
Identity protection by Imad Abbadi

In recent years we have witnessed unforeseen developments in internet services.

This includes, but is not restricted to, exposing the services of critical infrastructure sectors, e.g. e-banking and e-health, over the internet.

Some banks now offer full e-branch services that allow customers not only to transact over the internet but even to open new accounts, both to save costs and for customer convenience. Similarly, healthcare systems, pharmacies, hospitals and insurance companies are being interconnected to increase trust and prevent crime. Governments have already started offering almost all of their services over the internet. Cloud computing is one of the major enablers of this rapid growth of services, reducing costs and supporting new business models in a way that has never been possible before.

The rapid growth of internet services has dramatically changed our lives. The internet brings great advantages that no one can ignore, but it also comes with risks that are hard to control. Internet services are developed and adopted so quickly that it is hard for society to understand their wider problems and prepare to tackle them. Security and trust establishment is one of the most discussed risks associated with internet services. We keep reading alarming stories about cybercrimes, which are not restricted to geographical boundaries, groups of people, nations, or types of organization. We are all exposed, and as individuals we need to learn the techniques and principles for protecting ourselves and others in cyberspace. This article briefly surveys the identity protection domain and clarifies the importance of our role as individuals in helping to secure cyberspace.

Establishing trust between parties communicating over cyberspace is becoming paramount. E-banking customers, for example, need to be sure they are communicating with their bank and not with a fraudster's website. At the same time, banks need to be sure they are being accessed by legitimate users and not by hackers. Attack tools are not restricted to a group of experts; they are widely available and can be freely downloaded from the internet. The availability of such easy-to-use tools, the presence of valuable assets on the internet and the lack of proper internet policing have encouraged criminals to hijack victims' identities. Most attacks get through not because of improper security controls but, more importantly, because of us. Hackers know that humans are the weakest link, because most people are still not educated enough about how to behave in cyberspace. Therefore, the majority of the top attacks, and those with the widest effects, are carried out by targeting humans rather than by breaking a complex security control.

Identity fraud is one of the top security concerns, as it is the easiest for hackers to start with. Existing standards in information security, or what are known as best practices, get outdated quickly given the advances in the threat landscape. What was best practice ten years ago is no longer accepted. For example, using a complex static password and rotating it every six weeks is no longer enough by itself to secure our identities. Technology vendors in this domain, kept under pressure by governments, financial bodies and others, develop new tools to mitigate the advances in the threat landscape while remaining user friendly.

The question that comes to people's minds is what we can do as individuals to protect our identities. As individuals or internet users we do not have much control over the deployed technologies, nor do we have sufficient knowledge to assess them. In many cases we have to follow agreed-upon practices, such as those enforced by our employers, governments and banks. Someone might say there is nothing we can do to protect our identities. This is in fact very incorrect: security experts and best practices widely agree that the root cause of major security attacks is individuals' lack of awareness in this domain. Phishing attacks, for example, are initiated by sending victims an email that encourages them to click on a URL or open a file. If the targeted person understands phishing techniques, he can easily avoid the attack. There are several sets of rules that we should follow as individuals, not only to protect our identities but also to help address major security threats. The most pressing ones are as follows:

- Awareness – we need to be aware of the well-known security threats that target individuals. Information about them is available on the internet and through employers' awareness sessions, which help us understand how to live in cyberspace. This learning should be an ongoing process that we maintain and follow. We do not need to know all types of attack, only the most important ones, such as phishing. We also need to be educated about social engineering and how to stop hackers at the early stages of impersonating our identities.

- Password management – passwords are used to prove ownership of identities. Passwords are widely used, but if we do not know how to manage them it is easy for fraudsters to hijack our identities. What can I do to protect my password?

o Password rotation. Ideally a password should be used only once, which is known as a one-time password (OTP). An OTP is a dynamic password, and several organizations such as banks are starting to enforce them. We should always opt for OTPs whenever possible, but service providers do not always offer them given the complexity and cost of deploying them.

Best practices recommend changing passwords every six weeks, which is inconvenient given that individuals typically have several passwords to remember. Constantly changing passwords makes them harder to remember and may result in people writing them on sticky notes, typing them into files on their PCs or just appending a sequence number at each change. There is always a trade-off between security and usability. The frequency of password change should depend on the criticality of the protected asset. However, changing the password must not result in excessive complexity that leads, for example, to passwords written on sticky notes.

o Password complexity. Passwords should be at least eight characters long and should contain numbers and special characters (e.g. -;@ etc.). The password must not be something that is commonly known or can be tied to us (such as names, date of birth, place of birth, the name of a city, etc.).

o Password uniqueness. We should aim to use application-specific passwords, i.e. a password must not be reused across several applications. For example, the password used at work must differ from the one used for personal email or the one used for e-banking.

I am fully aware that password management in practice is not so easy. To make it practical, I suggest the following rules:

- Asset classification – think about the nature of your data (email, work records, files, etc.) and aim to split it into categories based on sensitivity, so that you end up with 3-6 trust domains.

- Allocate a specific password to each trust domain and do not share passwords across trust domain boundaries. For example, you could end up with the following trust domains: e-commerce websites (airlines, health-club membership and newsagent); email (e.g. Hotmail, GMail); e-banking; and e-government. Allocate each a specific password that is easy for you to remember but hard for someone else to guess.

- Regularly change the password to something you can remember without writing it down but that is not too trivial to guess. For example, you could follow the sequence-numbering technique (adding a sequence number) while at the same time shuffling the characters, i.e. rotating them by one or two positions each time you change the password. For example, someone's password could be Pa$$w0rd35, then on the next change a$$w0rdP46, then $$w0rdPa57, and so on.

- Aim to use OTPs whenever they are available. Most e-banking services and email providers support OTPs. OTPs make the application secure while remaining user-friendly, as they are designed to be.

- Never share your password/PIN with anyone else, not even your service provider, including banks and governments! Such entities will never ask for passwords.
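As an added example (not code from the original article), the following Python implements the rotation scheme above (sequence number plus a one-character rotation, as in Pa$$w0rd35, a$$w0rdP46, $$w0rdPa57) together with a check against the complexity rules stated earlier; the step of 11 for the sequence number and the personal-term check are assumptions read off the article's examples.

```python
import string

SPECIALS = set(string.punctuation)  # e.g. - ; @ as mentioned in the article

def split_password(pw):
    """Split a password into its rotating body and trailing sequence number."""
    body = pw.rstrip(string.digits)
    return body, pw[len(body):]

def next_password(pw, rotate_by=1, step=11):
    """Next password in the article's schedule: rotate the body left by
    `rotate_by` and add `step` to the sequence number (11 gives 35 -> 46 -> 57;
    that step is an assumption read off the article's example)."""
    body, seq = split_password(pw)
    if body:
        rotate_by %= len(body)
        body = body[rotate_by:] + body[:rotate_by]
    if seq:
        width = len(seq)
        seq = str((int(seq) + step) % 10 ** width).zfill(width)
    return body + seq

def check_complexity(pw, personal_terms=()):
    """Return the list of article rules that `pw` fails (empty if it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    lowered = pw.lower()
    for term in personal_terms:  # names, birth dates, cities, etc.
        if term and term.lower() in lowered:
            problems.append(f"contains personal detail {term!r}")
    return problems

def rotation_schedule(pw, changes, personal_terms=()):
    """Generate `changes` successive passwords, each with its rule failures."""
    schedule = []
    for _ in range(changes):
        pw = next_password(pw)
        schedule.append((pw, check_complexity(pw, personal_terms)))
    return schedule

if __name__ == "__main__":
    # Constructed sample: the article's example plus hypothetical personal details
    for pw, problems in rotation_schedule("Pa$$w0rd35", 3, ["Imad", "1980"]):
        print(pw, "OK" if not problems else problems)
```

The check reports every stated rule a candidate fails, so a whole schedule can be screened before it is adopted.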

 

This article briefly discussed the importance of humans in protecting cyberspace. Humans are the weakest link, and the most widespread attacks started by deceiving internal employees into taking an action that enabled the attack. As individuals we need to focus on two directions: protecting our identities, and learning attacker techniques, focusing on those that target individuals. For the former we briefly covered identity management. We also suggested some rules to help us protect our passwords without adding excessive complexity.