You're probably familiar with the traditional KISS Principle and if you're thinking of Gene Simmons or Ace Frehley, you're way off track. It has long stood for Keep It Simple Stupid.
I’d like to update this to Keep It Secure Simply.
What’s easier to simultaneously defend, one fort or twelve? Say you only have one fort. How many gates, doors, ramps and other access points do you want through the wall to defend? It is relatively easy to defend a single door, which is why, throughout history, attackers resorted to scaling walls or sapping through or under them instead. Think of Helm’s Deep in Lord of the Rings!
The fewer points you have to defend, the better you can focus your defenses, making attackers work significantly harder.
Now think about your digital life. Consider these questions:
- How many exposure points do you have to defend? Look at your bookmarks. Look at your browser history for the last 60 days. Lots more there than you thought isn’t there?
- How many of them are interrelated? Consider these two high-profile cases where hackers were able to take one piece of data from one link, put it to use at another and then another, and completely undermine these unfortunate souls.
- Could your digital life withstand such an attack? Sure, you can’t help an hourly-wage call center representative giving out more information than they should, but how far can the hacker then take a single piece of information and reuse it to move on and on? Here are a couple of tips:
  - Use two-factor authentication everywhere you can, and if at all possible change providers from one service that doesn't offer it to one that does.
  - Don’t have your “password reset” email be your main email address. Better yet, create an email account that is for this purpose alone and, of course, with an email service offering two-factor access. Never use this “password reset” account to send an email.
  - If a site has you answer security questions that are later used to recover passwords or access, please, please don’t answer the questions accurately! The answer to a question such as “Best friend in high school?” should be something like “strawberry” or “piggedypoo”, not Bob. A good password manager can help you manage this easily. See the next bullet point below on password managers… they have many uses!
- How many sites have you interrelated by using the same password? Yes, I know having a separate password for every site is impossible to remember without resorting to patterns that then become apparent to attackers. If your online Chase bank password is “123Chase456” and your GoDaddy password is “123Godaddy456”, do you really think those will hold up once one is compromised? Time to get with the 21st century and get a password manager that creates unique, complicated passwords for every site! Me, I’m a LastPass fan, but there are several good ones. Remember the two-factor tip above when choosing one!
- Do I really need to buy this on this site I've never used before? Sure it may save you a couple bucks today, but why give more people your credit card and attendant information than you have to? You drive down to bad parts of town to get a deal?
- How many of the services you use have more data than necessary? A couple of tips:
  - If you can sign up with fake data and have the service be effective, do it.
  - Beware how much personal data you make public on social media, especially if you ignored my advice above about not answering challenge questions accurately. If the answer to the challenge question “Best friend in high school?” is Bob, then how long would it take me to find this out on Google+ or Facebook?
- How many accounts are stranded, ones you don't even use anymore? Time to work through your bookmarks or password manager and either close them, edit down to a bare minimum what data they have (do they still need your credit card #?) and/or change the password to something unique and complicated. Do I need to bring up two-factor authentication again at this point <grin>?
- How many of them are necessary for you at all? If dey ain’t, den close ‘em down!
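The “123Chase456” / “123Godaddy456” problem above is easy to audit for yourself. Here is an added example (my own code, not from the original post or any password-manager product) that runs over a constructed vault export and flags both exact password reuse and passwords that differ only by the site's name; the site/password pairs and the `<SITE>` marker are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager export as (site, password) pairs.
# These are made-up values for the demonstration, not real credentials.
SAMPLE_VAULT = [
    ("chase.com", "123Chase456"),
    ("godaddy.com", "123Godaddy456"),
    ("example-mail.com", "123Mail456"),
    ("shop.example", "Tr0ub4dor&3"),
    ("forum.example", "Tr0ub4dor&3"),
    ("bank.example", "vR7!kq2#ZpL9wXs@"),
]


def site_tokens(site):
    """Words derived from the site name: each domain label except the TLD.
    Anything here appearing inside a password is a pattern, not a secret."""
    labels = [l for l in re.split(r"[.\-_]", site.lower()) if l]
    return labels[:-1] if len(labels) > 1 else labels


def template(site, password):
    """Replace any occurrence of the site's name inside the password with a
    <SITE> marker so passwords that differ only by site name collapse together."""
    result = password
    for tok in site_tokens(site):
        result = re.sub(re.escape(tok), "<SITE>", result, flags=re.IGNORECASE)
    return result


def find_weak_patterns(vault):
    """Return (reused, patterned): exact passwords shared by >1 site, and
    templates containing <SITE> that are shared by >1 site."""
    exact, templ = defaultdict(list), defaultdict(list)
    for site, pw in vault:
        exact[pw].append(site)
        templ[template(site, pw)].append(site)
    reused = {pw: sites for pw, sites in exact.items() if len(sites) > 1}
    patterned = {t: sites for t, sites in templ.items()
                 if "<SITE>" in t and len(sites) > 1}
    return reused, patterned


if __name__ == "__main__":
    reused, patterned = find_weak_patterns(SAMPLE_VAULT)
    for pw, sites in reused.items():
        print(f"same password on {len(sites)} sites: {', '.join(sites)}")
    for t, sites in patterned.items():
        print(f"pattern {t!r} on {len(sites)} sites: {', '.join(sites)}")
```

Any site listed in either group is exactly the kind of link a compromised account at one service hands an attacker for the next, and is the first place to spend a password manager's random-password generator.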
Yes, this KISS principle seems to fly a bit in the face of the traditional Keep It Simple Stupid version, but remember one of my Security Maxims: Being insecure is easier than being more secure. Since being secure isn't the easiest approach, stupid, Keep It Secure Simply.