"Security for ordinary folks": Lessons from Signalgate - 7 - Is doing that really worth it?
Lastly, we have, is doing that really worth it? Also known as, should we be doing this at all?
Now, this chat channel was, supposedly, set up to prepare for a military operation. The purpose and intent of this discussion, supposedly, was to plan a military strike to degrade the capabilities of the people who are firing missiles at cargo ships transiting the Suez Canal. Certainly, on the face of it, this is a worthy endeavour.
Planning a military raid of this type certainly involves classified information. So it is extremely interesting that, in defense of their actions with regard to the whole scandal, those involved in the chat have said that no classified information was provided over this channel. This is, of course, arrant nonsense. The timing of the launch of warplanes sent to perform such a military strike is classified information. And, if it isn't, it should be. So, the statement that no classified information was sent is horse feathers.
However, there aren't many other instances of classified information in the chat. Indeed, when you read the entirety of the chat, or at least the entire transcript that is, so far, available to us, what strikes you is the lack of planning that is actually going on. This does not sound like a planning discussion. It doesn't seem to be planning anything. In point of fact, when you read the transcript, it sounds like nothing so much as a bunch of frat boys, at a kegger, commenting about how many females they have dated (for varying values of "dated").
Yes, there is information that is, or should be, classified. The classified information should not have been included in a discussion over a channel with this lack of security. No classified information should be discussed over this kind of communications channel. But the bulk of the discussion, far and away most of the text that is contained in the transcript, contains a remarkable lack of actual information. There are lots of opinions. There are insults galore. But planning?
So, you have to ask, why was this communications channel set up in the first place? And it's not the only one. Apparently, we are now learning, at least twenty similarly insecure communications channels have been created. It's likely that pretty much the same cast of characters are all holding similar discussions, potentially with similar classified information that shouldn't be discussed over them, and, presumably, with a very similar lack of purpose or value.
Once again, while it may be disturbing to know that the highest officials in the land are wasting their time in this kind of chatter, and that there don't appear to be any adults in the room in this particular administration, what does this have to do with you, as an ordinary person, concerned about your security?
Well, you should be asking yourself the same question that I asked at the beginning: is any of this worth it? Is what you are doing valuable? Is the information that you are holding actually of use to you? Are the emails that you are sending really necessary? In particular, are you sending information, in an email, or posting it to social media, or entering it into a website, just because the website asks you to enter it, when there really is no need for it?
Lots of retailers want to obtain information on you. They would like to have your address so they can send you promotional letters. They would like to have your phone number, so that they can make promotional phone calls to you. They would like to have your email address, or your social media account, or your various social media accounts, so they can send you promotional material that way, at much lower cost. But, as I asked of a retailer once, in the store, when, in finalizing a purchase, he asked me for my telephone number, why? What is the purpose of providing this information? In terms of answering questions on a website, or when making a purchase, yes, sometimes there are purposes and needs for the information, particularly if you're paying with a credit card. But why provide this information, just because you can, or just because somebody mentions something related to it?
Think about what you are posting. Think about what it lets people know about you. If you take a picture of a couple who are visiting you, in front of your front door, does that provide people with your street address? (A lot of people are particularly fond of posting pictures of their kids on social media. A lot of people who are trying to enlarge their footprint on social media, or who see themselves as influencers, do a lot of this, and have posted pictures of their kids, or videos of them doing various activities, for pretty much all of their lives. Some of the kids are now starting to object to the fact that their own privacy, that is, the kids' own privacy, is pretty much completely compromised, because of postings that their parents have made.)
We have a common saying in the information security community: if you don't want people to know all the details of your private lives, stop posting all the details of your private lives on social media.
We talked, earlier, in our first and second lessons, about risk management. Risk management is the heart of security management, and therefore the heart of security. One of the last stages of risk management is cost-benefit analysis. Cost-benefit analysis is where we weigh the cost of what we are doing, or are proposing to do, against the benefit that we expect to derive from doing it. So, to boil this final lesson down to its basic components: what benefit is this activity going to provide for you, compared to the cost, work, effort, or expended resources that you are going to have to pay in actually doing it? And, in terms of posting information: what is the benefit that I am going to derive from providing this information, or posting this information, compared to what it might cost me in terms of what this information gives away, to somebody else, that might come back to bite me later?