
Privacy = Security

What is privacy? What is security? Why are both so important?


TOM: Today’s topic of the Deeper Dive Quicklook is “Privacy = Security.” We touched upon this a little bit in last week’s webinar entitled “Why Your Passwords Suck.” In my years of doing this and being in technology and cybersecurity, there’s a big misconception and a lot of myths that we’re going to talk about regarding privacy.

But having said that, the one thing you’ve got to remember is that your personal privacy is a component of security or cybersecurity, and your privacy, both personally and for the company, is a part of that overall security posture and what you guys do to protect your utilities or whatever type of business you have. It’s really the first step.

I’m sure you guys are familiar with me talking about if you only have to buy one thing from us, it’s to get the security training because the human element is where it all breaks down. The vast majority of attacks are caused – I shouldn’t say caused, but they are due to, in most instances, somebody clicking on the wrong link when they shouldn’t have. It’s just ignorance, and I don’t mean that in a bad way. It’s just not knowing what not to do and how to protect your company and yourself. It’s kind of like privacy.

And this doesn’t require technical controls. It doesn’t require anything you need to buy from us. I mean, we can make recommendations and everything, but you don’t really have to spend money. What privacy is, and what good privacy practices are, is just recognizing that you are private. You have information that you keep private. You don’t share it with the whole world, or your neighbors, or even your family. There are things you want to keep private. It’s the fundamentals of having a good security practice in both your personal life and your water utility.

Privacy deals with things like authentication. That means authenticating the person trying to log in to a website or to an accounting software package or billing software package. It has to authenticate you are who you say you are. It has to do with integrity in both not divulging that information – the private stuff – but also reporting when something bad does happen to you. We’ll talk about that in another slide.

But just remember that anything that has been put into a computer, not just online, but even on your personal computer, is – I meant to correct this because I think I screwed the word up, but nothing is truly safe from somebody hacking. Nothing. You can hack air gapped computers. Air gapped computers are those that aren’t connected to anything but electricity. No Bluetooth, no Wi-Fi, no network cable. Even those can be hacked. So once it’s in a computer system, it’s core data that has to be protected. You remember the onions. The core of that onion is what needs to be protected. Your credentials absolutely must be protected, but there’s other things as well.

Let’s take a few looks at some common myths about privacy and security – because remember, privacy is part of security.

“Complex passwords are good enough.” They are a definite improvement over your pet’s name and the year you were born or your child’s name and the year they were born or the university you attended’s mascot or the make and model of your first car. But that’s not good enough. The best complex passwords, if you reuse it, just about makes it useless. But they’re not good enough, and you have to keep everything in mind here.

Another myth I hear commonly is “Only criminals should be concerned about their privacy” or – and this one’s related – “I have nothing to hide, so why not let the government gather my communications to stop terrorism?” Those are both myths, and you do have something to hide. Every single person on this call, every single person you meet, has things that they need to keep private. Your bank account login information. If you think that you don’t have to guard that, just pop it in the chat box or send me a private message with your login information.

Email. You may think that your email is benign, but I’m sure there’s something in there that at least would be embarrassing if it was revealed publicly. There might even be more serious things. But outside of that, emails are used to reset passwords to other websites, commonly without any other authenticating data like the make and model of your first car or your mother’s maiden name.

So everybody has something to hide, and I’ll get to why the terrorism thing is not an adequate reason either on another slide. I don’t want to make this political, but I’ve spent years studying privacy, and it has real-world implications besides the fact that most of us on the planet live in a democracy that protects personal privacy.

Another myth that I commonly hear is “Information leaks are IT problems.” Once again, the human element – your personal privacy practices are not an IT problem. As an IT company, I can help you establish good practices, and we go through these when we do a network assessment. But they’re not IT problems. Remember, these breaches and things like that by far happen because of a con job, human to human con job or a scam, a confidence scheme. Or, in the IT world, it’s called social engineering.

Those are all fancy words for what’s been around for thousands of years, and it’s one person conning the other person to gain an advantage, to get data they wouldn’t have access to, and then to do whatever they will with it. In the case of criminals, it’s to make money; in the case of nation-states, it may be to influence your vote and so on and so forth; to create chaos and havoc with hacktivists. You guys are familiar with the different threat actors there are out there. Those are usually done through con jobs.

And then another myth that I hear is finally, “Maintaining personal security is expensive.” It’s not only not expensive, but it’s actually free. There’s one tool you really need, and there are free versions of it. Not my favorite one, but it doesn’t have to cost anything for you or your company to get really good personal privacy in place – which, being a part of security, will help with that tremendously.

I think I’ve made a pretty good case for personal practices = company security, except think about your own personal security hygiene. What do you do to protect your personal information? Like mother’s maiden name, your Social Security number, your driver’s license, your login information. That is personal security hygiene. Do you reuse passwords? Are there 20 sites that are your email address and your pet’s name plus, I don’t know, your college mascot’s name, and it’s reused? That is bad security hygiene, or bad privacy hygiene.

And for most people, they’re going to take that to their workplace. Now, maybe your workplace enforces a lot better practices. If you view that as a hassle and you hate it and things like that, it affects your personal security and privacy. You need to embrace good security and privacy practices and make it part of your personal life. It’ll work for both of those environments. If you compartmentalize your life with work and school and personal life, you’ve got to start with personal to practice privacy, especially these days.

Google’s #1 way they make money, Facebook’s #1 way they make money, is by selling your information. They are not incentivized to do a good job of protecting it. Now, Google does a better job of protecting it certainly than Facebook, but once again, they make their money from selling your data – what websites you visit, what you’re looking at on Amazon, all these different things. And that data can be used to attack a company through a spear phishing attack. I went to the University of Arkansas, and if somebody says, “Hey, Razorback Alumni!”, they’ve got my attention. It’s social manipulation, social engineering, all of these different things. You’ve got to be a lot more private in your life. This is going to be more important as the decades roll by.

Another thing you’ve got to be mindful of is everyone in your organization, their security hygiene practices – the company’s security posture is only as good as the weakest employee or the weakest network user in that organization. So if all of you are sitting here and nodding your head, “Oh yeah, I know that, Tom,” and everything else, look around your office. There’s Bill over there, there’s Mary over there. Do they practice good security hygiene and privacy hygiene? Do they grumble every single time they’ve got to use multi-factor authentication and their phone is in their purse or out in the car?

Well, there’s a good chance that security awareness needs to be indoctrinated into your workplace where you guys can be a security-first environment. It goes back to authenticity and ethics. This is what we want to do.

Finally, I think that a personal breach – if you get your Facebook account hacked, I really think you should think seriously about not only reporting it to the company or your utility, but if you’re a director of the utility, you might want to consider making that part of your overall security policy or, as many of you know, the administrative controls of having a good secure environment. Because chances are that Facebook breach could reveal that the passwords and those sets of credentials have been used inside the company as well. They don’t have to give you the information that was breached, although that would be helpful. But just the fact that you know that and you can make sure your company is secure is a really good practice.

This is where we’re going to go over last week’s a little bit, but this is “How does my security hygiene affect the company?” Like I’ve mentioned, reused credentials, poor passwords, no system to create secure and unique credentials, and low or no use of multi-factor authentication. As an aside, anyone have any questions, drop them in the Q&A or the chat box. I’d be happy to answer them.

So that’s how it affects it. These are some of the things that affect your company’s security policy by the way you practice your own privacy and security hygiene.

What are the solutions? Same as last week. You never use the same credential set on multiple websites. You also don’t share credentials with colleagues, friends, or family. If they need access to something, create them a unique set of credentials. Actually, you need to back up one step: why do they need access? And then what kind of access do they have to have? Do they really need administrator access? No, in most cases not. So if everyone on your computer network has administrator privileges, congratulations, you are ripe for a ransomware infection that will infect every single computer on your network. That’s administrative controls. That doesn’t cost anything to prevent.

Don’t use poor passwords. All these Facebook questions, I’m simply amazed. They go, “Let’s do” – I don’t know what they call it – trivia or something like that. “What was the make and model of your first car? What’s your favorite song? What’s your favorite artist? Who’s your favorite president? What was your high school mascot?” Isn’t it funny how those are the same things when a website’s trying to verify your identity or authenticate your identity, they ask you some of those same security questions? You have to protect yourself privately by not putting that out there. That’s just smart business. And if you’re not doing that in your personal life, you’re probably not going to do it in the company, either.

You need to use a password manager. For those of you that feel like whatever it is, $12 a year or $20 a year for 1Password is too expensive, LastPass is free. It does a good job. I just happen to prefer 1Password. We’ve got an affiliate program with them where we get a tiny bit of revenue. Nothing for me to get excited about, but it just works better than LastPass. And I used LastPass for years, so I kind of know what I’m talking about on that.

But use LastPass. It works pretty good. It’s not bad. It’s very, very safe and effective, and it will encourage you to not only create unique credentials for every website, but you’ll get to the point where you won’t even care what your password is. It kind of takes that hassle thing out of it if you’ll just invest a little time in learning how a password manager works. And they all have great videos and everything else that you can look up and grasp it pretty quickly. If you do it for a week and practice good security and privacy controls for a week, that’s really about all it takes.

Finally, use MFA wherever possible. That stands for multi-factor authentication. Like last week, these are 3 that are common. Google Authenticator – so far, anything that I’ve come across that tells you to use Google Authenticator, it will work with all the other MFA tools out there. The exception being some of the more – the ones like RSA, and there’s another one. But Authy, Authenticator, 1Password can actually do MFAs. They’re all Google Authenticator compatible.

And then Duo, same thing. It’s Google Authenticator compatible, but it also has push authentication. You only have to press OK on your phone if the website or application supports it. We are a partner of Duo, and we put that on every single remote desktop access. So if you’re a client of ours, you access that desktop remotely, you have to use Duo in order to do that. Feel free to give us a call and we can go over some of that with you and explain why you should be doing that. We feel so strongly about it that we do not let our clients remote access without buying Duo. Or at the very least, get some other MFA on there. They don’t have to buy it from us, but we only support Duo. And it’s really easy to use. I don’t even know why you’d use anything else.

So now, once again, just as a reminder – I don’t know who was on last week and this week, but if you go to this website – write it down. As always, I know you have your note-taking notepad in front of you. Haveibeenpwned.com without the “a.” You can search your email to see if it’s been part of a breach. These attendees and what it reported were attendees from the last session that I went through haveibeenpwned with their email addresses. This is public. You can do your family and everybody else. It’s no big deal. Lots of services do this. I think 1Password has started checking now and letting you know if you’ve had a breach on any set of credentials.

But anyway, haveibeenpwned.com. That’ll get you there. Punch your email address in there and see if that’s a part of a dataset. It’ll tell you if the password was collected or other personally identifiable information, like your mother’s maiden name, your favorite artist, your favorite song, and so forth.

If you’ve got any questions, right now is the time to ask. Or you can always fire off an email or give us a ring. We’d be happy to address any of those. We’ve got a free high-level network assessment for any utility out there that would like to get a ballpark of what we’re looking at, to see if every time I use the word “affordable” or “inexpensive,” you can put that relative to what you think is affordable and inexpensive. But at the very least, you’ll have a better idea for when you’re doing your risk assessment for AWIA or just doing the right thing for your utility. You’ve got to know where your risks are. A captain has to know the condition of his ship at all times, for all threats.

We’ll be happy to do that for you at no charge. Just give us a ring. We can set up an appointment and get down to it. We also still have 30-day free trials on our security awareness training, which I have beat the horse to death – but if you do nothing else but get security awareness training, your utility will be so much better protected.

That’s my last slide. We’re ending a little early today. You know, when I was doing the research for this, I was really having a lot of trouble with finding research on privacy versus security. It’s really a problem. I think we might do some more on this and get into the meat of it.

Oh, I forgot about the – I did make a reference and I thought it was in a later slide, but without getting political – and the terrorism aspect of it. A lot of people, if you do a knee-jerk reaction, the San Bernardino terrorism attack where the couple killed all these people in a government office of some sort. The FBI wanted Apple to help them break into the phones. On the surface, that sounds like, “Why would they not do that?”

Well, first of all, Apple could not do it. They would have to create a way to get in there. You really have to put a lot of thought into it. I probably shouldn’t have even brought this up, but what it goes down to – and feel free to google this, but long story short – we’ll add this to the next one when we talk about privacy, because it affects all of us. It requires reflection and thinking about it and things like that.

But had they cracked the phone or given the FBI a crack for it, that would’ve been the end of everybody’s privacy and security when they’re using their phone. And remember, everyone has something to hide. Also, remember that the NSA itself has been hacked. Once that ability has been created, it’s going to fall into criminal or nation-state threat actors, and it will be used against you. So it’s a greater good thing.

And we have to remember that these crimes have been committed for thousands of years, long before the invention of a smartphone. I don’t want to get into a debate about this; I just want you to think about your own beliefs. Keep an open mind, because privacy is – there’s a lot of aspects to it, and if you truly want to live in a free country, in a free society, you have to guard that.

I did get on a soapbox, didn’t I, Kindsey?

KINDSEY: Just a little bit. [laughs]

TOM: Just a little bit. I’m trying to – I know that everybody here is going to knee-jerk and disagree with that and all, but I have spent a lot of thought about it. Yeah, I did get on a soapbox.

Just practice good personal security hygiene and privacy hygiene for yourself, and it’ll transfer to your company. And that’s to protect you. You can take my whole free speech argument out of that if you’d like, or my Fourth Amendment, or the Fifth Amendment thing out of it. Just think about what happens if your Facebook account gets breached. Are those credentials used anywhere else, or what impact does that have on me and my company that I work for? Just forget I ever said anything about the politics thing. Just know that that’s the foundation of good security, is remaining private with a lot of stuff. And it’s hard for people like me. I think it’s hard for everybody. You don’t want to be that person, right?

Any questions, comments? Questions or comments, Kindsey?

KINDSEY: Doesn’t look like we have any.

TOM: I must give all of the perfect information every time.

KINDSEY: I think so. [laughs]

TOM: Well, I’m going to pretend that’s true, anyway. All right, Matt’s going to talk about…

KINDSEY: Cyber insurance versus cybersecurity.

TOM: Right. That’s next Tuesday at 2 p.m. Central. Thank you, everyone, for being here. Register up for next week’s or the whole series. We’ve got a bunch more to come. Thanks for your time.