Defend Your Data

Jason Chin - Interactive Technology Director

 


Never before in history has their been a war like this waged against your digital privacy and your data.  Our world is infested with hackers, identity thieves, malware, rogue States and draconian anti-privacy laws not to mention fires, floods and other natural disasters.

For a lot of people it is imperative that Confidentiality is maintained, the Integrity of the data remains pure, and most importantly the data remains available when needed.

With all that is happening, it is difficult for most people to first grasp what is happening, understand what the dangers are, then most importantly know what steps to take to defend themselves against the onslaught.

As an IT professional with over 22 years of experience in helping clients find solutions for their data, I will attempt to offer you some relevant advice on some things you can do to protect yourself.

The 'Air Gap' Method

If you are someone who is responsible for maintaining a high level of confidentiality with your data or you simply want the absolute safest method to protect your data, then this is it.  This method requires effort and organization, but physically ensures your data will not fall into the wrong hands.

In this context, 'Air Gap' means that you put physical 'air' between your data and the internet.  This means physically moving your data to removable media or fully encrypted hard drive(s) that are stored offline in a box inside your best friend's attic somewhere.

Passwords and Password Storage

In this day and age, passwords are the physical keys that decide whether someone has access to your data or not.  Running that fine line between choosing super strong passwords and remembering them are a common problem, but I have a neat solution for you.

When selecting a password, try using a 'phrase' of at least 15 characters that you can remember instead of a single word - and use a different phrase for each website if you can.
To ensure you never forget it, acquire an old Blackberry phone, take the SIM card out and store your passwords in there. (You can usually find one on your favorite classifieds or online auction website).  Since these old phones won't have any access to the internet, you can rest assured that your passwords are safely stored.

One other thing with securing your passwords:  Avoid using wireless keyboards.  Understand that If a device has a radio in it, then it can be potentially listened to by unwanted folks.

Computer/Device Encryption

It is always a good idea to fully encrypt your computer's hard drive or your device with full encryption with a password of at least 15 characters.  All Apple iOS and Android devices come with it enabled, but others you will need to enable it yourself.

If you use Windows, the whole disk encrpytion is called "Bitlocker", or Apple it's called "FileVault".  You will have to enable it manually.

'Whole Disk' or 'Whole Device' encryption makes it extremely difficult for anyone including law enforcement to get access to your data without your permission. Even Apple and Google claim that they themselves have no way of unlocking your device when encryption is enabled.

While we still must take everything they say with a grain of salt, it is always a good idea to enable the feature.

They key to encryption is the password.  Use a very strong password.

If you encrypt it with a 4-digit password, it will not take much effort for the hackers to break in.  If you use a 15-character however, it would theoretically take them years to break in.

Secure Your Internet Traffic

Whether you are checking your email, browsing the internet, or using your favourite app you are actually sending and receiving millions of personalized bytes of data back and forth every minute - and that is just how it has to be.  If you are travelling abroad, or using a Public WiFi connection then this becomes even more important.

The question becomes, how do I block everyone else from seeing this data?  The answer is encryption and how much of it to use.

To help understand how your physical internet connection works, I will try and illustrate it using the following word diagram of you sending an email to someone overseas using your smart phone:

YOU SEND EMAIL > WIFI > YOUR ISP > ? > GMAIL

When you enter in your password on a website, or send an email, the data that you send goes through a myriad of connection points any of which can be compromised by a hacker at any given time.  We have to assume that a hacker will have access to the physical bytes of data.  Our challenge is to make those bytes so unreadable that it would take way too much effort for the hacker to understand it.

Option A: Use SSL Protocols (TLS for Email / SSL for Websites)

If you are one of those people who don't completely understand how this works, that's okay.  There's a lot of us.  To summarize, encryption protocols typically provide a way for you to know absolutely that the website or email provider that you are connecting to is actually who they say they are while allowing the transmission of data to be fully encrypted.

Here's the diagram of you sending an email with encryption:

Without VPN:
YOU SEND EMAIL > WIFI > ISP > SSL HANDSHAKE > GMAIL
In this diagram, it is arguably possible for WIFI or ISP to listen in on the SSL handshake between you and GMail where the keys that will be used are agreed upon.

With VPN:
YOU SEND EMAIL > VPN > GMAIL
As you can see, you have theoretically removed all of the attack vectors for people to snoop on your data.  Because you are using VPN, even the SSL handshake is obscured from WiFi and the ISP.


Option B: Use a Virtual Private Network (VPN)

A VPN ensures that no matter what information gets transmitted or received that it will be encrypted substantially based on how secure the VPN is.  Here is how your traffic looks now:

YOU SEND EMAIL > VPN > ? > GMAIL

As you can see you just eliminated a whole bunch of possible attack vectors that a hacker could use to snoop on your data.  While your email send is not 100% secure, you have just improved it immensely.  This is an especially valuable method if you are in a country where you have concerns that anti-privacy laws may allow law enforcement to steal your data.

Note:  If you run a company and it is common for your employees to travel abroad, I highly recommend providing them with a VPN service and instituting a policy where it must be used at all times when using a device that routinely connects to company servers.


THE CLOUD

One of the great advantages of storing your data in the cloud is that it is exceptionally convenient and means you don't ever have to worry about backing up your data.  These advantages come with a great caveat however.  Your data is only a correctly guessed password or hack away from being given into the wrong hands.

There are quite a few solid providers for cloud storage these days, so one option to mitigate any risks is to divide up your data among cloud storage providers.  You can create a system based on type of document, or type of data or whatever you wish to keep yourself organized.  The idea would be to avoid "putting all your eggs in one basket".

However, there are some nice open-source alternatives to trusting mega-corporations with your data.  Products like Owncloud or Syncthing can provide seemingly the same level of convenience while keeping your data stored on systems you already own.  As with anything there are risks with these as you will need to ensure your software is kept up to date on a regular basis.

Be Aware of the Physical Location of Your Data

Thanks to the Edward Snowden revelations in 2013, the knowledge surrounding intelligence activities has shone a light on the importance of each individual's privacy.  Each country maintains their own laws and standards on what 'privacy' actually means so it is important to understand where your data is physically located.

Countries such as the US have been traditionally been known as a safe place for privacy, but unfortunately these days it is regarded as one of the worst.

It is highly recommended that you do your research and find out which country is most desirable for you to store your data when using Cloud services.


In Summary

I have doubts that there will ever be a 'Eureka' moment when we can just sit back and relax and know that our data is safe.  We must remain vigilant against the countless enemies that are out there prowling in wait to get at your precious jewels - your data.

Keep yourself informed of the latest threats and be constantly evaluating how and where they can affect you.