Thinking Security: What Could Possibly Go Wrong?
This is the 30th blog in a series about security and how security is about how you think.
We’ve all done it – clicked on a link, opened up an attachment, typed in sensitive information to a website. What could possibly go wrong?
A number of things could go wrong – the link could be malicious and go to another site, the attachment could be poisoned and infect our computer, the website could be fake and be stealing credentials, and the list goes on and on. There are many things which could go wrong, but probably won’t. We don’t all live our lives in paranoia – we want to believe that everyone who uses the Internet is usually good and nice. But it takes due diligence from everyone to make sure that everything stays secure.
Think of these examples – A person is taking a survey on the street and asks your name. Do you give it to them? What could go wrong? What if they ask the names of your kids? What about your address? What about your bank account information? What about information about others? Would you give that information to someone whom you should trust (for example, a police officer)?
What about responding to an email from a well-meaning Nigerian prince or clicking on the embedded link of his email? Do you pay by credit card at a restaurant if the server brings a device that swipes the card at the table? What if the server has to take the card someplace out of sight to swipe it? (Here, “swipe” takes on an intriguing double meaning.) What if you order at a restaurant and your server asks for your name to match the order later? Do you give it to her? Or are you already so paranoid you give her a fake name?
The people who use computers, and the training that teaches them to be secure, constitute one of the largest security issues. Like it or not, humans are the weakest link in the security of any system because they tend to believe that everything is good. Some people also call this area “The Human Element.” It’s how we make sure the people who also work with the information around us are doing the right things – not clicking links, opening attachments, or sharing our (or our client’s) sensitive information. One of the secret (okay, not so secret) goals of this blog is to share a secure way of thinking with others.
The key issue isn’t really about paranoia. It’s about evaluating the risk of disclosing that information – does the other person need it? What is the risk in my sharing? What’s the risk in performing a particular operation? For example, I eat sometimes at the food trucks parked around Drexel University in Philadelphia, where I’m an adjunct professor. I never use my credit card because I’m not confident that the trucks’ credit-card processing is totally secure – I always pay cash.
When I’m travelling, I never use my debit card – always my credit card, because of the extra layers of security and protection that the card company provides in case things go wrong. Even saying in a blog that I have a debit card and credit card is some amount of disclosure. You notice that I didn’t say the financial institutions of those cards because you don’t need to know that information.
But how do we get others to “think security”? They could all read this blog (and I would likely be better known if they did so). But it’s about sharing the “thinking security” mindset. It’s constantly enhancing our mindsets about how to be secure and encouraging others to do so. There are many ways that this happens – watching the nightly news about the latest scams targeting our area or reading material on websites (validated, of course) that contain information about identity theft and how to notice it and then sharing that information.
It could be just being more selective about sharing sensitive information about yourself and the people you know. Validate that the other person needs that information – and validate the ways that you authenticate the other person or website. For example, would you give information to someone who called with an ID of “Name Unavailable”? Would you even pick up the telephone?
It’s not being paranoid; it’s just thinking through what could possibly go wrong with sharing information or performing a certain operation. It’s also about sharing and teaching that mindset to everyone around us so that they also THINK security.