« New Resources for Security Awareness Programs | Main | Incident Response Cheat Sheets »

Monday, 25 June 2012

Are Your Data at Rest Also at Risk?

In a recent tweet (@securityskeptic), I offered a definition of "data at rest" in social media driven society:

Data at rest are information waiting to be exfiltrated or disclosed without notice or consent.

Is this a spot on assessment or am I overly cynical?

Much of your data at rest are data you disclose or share, so judge my assertion by considering how large a portion of our increasingly mobile- and tech-enabled society shares seemingly every waking thought. Everything's in play: what food we eat, where we dine, our travel plans, the sports we play or watch, whom we like or despise, Our work place matters, projects, or research. Our social engagements, personal health, medical advice, emotional states, and (intimate) relationships. Even information that is arguably not for play is at risk of disclosure, a consequence of mishandling or malicious (criminal) activities (exfiltration, exploits, or targeted extraction).

Many Internet users share spontaneously or frivolously. In some cases, users share because they can’t access content without doing so. In other cases, users share because they think they are only sharing with friends, family or colleagues. In social networking, sharing (disclosing) can be infectious (“he shared so I will”).

The problem with sharing

What you  post to a social network has more permanence – and exposure to unintended use or misuse – than what you share in a face-to-face conversation. How often do you consider who processes or collects data that you share or why, where the data are stored or for how long? Do you think about the possibility that "your" data may be further shared by web sites that collect data? Many users are only now coming to realize that when all these data are coupled with location services or applications, they paint a detailed and elaborate picture of the intimate or sensitive aspects of who we are and how we live and behave.

As a test, look at your history of tweets, Facebook or Google+ postings, public and restricted. Nearly all of us voluntarily reveal a great deal more personal data than we imagine. But while we facilitate, we really aren’t our own or only worst enemies.

Your data are more popular than you are

The extent to which bits and pieces of personal data are collected and shared for commercial purposes is alarming. If you have a virtual presence, virtually everyone wants to know everything about you. Worse, our willingness to share is creating markets for even more data. Moreover, the risk that personal data will be exfiltrated or disclosed as a result of a data breach can no longer be discounted or dismissed.

Every day, the same people who share without hesitation or discrimination express righteous indignation when they discover an app, service provider or vendor is collecting or sharing their life bits without notice or consent. But even a small sampling of evidence tells a different story:

We don't have the will to question why something is free. Example: mobile users are so consumed with the notion that "the Internet is free" that they hesitate to buy a registered version of an app for a paltry $.99 when they are offered a "supported by advertising" version. Few consumers consider what the app is collecting from a mobile device, how the collected data are used, and by whom.

We undervalue our personal data. Example: users concede to sharing or disclosing what they might in other circumstances consider private information because it's a precondition for joining a social network. The prevailing sentiment? Shoulder shrug, it's the cost of participation.

We are more trusting or naive in the virtual world than the physical world. Example: We’ll happily strike up a conversation with a Twitter account we follow or see in a retweet. Would we be as trusting if a fellow subway passenger inserted himself into a conversation we’re having with a colleague or friend? 

How do we correct course?

Don't think in terms of major course corrections. Instead, begin with these small measures:

Accept that “free” is not worth the hidden cost. Paying for a mobile app may “free” you from ads or tracking, and you may unlock more features.

Use social media, but do so with eyes wide open. Assume that no matter what privacy controls say, what you publish may be shared or disclosed (remember, privacy policies can be deceiving or may change, and legislation like CISPA may render such policies moot).

Review what you have already published on social networks. Look at the profiles and posts you've made. Where possible, take advantage of privacy settings. Delete or obfuscate personal data that reveals more about you than you are comfortable revealing.

When subscribing to new social network, submit the barest minimum of information you need to create an account. For example, if you can create an account merely by identifying your country of residence or state, don't include your street address.

Separate personal and social network correspondence. Create a separate email account and use this as your designated point of contact with social media sites (and for correspondence). I know individuals who have separate email accounts for each social network (fredstwitteraccount@<emailservice>, mlbfacebook@<emailservice>...).

Small adjustments to behavior can be beneficial. The harder but sometimes wisest adjustment, however, is:

Walk away if you're not comfortable with terms or conditions of service, privacy policy, or treatment of data you disclose.

 

Posted at 07:01 AM in Stop Think Connect |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories