Tuesday, May 7, 2013

Being a “Paranoid” in a Social World

As the one responsible for LAN security in a major technology company, I am paid to be paranoid. As one that has been involved in security threat research for over a decade, I know there is good reason to be paranoid. In fact, I dealt first-hand with a case of credit card fraud a couple of months ago. Computer threats have evolved from pranks for attention a decade or two ago, to a major business that by one account is more lucrative than illegal drugs. At the same time, our lives are more Internet-connected (and accessible to bad guys) now than ever before – smartphones, tablets, game consoles, DVRs, home security systems, even household appliances and cars have network connections. A smartphone and a free app can become a credit card skimmer. Bots can troll Twitter to harvest phone numbers, bank card numbers, and phone PINs. One "vendor" even advertises a fraud service right in the open on Facebook.It’s enough to make a paranoid want to duck and cover, isn’t it?

Well, not exactly. Security is about understanding and managing risk, not fearing it or running from it. As a matter of fact, much of life is an exercise in managing risk. I drive a car though I know there is a risk of being injured in a collision. I ride roller coasters though I know there is a risk the ride has not been properly maintained. I eat at restaurants though I have no way of being certain the food was prepared properly or the kitchen kept sanitary. I risk snakebite when I walk around my rural backyard. I risk a lightning strike when I watch the fantastic power of a thunderstorm. I risk being rejected when I invite a family to Awana. I risk spraining my ankle (again) when I play basketball. I risk being stung by a jellyfish (again) or bitten by a shark or pulled away by a rip current when I swim at the beach. This week I am building a zip line from which I will risk falling.

These risks have varying degrees of likelihood, and some clearly have more dire consequences than others, but the point is in almost everything we do, we make choices as to risk. Professional risk management people say there are three basic ways to address a risk. Acknowledge and accept the risk (I know there is a chance of getting hurt on a zip line, but it’s so much fun that the risk is worth it). Transfer the risk (I know I could get injured, or have financial liability, in the event of a car wreck, so I pay an insurance company to take that risk for me). Or take some action to reduce the risk (learn to swim parallel to the beach to escape a rip tide; wear sturdy workboots and avoid spots where rattlesnakes are known to hide).

Technology changes rapidly, never more so than in the last few years. In many cases, new technology brings incredible convenience. 20 years ago if I wanted to order something not readily available from a local retailer, I had to find a catalog or call a vendor, figure out what specific product to order, send a check, wait for the payment to be verified, and wait for the product to be delivered. Now I can search Amazon.com, place an order online, and have something delivered by the end of the day. 10 years ago communicating with a team I coached, or a ministry I served, meant lots of phone calls or letters sent home (most likely to be discarded without ever being read). Today I can set up a Facebook group and a group texting app, and keep in touch amazingly easily. What’s more, when a student or clubber is missing, I can check the parent’s Facebook status and see if I should send a get-well-soon card, or cheer them on at a contest, or wish them safe travels.

All this comes with some risks to understand though – and once understood, I can decide whether to accept, transfer, or mitigate the risks. A few basic tenets:
  • The Internet was designed first and foremost communicate, not to maintain privacy. Granted in a controlled situation there are ways to communicate securely without fear of eavesdropping (encrypted email works great, as long as both parties have the technical prowess to set up encryption, and SSL / HTTPS is pretty robust as long as you can be sure no one has intercepted the data before it entered the SSL channel). These cases aside, expect that anything you share will be made public, including to the one that you would be mortified to have read it. If you don’t want your spouse / boss / business partner / mom / student / etc. to read something, don’t post it online.
  • Bad guys are often lazy. They will go after the easy target. If you keep up-to-date with software patches, use an anti-virus program with frequently-updated signatures, use a firewall, and use web proxy filtering software, you can move yourself out of the easy-prey category and increase the chances they will move on to someone else.
  • Bad guys are also very creative, and very motivated. Assume that at some point, a malicious piece of software will find its way onto any computing device that you use on the Internet, and then take appropriate action to minimize the damage when it happens. Specifically, separate any sensitive activity (be it banking, email, social media, etc. – you are the best judge of what is important to you) from web browsing.
The last point is why I have yet to adopt any of the banking apps available for my smartphone. As convenient as it would be to deposit a check by snapping a picture of it, or to log in to my brokerage account from my mobile to make a trade, I have not yet found a solid and convenient way to separate sensitive and non-sensitive behavior on one smartphone. That does not mean that I shun all technology though. It simply means that I have not found an adequate way to transfer or mitigate the risk, and I judge the risk as too high to accept it, so I do not take on that specific risky activity.

That in a nutshell is how I avoid pulling my hair out as a paranoid in a highly-connected world. Oh, cutting my hair short enough that I cannot pull it out helps too! :-)

How about you? How do you strike a balance between paranoia and practicality?

P.S. After writing this, I came across a sad example of paranoia gone overboard. A high school student in Florida was arrested and expelled for a chemistry experiment gone awry. There may well be more to the story than is being told publicly, but on the surface it looks like what happens when paranoia pushes aside common sense. I remember a high school chemistry mistake I made that could have ended similarly in today's climate. Thankfully, all I got was a lecture on lab safety and a few days' notoriety among other students.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen