This document serves as an outline of some best practices to keep your identity and your data safe. This is not a comprehensive guide – internet privacy is a large and technically complex subject, and there is a large gradient between ‘totally public’ and ‘full anonymity.’ While the security measures we at Cross the Divide put in place for our clients are both strict and enforceable, privacy is much more a matter of individual choice, and the degree to which you keep your internet behavior private is up to you.
Security Basics
Data Storage
Whenever possible, store all work-related data exclusively on the CTD network drives. The network drives we manage are backed up, secured, and have strict permissions limiting access. If your organization's policies allow it, you can store and share files from Teams, OneDrive, and SharePoint.
Do not store sensitive data on the desktop / hard drive of your local computer, in third party services (such as Dropbox or Google Drive), or on external USB / hard drives.
Why not?
- Physical security: Computers and USB drives can be (and frequently are) stolen. Anything stored locally on the computer is accessible to someone with time and tenacity, while anything on the network drive is safely out of reach.
- Backups: Anything stored on a local drive or in a third party service is not backed up, so if the computer breaks or the document is removed, we have no means of recovering it.
- Permissions control: Google Drive, Dropbox, and other services offer free or cheap document storage and sharing at the expense of security and privacy. Even when they are properly configured to limit access, these types of services are a primary target of hackers worldwide, and can be compromised.
Passwords
With so many services online requiring logins and passwords, it’s easy to become overwhelmed with the number of passwords you have to remember. This leads to common but very bad security practices, primarily the reusing of passwords. Do not reuse passwords across different accounts, do not store passwords when asked to by a browser, and do not use a third party password management tool (like KeePass).
Why not?
- Non-unique passwords: Most compromised accounts, whether they’re email, social media, or any other service, are not the result of true ‘hacking’ but of a password being captured either by malware or by a compromised website. What this means for you, as a user, is that if your Facebook password is the same as your Gmail password, which is the same as your bank account password, anyone who has access to one has access to all. Every service you use should have a different password.
- Caching passwords: Allowing a browser to ‘remember’ your password for you defeats the purpose of having a password. It saves you a few seconds of inconvenience while at the same time giving anyone with access to your browser access to your accounts.
- Password Managers: There are many password managers available that offer long and complex generated passwords, but again, if your password manager becomes compromised, the hacker has access to all your accounts rather than just one.
A better approach
Develop a simple, mnemonic system for remembering your passwords for every service while keeping them unique. For instance, let’s say your ‘base’ password is Secret. Every service you use will be a variant of that one password. Your Gmail password would be SecretGmail123, your Yahoo password would be SecretYahoo123, your Facebook password would be SecretFacebook123. While this may not seem like a particularly complex puzzle for a person to figure out, most account compromises are automated, and if your account passwords don’t match exactly, they’re thwarted.
Developing a simple, easy to remember, unique password system and changing your passwords a couple times a year is one of the simplest and most important things you can do for your personal security.
Multi-factor authentication
This is something we (Cross the Divide) will be relying on heavily in years to come, and many third-party services are beginning to offer it as well. Whenever a service offers this, it’s a great idea to take them up on it.
What is Multi-factor Authentication (MFA)?
Basically, MFA is a method of requiring two pieces of verification to log in to a service, the first being a password and the second being something external. Some services have you install an app on your smartphone – when you log in to the service with your password, you receive an alert on your phone which you must accept before being signed in.
Other services send a text message or call a phone number to verify your identity during sign-in.
A good rule of thumb is that any MFA is better than no MFA. Even if your password is compromised, unless the hacker also has your cellphone, your data is safe.
Email
Email is heavily relied upon in the modern workplace, but it’s important to remember that it is an old, insecure system that was not developed with security in mind. Although our email servers are secure and backed up, the email ‘ecosystem’ of the internet is by no means a safe space.
What should I do about it?
- Understand Spoofing: Even with our security measures and spam filtering in place, it’s not a complex technical task to make an email appear as if someone else sent it. This is called ‘spoofing’. If you see an email from an email address you recognize, yet the message itself is suspect, it could easily be someone masquerading as another sender. This doesn’t necessarily mean the sender’s email account is compromised or ‘hacked’, any more than a false return address on a letter means the sender’s physical address has been broken in to.
- Know about the scams: In the last year or so, non-profits have become a much more common target for ‘spear-phishing’ attacks. The premise is the same as the old ‘Nigerian Prince’ email scams we know and love, but made to look much more realistic. A common example:
John, the accountant at Dedicated Nonprofit, receives an email (seemingly) from Jane, the CEO. In clear but simple language, Jane tells John to wire $10,387 to a specific account to pay off a consultant.
There’s no outlandish request for millions of dollars, the sender obviously knows the recipient is an accountant, and the email is well-written in proper English. However, the reality is that the scammer has a) found the name and address of the CEO and Accountant from Dedicated Nonprofit’s website, b) drafted a simple but realistic email, spoofing the CEO’s address, and c) set up an account to receive a large but not unrealistic amount of money.
This type of scam has been surprisingly effective, with even large for-profit companies losing millions of dollars.
With any email you receive, particularly of a financial nature, be suspicious, and reach out to the HelpDesk with any concerns at all, or with questions about an email’s authenticity.
- Limit emailing of confidential info: In particular, always avoid emailing anything financial, such as credit card numbers, logins / passwords, or anything critical.
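The spoofing and spear-phishing signs described above can be checked against an email’s headers. The script below is an added illustration, not part of the original guide or any Cross the Divide tool; the message it inspects is constructed with placeholder domains, and the Authentication-Results header it reads is whatever your own receiving mail server records.

```python
"""Spot common signs of a spoofed sender in an email's headers. Added example,
not Cross the Divide's code; SAMPLE is a constructed message with placeholder
domains, and Authentication-Results is whatever your own mail server adds."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Doe <jane@dedicatednonprofit.example>" <jane.doe@lookalike-mail.example.net>
To: john@dedicatednonprofit.example
Subject: Urgent wire for consultant

John, please wire the consultant payment today.
"""

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def spoof_indicators(raw: str) -> list:
    """Return human-readable warnings for the raw message text."""
    msg = message_from_string(raw)
    warnings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # 1. Return-Path is the envelope sender (where bounces go); spoofed mail
    #    often uses a throwaway relay domain that differs from the From domain.
    if return_path and domain_of(return_path) != domain_of(from_addr):
        warnings.append(f"From domain {domain_of(from_addr)!r} differs from "
                        f"Return-Path domain {domain_of(return_path)!r}")
    # 2. Display-name spoofing: the visible name carries an address that is
    #    not the address the mail actually came from.
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", name)
    if any(e.lower() != from_addr.lower() for e in embedded):
        warnings.append(f"display name {name!r} contains a different address")
    # 3. The receiving server's own SPF/DKIM verdict, when it records one.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)\b", auth):
            warnings.append(f"{mech.upper()} check failed on receipt")
    return warnings

if __name__ == "__main__":
    for warning in spoof_indicators(SAMPLE):
        print("WARNING:", warning)
```

None of these checks proves a message is forged on its own; a legitimate newsletter can also have a different Return-Path, which is why the guide still says to confirm financial requests out of band.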
Suspicious Links
You'll find links everywhere on the internet. A link (short for hyperlink and also referred to as a URL) is a website page's address. You can think of a website page as a house, and the link is the house's address. You'll see this address in your browser's "address bar" at the top of your browser window. For example, here is the link for this page:
How do I protect myself?
- Be suspicious: It's very easy to create a well-designed fake website meant to trick you into handing over your sensitive account information to bad actors on the internet. We've even seen some impressive copies of Microsoft login pages or e-Doc signature pages.
- Never input your credentials: Let's say, for example, you normally navigate to "Facebook.com" and log in with your Facebook username and password. However, a bad actor might send you an email - carefully crafted to look like an official Facebook email - with a link to "Faceb00k.com" asking you to log into your account. If you enter your real Facebook credentials on that fake website, that bad actor now has your login information. And, as noted earlier, if you've used the same password for all your other accounts, that bad actor now has access to all those accounts.
- Preview the link: Before actually clicking on a link, try simply hovering the mouse over it. If you hover over any active link, you'll typically be able to view its full address. So in the above example, you may hover over the link and see that it goes to "faceb00k.com" instead of "facebook.com".
- For shortened links, such as those that use bit.ly or tinyurl, those websites typically have ways to preview the short link. For example, if you add a + to the end of a bit.ly short link, it will take you to a bit.ly page that displays the full address of the link. Similarly, for tinyurl, if you add "preview." between the https:// and the rest of the link (i.e. https://preview.tinyurl.com/test), it will take you to a tinyurl page that displays the full address of the link.
- Open the link in an incognito browser window: If you want to try opening the link, right-click on it and select Copy Hyperlink. Then paste and navigate to that link in an incognito browser window. This helps reduce the chance that bad actors will get access to any cached cookies or credential information stored in your regular, non-incognito browsing window. (And in case you're wondering about accidentally installing a virus by opening a link on a CTD-issued computer, it's a good time to review Is it a virus?)
- If you want, you can also check VirusTotal: You can navigate to virustotal.com, click the URL tab, then paste the link there. VirusTotal will then scan the link for any malicious attachments and flag them in red for you (you can also use VirusTotal to scan any suspicious email attachments before opening them).
- When in doubt, ask the Help Desk: Like the age-old adage goes, it's better to be safe than sorry. If you need a second pair of eyes on it, absolutely feel free to contact the Help Desk. We also recommend contacting whoever sent the link to you in order to verify its legitimacy (try calling them or using another verified contact method instead of simply replying to the original sender).
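The hover-to-preview and look-alike-domain checks above can also be done automatically over the links in a message. The following script is an added illustration, not part of the original guide or any Cross the Divide tool; the list of expected domains and the sample HTML are constructed for this example.

```python
"""Automatic version of the 'hover to preview the link' advice. Added example,
not Cross the Divide's code; KNOWN and SAMPLE_HTML are constructed here."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN = {"facebook.com", "microsoft.com", "google.com"}  # expected domains
# Digit-for-letter swaps commonly used to build look-alike names (faceb00k).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def registered(host: str) -> str:
    """Last two labels of a host (naive: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list:
    """Return one warning per problem found in the anchors of `html`."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # 1. Visible text names a domain, but the href goes somewhere else.
        m = DOMAIN_RE.search(text)
        if m and registered(m.group(1)) != registered(host):
            findings.append(f"text shows {m.group(1)!r} but link goes to {host!r}")
        # 2. The real host is a digit-swapped look-alike of a known domain.
        shown = registered(host)
        looked = shown.translate(HOMOGLYPHS)
        if looked in KNOWN and looked != shown:
            findings.append(f"{host!r} looks like {looked!r} but is not")
    return findings

# Constructed phishing-style snippet: a look-alike host, a mismatched link
# text, and one genuine link.
SAMPLE_HTML = """<p>Please <a href="https://faceb00k.com/login">log in to facebook.com</a>
or <a href="https://accounts.example.net/x">https://login.microsoft.com</a>
or see <a href="https://www.google.com/">Google</a>.</p>"""
```

Running `suspicious_links(SAMPLE_HTML)` reports the faceb00k.com link twice (mismatched text and look-alike host) and the Microsoft-looking link once, and says nothing about the genuine Google link.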
Privacy Basics
Privacy and Security, although related, are separate concerns in the technical world. We at Cross the Divide focus heavily on security, while privacy is more a matter of personal choice. In this section we will outline some common privacy concerns, and it’s up to you to decide how private you want your online presence to be.
Social Media
“If you aren’t the customer, you are the product.”
Social Media has become a common component of modern life, and it’s important to understand what this means for you and your data. Facebook, Google, Instagram, Nextdoor, or any of the hundreds of social networks that exist can be thought of as the world’s largest market research groups. Any service that is given away ‘for free’ is most certainly monetizing its users’ behavior. A few common examples:
- Targeted Ads: Facebook, Google, and other services are paid to show you ‘targeted ads’ which, based on your online presence, they think you are more likely to click on. They analyze everything you post or communicate, not necessarily for some nefarious purpose, but to more effectively sell you things. For instance, I have a dog, and am not ashamed to say that my limited Facebook postings are usually pictures of my dog. In the absence of any other info about me, Facebook presents me with thousands of ads for dog food, dog toys, etc. based purely on those analyzed pictures.
If you pay attention to the ads Gmail, Google Search, or any other social service provides, you’ll notice similar behavior. All of that data about ‘you’ is for sale, as well, to third parties.
- Customized Searches: Based on what Google knows about your online profile, you’re presented with personalized search results. A common example of this is searching for the word ‘impeach’ – based on a combination of data about you, your physical location, and your perceived political leanings, you’ll be presented with sites about ‘impeaching Obama’ or ‘impeaching Trump’.
- Integrated Services: In order to extend the reach of this data gathering, many different social networks have integrated services or products. Spotify, the music service, integrates with Facebook. If you use and allow that integration, Facebook will know a lot about your musical tastes. Similarly, Google’s free browser, Chrome, allows you to sign in to your Google account, allowing lots of data about your browsing habits in Chrome to be harvested by Google.
The most important thing to remember about social media is that it is not ‘free,’ and to greater and lesser degrees it is always public. Prospective employers may look at your Facebook profile when deciding whether to hire you. Advertisers know what you do and do not like. Law enforcement agencies can and do subpoena all sorts of info from social networks and network providers, including things like location data.
Best Practices and Alternatives
If you choose to use social media, personally or professionally, know that you are giving up some amount of privacy to do so. The following suggestions are up to you to follow, at your discretion:
- Keep your personal and professional accounts separate – this applies to email, social media, etc. There are times when the convenience of having one single email / calendar / Facebook account can have serious negative drawbacks. Some organizations have strict rules about this, some do not, but as a rule it’s best to keep a stark line between ‘your’ accounts and your employers’ accounts.
- When privacy is a concern, use alternatives – there are usually safer alternatives to mainstream internet services. DuckDuckGo, a Google search competitor, is a prime example. DuckDuckGo offers a free, non-personalized search engine. Internet Explorer, as a browser, doesn’t collect the same browsing telemetry as Google Chrome.
Browsing the Web
Web browsing is not an inherently secure or private action, but there are steps that can be taken to make it more private.
- InPrivate or Incognito mode: Most browsers offer a special mode that doesn’t keep or cache cookies or other website data. Going to Amazon.com, for example, in a regular browser will instantly show customized results and ads for you, while going to the same site in InPrivate mode prevents Amazon.com from seeing your cached data. Keep in mind that this is not a secure or private method – this does not hide your browsing behavior from your service provider or keep the websites from collecting data about you, it simply prevents caching of cookies or other local files.
- HTTPS is better than HTTP: At the front end of any web address, you’ll see either http:// or https://. https:// is a secure, SSL based encrypted connection that offers significantly more security and safety on a site than http:// does. Nowadays almost any reputable site or service will offer an https:// site in addition to an http:// site, and you should always use it.
- VPNs: One common suggestion for private web browsing is the use of a VPN. VPNs are a more technically complex solution than will be covered in this document, but if you have questions about them, feel free to reach out to the Help Desk.
Use limited, trusted devices and software
This is more for personal devices than CTD-administered computers, as we already protect against malware installation or use of sketchy software.
Just as with social media networks, many ‘free’ pieces of software monetize their users in other ways. To protect your data and your personal computer, only install software that is a) from a trusted source, b) absolutely necessary, and c) free of any secondary applications or installers.
A couple of examples to illustrate this point:
- Free smartphone apps, particularly on Android, are famous for having unscrupulous background behavior. Thousands of users discovered that a popular ‘flashlight’ application, which supposedly did nothing but turn on the camera’s flash, was uploading hundreds of megabytes of info about their phone calls and text messages from Android phones.
Be sure to research any app before you install it on your device. Remember, it’s not really free - they’re making money on it somehow.
- Beware of Bundled or Optional Installers: When installing any piece of software, sometimes you’ll be prompted to install other unnecessary or unscrupulous junkware. A common example of this is the Java installer, which comes bundled with things like the ‘Ask Jeeves’ browser plugin, which does nothing but harvest data about your search behavior. Be highly suspicious of anything optional a piece of software asks to install, and only allow things you actually need.
- Beware of shared computers: Always be cautious about using public computers or devices. Computers at a library or cafe, for example, should never be used for important services. Programs like keyloggers, which can capture passwords, are often installed on public devices.
More Info
Both privacy and security are large, technically complex topics, much too broad to cover in one document. If you have any questions about either topic, we at Cross the Divide are more than happy to discuss them with you.
The most important part of internet privacy and security is being a cautious and informed user.
Thank you for taking the time to read our guide!
Other Resources
- Google’s privacy guides for all its services, including YouTube and Gmail.
- Facebook’s privacy basics
- Explanation of a ‘cookie’ and how it affects your browsing experience
- Google Search alternative
- One of many hosted email alternatives to Gmail or Yahoo Mail. Paid, but without the data harvesting.
- Our website! Reach out to us with any questions.