Is privacy a dependency of information security?

by Jamie Titchener

If you read the news on a regular basis, you will find that most of the cyber security or data protection articles play heavily on the fear of an individual’s privacy being compromised.

But what many people don't seem to realize is that privacy in fact depends on information (or cyber) security: only by having adequate information security policies and procedures in place can an organization ensure the privacy of its stakeholders, including customers, staff and suppliers.

Whilst there are some unique challenges in the area of privacy relating to government legislation such as the UK Data Protection Act, organizations can start to address many of the privacy concerns their stakeholders have by implementing an information security management system (ISMS) that conforms to ISO/IEC 27001, drawing on the controls guidance in ISO/IEC 27002.

By combining the right mix of people, process and technology in an ISMS, organizations can effectively manage many of the privacy risks that people are concerned about.

Find out more about ISO/IEC 27001 in An Introduction to ISO/IEC 27001 2013.


The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges


In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to, personal information. POPI was gazetted on 26th November 2013, but the commencement date is yet to be announced; once it is, companies will have a year to achieve compliance with the Act. Penalties for failing to comply include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

Why is it so important for organizations to keep personal information safe?

Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as reputational damage and a loss of customer trust. The lack of a robust Information Security Management System (ISMS) can leave organisations of any size and sector open to data breaches. POPI's objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in those organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens' personal billing information on the Council's website, including full names, account numbers, addresses and contact details. Anything could have happened to that information: it could have fed targeted phishing attacks or the production of fake ID books and proof of residence, which in turn could have been used for terrorist purposes.

POPI’s challenges

The major challenge of POPI is that companies will have to change the way they collect and store customer information quickly: organizations will have only a year to become compliant once the Act commences. Given the extent of the changes to business processes and employees' attitudes that this requires, reaching compliance in a year will be a serious challenge.

PwC's "The journey to implementation" report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.


Source: PwC “The journey to implementation”

One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

How to prepare for POPI

IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with a weak information security management system, and recommends that companies look at the ISO27001 information available on the company's website.


How organizations can handle cyberthreats

CyberWar, CyberTerror, CyberCrime and CyberActivism

Successful cyberattacks can damage your organization, no matter who is behind them

The goals of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker may not be the same – but the outcomes can be equally devastating. Each can cause serious challenges for your organisation, ranging from information theft and disruption of normal operations to loss of reputation or credibility.

Cyber security is much more than technology

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other known vulnerabilities will still allow hackers to easily break into a system that has not taken account of these factors.

CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to make the most of international standards and best practices to create a culture of cybersecurity awareness within their organizations that complements their technology-based defences.

A cyber aware workforce equals better security

This second edition takes a deep look at the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organisational culture that is more robust and better able to deal with a wider range of threats. Related references, as well as recommendations for additional reading, are included at the end of each chapter, making this a valuable resource for trainers and researchers as well as cybersecurity practitioners.

Pre-Order this book today and see how international standards can boost your cyber defences. (download – Adobe, ePub, kindle)

About the author
Dr Julie Mehan is the Founder and President of JEMStone Strategies and a Principal in a strategic consulting firm in the State of Virginia. She has delivered cybersecurity and related privacy services to senior commercial, Department of Defense and federal government clients working in Italy, Australia, Canada, Belgium and the United States. Dr Mehan is also an Associate Professor at the University of Maryland University College, specializing in courses in Cybersecurity, Cyberterror, IT in Organizations and Ethics in an Internet Society.

Comprehensive Cyber Security Risk Management Toolkit

 


Most common types of data breaches

Cyber attacks have become a regular occurrence in the last few years; in fact, you can't turn on the news without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here, of course. Card payment data is a very attractive form of information for cyber criminals to steal: it provides quick access to money in multiple ways, such as draining the victim's account, using the card for purchases or selling the details on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subject to bad habits, such as reusing the same password across online accounts. So if cyber criminals get hold of your Facebook password, they will most likely be able to log in to many of your other accounts as well.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With so many websites vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

Data Security Breaches: Notification Law


Hacking Point of Sale


A hands-on guide to achieve better security at point of sale

Hacking Point of Sale is a must-have guide for those responsible for securing payment card transactions. The book tackles the issue of payment card data theft head on, covering everything from how attacks are structured and the layout of magnetic stripe data to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

  • A unique book on credit and debit card security, with an emphasis on point-to-point encryption (P2PE) of payment transactions, from standards to design to application
  • Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV and ISO
  • Details how protected areas are breached and how attackers spot vulnerabilities
  • Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals who are charged with addressing security issues in point of sale systems.


Business Downtime and Disaster Recovery

Infographic: Business Downtime and Disaster Recovery

The Internet is the largest store of information ever created, and those who can harness its power stand to reap tremendous rewards. However, handling data is also a significant responsibility, and disasters can cause severe problems. Here are a few facts about downtime and how to recover from disasters.

Causes of Downtime

The most common cause of downtime is UPS battery failure, which typically surfaces during a power failure: many outages originate at the power plant, but some are caused by faulty wiring on site. Human error is a close second, with cyber attacks and equipment failure trailing behind. Most causes of downtime are preventable through better security and better power management, including routine testing of UPS batteries before they are needed.

Effects of Downtime

Downtime has a clear effect on businesses that operate online. Customers cannot place orders when websites are down, and clients cannot rely on services hosted by offline servers. The long-term effects can be even more damaging. Customers may choose to make their purchases elsewhere, and clients may move to a different provider who promises better reliability.

How to Implement a Disaster Recovery Plan (DRP)

The most effective way to deal with disasters is to use servers provided by experts. One option is to purchase a hosted dedicated server that is designed to handle failures gracefully. Those who choose to host their own servers will want to keep data safe through RAID arrays and periodic backups, remembering that RAID protects only against disk failure, not against accidental deletion, corruption or malware, so it is the backups that matter. It is important to ensure that backups are also stored in a remote location where they will not be destroyed by local disasters, and that restoring from them is tested regularly.

Businesses will also need to ensure that everyone knows what to do when disaster strikes. UPS batteries provide a limited amount of time to respond, but they are worthless if employees don’t know what to do. Automation can help, but there are certain tasks and decisions people will have to make.

Data is the lifeblood of online businesses, and high uptime ratings are essential for keeping customers and clients happy. However, many companies still fail to plan for disasters effectively, and many have been bitten by small mistakes that led to disastrous results. Fortunately, there are a number of options available for handling disasters effectively and preventing greater harm.

Why achieve a Disaster Recovery and Business Continuity plan


Comprehensive Cyber Security Risk Management Toolkit

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

• PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
• ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
• The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
• Ten Steps to Cyber Security is the guidance published by the UK Government (the Department for Business, Innovation and Skills, with CESG and CPNI) to help organizations of all sizes secure their cyber defences;
• ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:


PRAGMATIC Security Metrics


Applying Metametrics to Information Security

 

Whereas other authors are strong on the number theory behind metrics and measurement, PRAGMATIC Security Metrics is a reader-friendly guide for hard-working security practitioners.  Without totally ignoring the underlying complexities, the book explains and interprets security metrics straightforwardly, adding a unique new ingredient to the mix: the PRAGMATIC method.

PRAGMATIC Security Metrics explains:

  • Why information security is vital, yet (as with risk management in general) so difficult to get right;
  • Why meaningful metrics are necessary to manage anything systematically and rationally, instead of relying purely on guesswork, experience and gut feel;
  • Who needs security metrics – who are the audiences, consumers and users of metrics;
  • How information security is currently measured – an overview of approaches suggested and used elsewhere;
  • Finding or developing potential (candidate) security metrics, including a few less conventional sources;
  • Assessing and scoring potential security metrics using the PRAGMATIC method;
  • 150+ example security metrics, structured in line with ISO27k, scored using the PRAGMATIC method, and discussed as if they were being actively considered by management;
  • Advanced security metrics – as if the rest of this isn’t hard enough already!;
  • Using security metrics – analysis, presentation, motivation …;
  • The downsides of metrics – possible drawbacks to having more effective security metrics;
  • A case study – a realistic worked example, developing a set of security metrics for Acme Enterprises Inc, a hypothetical commercial organization facing a range of strategic, managerial and operational challenges;
  • Conclusions including a set of take-home messages – things to put into practice immediately.

At face value, the PRAGMATIC method is just a way to score security metrics, but there’s much more to it than that.  Think about it: how does your organization determine which security metrics are worth using?  If you pick up a suggestion for a new metric from a book, a friend or a flash of inspiration, how do you assess its merits?  The usual approach is entirely informal and subjective.  Scoring and assessing the metric in a structured way forces you to think it through, in detail.

What about the recipients or audiences for your metrics: do you deliver the security metrics you feel are important, or do you make the effort to find out what they want – and if so, how do you frame that discussion?  What do you do to make them set aside the time to work out and explain their needs?

The PRAGMATIC method is straightforward, cheap and easy to apply, meaning that busy security managers can get up and running in a matter of hours.

Metrics are used not only to track and report performance but to identify problem areas and opportunities, and so drive security improvements.  With a focus on using measurement data in support of management decisions, the book takes the discussion up a level by elaborating on the design of an information security measurement system with obvious application in support of an information security management system as described by ISO/IEC 27001.

As soon as you appreciate the power of the PRAGMATIC method, you’ll be itching to put it into practice, especially if you, your colleagues and managers are presently struggling with security metrics.  Aside from the P.R.A.G.M.A.T.I.C. mnemonic representing nine criteria for assessing and scoring metrics, the approach is pragmatic in the ordinary everyday sense of the word.  You certainly don’t need a doctorate in statistics to make use of this book!  Practical tips are scattered liberally throughout, with further information and references in the footnotes.  We separated them out from the main text to encourage you to read quickly through the book at first to understand the overall approach, then go back to explore particular aspects in more detail as you apply the learning.  It is an introductory guide/overview and an implementation guide/training manual, all rolled into one.

by W. Krag Brotby and Gary Hinson

ISBN-13: 978-1439881521 (ISBN-10: 1439881529)

Pages: 512 (150,000 words)

Publisher: Auerbach/CRC Press

Published: 2013

Order your copy today!


Why to use hardware-encrypted USB sticks

Hardware-encrypted drives have tangible benefits as file sharing and mobility tools, as backup drives and much more. Hardware-based encryption is also more secure than software encryption because the keys are held inside the drive's crypto-hardware and never exposed to the host: extracting them requires physical access to the device and very specialised knowledge.

  • Safeguard keys and critical security parameters within crypto-hardware
  • Authentication takes place on the hardware
  • Cost-effective in medium and larger application environments, easily scalable
  • Encryption is tied to a specific device, so encryption is “always on”
  • Does not require any type of driver installation or software installation on host PC
  • Protects against the most common attacks, such as cold boot attacks, malicious code and brute-force attacks on the password (the number of failed unlock attempts is limited in hardware)

If you want your organization to avoid the risk of a data breach, you need to use hardware-encrypted USB sticks such as SafeXs 3.0 whenever you transfer data outside the organisation. SafeXs 3.0 sticks protect any data stored on them to a high degree because the data is hardware encrypted, which is more secure than software encryption. Note that this protection is for data at rest: once the stick has been unlocked on a host PC, any malware on that PC can read what the stick contains, so endpoint security still matters.

You should also use a USB stick management solution such as SafeConsole to ensure you are managing your secure USB sticks. This offers the advantage of being able to remote wipe data if a stick goes missing, enforce security policy across your sticks and a whole host of other security features.

Ensure your information security runs smoothly through the use of a simple, secure USB stick such as SafeXs 3.0, used in conjunction with SafeConsole Secure USB Management.

Integral® 16GB Crypto Drive – FIPS 197 Encrypted USB

Hardware Encrypted USB Flash Drive


Why achieve a Disaster Recovery and Business Continuity plan

What would you do if your systems were hacked or compromised by a virus? How would your IT systems cope in the event of flooding or an explosion?

What if your IT systems simply stopped working?

IT has brought many benefits to business. However, IT failures can seriously damage your ability to deliver products and services, harm your company’s reputation, and jeopardize your relationship with your customers. In short, poorly managed IT problems could threaten the survival of your business.

Create a Survival Plan

If you want to protect your business, you need to put in place a business continuity (BC) and disaster recovery (DR) plan to help your business survive. Disaster Recovery and Business Continuity: A quick guide for organizations and business managers shows you how to develop a plan that will:

  • keep your information safe
  • safeguard your company from viruses and phishing scams
  • store data safely, and prevent years of work from being lost by accident
  • ensure your communication links are secure, and keep you connected when disaster strikes
  • bomb-proof your data
  • protect your data in the event of fire or flood

Read BCP/DRP practical guide and start building a business survival plan today


How to Achieve Cyber Resilience

Becoming cyber resilient will give your organization the best chance of defending itself against and surviving from cyber attacks.

What does ‘cyber resilience’ mean?

Cyber resilience is the ability to repel cyber attacks while protecting critical business assets, to adapt and respond rapidly to business disruptions, and to maintain continuous business operations.

So how do I become Cyber Resilient?

IT Governance has developed a 7-step approach to achieving cyber resilience.

Cyber Resilience Core Standards Kit

These standards will help you to implement a management system that will allow you to take advantage of the opportunities associated with operating in cyberspace whilst mitigating the threats and risks.
Includes the information security standards ISO27001 and ISO27002 and the business continuity standards ISO22301 and ISO22313.

 

Build your knowledge of these key areas and be ready to help deliver your organization's cyber resilience strategy

Developing knowledge of the best-practice advice and guidance in the key standards ISO27001 and ISO22301 is key to delivering a successful cyber resilience strategy. Whatever your preferred method of learning, IT Governance has products to help build the knowledge and skills you need.

An Introduction to Information Security and ISO 27001 (2013) – Written by acknowledged ISO27001 expert Steve Watkins, this pocket guide introduces the principles of information security management and ISO27001. It will help you understand how to start planning a project to implement effective, reliable and auditable systems.

ISO22301: A Pocket Guide – This guide will help you understand the international business continuity standard and provides guidance on the best way to implement a fit-for-purpose BCMS.


Why Two Thirds of Personal Banking Apps Have Vulnerabilities


The personal banking apps study is out: a security researcher (Ariel Sanchez of IOActive) spent about 40 hours testing iPhone and iPad banking applications from 60 of the most influential banks in the world, and his findings were shocking.

40 of those 60 applications were found to have major mobile security vulnerabilities, which is not something you would expect in an application that authenticates you to your bank.

The tests were split across six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. Serious weaknesses were found in all of them.

40% of the applications do not validate the authenticity of SSL certificates, meaning that they are vulnerable to man-in-the-middle (MITM) attacks.

A full 90% of the apps contain non-SSL links, potentially allowing “an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”

50% “are vulnerable to JavaScript injections via insecure UIWebView implementations… allowing actions such as sending SMS or emails from the victim’s device.”

70% have no facility for any “alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.”
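The first two transport findings above (no certificate validation, cleartext links) are the ones an app reviewer can check mechanically. What follows is an added example written for this page, not code from the study, from IOActive or from any bank: in Python it builds a TLS client context that actually validates the peer next to the weak configuration that does not, and scans a constructed sample of strings pulled from an app bundle for links that are not https. The hostnames, the sample strings and the function names are all assumptions made for the example.

```python
"""Added example, not code from the study or from any bank: two checks that map
onto the findings above.

  1. make_client_context() builds a TLS client context that validates the
     server certificate chain and hostname, or (verify=False) the weak
     configuration that leaves an app open to man-in-the-middle attacks.
  2. find_cleartext_urls() scans text extracted from an app bundle (output of
     `strings`, plists, bundled JS) for links that are not https://.

All sample inputs are constructed for this example; the .test hostnames are
placeholders.
"""
import re
import ssl


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Hardened client context: chain checked against the system trust store,
    hostname checked against the certificate, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    if verify:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # The weak setting the study found in 40% of apps, shown only so the
        # difference is visible. check_hostname must be cleared first, or
        # Python refuses to set CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject a forged or mis-issued certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Scheme is captured so cleartext schemes can be told apart from TLS ones.
URL_RE = re.compile(r"\b(https?|wss|ws)://[^\s'\"<>]+", re.IGNORECASE)


def find_cleartext_urls(blob: str) -> list:
    """Return every http:// or ws:// URL found in the extracted strings, in order."""
    return [m.group(0) for m in URL_RE.finditer(blob)
            if m.group(1).lower() in ("http", "ws")]


# Constructed sample of what `strings` on an app binary might emit.
SAMPLE_STRINGS = """
https://api.example-bank.test/v1/login
http://cdn.example-bank.test/terms.html
https://api.example-bank.test/v1/accounts
http://analytics.example-tracker.test/collect?app=bank
ws://push.example-bank.test/events
"""

if __name__ == "__main__":
    good = make_client_context()
    bad = make_client_context(verify=False)
    print("hardened context validates peer:", context_validates_peer(good))
    print("weak context validates peer:    ", context_validates_peer(bad))
    for url in find_cleartext_urls(SAMPLE_STRINGS):
        print("cleartext link:", url)
```

The URL scan is the cheap part of the "non-SSL links" check; a link that is only assembled at runtime will not show up in static strings, so it complements rather than replaces watching the app's traffic through an intercepting proxy.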

The incredibly troubling study brings to light a very serious problem for the banking industry — and for consumers, of course — that will only become more severe over time as mobile banking app usage grows. Sanchez notes in his report that the various security vulnerabilities he identified could allow malicious hackers to intercept sensitive data, install malware or even seize control of a victim’s device.

When banks are using their mobile applications as a competitive advantage, you would think they would thoroughly test them for security flaws with a vulnerability assessment or a mobile penetration test, so as to reduce the proportion of vulnerable apps from two thirds to an acceptable level. Major flaws of this kind show that the applications have not been tested for security vulnerabilities at every phase of development. Above all, they suggest that the banks have a weak Information Security Management System (ISMS) in place. This is an especially worrying trend for smaller banks, which often lack information security resources and expertise.

Mobile Information Security and Privacy Books

Mobile Malware Protection from phishing sites and malicious URLs


What to Log for Authentication and Access Control

Authentication and access control play a critical role in web application security, so all authentication and access control events should be logged, including but not limited to both successes and failures. If only successful events are logged, someone can brute-force passwords without being detected or noticed. Conversely, if only failures are logged, a legitimate user can misuse, corrupt, harm or simply abuse the system without detection. All other authentication and access control related events (such as account lockout) are also important and must be logged:

  • Failed log in
  • Successful log in
  • Account locked /disable
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

Log entries should identify the resources involved in the web application (IP address, URL, user name, HTTP method, protocol version, etc.) and record the reason access was denied for each failed event. Some applications provide much better logs than others; in general a log entry should contain the user ID, a timestamp, the source IP, a description of the event, an error code and a priority.

All error conditions should be logged, including simple things such as SQL query errors, which can help to detect SQL injection attacks. Some errors relating to the availability of the application are important as an early trigger for the business continuity plan (BCP). Availability is one of the main pillars of information security, so it should be logged and monitored. Logged error conditions should include, but not be limited to, failed queries, file-not-found and cannot-open errors, unexpected state, connection failures and timeouts.
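To make the above concrete, here is an added example (not code from the original post) in Python: a small JSON audit log carrying the fields listed above, and two detectors run over a constructed sample of it. Together they show why both successes and failures must be logged: the password-guessing detector only has failures to work with, while the access-abuse detector needs the successful login to tie later denials to an authenticated session. The event names, field names, IP addresses, thresholds and sample entries are all assumptions made for this example.

```python
"""Added example, not code from the original post: a structured audit log for
the authentication and access-control events listed above, plus two detectors
run over it. Event names, field names, addresses, thresholds and the sample
entries are all constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def auth_event(ts, event, user, src_ip, url, method="POST", reason=None, priority="info"):
    """One JSON log line carrying the fields the post asks for."""
    return json.dumps({
        "ts": ts.isoformat(),
        "event": event,      # login_failed, login_ok, account_locked, access_denied, logout, ...
        "user": user,
        "src_ip": src_ip,
        "method": method,
        "url": url,
        "reason": reason,    # why access was denied; populated for failed events
        "priority": priority,
    })


def parse_log(lines):
    """Parse JSON lines back into events, ordered by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs that produced >= threshold failed logins inside a sliding
    window. Invisible if only successful logins are logged."""
    recent = defaultdict(list)
    flagged = set()
    for e in events:
        if e["event"] != "login_failed":
            continue
        bucket = recent[e["src_ip"]]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:   # age out failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(e["src_ip"])
    return sorted(flagged)


def detect_abuse_after_login(events, threshold=3):
    """Users who, while logged in, were denied access >= threshold times: a valid
    session probing resources it is not authorised for. Invisible if only
    failures are logged, because the login_ok that ties the denials to an
    authenticated session would be missing."""
    active = set()
    denied = defaultdict(int)
    for e in events:
        if e["event"] == "login_ok":
            active.add(e["user"])
        elif e["event"] == "logout":
            active.discard(e["user"])
        elif e["event"] == "access_denied" and e["user"] in active:
            denied[e["user"]] += 1
    return sorted(u for u, n in denied.items() if n >= threshold)


def build_sample_log():
    """Constructed log: one guessing attack, one misbehaving valid user, one typo."""
    t0 = datetime(2014, 1, 15, 9, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.7 guesses alice's password six times in two minutes, then lockout.
    for i in range(6):
        lines.append(auth_event(t0 + timedelta(seconds=20 * i), "login_failed", "alice",
                                "203.0.113.7", "/login", reason="bad_password", priority="warn"))
    lines.append(auth_event(t0 + timedelta(minutes=2), "account_locked", "alice",
                            "203.0.113.7", "/login", reason="too_many_failures", priority="high"))
    # bob logs in normally, then tries three resources he is not allowed to see.
    lines.append(auth_event(t0 + timedelta(minutes=1), "login_ok", "bob", "198.51.100.23", "/login"))
    for i, url in enumerate(["/admin/users", "/admin/export", "/api/accounts/42"]):
        lines.append(auth_event(t0 + timedelta(minutes=2 + i), "access_denied", "bob", "198.51.100.23",
                                url, method="GET", reason="not_authorised", priority="warn"))
    # carol mistypes once, then succeeds and logs out: nothing to flag.
    lines.append(auth_event(t0 + timedelta(minutes=3), "login_failed", "carol", "192.0.2.9",
                            "/login", reason="bad_password", priority="warn"))
    lines.append(auth_event(t0 + timedelta(minutes=4), "login_ok", "carol", "192.0.2.9", "/login"))
    lines.append(auth_event(t0 + timedelta(minutes=6), "logout", "carol", "192.0.2.9", "/logout"))
    return lines


def analyse(lines):
    events = parse_log(lines)
    return {"brute_force_ips": detect_brute_force(events),
            "abusive_users": detect_abuse_after_login(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(build_sample_log()), indent=2))
```

The thresholds are deliberately low so the sample triggers both detectors; in production they would be tuned against the application's normal failure rate, and the same entries would feed the lockout event the list above asks for.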

Besides the inherent benefits of log management, a number of laws and regulations further compel organizations to store and review certain logs. The following is a listing of key regulations, standards, and guidelines that help define organizations’ needs for log management – ISO 27001, ISO 22301, FISMA, GLBA, HIPAA, SOX, and PCI-DSS.

Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology: Special Publication 800-92

Security Log Management

 


IT Governance Top 5 Bestsellers of 2013

With 2013 coming to a close, ITG is reflecting on what a year it has been for the IT governance, risk management and compliance (IT-GRC) industry. In 2013 we saw the highly awaited release of ISO 27001:2013, the new requirements of PCI DSS v3.0 and the Adobe breach, which affected at least 38 million users.
Throughout it all, IT Governance has been there to serve IT professionals in America and assist them in implementing management systems, protecting their organizations and making their IT departments run more efficiently by implementing IT-GRC frameworks.
Below we have listed the top 5 IT Governance USA bestsellers from 2013:

1. ISO IEC 27001 2013 and ISO IEC 27002 2013
2. Cyber Risks for Business Professionals: A Management Guide
3. Comprehensive ISO27001 2005 ISMS Toolkit
4. The True Cost of Information Security Breaches and Cyber Crime
5. ITIL Foundation Handbook (Little ITIL) – 2011 Edition


Hack-proof your life: A guide to Internet privacy in 2014


Keith Wagstaff NBC News

It’s no secret that 2013 wasn’t a great year for Internet privacy.
Former National Security Agency contractor Edward Snowden leaked thousands of classified documents that revealed the depths of the agency’s electronic surveillance program. Users had their information stolen en masse from private databases, including a security breach in November that reportedly resulted in 42 million unencrypted passwords being stolen from Australian-based Cupid Media, which was followed by a massive hack of Target credit and debit card information.
So, what’s a concerned netizen to do in 2014? Turns out there are plenty of ways to keep your data safe without breaking your Internet addiction.

Complete Guide to Internet Privacy, Anonymity & Security

Take two steps towards better security
Even if you aren’t worried about NSA agents reading your email, you should still be concerned about hackers taking a peek at your sensitive bank information or your “50 Shades of Grey” fan fiction.
That is why it’s a good idea to take advantage of two-step verification, something that Google, Facebook, Microsoft, Twitter and other companies have been pushing more often lately as big password leaks have hit the news.
Basically, the service asks not only for your password but also for a one-time code, sent to you by text message or generated by an authenticator app on your phone, before it lets you in. App-generated codes never travel over the phone network, so where a service offers both, the app is the stronger choice.
“People should take the extra step because it’s incredibly effective in making it hard for someone to break into your account,” Yan Zhu, technologist for the Electronic Frontier Foundation, an advocate for Internet privacy, told NBC News. “They not only need access to something you know — which is your password — but they need access to something you own, which is your phone or another secondary device.”

Check your URL
The address of any site where you log in or type anything sensitive should begin with “https://” rather than “http://”; the extra “s” means the traffic between your browser and the site is encrypted, which matters most on public Wi-Fi in places like airports and cafes. If that “s” is missing, install HTTPS Everywhere, a browser extension for Chrome, Firefox and Opera that rewrites requests to sites known to support HTTPS so that you get the encrypted version. It cannot help with a site that offers no HTTPS at all.
Change your terrible password
The top three passwords in a November security breach that reportedly affected 38 million Adobe customer accounts:
• 123456
• 123456789
• password
Not exactly impenetrable. And password cracking software — much of it freely available — is only getting more advanced. So how can you protect yourself?
“Use long passwords, at least eight characters, but the longer the better,” Maxim Weinstein, security advisor at Sophos, wrote to NBC News. “Avoid words (including names) and predictable patterns like adding a number to the end of a word. One trick is to choose a phrase or song lyric and use the first letter of each word (e.g., “Oh, say can you see, by the dawn’s early light” equals “oscysbtdel”), perhaps making some substitutions to make it more complex.”

Don’t use the same password for everything
You should also have a different password for every site, so that a hacker who gets your dating website password won’t all of a sudden have access to your Gmail account. Weinstein also recommended using a password manager like 1Password or LastPass to keep track of all of them, or, at the very least, creating three different passwords for your work email, personal email and websites that you visit.

Browse without being tracked
Normally, when you search for something on the Internet, the site can see what search term you used, not to mention your IP address, which can be used to identify you. Switching from your current search engine to one like DuckDuckGo is one step you can take to protect your identity.
“When you visit anything on the Internet, your computer is sending information about itself over the Net that can be used to tie things back to you. Most services store this information, which then can be used by these government programs and other things to identify you,” Gabriel Weinberg, the site’s founder and CEO, told NBC News. “DuckDuckGo, on the other hand, does not store any personally identifiable information, so we literally have nothing to tie your searches to you.”
If you use Google’s Chrome browser, you can open an Incognito window. It doesn’t hide your searches or IP address from the sites you visit, but it does have some privacy benefits: nothing you visit is recorded in your browsing history, and cookies created during the session are discarded when you close the last Incognito window.

How to be Anonymous Online – A Quick Step-By-Step Manual

Consider the power of Tor
For the strictest level of anonymity, you can download Tor, software that routes your traffic through a chain of volunteer-run relays around the world, so that the sites you visit cannot see where you are connecting from and your own network cannot see which sites you visit. (It is not a guarantee, though: a Harvard student who allegedly used Tor to send a fake bomb threat was arrested anyway, reportedly because he was one of the few people on Harvard’s network using Tor at the time.)

Encrypt your email
While free webmail services like Gmail, Microsoft’s Outlook.com and Yahoo Mail have upped their encryption standards over recent years, that encryption protects messages in transit and the provider itself can still read them. End-to-end encryption goes further by scrambling the message on your own computer before it is sent, so the provider in the middle only relays ciphertext. It relies on each person having a key pair: a public key, which anyone can use to encrypt a message to that person, and a private key, which stays on that person’s own device and is the only key that can decrypt the message.
“I really hope end-to-end encryption becomes more popular over the next year,” Zhu said. “One of the great things about it is that because it happens on the user’s computer, they have full control over it. They don’t have to trust a third party to keep their data safe.”
The downside? It’s not very easy to set up. Even Glenn Greenwald, the former Guardian reporter who broke the Edward Snowden story, had trouble with it. You’ll need encryption software that implements OpenPGP, either PGP (Pretty Good Privacy) or the open-source GPG (GnuPG), together with an email client such as Thunderbird that can use it. (The Freedom of the Press Foundation has a good explainer on how to set everything up.) It’s all not very attractive or user-friendly, something that Mailpile, which raised $163,192 this year on Indiegogo, is hoping to change by developing a more Gmail-esque interface.

Protect your chats and cloud storage
Email isn’t the only personal data you should be worried about. Plenty of chat services store logs of your conversations, and while cloud-storage services usually protect data well in transit and on their servers, the provider holds the keys, so your files are still exposed to anyone who breaches the service or who has your username and password.
Some good solutions: Cryptocat, or Pidgin with the OTR plug-in, for chats that are encrypted end to end between the two people talking; and Cloudfogger or BoxCryptor, which encrypt files on your computer before they are synced, so that services like Google Drive or Dropbox only ever store ciphertext.

Of course, the reason people pick passwords like 123456 is because it’s easier than the alternative. If you want complete privacy and security in 2014, you’re going to have to work for it.
