if they did so, individuals still must accept responsibility for how they use the services. Some security breaches are simply caused by carelessness.
A colleague is experiencing email carelessness first-hand. A young man with a similar name routinely provides my colleague’s Gmail address by mistake. Over the past few years my colleague has received email from teachers, airline tickets from the young man’s mother, an apartment lease, and most recently, a login and password for medical records. For the first few months my colleague diligently replied, notifying the sender that they were contacting the wrong person. Responses varied; some people appreciated the heads-up. Others apparently thought it was a joke or even became argumentative. Now the messages are just deleted.
USB drives, especially small flash drives, continue to create significant risk for individuals and businesses. Encryption software is readily available, and many manufacturers even include it with the drives. More sophisticated devices include built-in, mandatory encryption. Despite the availability of these safeguards, people continue to walk around with tens of gigabytes (or more) of data on cheap, unencrypted drives. When they are lost, and they frequently are, the result is a security breach that could have been easily prevented.
The USB problem is so significant that some businesses use third-party software to restrict the devices, but for some reason operating system vendors have yet to include this functionality. Businesses have a clear requirement to enforce USB device policies. Individuals need to start considering the risks and making better decisions.
Personal responsibility for security is nothing new. Before computers existed, people chose whether to lock their houses and cars. Governments and product vendors need to help, but consumers and businesses are ultimately responsible for their own security choices.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org