KISS Principle: Keep it Secure Simply

You're probably familiar with the traditional KISS Principle, and if you're thinking of Gene Simmons or Ace Frehley, you're way off track. It has long stood for Keep It Simple, Stupid.

I’d like to update this to Keep It Secure Simply.

What’s easier to defend simultaneously, one fort or twelve? Say you only have one fort. How many gates, doors, ramps and other access points do you want through the wall to defend? A single gate is relatively easy to defend, which is why attackers throughout history resorted to scaling the walls or sapping through and under them instead. Think of Helm’s Deep in The Lord of the Rings!

The fewer points you have to defend, the better you can focus your defenses, making attackers work significantly harder.

Now think about your digital life. Consider these questions:

  • How many exposure points do you have to defend? Look at your bookmarks. Look at your browser history for the last 60 days. Lots more there than you thought, isn’t there?
  • How many of them are interrelated? Consider these two high-profile cases where hackers were able to take one piece of data from one account, use it at another, and then another, to completely undermine these unfortunate souls.
  • Could your digital life withstand such an attack? Sure, you can’t stop an hourly-wage call center representative from giving out more information than they should, but how far can the hacker then take that single piece of information and reuse it to move on and on? Here are a couple of tips:
    • Use two-factor authentication everywhere you can, and if at all possible switch from a service that doesn't offer it to one that does.
    • Don’t have your “password reset” email be your main email address. Better yet, create an email account for this purpose alone, and of course with an email service offering two-factor access. Never use this “password reset” account to send email.
    • If a site has you answer security questions that are later used to recover a password or access, please, please don’t answer the questions accurately! The answer to a question such as “Best friend in high school?” should be something like “strawberry” or “piggedypoo”, not Bob. A good password manager can help you manage this easily. See the next bullet point on password managers… they have many uses!
  • How many sites have you interrelated by using the same password? Yes, I know a separate password for every site is impossible to remember without resorting to patterns, and patterns become apparent to attackers. If your online Chase bank password is “123Chase456” and your GoDaddy password is “123Godaddy456”, do you really think those will hold up once one is compromised? Time to get with the 21st century and get a password manager that creates unique, complicated passwords for every site! Me, I’m a LastPass fan, but there are several good ones. Remember the two-factor tip above when choosing one!
  • Do I really need to buy this on a site I've never used before? Sure, it may save you a couple of bucks today, but why give more people your credit card and attendant information than you have to? Would you drive to a bad part of town to get a deal?
  • How many of the services you use have more data than necessary? A couple of tips:
    • If you can sign up with fake data and have the service be effective, do it.
    • Beware how much personal data you make public on social media, especially if you ignored my advice above about not answering challenge questions accurately. If the answer to the challenge question “Best friend in high school?” is Bob, how long would it take me to find that out on Google+ or Facebook?
  • How many accounts are stranded, ones you don't even use anymore? Time to work through your bookmarks or password manager and either close them, edit down to a bare minimum the data they hold (do they still need your credit card number?), and/or change the password to something unique and complicated. Do I need to bring up two-factor authentication again at this point <grin>?
  • How many of them are necessary for you at all? If dey ain’t, den close ‘em down!
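
To make the password-pattern point above concrete, here is a small audit script I'm adding here (it is not part of the original post and not from any password manager vendor). It runs over a constructed, made-up vault export in the shape of the examples above, finds passwords that are simply the site name dropped into a fixed template, finds outright reuse, and shows how an attacker who learns one templated password can guess the next one. It also generates a random nonsense answer for a challenge question using the `secrets` module. The vault contents and the helper names (`site_token`, `template_of`, `guess_from_leak`, and so on) are my own assumptions for the example.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample of what a password-manager export might contain for the
# habits described above. These are made-up credentials, not real ones.
SAMPLE_VAULT = [
    ("chase.com", "123Chase456"),
    ("godaddy.com", "123Godaddy456"),
    ("amazon.com", "123Amazon456"),
    ("example-forum.net", "Summer2013!"),
    ("example-shop.net", "Summer2013!"),
    ("bank-example.com", "Kq8#vZ2mLp!wT9xR"),
]


def site_token(site):
    """The word an attacker would guess you embedded in the password: the
    label just left of the TLD, e.g. 'chase' from 'chase.com'.
    (Assumption: two-level hosts; 'example.co.uk' would need a suffix list.)"""
    host = site.lower().split("/")[0]
    labels = host.split(".")
    token = labels[-2] if len(labels) >= 2 else labels[0]
    return token.replace("-", "")  # people drop hyphens when typing a name


def template_of(site, password):
    """Replace the site's own name (any case) with <SITE>, so that
    '123Chase456' and '123Godaddy456' collapse to the same template.
    Returns None when the password does not contain the site name."""
    pattern = re.compile(re.escape(site_token(site)), re.IGNORECASE)
    normalized, count = pattern.subn("<SITE>", password)
    return normalized if count else None


def find_templates(vault):
    """Map template -> sorted sites whose passwords follow it (2+ sites)."""
    by_template = defaultdict(set)
    for site, pw in vault:
        t = template_of(site, pw)
        if t:
            by_template[t].add(site)
    return {t: sorted(s) for t, s in by_template.items() if len(s) > 1}


def find_reuse(vault):
    """Map password -> sorted sites that share it verbatim (2+ sites)."""
    by_password = defaultdict(set)
    for site, pw in vault:
        by_password[pw].add(site)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


def guess_from_leak(leaked_site, leaked_password, target_site):
    """What an attacker does with one compromised templated password: derive
    the template, then fill in the target site's name in common casings."""
    template = template_of(leaked_site, leaked_password)
    if template is None:
        return []  # nothing to learn from a random, unique password
    token = site_token(target_site)
    variants = {token, token.capitalize(), token.upper()}
    return sorted(template.replace("<SITE>", v) for v in variants)


def random_answer(length=8, alphabet=string.ascii_lowercase):
    """A nonsense challenge-question answer like 'strawberry', but random,
    drawn from the OS CSPRNG; store it in the password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("Templated passwords:", find_templates(SAMPLE_VAULT))
    print("Reused passwords:", find_reuse(SAMPLE_VAULT))
    print("Guesses for godaddy.com from the Chase leak:",
          guess_from_leak("chase.com", "123Chase456", "godaddy.com"))
    print("Fake answer for 'Best friend in high school?':", random_answer())
```

Run against the sample vault, the script groups the three "123<SITE>456" accounts together, flags the two accounts sharing "Summer2013!", and shows that the GoDaddy password falls straight out of the Chase one, while the random bank password yields no guesses at all.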

Yes, this KISS principle seems to fly a bit in the face of the traditional Keep It Simple, Stupid version, but remember one of my Security Maxims: being insecure is easier than being more secure. Since being secure isn't the easiest approach, stupid, Keep It Secure Simply.

NSA FUD. Ain't acronyms fun?

There's probably more information in this article on the NSA surveillance issue than many of you are interested in reading, but I couldn't help pointing out Bruce Schneier's agreement with my Security Basic #5: if someone wants to "get" you, they will. Bruce puts it this way:

"These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period."


Security Concept 5 (of 5)

Concept 5: If someone wants to "get" you, they will. This is the most difficult reality, and one most never want to consider. Having worked in IT security for over 20 years, much of it selling internet security products, I've been in hundreds of meetings where security discussions dive down the "make us perfectly secure" rabbit-hole. The best way to stop such madness-inducing explorations is to point out that all security eventually comes down to physical security. How's that?


Security Concept 4 (of 5)

Concept 4: There is no "silver bullet" of security. Security, like staying warm, is best accomplished in layers. Consider your favorite heist movie. Financial institutions physically protect assets with locked doors, security guards, video cameras, motion detectors (infrared, lasers, etc.), dye packs (the ones you see in the movies), seriously hardened vaults with still more keys including time-release controls, etc. Some of these are not purely preventative, but also:

  • Predictive: identify the threat before it penetrates further layers, and
  • Forensic: given Concept 1, it is good to have a leg up in recovering stolen goods.

Security Concept 3 (of 5)

Concept 3: You have to trust someone. This is true in both the physical and electronic world.

  • You put letters in the mailbox trusting your neighbors and the USPS to do and not do what they are supposed to do.
  • Ever get in a car and drive down the street with oncoming traffic? Do those yellow lines actually protect you from those cars, or are you trusting complete strangers?
  • We all make phone calls communicating the most intimate details of our lives to others. Countless phone company employees have the ability to capture or monitor these calls illegally, using the same functions law enforcement uses legally with a warrant. It's not that tough for someone to tap calls from the phone boxes in your neighborhood.
  • Got a bank account? A credit card account? Your funds are more electronic than anything else, accessible to dozens if not hundreds of financial institution employees.

Phone companies, cable companies, health care organizations, financial institutions, internet service providers, etc. are all regulated and have dizzying arrays of security controls in place. The problem is that they are staffed by humans, and humans are immoral, easily tempted beings, which is why the regulations and security controls are in place. Controls are just that: controls, not guarantees. See Concept 1. The postman can easily steal your checks, a phone technician can easily bug your calls, a bank employee can easily transfer your funds elsewhere.
