What’s your data risk tolerance?

In response to a reader Ben Brooks wrote a recent article about his personal data security practices. That got me thinking about my own risk posture and how I secure the devices I own.

Hard Disk Encryption

Ben starts off with advice on disk encryption.

The basic things to encrypt are all of your HDDs/SSDs, your internet connection (when on a public network), your passwords, and any financial information you keep on your Mac.

Personally, I don't use it. Unless you are travelling to high-risk areas ( China? ) or are a high-profile person ( Scott Snowden? ) carrying highly sensitive your risk is quite low. Disk encryption is just too much of a hassle for the average person to deal with an it won't protect your data from a determined attacker.

I don't encrypt. I also don't carry any highly sensitive information on my a MacBook. I have no financial data on any portable device I own -- iPads, iPhone, etc --- I am more likely to have my iPad or iPhone lost or stolen than a laptop.

My philosophy is to try my best to mitigate the most likely scenarios.

iPad and iPhone

I hate having to type in a password each time I use my iPhone or iPad. But … both of these devices -- more so the iPhone -- are with me everywhere I go. These devices have apps for accessing my financial accounts and certain online storage accounts. Since it is more likely that I'll lose my iPhone or have my iPad stolen I put a very strong password on my device. Strong means something 12-18 characters in length. Something that's a combination of letters, numbers and symbols. No anniversaries. No birthdays. No names of your favourites pets.

Change your passwords regularly. At least once a year.

Most financial apps allow you to set a short four digit pin instead of requiring you to enter a username and password each time you use the app. Personally, I don't need access to my financial accounts more than once a day so I don't mind entering my credentials each time.

Internet Connection

I have two Apple AirPort Express wireless routers on my network. Both are configured to use WPA2 -- the strongest encryption for available for consumer Wi-Fi. I secure my wireless network with a strong password. I also enabled the guest network feature. This reduces the chance that compromised -- certain family members use Windows -- machines will attack my computers. The guest network also has a password. Why? I live in a townhouse development. Either my neighbours or the kids waiting at the school bus were surfing my network. At least that's what my router logs showed. Not anymore.

But just as I don't trust other computers on my network I don't trust other networks with my devices. I want to prevent malicious attackers from sniffing my network connection when I'm in an internet café. I want to be sure that a compromised computer on my in-laws' network doesn't hack my device. I encrypt all my internet traffic. Even when I'm on my own network.

The second most important thing to secure on your computer is the information you send and receive over the Internet. This information, if not encrypted, can easily be swiped by malicious individuals on open networks. (Think Starbucks, hotels, conferences.) This data is a very easy thing to secure with a Virtual Private Network (VPN).

Ben mentions Cloak which is a $24/year service -- per device. I use [Umbrella VPN][umbrella]. It's an enterprise-class service from the folks who run [OpenDNS][opendns]. For $25/year I get VPN coverage for all the mobile devices in my home. I have it installed on my iPad and iPhone, my son's iPad and iPhone, my daughter's iPad mini, my wife iPhone and her MacBook ( which almost never leaves the house ). The Umbrella service provides an easy to install app and profile, and a web front-end for configuring service options -- like the included web filtering. My family is no longer afraid to use Xfinity hotspot or Starbucks wi-fi.

There is, of course, an alternative: tethering. While tethering on a cell network is not the most secure thing, remember that the goal for the average user is just to be harder to hack than the average person.

But note Ben's caveat.

If you choose to use tethering via an iOS device, be sure to choose your own WPA key, as the automatically generated keys are susceptible to cracking.

I'm an Apple geek. No, I don't mean a Mac geek. I mean Apple. We have three iPads, three iPhone, a MacBook, an iMac, two AirPort Express devices, and an Apple TV. My kids and I have matching t-shirts with the words "I'm a Mac" on the front.

Passwords

Ok, so this is where I should advise you to use strong, unique passwords for every site and get yourself a copy of 1Password.

I love 1Password. I use the auto-generate password feature quite often. As I stated before I use 12-18 character passwords.

However, there is a caveat. There needs to balance convenience and security.

Because there is a set of accounts that you will need access to if everything goes tits up, you should have a core set of strong passwords, perhaps unique, that you can commit to memory.

The email account that you will use to recover your password from your other accounts? That needs to be something you can remember. Something you can recall if your 1Password ( or LastPass ) password file is deleted. Use a long phrase you can remember and use the first letter of each word of the phrase in the password. Substitute numbers for some of the letters and add some symbols as well.

For example, "I love listening to local bands play outdoors in the summertime" would become "illtlbp0it5t!".

Email

Longer version: it’s possible but incredibly cumbersome to encrypt this data and requires both sender and recipient to have encryption setup. Essentially you can’t just encrypt an email, one way, as both parties need to be able to deal with the encrypted data. The tools exist but they’re generally unfriendly to install and use.

I think Ben is overstating the difficulty of using digital certificates for encrypting email, especially given his position on full disk encryption. Installing a digital certificate is free and easy. I digitally sign all my email and my most technically savvy friends already used certificates. It's great to send encrypted email from my iPad or iPhone.

When you are evaluating how to secure your digital life, the most important thing is to determine what you are most paranoid about. Is it the NSA? Or Bob, the hacker that loves venti Macchiatos and reading your Twitter DMs?

The NSA most likely have tools that can defeat most of the consumer security tech available. I'm just trying to keep out the bored neighbourhood kids and the financial data thief sitting in the local coffee house.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale. #nobridge