Privacy vs Security

Among the questions that I’m regularly asked are those concerning privacy.  The context for these questions leads me to believe people often confuse privacy for security.  The truth is at times the difference between privacy and security is rather small.

The interesting thing about these two concerns is how closely they mirror two of the fastest growing sections of tech itself: security and big data.  Due to the way networking was developed with ease of sharing in mind and how inherently complex the internet is, it is no wonder so many companies and individuals are focused on security.  Big data has been a bit more behind the scenes as it rises in popularity.  Today with growing ubiquitous access to computers, faster and more powerful super computers and transformation of all data to digital formats, we shouldn’t be surprised about the interest in big data.

Big data has allowed us to reduce the time and cost it takes to sequence human DNA, enabled computers to win against humans in chess, Go and Jeopardy, and helped cities analyze and predict traffic patterns.  Big data is also commonly used in marketing and sales.  Companies are now able to collect data through a visit to that company’s own website, social media and paid for third-party data.

A good portion of the data that social media and third-parties are collecting is through tracking your Internet behavior.  Say, for example, you open your web browser and go to Facebook, then Amazon.  Unless you are taking actions against being tracked, it is likely both Facebook and Amazon know more than you would imagine about what you recently have done on the web.

Security...

is an issue that exploits a flaw in the system.  The flaw can be us humans, the code in the system or issues with the hardware.  Good security eliminates as many chances for these flaws to be leveraged or even exist as possible.

Unfortunately, humans are now the weakest link in any security policy.  Many security exploits involve tricking us into installing something malicious, granting access to sensitive people or information or giving away critical insight into a system.  For example, phishing relies on fooling recipients into taking an action such as logging into to “your Office 365 account” on a site which appears to be Microsoft, but is a phony.

Outside of humans being taken advantage of, security relies on scanning the network for activity or applications for malware.  In the IT world we rely on vendors releasing patches and updating firmware for security flaws as they are discovered or reported.  Windows and Apple are constantly patching their systems for new issues found by the numerous security professionals searching for bugs and flaws.

Lastly, security is often exploited due to poor practices or lack of understanding of the systems themselves.  One example of this is the practice of “least privilege”.  This means an individual is only assigned the appropriate level of security to do their job.  The tendency for IT administrators is to give administrative rights to users so they can do their job, however normally administrative rights are not necessary.  Without administrative rights users are less able to get infected or inadvertently allow malware leverage this elevated status to attack the network.  Another issue that would fall into this area would be setting up a network to allow guest users, but not isolating the network, thus inadvertently allowing the guests access to sensitive data stored on the corporate infrastructure.

Privacy...

is the tug between website owners or companies and individuals.  One of the early tenets of the Internet was that it was free, which remains the same today.  Many sites that are not selling a particular product, like social sites (ex. Facebook), make money by offering ad space or trading information about its visitors.  Often a site’s collection of data about users conflicts with what its users feel is fair or acceptable.

One of the first methods for tracking users was cookies.  Cookies are usually little text documents that websites create on your computer.  These cookies track you while on their website and can store login information or your session activity, like placing items in a shopping cart.  Much like other ideas, this was a useful tool for helping users navigate a website.  However, as time has passed, companies started using cookies in ways that became troublesome to some people.  Why should Facebook know what my Google searches are?  Why am I seeing an ad for something I just searched on Amazon?

Recently, tracking users has become even easier as we are programed to click past any End User License Agreement (EULA) which states the service or application you are about to install/use can collect data on you.  If you are signing up for free services on the Internet, such as Google or Facebook, a good portion of the revenue model of these companies is to mine data, package the analytics and sell this data to companies.  More subtlety, users are giving information to companies like Facebook and Google if they are using the Facebook or Google sign-in services to log in to other third-party accounts.

Finally, the big data collection item out there rests in the palm of our hands: our phones.  For the most part Apple has done what they can to ensure your privacy, but inherit in the technology are ways to track you.  Stores have implemented systems that allow them to track all the phones that come in] by monitoring the wireless antenna connection probes.  Local law enforcement agencies have started implementing systems to track cell phones outside of what your carrier does to ensure your phone works.

Security Best Practices...

should be thought of in layers, as we should no longer be relying on any one single action, software or solution to protect us.  As many security layers that can be implemented without annoyance or breaking the bank, the better.  Many helpful security practices can be set up with little to minimal costs.  Below are nine layers to tighten security:

1. Test and verify your users do not need to be logged into their computers as administrators. This alone can dramatically slash the chance of getting infected by a virus.  Is there an application that prevents this from being a solution that you can put in place?  No?  Well, then try setting up local administrator accounts on each users’ computer and let the user have that password.  This would allow them to run applications as an administrator but not be logged in as one.
2. Similar to not allowing users to have administrative rights on their machines, we should not allow unnecessary traffic on the network. If you have a firewall, that means making sure only traffic that is needed is allowed to pass through the firewall.  It is best practice to isolate guests on a network to prevent them from accessing your file server or other corporate network infrastructure.  If you have users that are remotely accessing the network, make sure they are using a VPN or a similar tool which has the same level of security.
3. Make sure your laptop, firewall, software, antivirus, network devices and anything else is up-to-date with the latest firmware and patches. This is the only method to prevent an exploit making use of a software flaw.
4. Use a password manager. One of the biggest weaknesses is passwords.  Humans tend to have rather bad password habits.   Even if we adhere to password policy guidelines, it can be tough to come up with a solution that is truly complex enough and easy enough for you to use and remember.  If you use a vetted password manager, the ability to use long, complex and strong passwords becomes exponentially easier.
5. Implement MFA (Multi Factor Authentication) everywhere possible. Passwords are a broken technology and we should harden our passwords by utilizing MFA.  MFA works by adding an additional piece of information that would need to be supplied after entering your credentials.  This code can be delivered by text (SMS) or via an application on your computer or phone.  Not everyone out there is offering the possibility of adding MFA, but if it can be added, and you want to protect your system, it is a great option.
6. Keep current backups. Be sure to have a copy stored in a different location from than the primary backups.  Many people forget that backups are good security. Good security states, “It is not if, but when, you have a security incident.”  If that is where we start, we need a good backup solution, or better yet, a good disaster recovery plan so that when something goes wrong there is a way to recover with minimal down time.
7. Educate your users. As stated before, we are the weakest link and education is the best solution to fix this weakness.  For SWAT, that means we take the time to have our higher level techs teach the lower level techs.  We have also spent quite a bit of time with our clients providing education sessions to help prevent users from getting themselves in trouble.  If you are trying to do this on your own it can be a daunting task.  A few suggestions of mine are: Security Now!, Darknet Diaries, Hak5, Krabs on Security and Threat Post.
8. Document your network. It is difficult to be aware of and identify all the vulnerabilities without knowing what exactly is in your network.  Also, if there is an incident that needs investigation, documentation can cut down how long it takes to find the issue and verify if action is required.
9. Encrypt high value items. If there are laptops that leave the network and a possibility of sensitive data living on that hardware, encrypt the hard drive.  If you need to send a message including sensitive data, send it as an encrypted email or find another secure channel to deliver the message.  As you are surfing around the Internet make sure sites you visit are using HTTPS.  I even recommend using the browser plug-in HTTPS Everywhere, which you can use with Firefox, Chrome and even Microsoft’s Edge browser.

Privacy Protection...

can also make use of the layered approach as specific solutions to specific privacy issues tends to work best.  Another principle of privacy is to isolate your data leaks and spread out your activities to make it more difficult for any one service to track you.  The thing to keep in mind about privacy is we tend to give away our information in turn for online services; you should make sure this tradeoff is acceptable.  Here are eight steps you can take to increase privacy on the Internet: 

1. Change the settings in your browser to enable tracking protection or the Do Not Track setting, as well as disable third-party cookies. This is relatively safe to do without making websites unusable.  Cookies do have a purpose and totally disabling them can make a large part of the Internet frustrating to use.
2. When given a choice to sign in to services with your Facebook or Google accounts, don’t instead create an account with the website you are visiting. Signing in to services with Facebook or Google is far more convenient than keeping track of multiple usernames and passwords, but it does allow Facebook and Google to collect more information about you.  Instead use a password manager to create new passwords and to keep track of both your username and password.
3. Use a VPN service when using public Wi-Fi. Privacy on an open public network does not really exist unless you are only using encrypted communication methods.  I recommend using a VPN service which will encrypt your data. The better ones even encrypt your DNS queries.  My personal favorite is TunnelBear.
4. Use Incognito or private browsing. Using these privacy modes on your browser means that when you close down the browser, the data that had been collected during that session should be cleared out.  It also should mean that if you are using this in conjunction with several different browsers for different tasks, the ability to track you will be more difficult.  For example, open Gmail in an Incognito Chrome then use normal Firefox session to do your other surfing. This will prevent Google from knowing what you are doing in Firefox and vice versa.  If you can use different browsers for social media, email and normal surfing, you should also notice targeted advertisements subside.
5. Consider using DuckDuckGo instead of Google for your searches. DuckDuckGo has been growing in popularity for some time now as an alternative to Google.  DuckDuckGo’s claim to fame has been that they are far more focused on privacy than Google and that their money making model does not rely on tracking your Internet activities.
6. Clear your Google history. If you are interested in resetting what Google knows about you, Google provides an excellent way to do this.  Clearing your Google history once and while is a good idea even if you are not concerned about privacy.
7. Use privacy plug-ins like Ghostery, uBlock Origin (found in the browser stores), Privacy Badger and Disconnect. There is not much need to run all of these as several of these plug-ins overlap in what they offer.  The plug-ins are safe and work well with Chrome, Firefox and even the Edge browser.  I do not recommend using ad blocking plug-ins as this can make some sites less usable and can disrupt the revenue model that several reputable websites use.  Additionally, many ad blocking plug-ins make money by allowing companies pay to be excluded from being blocked.
8. Go the extra step and turn off the location settings on your phone when you are not using them. Usually location services are unnecessary, but you would want to re-enable them while using services like Google or Apple Maps, Uber or Lyft.  Many other applications will want to use location services, but they do not really need location services to run properly.