The Busy Executive’s Guide to Personal Information Security

Congratulations. As an executive you are the favorite target of ne’er-do-wells across the world. They will spoof email messages to staff and business partners in your name. They will try to hack your corporate account, your bank account, your email account, and your phone. In addition to hundreds of messages per week from semi-legitimate vendors who want to sell you their most recent search engine optimization snake-oil you will also get a variety of Word documents, PDF files, and PowerPoint presentations, most of which are laden with malware.

If this sounds depressing, it is. It is the world of Information Security. There are ways to protect yourself, however. This document will tell you the most important things you can do.

1. Patch Your Stuff!

The first thing you need to do is to patch. Software and hardware vendors provide regular security updates to fix security bugs. Or, rather, the reputable ones do. The first step is to use devices and software that provide timely and reliable security patch support. 

Microsoft provides security updates for 18 months, but after that you must upgrade to one of the new semi-annual releases. Apple’s policy typically includes full operating system updates free of charge for any hardware that has been manufactured within the past five years and security updates for two years for MacOS. We strongly recommend you set up automatic updates on Windows as well as Apple devices. If Windows is your platform of choice, you must also get hardware updates from the provider of your hardware. Their support commitment varies, however, so use a reputable vendor. With Apple those are included in MacOS. 

Apple provides security updates for iPhones and iPads for 5 years. Samsung and Google provide monthly patches for three years from the date the device was released; however, Samsung patches are often delayed. E.g., a recent critical issue in Android (CVE-2019-11516) was patched in Google devices on August 5, 2019, while the patch was not available on Samsung devices until September 4, 2019. For this reason, we do not recommend Samsung phones. Support for nearly all other Android phones is very sketchy, and often non-existent, and we recommend staying away from ones that lack a security support commitment. 

If you do not need a computer, we recommend an iPad or a Chromebook made by Google instead. Both are less complex and less vulnerable. The iPad gets the same support as the iPhone, while Google’s Chromebooks get support similar to Google Pixel phones (described above). Both automatically update virtually all their features, reducing the cognitive workload of management.

Don’t forget to update all the other things you have that run software. This ranges from your car to your TV and your lightbulbs. Generally, we recommend simplifying things and using fewer well-supported products. You also have to update all the other software on your devices, including browsers, mail software, etc. 

2. Get Rid Of Things You Don’t Need

You don’t have to update things you don’t have. Start by uninstalling Adobe Flash. You don’t need it. Nobody does. It is mostly just useful as a malware distribution vehicle. You very likely also do not need Adobe Reader (née Acrobat). It is also a common vector for vulnerabilities.

If Windows is your platform of choice, your computer probably came pre-installed with 15 or so WildTangent games, a couple of different trials of anti-virus software, three trials of various firewalls, and about thirty other programs of unclear provenance. None of these are supported by anyone. None will get patches. All have bugs and security vulnerabilities. Get rid of all of them. Then go to the Windows Security Center and turn on Windows Defender Anti-Virus and the Windows Firewall. It’s all you really need. 

Macs come with far fewer bits of crapware, but if you do not need them, you can get rid of things like Garage Band, iMovie, and Apple’s productivity suite (Keynote, Pages, Numbers…).

Most modern browsers support some form of add-ins or extensions. Most of our computing is in a browser today, and most of these add-ins have access to everything that you can do or see in the browser. If you visit your credit card company’s site, an extension can see the password as you enter it and the balances as they are displayed. If you go to your bank, a browser extension can submit a funds transfer on your behalf. Browser extensions are a common malware vector because the vetting performed on them by the browser manufacturers is often minimal. Even if the browser extensions are not malicious in and of themselves, they present an attack surface that malicious websites can take advantage of. For this reason, we strongly recommend that you do not install browser extensions you do not absolutely need. This means you have to make hard choices. For instance, at one point 8 of the 18 most popular ad-blocker extensions were actually outright malware. The other 10 all had security vulnerabilities of varying severities. Is blocking ads really important enough to risk exposing your data and the company’s? Most of the ad-borne malware uses Adobe Flash, so if you get rid of that, you are relatively well protected already.

3. Get a Password Manager

At some point someone has probably told you that you must change your password every 90 days, it must be unique, it must be complex, and you must not under any circumstances write it down.

Most of that advice is abject crap. Most of us have between 150 and 400 online accounts. If you follow this advice you will generate three passwords per day and try to memorize them all. 

The smart busy exec gets a password manager to do this for them. Good options include 1Password, LastPass, and Dashlane. All work across all devices. Let them generate and store your passwords for you. You can even share passwords with your family and your closest associates, if they need access to the same accounts. 

If you choose, you may use a browser extension to auto-fill passwords for you. The mobile apps will also typically fill passwords for you, so you should never need to type them again.

4. Two-Factor Authentication

When you type a password you are presenting an authenticator. Authenticators come in three flavors: something you know, something you have, and something you are. Passwords are something you know, but they suffer from several significant weaknesses. This is why you should use more than one authenticator: multi-factor authentication (MFA), also known as two-factor authentication (2FA or TFA) and two-step verification (2SV).

Use 2FA everywhere you can!

Any form of 2FA is better than none. If a provider supports only one, use it. However, if a choice is given, there are several options, ordered here from weakest to strongest:

  • SMS or text message codes - This is where the service provider text messages you a code that you then transcribe as part of the authentication. It has several weaknesses, not least that mobile phone providers have a spotty track record of keeping bad guys from compromising their customers’ accounts.

  • Email codes - these are identical to text message codes, but are sent via email instead.

  • Approval-mode - Some services push an approval request to your mobile phone or another device, asking you to approve each sign-in. If you use Okta, Duo, or Ping at your company you have seen this option. It is also supported for Google accounts through the Google app, and for Microsoft accounts through the Microsoft Authenticator app. Just make sure you don’t click “approve” accidentally. 

  • One-time Password Generators - One-time passwords (OTP), most commonly time-based one-time passwords (TOTP), are 6-8 digit codes that are generated by an app or a device you have, such as Google Authenticator or Microsoft Authenticator. 1Password includes a TOTP generator that is stored as part of your encrypted vault in the 1Password service. This means the codes sync to all your devices, a feature that no other app has.

  • Hardware tokens - The most secure, but also least convenient, form of 2FA. The most common tokens, such as the YubiKey, support the Universal Second Factor (U2F) or FIDO2 protocols. To authenticate you use your username and password, then insert or tap your token to complete the authentication. Note that this option does not work with all devices and all applications.

Most importantly, use strong 2FA on all accounts on your company’s own services, and any public social media services. Recently, Jack Dorsey (Twitter CEO) had his Twitter account compromised because he used weak authentication. Don’t be Jack.

5. Lie About The City You Were Born In

A lot of services now require you to answer “security” questions to have a mechanism to recover your accounts. Do not be fooled. Security questions degrade your security. They do not improve it. If your company provides services that have security questions, please stop. You are actively harming your customers’ security. Instead of having to guess your strong 16-character random password and get your phone company to activate your phone number on their phone, all the bad guys need to do is go to your Facebook page, learn that you were born in Cedar Falls, and now they are in your account. 

If you can avoid answering “security” questions, do. If you can go to a different service provider, do. If you cannot, lie about the answer. Use your password manager to generate a random password, and store it in the Notes section of the password entry. If you ever need it, you have it there. Just keep in mind that many providers require you to read your “security” question to phone support representatives, so you may want to keep profanity to a minimum and make sure you can read them out loud.

6. Don’t Have Access to Things You Do Not Need

It is always tempting for the boss to have access to everything in the company. But, be honest. What do you do these days? Do you spend a lot of time walking unescorted through data centers, or looking through the databases that store credit cards? We didn’t think so. You attend meetings. And do email. You do not need access to every building and every wiring closet in the company. People come to you! As we said at the beginning, you are an attractive target. But, you can’t leak things you don’t have access to. Ask your staff to revoke access to everything you don’t need access to on a day-to-day basis. 

7. Teach Everyone To Verify What You Ask For

It’s very common for fraudsters to spoof email messages from senior executives and business partners to lower-level staff members and demand money or other things from those recipients. Would your payroll staff redirect your payroll to a new account at a different bank based on an email (they think) you sent? Unfortunately, the answer is all too often yes. Teach your immediate staff to make sure they verify requests like this from you, and make sure your security group trains everyone else.

8. Back Up Your Things

Having a backup of all your data protects you if you get attacked. Make sure the backup is protected with 2FA. A good option is to use either Google Drive or Apple iCloud to back up everything in your Documents. 

9. Anti-Virus

If you’ve read this far, you have probably noticed that we haven’t talked about anti-virus yet. That’s because anti-virus really isn’t all that useful any longer. Most anti-virus is just looking for known bad stuff. It’s routine to develop unique malware these days, and it’s especially common when you are trying to attack a specific executive. Nevertheless, using the built-in anti-virus in Windows and MacOS is a good idea. 

10. Don’t Forget Your Family

Your family is a target just as much as you are. Please make sure they exercise similar security practices. Also make sure you know how to reach them and how to verify that you are actually talking to them, especially via email.

11. Special Tips While Traveling

Travel is unfortunately a regular occurrence for executives. Domestic travel is usually pretty straightforward, but when you traverse borders, a lot of the usual rules no longer apply. For instance, almost any customs or immigration agent anywhere in the world has a right to demand that you provide them with access to your computer, your phone, and any passwords for any service. The same is true for regular police officers in some parts of the world. Your options for refusing to comply are rather limited. You should plan for the eventuality where you are forced to provide access to your computer to a border agent, and make sure that any data and services they gain access to are minimized. 

Travel to certain countries also comes with additional risks. If you are in China, for instance, you may discover that you have a new Chinese best friend who is keen to show you around. That would be your government handler who’s assigned to supervise you and gather any data they can about you. You will also find that your cell phone is now full of Chinese text messages. These are advertisements. You are getting them because fraudsters bribed phone company employees to intercept all phone numbers registering with the phone companies and sell them the list. They could just as easily intercept and sell your SMS one-time authentication codes. This applies to other countries, such as Vietnam, as well.

While you may be asked to provide a Chinese government agent access to your computer, it is more common that they just go into your hotel room when you are not there to access it. The agents also have access to your hotel safe, so keeping your computer in the safe is not, well, safe. The safest place for it is at home. 

We recommend traveling to China with only a fully patched iPhone and iPad. Turn off automatic backups before you go. When you return, restore the device to factory settings, change the master password of your password manager, and reinstall from a backup you made before you left.

Summary

Congratulations, you are part of one of the most targeted groups of people on the planet. Everyone from hucksters to government agents is interested in your data and your technology. Fortunately, you can take steps to protect yourself. If you just make these steps part of your regular daily routine, you will find that they are not that onerous after all. 
