In the fourth part in the series we’ll look at the confidentiality of your data, the implications of it not being secure and how you can go about making sure that it is. To understand how to protect your data, you need to understand the situations in which your data needs to be protected.
Your data can be at rest or in transit. Data is in transit when it is being transferred from one device to another over a network, an example of which is your financial information transiting the internet whenever you login to your online banking and view a statement. What is stopping someone from intercepting the data your bank is sending you?
Data is at rest when the data is residing on storage media, an example of which is the photos stored on your phone. What is stopping someone from accessing your phone and scraping all the private data from it?
Perhaps the most common way for people to lose the confidentiality of their data is through unauthorised access of the physical device containing the data. In order to protect the data stored on your devices, you should encrypt the devices storage.
This can be done on several levels, with the most effective being full disk encryption. This is built into nearly every operating system: Windows (Bitlocker), MacOS (FileVault), Linux, Android and iOS all have options to enable this from the settings menus.
But be careful! If you encrypt your device and you don’t have the password or recovery key, you will not be able to retrieve your data.
Your devices are not the only place your data is stored. Online services make up a large proportion of people’s personal data. Your social media accounts and online banking alone could give someone enough information to steal your identity.
Access to your email could allow someone to reset passwords for the 118 online accounts the average person in the UK has. Make sure your passwords are different from one another and sufficiently complex that they cannot be guessed.
Organised online criminals can use clusters of computers to make hundreds of billions of guesses per second, so complexity is important. Make sure your password uses a combination of upper-case and lower-case letters, numbers and symbols, and is over 12 characters long.
Try not to contain common words, or if you do then obfuscate them. If you are struggling to remember all of these new passwords, you’re not alone. The average email inbox has 37 forgotten password emails in their inbox.
Try using a password manager (there are a number available, often free) to manage all your credentials.
The lifetime of our devices is becoming shorter and shorter. When you’re finished with a device it tends to be either thrown in a drawer or flogged on eBay. Some make it their full-time job to buy cheap used devices and extract the valuable “deleted” data from them.
When you delete a file all you are doing is deleting a reference to that file’s location on your storage media. The file itself still exists in that location. Secure deletion is the process of writing over each bit on the storage media until there is none of the original data left, making it truly unreadable.
If you are getting rid of a device like a laptop or desktop computer, run a utility to write over each bit multiple times, enough to protect your data from most threats. If your data is particularly sensitive make sure the application you use follows the US Department of Defence 5220.22-M data wiping standard.
Securing your data whilst it is in transit may seem like a more complex task but there are many ways that service providers and website hosts are already trying to protect your data. Traditionally, websites have been delivered using HTTP.
If your data were to be intercepted using HTTP, everything send to or by you would be in plain-text for anyone to read. SSL or TLS (HTTPS) allows the website’s server to encrypt the content that is sent between the servers, leaving intercepted data completely unreadable, and thereby protecting your confidentiality.
The problem with adding encryption at the host-layers is that information like the source and destination of your request must still be in plain-text, so anyone can see who you are talking to, just not what you are saying.
To protect the source and destination information, encryption must be implemented at the link or network layer. For individuals the best solution is to use a VPN (virtual private network) anonymisation service which allows you to appear to be part of the VPN providers’ network by creating an encrypted tunnel between your device and their VPN server.
By implementing these basic controls, you are at least making a start on keeping your data secure.
What we all need to be mindful of at all times when using our devices is knowing exactly where our data is, who might be able to see it and what you are actively doing about stopping any unwelcome access to it.
In the final part of the series we’ll take a look at how you can keep your data safe from destruction by third parties.
Daniel B Brown is a security consultant at FarrPoint.