The term security posture is used in information security to describe the overall security effectiveness of a given system, service, or network. All aspects of security strength and weakness are evaluated and weighed against both potential and known threats in an effort to gauge the current level of protection. This same process can be used to develop a “personal” security posture, by assessing and strengthening the overall security effectiveness of your online accounts and identity.
While the process of assessing the security posture of an organization or network can often be a daunting task, performing an evaluation of your personal security posture can be simplified and completed in a short period of time.
Understanding the scope of your online identity is an important first step in assessing your overall security posture. Make a list of every user account you have online, and include every account: banking, email, social media, online shopping, etc. For most of us the list will be quite lengthy, but it is important to include all accounts.
Using the list of accounts, review each account and determine if each is important enough to keep. Reducing the total number of accounts will reduce your overall exposure to online threats, and at the same time will ease the security burden of remembering and maintaining additional passwords for those extraneous accounts.
User Account IDs and Passwords
Review the credentials for each user account. Do you use the same user ID/user name for most or all of your accounts? If so, this makes it much easier to locate your accounts online. Do you use strong passwords on these accounts? If not, now is the time to change them. Are you reusing the same password across accounts? If so, this is a major issue and needs to be corrected as soon as possible. You should have unique credentials for each account you own online.
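As an added example (not part of the original article), the three credential questions above can be answered mechanically over an account inventory. The inventory below is constructed; a real run would read a password-manager export instead. Passwords are compared by hash so the report never repeats a secret.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory, standing in for a password-manager export.
ACCOUNTS = [
    {"service": "bank.example", "user": "jdoe", "password": "Tr0ub4dor&3-winter-2024!"},
    {"service": "mail.example", "user": "jdoe", "password": "Summer2019"},
    {"service": "shop.example", "user": "jdoe", "password": "Summer2019"},
    {"service": "social.example", "user": "jane.doe", "password": "correct-horse-battery-staple-99"},
]

MIN_LENGTH = 12  # assumed threshold for a "strong" password; adjust to taste


def fingerprint(password):
    # Compare passwords by hash so the findings never contain plaintext.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(accounts, min_length=MIN_LENGTH):
    """Return the three findings the checklist asks about:
    shared usernames, reused passwords, and weak (short) passwords."""
    by_user = defaultdict(list)
    by_pw = defaultdict(list)
    weak = []
    for acct in accounts:
        by_user[acct["user"]].append(acct["service"])
        by_pw[fingerprint(acct["password"])].append(acct["service"])
        if len(acct["password"]) < min_length:
            weak.append(acct["service"])
    return {
        "shared_usernames": {u: s for u, s in by_user.items() if len(s) > 1},
        "reused_passwords": [sorted(s) for s in by_pw.values() if len(s) > 1],
        "weak_passwords": sorted(weak),
    }


if __name__ == "__main__":
    for finding, detail in audit(ACCOUNTS).items():
        print(f"{finding}: {detail}")
```

Every service listed under reused_passwords or weak_passwords should get a new, unique password; shared_usernames is lower priority but shows how easily your accounts can be linked.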
Email and Attachments
Virtually every user on the Internet relies on email as a primary means of communication. However, because email is so pervasive and uses standard, well-known protocols for mail transfer, it is a leading avenue of attack for malicious software and cybercriminals. Because no spam filter is perfect, you should treat every message received with caution, even those that appear to come from friends, relatives, or companies you do business with.
Phishing, a common type of attack, uses email to collect personal and financial information from you, often with the use of malicious web sites linked in the body of the email, purporting to come from a legitimate or known business or web site. The victim is tricked into accessing the web site provided in the email, and unwittingly enters their personal information, believing it to be a valid web site they are accessing, while in reality the information is collected and used by an attacker to gain access to the victim’s accounts.
Email attachments should never be trusted, and should only be opened if received from a reliable source, and only if you have up-to-date anti-virus and anti-malware software installed on the computer system used to access your email.
Social Networking Profiles
Determine what information is publicly available on your social networking profiles. Providing personally identifiable information for public view on social networking sites increases the risk of cybercrime, such as bank fraud and identity theft. Personal information such as your location, names of family members, place of employment, and the like are all important pieces of information for someone looking to steal your identity. You should consider removing this level of detail from your profile, or configure your profile so that this type of information is visible only to a close network of friends and family.
Anti-Virus and Anti-Malware Software
You should review the scheduling of automated anti-virus and anti-malware operations. Here we will make the necessary assumption that you do in fact have anti-virus and anti-malware software installed on your Internet-connected laptop or desktop computer (suffice it to say, the failure to have this critical software leaves you highly vulnerable). While most anti-virus and anti-malware software can be configured to apply updates automatically and to perform automated scans on a scheduled basis, this automated activity is often overlooked or ignored. In severe cases a system can go days, if not weeks, without performing scheduled tasks if an issue arises with the software.
Review the operational logs of all security software on a routine basis to verify that all scheduled activity is occurring as configured. If a scheduled update or scan is missed, take the time to execute the missed tasks manually to ensure that system security is maintained, and be sure to perform missed updates first, so that manual scans are using the latest scanning engines and signature files.
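The log review described above can be scripted. This is an added example, not from the original article: it parses a constructed log (not any real product's format), finds the last successful update and scan, and lists what is overdue, with the update first so a manual scan uses the newest signatures.

```python
from datetime import datetime, timedelta

# Constructed sample log (not a real product's format): one line per completed task.
LOG = """\
2024-03-01 02:00:05 UPDATE OK signatures=20240301
2024-03-01 03:00:41 SCAN OK files=184223 threats=0
2024-03-02 02:00:07 UPDATE OK signatures=20240302
2024-03-02 03:00:39 SCAN OK files=184310 threats=0
2024-03-03 02:00:04 UPDATE FAILED error=network
2024-03-03 03:01:12 SCAN OK files=184400 threats=0
"""


def last_success(log, task):
    """Timestamp of the most recent successful run of `task`, or None.
    Failed runs are ignored: a failed update leaves the old signatures in place."""
    latest = None
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != task or parts[3] != "OK":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        if latest is None or ts > latest:
            latest = ts
    return latest


def overdue_tasks(log, now, max_age=timedelta(days=1)):
    """Return the tasks to run by hand, in the order they should be run.
    UPDATE is checked before SCAN so a manual scan uses the newest signatures.
    `max_age` is the assumed daily schedule; change it to match your settings."""
    todo = []
    for task in ("UPDATE", "SCAN"):
        last = last_success(log, task)
        if last is None or now - last > max_age:
            todo.append(task)
    return todo


if __name__ == "__main__":
    print(overdue_tasks(LOG, datetime.now()) or "all scheduled tasks are current")
```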
Using Public Internet Kiosks or Terminals
Using public Internet terminals may put you at risk for identity theft. If the terminal has been breached, everything you do while online may be recorded by an unknown person. From passwords to account and credit card numbers, everything you enter into a public Internet terminal is at risk of being used to access your accounts and potentially result in the theft of your identity.
To protect yourself while using a public terminal, limit the websites you access to those that do not require a user ID or password, and under no circumstances should you enter any personal information such as a credit card number or your social security number from a public Internet kiosk or terminal.
Password Protection of Mobile Storage Devices
Laptops, smart phones, and thumb drives are commonly lost or stolen with thousands of incidents reported each year. These devices often carry large quantities of personally identifiable information and are a treasure trove for cybercriminals fortunate enough to possess them. Protecting these devices is essential.
Laptop computers should be power-on password protected, and if possible the laptop hard drive should be encrypted. Only thumb drives supporting password protection and encryption should be purchased and used, as the small size of these devices makes their loss or theft more likely. Smart phones should always be password protected, both to protect the data stored on the phone and to prevent fraudulent calls from being made from the phone.
Evaluate Information Provided to Websites Upon Request
Countless web sites will ask you to provide information such as your full name, date of birth, address, phone number, email address, etc., often simply to search their catalogs or to participate in a discussion thread. Give as little information as possible, and if the information is “required” to access the site, look for similar sites that do not have a requirement for you to divulge personally identifiable information.
You should review and decide what types of information you are willing to share, and ensure that you adhere to your own limitations. Remember that the more information you provide the easier it is for someone to invade your privacy or to commit fraud against you.
Personal Information Stored Electronically
All user-generated documents stored on your Internet-connected laptop or desktop computer should be reviewed to determine what personal and financial data may be stored on the computer. Documents containing banking/credit card account or card numbers, social security numbers, lists of passwords, and the like should never be stored on an Internet-connected computer. These types of documents should be stored on removable media or other means of offline storage to mitigate the potential exposure of this information if the computer is breached.
Online Shopping Habits
Online merchants expect to lose approximately $4 billion annually to online fraud and scams. Shopping online requires that you use your street smarts in the virtual marketplace by following common sense practices:
Always shop from a secure, trusted computer system, and ensure that the site you are shopping through is SSL encrypted, which protects all data exchanged between the web site and your PC. If the address of the site begins with https: (“s” for secure) instead of http:, then the site is using SSL encryption.
Avoid shopping through a search-engine query, which can lead you to random merchants you’ve never heard of. Also consider using alternate forms of payment instead of your personal credit card. Services such as PayPal allow you to purchase securely without ever exposing your credit card information to the merchant web site. Many financial institutions and card issuers, including Bank of America, Citibank, Discover, and PayPal, offer the ability to generate unique, “one-time use” account numbers that are good only for a single shopping transaction. These disposable account numbers cannot be reused, making them useless to anyone obtaining them illegally.
Just as no single security measure will guarantee the overall security of a company, network, or computer system, no single measure applied to your user accounts or online habits will guarantee that your online identity is safe. When multiple measures are combined, however, the overall effectiveness of your personal security posture increases exponentially, making it far less likely that you will become another cybercrime statistic.