Special Edition
Computer security testing comment and analysis from SE Labs

The first security technique you should master!

Security planning can make your life easier to manage. It’s easy to become paralysed when you consider all of the threats that exist and all of the possible solutions. You can’t buy every security product available and you certainly shouldn’t even try.

There are risks that we all face (let’s call those ‘general risks’) and risks that are quite specific to you (‘individual risks’).

Security planning for anyone, whether you are the CEO of a large enterprise or a retired amateur gardener, should take into account what risks you (specifically) face and the consequences of something bad actually happening.

General risks

In this article we’re going to focus on cybersecurity, but the principles apply to any area of your life. In the computing world there are three major threats that we all face:

1. Data loss
2. Data theft
3. Device loss

At the end of the day, most personal and business IT security problems boil down to those three things. Losing access to your data doesn’t always mean someone else has stolen it. Your hard disk might fail and you don’t have a safe copy of your data anywhere else. Similarly, data theft doesn’t have to mean that you’ve lost access to your files – just that someone without authority has access too.

Data is valuable. Sometimes it’s irreplaceable and often it’s costly in time and/ or money to replace. Your personal photos capture unique moments in life. You maybe spent days writing an important report. Personal identity data, such as your social service number and photo identity documents, take time and money to replace. And they can be abused and cause you to lose more time and money.

Security planning will save you time and money even in the short term.

Sign up to our monthly business and personal security newsletters.

Security planning saves time and money

And that’s usually what it comes down to: time and money. You can argue that you have emotional attachment too, but if you don’t lose control of your data then there’s not usually a reason to get upset.

Device loss, whether by accident or theft, is also expensive in terms of time and money. How you balance that against data loss depends on the value you place on your data and how wealthy you are.

For example, you might not be able to afford a new laptop easily, but the novel you’ve spent years writing is completely irreplaceable. The cost of losing that data is far higher to you than a new laptop. If you are low on funds you might be best advised to spend what you have on a small USB drive today, rather than saving up so you can buy a new laptop sometime in the distant future. If you have a lot of data, investing in an online backup solution would be more sensible.

Data loss: a true anecdote (names changed to protect the naïve)

John keeps track of his finances obsessively. He uses his laptop computer and religiously makes backups of a single file onto a USB flash drive. He values this data highly.

He returns home to find that his house has been burgled. The laptop, and the USB drive that was attached to it, are gone. He will never be able to replace that data, although obtaining years of bank statements and re-entering the data might approximate the work he had done before.

John’s mistake was to focus only on the risk of hardware failure. If his hard disk had died, which they used to do a lot back then, his backup would have saved the day. He didn’t imagine that the USB disk would be stolen. He didn’t do any serious security planning. Five minutes of thought would have helped!

Mitigating this risk could involve one or more of these approaches:

1. Hide the laptop after use (inconvenient but cheap)
2. Hide the USB drive after use (quite convenient and cheap)
3. Use an online backup service (very convenient and quite cheap)

We’ve seen that cybersecurity threats are largely about data loss, theft and loss of devices. The solutions tend to balance convenience and cost.

A quick word on insurance

You can handle most risks with insurance. This won’t help replace the irreplaceable such as photos or life’s works, but it can cover the cost of lost hardware, money and business – depending on the policy. The risk averse will combine insurance with preventative measures, such as those below.

Insurance is essentially a gamble. You bet that a problem (like a theft, or your own death) will happen, while the insurance company bets that it won’t. In a weird way you only ‘win’ if something goes horribly wrong in your life. When that happens, you hope that the insurance company will pay out. If nothing goes wrong you’ve spent money for ‘peace of mind’. It’s sometimes worth assessing your need for insurance, where it’s not legally required (e.g. motor insurance).

Classic cyber security advice

Cybersecurity experts have already worked out the most likely threats for most normal people. This is why you see the same advice repeated across millions of websites:

1. Back up data
2. Run anti-virus
3. Update software
4. Don’t click on email links
5. Don’t re-use passwords

You should follow all of that advice to reduce the likelihood and impact of a successful cyberattack.

If you want to understand more about why these tips work, our DE:CODED podcast covers security planning in depth, with examples. Listen to it using the player below, or subscribe to the show and catch that episode and more!

Who are you?

If your appetite has been whetted by the general advice we’ve given above, you can get more specific and start making a personal security plan.

This might sound a little too philosophical but, if you want to understand the individual threats you face, you need to know who you are. By doing so you can work out where your vulnerabilities and strengths lie. And the identity or nature of your allies and enemies.

The first thing to do, when working out your threat model, is to think about what you value the most – your ‘assets’.

Try to pick a scope before you start. We’ll look at personal cybersecurity, but you use the same approach with personal safety at home, family safety on holiday or even pet safety.

In the cybersecurity world common assets will likely be, in no particular order:

1. Credentials for your internet accounts (passwords, usernames, other means of authenticating)
2. Files (your photos, college work, any output from hobbies etc.)
3. Computer(s)
4. Mobile devices
5. External hard disks
6. Other hardware (e.g. microphones; cameras; printers; networking)

Categorise your assets

Earlier we talked about data and devices. But at this level we can split data down into your security credentials and your files. You might even split these further into ‘critical’, ‘important’ and ‘casual’.

For example, your main email account is at the heart of your digital life. If bad guys can access that, they can reset many of your other accounts and cause you a lot of work and potentially financial loss. Your email account’s password is squarely in the ‘critical’ box.

Your Netflix password, on the other hand, might be ‘casual’, because you’re happy to share it with friends, despite Netflix’s T&Cs!

Some photos could be casual. These are the sorts of things you’d upload to Facebook. Others might be more sensitive, such as a photo of your passport. These would be ‘critical’ and should probably be stored in encrypted form, such as using Microsoft Windows’ BitLocker, Apple macOS FileVault or at least in password-protected Zip files.

(It’s much easier to password-protect Zip files on a PC than it is on a Mac.)

The network hardware that runs your office or home is almost certainly more important than the posh microphone and camera you use to make Zoom calls better. External hard disks holding your business files are extremely important. The ones holding ripped DVDs are possibly less so, but that’s up to you!

Your time, your money, your head

At the end of the day your priorities will be dictated by time, money and some element of your personality.

For example, if you lose your device you will have to pay for another one, and then spend time and effort setting it up again. But you might also feel extremely uncomfortable with its loss. This could be rational, because now someone might be able to get to your data. Or you simply might be upset because something you’re emotionally attached to is gone.

No person is an island

Whether you like it or not, you will almost certainly depend on other people to some extent. We trust that friends and even casual acquaintances aren’t out to harm us. Our partners and parents should have our best interests at heart. This is not a weakness. In fact, it is a strength.

Allies can look after physical assets for you, when it’s not safe for you to keep them close at hand. They can hold copies of important passwords, in the same way that you might leave your front door key with a trusted neighbour. You might even give an ally access to some of your internet accounts – from something as unimportant as a Netflix account up to a joint bank account.

Sharing files, such as holiday photos, can be pleasurable (although the recipient might not enjoy this as much as you think!) Sending important documents using the internet is convenient. Consider whether to allow the recipients the ability to view only, or to edit.

For various reasons we don’t recommend you ever share your email account, even with a spouse.

Which leads us onto an unpleasant but important fact: allies can become enemies.

Keep your enemies distant

Divorce rates are high globally and are particularly so in economically developed countries with high levels of education across the genders. A trusted spouse can turn quickly into an aggressive enemy. We’re not suggesting that you stop trusting your partner. But keeping certain internet accounts private is a good principle to maintain when things are going well, so you don’t have to worry should they go less well in the future. It might be more awkward to remove access than never to give it in the first place. And if they take over your email account before you do, life could become even harder.

You will have enemies, or at least opponents, even if you can’t think of any. Just as in the physical world, random cyberattacks happen all the time. Look through your email’s junk folder and you’ll probably see dozens of phishing attacks and other fraudulent messages offering you money and so on.

Semi-targeted attacks

Have you ever received an unexpected support phone call what purports to be Microsoft or your Internet Service Provider (ISP)? These are just some of your enemies and you need to be ready for when you ‘meet’ them. They might know something about you, but they are not out specifically to get *you*. We call these semi-targeted attacks.

It may be that you are of potential interest to more serious criminals. If you run a business, are in the process of buying a house or are simply older (the idea being that you likely have more money than a young person) then the target on your back is larger. The attack could become more specifically targeted at you.

Only you know who you are and can guess at who might profit from running a cyberattack against you. But if you have a bank account with money in it then general cyber attackers will be interested. If you hold a responsible position at a large company then industrial spies might pay attention. Academics working in certain areas of science or politics will also be attractive to governmental agencies.

Finally, and less excitingly, you might be your own worst enemy! Is it more likely that you’ll forget a critical password or lose your phone down the toilet than being targeted by a government hit squad?

Form a plan

At this stage you’ve thought about what you want to protect and from whom. You may also have a few ideas about who your allies and enemies are. It’s time to prioritise. Risk assessments (which is what we are doing here) usually take the form of putting the likelihood of a problem up against its impact. Consider the following table:

	High Likelihood	Medium Likelihood	Low Likelihood
High Impact	HIGH	HIGH	MEDIUM
Medium Impact	HIGH	MEDIUM	LOW
Low Impact	MEDIUM	LOW	LOW

You can use a chart like this to start forming your plan. List out some realistically conceivable scenarios, including loss, theft or destruction of an asset.

For example, consider your work bag, which contains your phone, laptop and ID. The loss or destruction of this asset would be high impact. The amount of time, money and effort to restore business as usual for you would be large. And the inconvenience you face without it would be disruptive to your work and personal life.

We’ll use the top three parts of our Risk Assessment Chart to classify some different situations. Are you likely to leave your bag on the train? If you commute daily then this is a risk, but you know yourself best. How much of a risk is it that *you* will leave your bag on the train? Medium?

What about theft? What is the crime rate like in your area? Does your bag look expensive? Do you look tough or ‘muggable’? Maybe for you the risk of theft is Low.

Plug that information into the chart and we can see that leaving a bag on the train is a High risk and having it stolen is a Medium risk.

Walking through the risk management

Now we have two risk ratings, and we need to handle them.

Risk of leaving the bag on the train: High

The following steps could reduce your risk to a more acceptable level:

• Always keep your bag on your lap.
• Use something from your bag, like a book or laptop, on your commute. You’ll need to put them away at the end of the journey.
• Insure the contents of your bag.
• Don’t put anything valuable in your bag.
• Stop commuting.

You can see that there are a variety of countermeasures, some of which are more realistic than others. Insurance is a common way to reduce risk, but it usually only helps with the financial replacement of items. It won’t give you back the time you spent creating work or setting up new devices.

Risk of losing the bag to theft: Medium

The following steps could reduce your risk to a more acceptable level:

• Always keep your bag on your lap.
• Insure the contents of your bag.
• Don’t put anything valuable in your bag.
• Use a scrappy-looking bag.
• Stop commuting.
• Take self-defence classes.

Many of these steps are similar to those relating to leaving the bag on the train, but we have a couple of extras. You could become less of a target by using an inexpensive bag to hold your valuables. You could also become a ninja and beat off any potential muggers, but that brings its own new and interesting risks.

Given that some solutions work for both types of threat (loss and theft) consider the efficiency available here. Always keeping your bag on your lap will make it fairly certain that you and your belongings stay together. An unpretentious bag won’t attract unwanted attention. Also consider not putting all your tech in one basket, and keeping your ID, for example, in a pocket.

Security planning basic principles work

By applying basic security principles to all parts of your life, you can take control of the risks that matter the most to you. There is no one-size-fits-all plan, but you can use a number of general plans to improve your chances. Our general cybersecurity plan will reduce your risk online. With our extra tips you’ll be in the top 1% of secure internet users.

Security planning isn’t the preserve of the paranoid. You can save money by being efficient and not paying for insurance you don’t need, or redundant systems like spare laptops and phones. You save time because you won’t lose data in the event of a ransomware attack or physical theft. And ultimately life will be more convenient because you won’t waste time taking unnecessary security steps.

Sign up to our monthly business and personal security newsletters.

Posted on May 24th, 2022 by Simon PG Edwards and tagged 2022, cyber security, home user, infosecurity principles, insurance, online security, physical security, security, small business, threat profiling