To understand how secure you are and what kinds of methods you should use to protect yourself, you could for example create a security plan for yourself. In such a plan you should assess what kind of information you have in electronic form and how you would want to protect it.
Define the asset you want to protect.
Assess the risk to understand the level of protection needed (confidentiality, integrity, availability).
Think about defence in depth and add protections.
A generally good way to think about security is to use the CIA triad we learned about in the first chapter of the course. The CIA triad consists of three sides of the same issue:
To get a feel for security-conscious thinking, let’s look at an example:
Tina uses Google Mail as her main email service. She uses her @gmail.com address to register to most other services she uses.
Let’s first think what the asset actually is.
It contains all of her personal email.
It can be used for identity theft and impersonating her online.
It contains personal information from all kinds of services, addresses, phone numbers, possibly social security numbers and even credit card information.
It can be used as a recovery email for most of the accounts she uses.
As you can see, the email address is not just an email address but it can be a lot more. How would you define the risk for this account? What kinds of protection should be used for it?
You probably assessed that the risk for the loss of the account is high. Good, now let’s think about what we can do to protect the account from abuse.
The password she uses should have a lot of entropy, so she needs to use a long password.
The password should not be stored anywhere in plain text.
Google accounts allow the use of multi-factor authentication, which adds an additional layer of security for the account.
There are multiple ways to approach security in Tina’s case. But how can we best balance security versus usability? How does she access the email?
A reasonably good way to protect the account is to use a long password of at least 15 characters. It can be memorised or stored in a password manager or on a piece of paper in a safe. Multi-factor authentication can be enabled, and with Google’s services you can use their Google app as an additional token. That’s more secure than using SMS and doesn’t require anything else besides having the Google app for authentication.
However, if Tina uses her mobile phone’s email application, the email is as secure as the access to her phone. So, if her phone is stolen and the attacker knows her PIN code, the account can be abused in multiple ways. To mitigate the misuse of her email account, she could use the account only via a browser and always log out after using the account. This is a huge hit on usability and she might be better off not sharing her PIN code with anyone. It’s up to you to decide how you approach this issue of usability versus security.
If Tina uses her phone as a multi-factor token, she really should enable backups for her phone to quickly get back her access in case her phone is broken or lost. It’s essential to have other means of accessing the account in addition to your phone. Most sites that offer multi-factor authentication provide you with backup codes in case your token is lost. These single-use tokens can be used to recover your account if you can’t access your token software or device anymore. Backups protect the Availability part of the CIA triad. If your hard drive breaks down and you don’t have an up-to-date backup, the Availability of the data is non-existent.
Google provides a service called Google Advanced Protection which only allows logging in to your Google account with hardware security tokens or using the Google Smart Lock app.
We’re not done yet though, as we also need to think about the system Tina uses to access the account. All software updates should be installed to make sure that no known vulnerabilities exist in the operating system or the software Tina is using. She should also make sure she is running a virus scanner with up-to-date virus definitions.
Tina should additionally make a habit of assessing what kind of network she is using to access her email account. If connecting to a public wireless network she can protect the network traffic by using VPN software.
Nick Rosener has written a really good blog post on his own approach to personal cybersecurity.
If you’re not using Google services, don’t worry. Most other services offer similar levels of security options for you. In the same way, most of the software solutions mentioned during this course have alternatives that might work better for you.
Ultimately it is up to you to decide how much security you want, but the point is that the decision should be an informed decision, not just the first possible one.
To recap, Tina's email account is a very important asset as it is high-risk for her if she should lose access to it or if an attacker should gain access to its contents. She should use a defence-in-depth approach to layer security measures using the three items in the CIA triad:
Confidentiality: Strong passwords, encryption while data is in transit, multi-factor-authentication.
Integrity: Only Tina should have access to the account and she should not share her account details.
Availability: Back up the data that allows access to the account.
After completing chapter 4, you should be able to:
get a basic understanding of how networks work
understand the importance of a secure connection and how encryption is an important step in this
understand how devices and hardware interact with network security issues
explain the basics of how to secure your devices and hardware