We’re encouraging you to take a long hard look at what sensitive information you give away every day, whether at work or on social media. Learn more below.
We’ve all seen it: the post-it note with hastily scribbled passwords in plain sight. Login credentials for the domain controller taped to the server rack. The proverbial keys to the kingdom lying on the castle steps. The concept of “clean desk policy” was introduced to put an end to this bad practice. However, years have gone by and the landscape for which this policy was developed has transformed. With the ever-changing climate of social media, the cloud, and our always-online presence, it’s time to talk about the evolution of clean desk policy.
When it was introduced, clean desk policy was intended to ensure accountability for sensitive information at all levels of the organization. This could be passwords, personal information, or protected health information. The Department of Defense even adopted the practice and put their own spin on it to protect SECRET and TOP SECRET data. Clean desk policy aimed to curb the occurrence of unnecessary spillages, identity theft, and data loss by standardizing protection for all.
The goal of this article is to have you take a hard look at what information you give away every day. After reading, you should understand why it’s important to take clean desk policy home with you. Finally, I want to explore the idea of extending the concept of clean desk policy to your virtual space, the portion of the internet you inhabit through various forms of social media.
Internet users have been reminded to keep their passwords secret in one way or another since it was still cool to call it the World Wide Web. As far back as America Online, we received regular notifications reading something like, “An AOL employee will NEVER ask you for your password.” These messages are important; they provide a psychological primer for the reader. Seeing the warning over and over again has hammered a red alert procedure into your head that will sound the alarm bells if a stranger should ever ask for your password.
The social media age has forever changed how we share our lives with the world. Most of us have spent the last decade sharing every moment with our “friends” on Facebook. We announce our birthdays, weddings, and family gatherings online. We celebrate childbirth and stay in contact with our distant relatives through social media. We “check in” on Facebook, allowing the service to access GPS location data on our phones. Everything about our lives is shared on social media. For an attacker, this kind of behavior is as good as a password.
When Sarah Palin’s Yahoo email was compromised in 2008, the hacker did so without ever needing her password. The attacker instead researched the answers to Mrs. Palin’s security questions. I am referring to the questions and answers you generate during most account registrations. You are intended to provide secret, not easily discoverable answers. In the event you lose the password to your account, you would be able to recover access by providing the answers to your security questions. However, most of us hastily complete this section of account registration without ever considering how an attacker may use this information.
Today, security question guessing is one of the most popular methods of account compromise. An attacker can use our social media pages to learn answers to security questions without ever having to interact with us. Since the attack carries so little risk, it’s often one of the first methods an attacker uses to gain unauthorized account access. When’s the last time you stopped to ask yourself which of your security questions could be answered by other people? Could your friends or family answer your security questions? What about someone you are connected with on Facebook? How about a complete stranger with the email address from your business card? Who knows the name of the street you grew up on? Could I look at your Facebook page and determine where you went to high school? How hard would it be for a total stranger to figure out your mother’s maiden name?
Your current city and hometown should be considered sensitive information. This would provide an attacker with answers to several security questions.
In the penetration testing world, we call this gathering of information planning and reconnaissance. This is the phase of a penetration test where we gather as much publicly available intelligence as possible. The major difference here is a penetration tester has consent, usually a written agreement to perform testing. Unfortunately, hackers use the same methodology while preparing to attack unknowing victims. The next time you consider celebrating your birthday on Facebook, or filling in an “About Me” section to include your address, email, or interests, consider how that information may be used to compromise you.
Now that you’re aware of how hackers may compromise your accounts, let’s talk about how you can protect yourself against it. The absolute best way to mitigate this risk is by setting up two-factor authentication for your email. Most modern email providers offer this extra layer of security for free with their service. For example, Gmail sends two-factor text messages directly to your phone. When you log in, in addition to entering your username and password, the service prompts you for a time-based PIN. An attacker would need to have your phone in addition to your standard password to guarantee access to your account.
If you aren’t interested in the highly recommended two-factor authentication, you have some other choices. You probably already have a separate email address for work and home use. Some security professionals take this to the extreme and use a separate email address for every service. Yes, this means one email for Facebook, one for Netflix, one for PayPal, etc. The concept here is eliminating the single point of failure that occurs when you have a catch-all email address for your online activity. Once an attacker gains access to a single email servicing everything, they have access to almost every service associated with that email. Chances are, you are using the email they have compromised as a backup recovery option for the services associated with it. The attacker simply goes through the account recovery steps for every service, slowly but surely compromising each in little more than a few hours. If you have a separate email per service, you are providing a logical boundary that isolates the attacker to a single account. As an added bonus, when it comes time to work with customer support to regain access to your compromised email, using this method means you won’t be on the phone for days restoring access and resetting passwords to dozens of associated services.
The last recommendation is to add something random to your security question answers. Consider adding a secret PIN or string of characters that only you know. This way, hackers hoping to scrape your answers from a publicly available resource would be unsuccessful.
In this example I have appended “90930” to my answer as the secret PIN. Even if you decided to add the same secret PIN to every answer, the account would still be more secure this way. The downside to this method, of course, is having to remember a secret PIN. However, if setting up two-factor authentication isn’t technically feasible for you, and you aren’t interested in keeping 20 email addresses, taking this extra step to protect your security answers may be key to protecting your accounts.
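A self-audit sketch for the advice above, added here and not part of the original article: it checks which of your own security answers appear in text you have posted publicly, and shows that the PIN-suffixed form no longer matches. The profile fields, questions and answers are constructed sample data, and the function names are illustrative.

```python
import re
import unicodedata

def normalize(text):
    """Lowercase, strip accents and punctuation: "O'Connor" -> "oconnor"."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return " ".join(text.split())

def exposed_answers(answers, public_profile):
    """Return (question, profile field) pairs where the answer appears,
    as whole words, in something that is publicly visible."""
    findings = []
    for question, answer in answers.items():
        needle = normalize(answer)
        if not needle:
            continue
        for field, value in public_profile.items():
            if f" {needle} " in f" {normalize(value)} ":
                findings.append((question, field))
    return findings

def with_pin(answers, pin):
    """Append the same secret PIN to every answer, as the article suggests."""
    return {question: answer + pin for question, answer in answers.items()}

# Constructed sample data: what a public profile might show.
PROFILE = {
    "hometown": "Grew up in Springfield, Illinois",
    "education": "Lincoln High School, class of 2004",
    "family post": "Happy birthday to my mom, Ann (née O'Connor)!",
}

# Constructed sample data: answers as typed at account registration.
ANSWERS = {
    "City you were born in": "Springfield",
    "High school attended": "lincoln high school",
    "Mother's maiden name": "O'Connor",
    "First pet's name": "Biscuit",
}

if __name__ == "__main__":
    for question, field in exposed_answers(ANSWERS, PROFILE):
        print(f"'{question}' can be answered from your public '{field}'")
    # "90930" is the PIN from the article's example; pick your own.
    remaining = exposed_answers(with_pin(ANSWERS, "90930"), PROFILE)
    print(f"exposed after adding a PIN: {len(remaining)}")
```

The check only covers text you feed it, so an answer that passes may still be known to friends, family or public records.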
Regardless of which method you choose, I wanted to take this opportunity during National Cyber Security Awareness Month to encourage readers to further secure their online presence. While these extra steps for security can be a burden, none of them are quite as burdensome as having a stranger rifle through your private life. I hope today’s blog has provoked thought in regard to what information you provide on social media. In the future, be cautious of what answers you choose for your security questions. Remember, whether in the physical or virtual space, clean desk policy can only be as effective as the person following it.