No security measure is a 100% guarantee or a "silver bullet". The truth is that we cannot assume anything except a defensive and vigilant posture. Adopt no trust by default, and question every assumption. Never assume you are anonymous or invisible online; assume the reverse. Safeguard your privacy!
Staying connected online has never been easier, with the rapid push into mobile adoption in business and with consumers demanding quicker, frill-free online shopping (or "googling") for readily available e-services. These virtual experiences are well received; just look at the use of social media sites such as Facebook, Twitter, Instagram and LinkedIn. They have become the one-stop daily routine for checking in, updating one's status and whereabouts, and openly sharing one's feelings of the day with virtual friends.
We have become online "slaves", indulging in self-advertisement to anyone connected, known and unknown alike. Are we overdoing this and revealing (or sharing) too many details, including about our family, friends, employer and beyond?
What is the real impact to ME?
No doubt being online is a necessity for business and for our personal lives. We take measures to make sure we do not overshare online and to close any gaps. Despite these measures, a trade-off remains: our details are shared with external trusted parties, such as public government agencies or equivalent service organisations. When an adversary breaches and penetrates them, we become the casualties of their declared cyber breach. We lose our identity and privacy. See one example from the Ashley Madison leak
- the "real" declared truth about fake online profiles:
In order to allow persons who are Guests on our Site to experience the type of communications they can expect as Members, we create profiles that can interact with them....These profiles allow us to collect messages, instant chat and/or replies from individuals or programs for market research and/or customer experience and/or quality control and/or compliance purposes....The profiles we create are not intended to resemble or mimic any actual persons.
a) Losing one's identity: your identity is stolen or compromised by an attacker, or by someone you assume to be who they claim. They exploit your identity for illegitimate purposes, such as stealthy monetary transactions on your behalf, or tricking your trusted partners and close working allies into opening up their secret information, e.g. a competitive business proposal or the dealings of a major company acquisition.
- The truth is that "you" are the one they trust, but your phished identity did you an injustice.
b) Losing one's privacy: your identity and, more importantly, your personal details are compromised. They are stolen and published online without your knowledge or consent. Welcome to the age of "Organisation Doxing", as shared earlier, where you become virtually "naked" through data leaks from the organisations you have entrusted (even your employer).
- The truth is that you are now easily googled online. Try replacing "password" with your unique ID or name (hopefully you do not see any of your revealing details, like photos).
Other widely reported public breaches include the United States Office of Personnel Management (OPM) and Anthem Inc incidents. They prove (yet again) that the collateral damage greatly impacts employees and their families too. Staying connected in cyberspace is, in fact, double-edged and a trade-off we have to live with: it puts us under constant monitoring and at the mercy of cyber adversaries.
Quick 101 to "Protect Myself"
Since there is no "cyber armour" to safeguard ourselves, a simple scheme of restricting oneself to shorter surfing hours is only a means to an end. The end we are looking for is not a matter of "if" we can protect ourselves but "how" to reduce our risk exposure, rather than going back to archaic habits (e.g. communicating by snail mail). Check out this quick "101" rule of thumb for a self-check to discover, assess and reduce our own online exposure.
1 - Don't lose your password
- This sounds straightforward.
2 - Don't get phished
- Review your password and check whether it falls into the easily guessable category or the so-called "default" password list: "password", "1234", "admin", or combinations of these words, etc. We do ourselves no justice by having a simple password.
- Stay skeptical when receiving any form of online request, via email or otherwise, asking for urgent assistance or SOS help.
- Refrain from opening attachments claiming to be "official" letters (or even travel invoices or receipts). Verify with the source or sender first.
- Watch out for fraud: do not reply to or click any links in an email or SMS you receive. Hover over links to inspect them, and delete messages on suspicion.
- Do not succumb to scams. If a family member or friend has posted an odd message you cannot verify (i.e. they are in danger and need urgent money for some "unforeseen event"), call their mobile phone or contact them by some other means to confirm the message is truly from them.
- Avoid giving the benefit of the doubt even to close or known sources on their urgent online correspondence. If they really know you well, they would already have called you about an urgent and important message or notice.
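Here is a small self-check for rule 2, added as an example and not part of the original article: it compares a password against a short constructed list of "default" words, including the glued-together and disguised forms ("admin1234", "P@ssw0rd123!") the rule warns about. The word list and the four-character decoration limit are assumptions for illustration.

```python
import re

# Constructed short list of the "default" words the article warns about; a real
# self-check would load a published list of common passwords (many thousands).
DEFAULT_WORDS = {"password", "1234", "12345", "123456", "admin", "administrator",
                 "qwerty", "letmein", "welcome", "guest", "root"}

# Undo the substitutions used to "disguise" a default word: P@ssw0rd -> password.
LEET = str.maketrans("@$013457!", "asoieasti")


def _chunks(s):
    """Split into alphabetic and numeric runs: 'admin@1234' -> ['admin', '1234']."""
    return re.findall(r"[a-z]+|\d+", s)


def default_word_combination(pw):
    """Return the default words the password is built from, or [] if it is not
    just default words glued together (optionally decorated with up to four
    leading/trailing digits or symbols, e.g. 'Welcome1', 'P@ssw0rd123!')."""
    low = pw.lower()
    # Strip a short decoration so 'password123!' is judged on 'password'.
    core = re.sub(r"^[^a-z]{1,4}|[^a-z]{1,4}$", "", low)
    for candidate in (low, core, core.translate(LEET)):
        parts = _chunks(candidate)
        if parts and all(p in DEFAULT_WORDS for p in parts):
            return parts
    return []


def review(pw):
    """Human-readable verdict for the quick self-check."""
    words = default_word_combination(pw)
    if words:
        return f"guessable: built from default word(s) {words}"
    return "not on the default list (still make it long and unique)"


if __name__ == "__main__":
    for sample in ("admin1234", "P@ssw0rd123!", "Welcome1", "Tr0ub4dor&3"):
        print(f"{sample:14} -> {review(sample)}")
```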
3 - Don't assume trust & don't take things "as-is"
Train ourselves to stop and look out for red flags diligently. Anything that seems too unbelievable or too enticing a deal is likely not what it claims. Check on "avoid being phished" for a better perspective that keeps one alert to the different real cyber scam schemes.
- What I mean by "as-is" is simply not to take things at face value or for granted. The presented information is not always real and trustworthy unless proven otherwise. Ask more questions to verify the truth of those claims.
- Avoid being "overly" gullible without verifying the veracity of the information source. This is especially so when it comes from your friendly social media or from your mobile provider as messages.
- Take a "zero trust" stance and ask for verifiable evidence. By default, no assumption should be made. Humans are creatures of habit. We create and stick to our principles dearly, including "bad" online habits, such as being too flippant in our online interactions, sharing and exchanges of personal details (recall the Ashley Madison breach earlier).
A quick self check (or test)
Check out the good, bad and ugly side of organisations and what they are doing to regain and maintain the good side of end-user trust. We should be asking more relevant questions when investigating a breach, or when discovering evidence to prove a claim, in order to make an informed decision. Instill such a habit to remind ourselves: do not let emotion override.
Below is an easy check on your out-of-office messages. You may be asking what this has got to do with this discussion. Information can leak out by any means, and unknowingly, through your workplace or personal habits. It is not solely about refraining from oversharing on social media by making sure those privacy settings are set diligently. The below is something most people miss.
Before we share, always ask "Is it necessary for this information to be advertised publicly and made accessible?" and "Is this information too much?". If either answer is "Yes", review it or simply don't share. In this instance you need to assess information sharing separately for internal and public consumption.
- Do not be too revealing by brandishing everyone in your team unnecessarily.
If it is necessary to share more, always limit it to the specific receiving party. The technology is here to help in limiting what is shared. Leverage it and avoid the "default" settings or the stereotypical organisational culture. Have a good chat with your IT team too.
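As an added example (not the article's original screenshot), the check below scans a constructed out-of-office reply for details an unknown sender should not learn, judged separately for the internal and the public audience, and produces the redacted public version. The sample text, the patterns and the split of what colleagues may see are assumptions for illustration.

```python
import re

# Constructed out-of-office reply of the kind the article says most people miss.
SAMPLE_OOO = """I am out of the office travelling overseas from 12 Oct to 23 Oct 2015
with limited access to email. For urgent matters please contact my colleagues
Jane Tan (jane.tan@example.com, +65 9123 4567) or Bob Lee (bob.lee@example.com).
My mobile is +65 9876 5432."""

# Each pattern marks something an unknown sender should not learn from an auto-reply.
CHECKS = [
    ("absence period", re.compile(
        r"\b\d{1,2} [A-Za-z]{3,9}(?: \d{4})?\s+(?:to|until|-)\s+\d{1,2} [A-Za-z]{3,9}(?: \d{4})?")),
    ("away-from-home hint", re.compile(r"\b(?:travell?ing|overseas|abroad|vacation|holiday)\b", re.I)),
    ("phone number", re.compile(r"\+?\d[\d\s-]{7,}\d")),
    ("colleague e-mail", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]

# Details colleagues legitimately need but the public copy of the reply should not carry.
INTERNAL_OK = {"absence period", "colleague e-mail"}


def audit_out_of_office(text, audience="external"):
    """Return (label, matched text) pairs for every detail that over-shares
    for the given audience: 'external' flags everything, 'internal' skips
    the dates and the who-to-contact details."""
    findings = []
    for label, pattern in CHECKS:
        if audience == "internal" and label in INTERNAL_OK:
            continue
        findings.extend((label, m.group(0).strip()) for m in pattern.finditer(text))
    return findings


def redact_for_external(text):
    """Build the public-facing version by removing every flagged detail."""
    for _, pattern in CHECKS:
        text = pattern.sub("[removed]", text)
    return text


if __name__ == "__main__":
    for label, hit in audit_out_of_office(SAMPLE_OOO):
        print(f"{label:20} {hit}")
    print(redact_for_external(SAMPLE_OOO))
```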
Besides the "OOO" message configuration, we need to beware that our machines can also be "leaky". Below is an instance from the latest Windows 10 release. For those already on this bandwagon, quickly drill into the Privacy settings below. Avoid having your personal details "exposed" to Windows backend services unknowingly. At best, you can take further control by stating up front the level of granularity of your choice (e.g. level 0 for only anonymous data) to indicate what to share with Microsoft.
Not forgetting the latest iPhone iOS 9, where you can further protect yourself by leveraging the existing "new" privacy settings.
As a whole, stay proactive in sharing but do not overdo it; we cannot be 100% "leak-safe". Remember these summed-up principles.
- Be wary of social media scams; they can manipulate your kind empathy to their advantage.
- Be diligent and use some common sense and patience. Always verify beyond doubt and stop upon suspicion.
- Recall and try out the "Protect Myself" 101 principles. Institute a skeptical mindset.
- Have a contingency plan to avoid oversharing online, rather than relying on one means only.
- Remember all of the above.
Make attackers and phishers work harder by not being easy prey or a slave to them. I will be sharing more in my next article on a more specific "anti-doxing" drill for individual safeguard checks too, and will update this article with the link once available.