Monday, May 25, 2020

Information Security for Dummies


We all know the importance of keeping our passwords safe, changing them regularly, and using a password complexity that is commensurate with the information being secured, but are there other considerations worth keeping in mind in terms of password security in particular?

As a way to illustrate the inherent dangers of the “weakest link” in terms of security, let’s look at how we might skip trace a particular individual. Suppose we are seeking to take collection action against a John Smith, but we’re not immediately able to locate him. What are some techniques or methods to use from the office? Assuming the phone number is bad, have we nonetheless done an internet search of the phone? Just because the phone may be disconnected doesn’t mean that it’s totally useless information. The person, for example, might have used the phone number in conjunction with a Craigslist posting in which he also used his e-mail address. By searching for the phone number (within quotes) in Google, you might track down his e-mail address. By repeating this search technique on the e-mail, you might find additional information—from want ads to message boards. Each piece of information can be taken and utilized to drill down further in the specificity of the particular search. This brings you closer to your goal.

Likewise with password security, it’s entirely possible to take one set of information or data points, drill down, and extrapolate to a wider potential field. Why should we be concerned about this kind of thing? Well, suppose we have an accounting firm executive with login credentials on his business phone for one particularly important client, and he has relied upon an obscenely simple login to safeguard a large online treasure trove of confidential payroll information. Not believing he’ll ever lose his phone, he has also referenced the names of other clients on his business phone.

After an exciting auditor calculator unveiling party, the inebriated executive manages to leave his phone behind in the bar, and someone snatches it. The phone is successfully hacked, and the login information for the payroll database is soon found and utilized. Using the other cookie crumbs of information, it occurs to the hacker that the other client accounts may also be relying upon insanely stupid password security measures. With a little trial and error and creativity, the hacker might be able to access other databases by using the executive’s stolen information as a kind of template or guidepost for his attack. In other words, one piece of information can suggest another, and so on.

This is why password security needs to be more than a linear concern. One piece of compromised information becomes a potential roadmap to other improperly secured data. All it takes is for one weak link to be shattered, and the security of a larger cache of confidential data is potentially placed at much greater risk, especially if the business is sloppy in safeguarding client information.

Lastly, whether you use Google Docs at the office or not, it’s suggested you pay particularly close attention when accessing Google Docs sent to you by customers and clients. In a related vein, it’s highly advised that you avoid using your personal Google profile at the office. Worst case scenario, you could inadvertently grant individuals outside your organization access to view your (office) Google Docs collection, or you could accidentally merge office and personal documents in the same account. Not good. One way to make Google Docs safer is to enable two-factor authentication.
