In The Clear: Information Gathering by ISPs, Why You Should Care, and How to Protect Your Privacy

I was speaking with my wife last night about the impending bill that allows Internet Service Providers (ISPs) to gather information about the browsing habits and behavior of their customers, and then sell that information to third parties. I told her that we needed to get a Virtual Private Network (VPN) service to encrypt our internet traffic and deny our ISP the treasure trove of information that they could gain from us. Her response surprised me. She asked what use it would be to use a VPN if most consumers did not and simply carried on as they always had. After several attempts to convince her that my priority rested on the privacy protection of our own family, my wife asked how making such an effort would actually solve the problem.
I was at a loss for words at that point, a fact that was probably very evident to her. She then continued by saying that I should pivot my privacy evangelism outward and explain the same to others, as most people will not know enough about the situation to actually care. This was a severe gut check, seeing as how most of my writing and speaking over the last few years has been centered on breaking information security concepts down in a way that will make users understand and care about the consequences of their digital actions. By only thinking about finding a technical solution to my own problem, I was doing nothing different from organizations that implement user behavior analytics (UBA) to combat insider threat (as opposed to taking the time to ensure that their employees are effectively trained). While UBA can be an excellent complement to user awareness training, it should never be a substitute, as it does not actually solve the root problem.
Thus – this article is my response. Just like my wife, most people are very willing to give up on their own privacy in order to more easily access the apps and websites that they frequent. How many people freely hand over their personal information to the world through Facebook, Tumblr, Twitter, Instagram, and countless other social media outlets? After all, what do they have to hide? Anyone can follow them around the grocery store to see what they buy on a regular basis (Note: this is already done digitally, which is another topic completely).
The important thing to understand here is that it isn’t just about what you are “Googling”. Other information is farmed, such as the order of websites that you go to, how much time you spend on each one, what you buy online, what types of social media websites you use (which can lead them to mine the information freely provided, as stated above), what internet-connected applications you use, what types of devices you have connected to the internet and their software versions, what usernames you frequently use, etc. While we pay for access to the internet, the internet itself is primarily free. I heard someone on one of the securityweekly.com podcasts once say something to the effect of “if the product you are using is free, you are the product.”
Google, Facebook, and several other vendors have been using your behavior and information for years in order to generate income. I’m not saying that we need to pull out our aluminum foil hats, as that is simply their business model. We do, however, have control over how much information we make available about ourselves, our families, and our employers.
Several companies are currently looking into using user behavior for their multifactor authentication solutions. By knowing where you are, how you use your device, and what you use it for, they can generate a digital fingerprint that does a very good job at identifying and authenticating users. This isn’t simply an idea for fantasyland – it is being used and it absolutely works. Behavior authentication is likely going to be the solution to passwords and other poor authentication methods. Now let’s get back to the topic at hand. All of that information that behavior authentication technologies use will be freely available to your ISP (and anyone they sell it to).

This may sound like fear, uncertainty, and doubt (FUD), but common knowledge about you can be used for more practical purposes as well. Whenever you try to recover a forgotten password from your bank or almost any other website, you are asked a set of security questions. How many of those could be determined by observing your online activities? Better yet, what if they could use that information to get into your email? On top of all this, I have not yet seen any requirements for protecting the data that the ISP collects on you, whether or not they plan on selling it.

Finally, I would be irresponsible if I did not at least provide a few solutions to this problem. Some examples of relatively inexpensive and easily-configured vendors can be found in this article and countless more that are popping up every day in response to this concern.
If you have any questions, please do not hesitate to leave a comment. We can be the change we want to see in our lives – we just need to understand the need for it. 

Steve Higdon has been working in the information security field for over ten years, providing support and consultancy to both public and private sector organizations. Steve can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.

The IT Security “Skills Gap” Isn’t a New Concept

There are two very real problems in cybersecurity today that you may or may not have seen in the headlines, reputable periodicals, or even your LinkedIn feed. There just aren’t enough skilled security professionals to go around. How could that be, when we are frequently inundated with requests for mentorship from people who are trying to break into the field? To be frank, organizations simply aren’t hiring entry-level information security professionals. They all want someone with demonstrated skills and experience to help secure their information environments.
The solution might be older and simpler than we think. Apprenticeships have been around for hundreds of years – even in the United States. There are records of apprenticeships in New England as early as 1640, where Thomas Millard worked and received on-the-job training from William Pinchon. European apprenticeships go back even further, especially in the stonemason and blacksmith trades. It didn’t end there, with skilled trades like plumbing, carpentry, electrical, and even butchery lasting well into the late part of the 20th century before seeing decline. Throughout history, we have been able to find creative ways to help bridge skills gaps through on-the-job training programs. The information security field can see all the benefits of early-day apprenticeships, where training, experience, and certification separated amateurs and hobbyists from trusted professionals.

The hardest part about starting an apprenticeship program is getting started. Human resources, recruitment, and other staffing processes will differ from more traditional employment. Fortunately, there are government programs in place to assist organizations with implementation, such as the Department of Labor’s ApprenticeshipUSA and various state-run programs. These programs also help find ways to subsidize costs and raise awareness. Even more benefits might be available by offering apprenticeships to veterans, those with disabilities, and recent college graduates.
If your organization is finding it difficult to keep the information security workforce charged, or if you are looking for ways to grow your team without breaking the bank, please consider giving back to the entire information security community by starting an apprenticeship program.


Image: Repro. of painting by (Louis-?) Emile Adan (1839-1937), copyrighted by Braun & Co., N.Y., Public Domain, available via Library of Congress (ID cph.3b27512)


People and Information Security: My Personal Mindset Shift

Image source: Mike Bird (https://pixabay.com/en/users/MikeBird-1860391/)
When I transitioned from Active Duty military to the Reserves, I was very fortunate to land an information security job within the Department of Defense. If I am being absolutely honest with myself, I probably wasn’t ready to take on a role at that level. One of my favorite quotes for these situations comes from Richard Branson, the business magnate who has a net worth of about $5.2 billion. He said, “If somebody offers you an amazing opportunity but you are not sure you can do it, say yes – then learn how to do it later!” I’ve lived by that idea and it hasn’t yet served me wrong. On my first day as a bona fide information security professional, I hadn’t received my network access and was dutifully reading hard copies of information security policies and regulations. After watching me stare with glossed eyes into a three-ring binder for several hours and perhaps even feeling a bit sympathetic, my new boss decided to test my mettle. He handed me a stack of printed slides and told me to look them over, and then share my thoughts.
I remember that it was a request for a commercial internet connection that would help a small IT shop test their remote communication kits for their executives. After a few quick glances and wanting to prove myself, I threw the stack of paper onto the table that separated our desks and told my boss that all they wanted to do was get around the security controls that were protecting the organization’s network. They probably wanted to play online games, stream video, or engage in some other activity that would keep them from doing their job. I leaned back in my chair with a feeling of smug success. My supervisor picked up the slides, held them in his hands, and told me that he had called the manager of that IT shop the day before. Up to that point, the helpdesk employees were forced to take the communications kits home with them for testing and applying updates. They would certainly be willing and able to keep accomplishing their mission in this manner, but the manager was trying to find a way to allow his employees to keep their work in the office and not encroach on their time off. He had tried everything he could to find a way to use the organization’s network to get the system updates and testing done, but compliance barriers blocked every attempt.
I was speechless, and not because I’d just been gently put in my place. I had such a profound change in mindset at that moment that I couldn’t be bothered with speaking while I tried to sort it all out in my head. My formal education in information security and certifications failed to teach me the most important lesson, which was one that I better understood several years before when I was a young enlisted man serving as a tier-1 helpdesk technician. At the end of the day, it isn’t about applying security controls, complying with regulatory requirements, or even protecting the information. The purpose of security is to protect the mission. It is to protect the key business functions and capabilities that further the vision of the organization. Those helpdesk employees didn’t care about policy or assessments. They just wanted to make sure the equipment worked when it had to. It wasn’t my job to lock down the information, network, or devices. I had to find a way to allow people to do their jobs securely. Even though it was several years ago now, this moment’s lesson served as a catalyst of a personal mindset shift that I could no sooner unlive than forget.
If you are reading this, you may be wondering what you can do to increase the security awareness in your organization. Technical controls, policies, and compliance requirement alignment do a fantastic job at addressing yesterday’s problems, but only an intentional and impactful information security awareness program can help to discover and respond to the issues of today and tomorrow. We are constantly bombarded by references to the “insider threat”, so it is only natural that we start to think of the people in our organizations as vulnerabilities. This train of thought creates more barriers than benefits. We’ve seen several new products hit the market that are designed to analyze user behavior and highlight abnormalities. These tools certainly aspire to tackle the concerns over insider threat, but they do not even attempt to solve the root problem – users either don’t understand the security consequences of their actions or they simply don’t care. It is our job as information security professionals to increase their understanding in a way that influences users to start caring. If we can even take a few steps toward that goal, the people in our organizations can actually become security controls rather than vulnerabilities.