"Security for ordinary folks": Lessons from Signalgate
A couple of days after this all broke I was due to do another "security for seniors" session. We were *going* to start on frauds and scams. But with this all over the news, and everybody talking about it (mostly incompletely, and often misinformed), and with so many basic security lessons to be learned from it, I figured I should take advantage of the opportunity. So I covered the scandal, pointing out, along the way, that even though this news story was about national and even international security, it still had lots of lessons that *everybody* could benefit from.
So, day by day, herewith some security lessons, applicable to seniors, homemakers, owners of your own business, students of security, security professionals, and all the way down to vice presidents of superpowers.
"Security for ordinary folks": Lessons from Signalgate - 1 - Rules
Lesson one: this is why we have information classification rules.
Okay, maybe I have to back up a bit here. A lot of ordinary folks will think information classification, itself, only applies to governments, the military, and big corporations.
First of all, this whole story, and scandal, couldn't have happened to a nicer guy. I mean that, quite literally. Nicer people are people who tend to follow the rules. The MAGA camp is led by someone who not only doesn't think that the rules apply to him, he doesn't think that there *are* any rules, at all. He thinks that rules, and policies, and laws, are for suckers. People who follow the rules are weak, and are at a disadvantage when dealing with him. He doesn't like rules, and laws, and doesn't think that there are any norms or standards of behavior. He likes chaos. He likes chaos because it means that he can do pretty much anything, and needle people, and get under their skin, and make them mad, knowing that when people are mad they will make mistakes. The art of the deal, in his true viewpoint of the world, is simply taking advantage of every mistake that everybody makes. People who believe that there are rules, and laws, and norms of conduct, are going to be at a disadvantage when dealing with him. Since he doesn't like rules, he makes sure that nobody who is around him believes in rules, or laws. He doesn't want to have anybody around him who will tell him that you can't do that: that that is against the law, or this is against policy, or that normal rules of diplomacy, or business, or anything else, say that you shouldn't do this. Whatever "this" happens to be at the moment. He wants to be able to do whatever he likes, and the weirder, and more chaotic, probably the better. So the people he's got around him are also people who ignore even the fact that there *are* rules, laws, policies, or anything else that could restrict and confine and limit what you actually do.
But that is simply a political position, and a social observation, and really doesn't have anything to do with security for ordinary people. What does have to do with security for ordinary people is risk assessment. Risk assessment is simply looking at any activity, and noting what risk this activity poses for you. And, in terms of information security, it is looking at any piece of information that you provide, and noting how important it is, to you, that this piece of information either be available to you, or, more likely, not be available to anyone else. Or be available only to a select group of people. And what you are going to do to ensure that that group of people remains select.
To illustrate this point, I assume that all of you know not to paste your credit card number on the outside of your door. Or to print it out on pieces of paper, and scatter them around the neighborhood. If somebody gets hold of your credit card number, there is a chance that they can use it to start buying things, and then you have to pay for them. On one of the occasions when a media outlet asked to have me on the air, it was about using credit card numbers on the Internet. I should mention that this happened about thirty years ago, and so the technology involved in credit cards, and credit card numbers, was a little bit different. The host of the program, after we had talked about the bulk of the issues that had raised the topic, jokingly said something about how he guessed that I would never buy anything with a credit card on the Internet. I said that I never had, but that I had no objection to doing so. He was greatly surprised, and asked why that was the case. I asked him if he had ever paid a restaurant bill with a credit card. He, once again very surprised, said that of course he had. Remember that this was taking place quite a while ago. This was before portable terminals and card readers would come out to the table as a matter of course when paying the bill for the meal. What, I asked, you mean to tell me that you are willing to give your credit card to a person who is probably making minimum wage, knowing that they are going to take your credit card away from the table, and take it who knows where, and do who knows what with it, before they bring it back? Oh, he said. I take your point.
The point of saying that we need to do information classification is to say that we need to think about the value of the information that we are dealing with, and then think about the possible risks of handling that information, in the way that we propose to handle it. Is it safe for us to do an e-transfer? Well, probably it is. Is it safe for us to send our credit card number, in an email? Well, the risks involved in that are probably a lot higher. Is it safe for us to send our bank account information in an email? Well, I have done that, when I'm performing a contract for someone overseas, and they are going to be paying me by SWIFT transfer. But I have a specific account, which contains very little cash, and which I use specifically for those kinds of transactions. You have to decide what the risks are, what the value of the information is, to you, and what the risks of that information going astray are, to you, and, even if you don't set up a formal information classification system for yourself, you do have to think about how valuable this information is, and what kinds of protection you need to put on it. That is, basically, the basis of information classification. How valuable is the asset, to you, and how great is the risk, to you. You have to make that decision.