Annual security and privacy review 30 Dec, 2017

If you’re interested in information security at all, you probably know that process and discipline are its bread and butter. From your day-to-day hygiene: “don’t reuse passwords”, “don’t sit on security updates”, “don’t paste secret keys to Slack”; to more strategic questions like “what if I lose my laptop?” or “will this service be around in a year?”. As usual, forming the right habits can make you significantly more protected than average, but beyond that, you’ll need a more formal approach.

As a Getting Things Done (GTD) adept, I embrace the concept of periodic reviews. I go through my current tasks daily, I do a weekly examination of my projects on hold, and finally, I take time to reflect on my life goals every few months. As I’m writing this post, I’m wrapping up my third annual security and privacy review: a simple process that helps me worry less about my digital life. As David Allen puts it: “You have to use your mind to get things off your mind.”

So, what is a security and privacy review? If you’re familiar with the GTD method, you’ll feel right at home:

Get clear. Document and prioritize your digital assets. Get current. Review the security of each asset. Get creative. Reflect and plan improvements.

Let’s go over each step in finer detail, but first, a little warning. In this post I assume familiarity with the basics of securing your computer and protecting your identity online. If you feel lost, this Gist by Vicki Boykis is an excellent starting point. Once you’ve got the base covered, come back here for more.

1. Get clear

1.1. Document your assets

To get started, put together a list of your digital assets (on subsequent reviews, update this list). Write down any of your Internet-connected devices, digital storage devices (e.g., USB sticks or external drives), servers, and online accounts. The latter can prove difficult, because it’s common to have hundreds of accounts on various services. Unfortunately, I’m not ready to offer a well-established way to triage those, but asking the following questions can be helpful:

If compromised, can this account cause me direct financial damage (any banks or other financial organizations, budget planners, online stores with saved credit cards, etc.)? Do I use this service to share my opinions, photos, or other personal data (whether publicly or with a limited number of people)? Does this service support OAuth (i.e., do I login to other services with this account), or is it connected to another (valuable) account via OAuth?

If you answered yes to at least one of these, add that account to the list. Also, add your primary email account as well as all your recovery email accounts, all your SSH and GPG keys, and don’t forget to list all of your work accounts (neglecting those can sometimes get you fired).

Note. When evaluating the importance of your online accounts, beware of the “I have nothing to hide” trap. It often helps to replace “everyone” with a real person: your boss, parents, ex. If you’re not convinced, watch this classic talk by Glenn Greenwald..

A bonus tip for all 1Password users (other password managers probably support this too): it can be useful to sort your logins by last use date for the purpose of determining the most used ones. Sorting by creation date is a life saver on subsequent reviews.

1.2. Prioritize

While there is no lack of formal risk assessment techniques, I believe they’re too involved for our purpose. Instead, I adopted two different approaches: one for physical devices and one specifically for digital assets.

If you’re a typical user who primarily oscillates between the safety of their home Wi-Fi and various corporate and public networks, assign the highest priority to the devices that leave your house: typically your phone, tablet, and (or) laptop. Then goes your home router, and finally, any “stationary” devices connected to it (printers, desktop computers, smart speakers, etc.).

Digital assets are a little more involved. Currently I prioritize them by three different factors: amount of use, sensitivity of information, and what I call Reputation & Wallet score: the risk of damaging my professional or personal reputation; or causing financial damage. Put the documented assets in a table (or spreadsheet) like below and assign a risk score between 1 and 3 to every factor.

Service Amount of use Sensitivity R&W Score Total GMail 3 3 3 9 Mint 2 3 2 7 Facebook 1 1 2 4

While filling out this table, you might discover some unused accounts (e.g., an orphaned social network profile). I recommend pruning (canceling or removing) such assets, because they might otherwise be used by someone else. Another reason to do it is just to have fewer accounts to worry about.

At the end of this step, you should have a comprehensive, prioritized list of your sensitive assets. Don’t worry if you feel like you missed something: you can always add things later. Now is the time to review the security of each item.

2. Get current

At step two, I audit each asset and plan (or, if trivial, make) any necessary improvements. While the nature of such improvements is likely to depend on the type of asset, the audit is always focused on the classic CIA triad: confidentiality, integrity, and availability.

2.1 Improving confidentiality

Confidentiality means restricting undesired access to your information or devices. Some common measures to improve confidentiality include:

using cryptographically strong and unique passwords and secure PIN codes,

setting up multi-factor authentication,

making sure your actual privacy settings match your assumptions,

reviewing connected apps for OAuth-enabled web services,

encrypting your built-in or external storage devices,

using a firewall to protect your computer from other machines on the same network,

updating your software or firmware,

limiting physical access to your storage and computing devices.

Some online services like Google or Facebook provide built-in security checkup functionality, which walks you through a number of steps like ensuring that your password is sufficiently strong, and your recovery phone number and security questions are up to date. For others you’ll have to do it manually.

Confidentiality review is the perfect excuse to google your own name. Sometimes, such search can turn up unexpected surprises. For one, I like introducing people to Google Activity. If you don’t know what it is, you’re likely to be surprised when you see a comprehensive history of your web searches, visited locations, and other online activity going back years. Among my favorites: if you’re a long-time user of YouTube, your liked videos are probably public and they’re visible in your Google+ profile. Make sure you don’t have anything compromising there or better lock it down. I’ve heard stories of employers screening candidates out based on their YouTube history.

2.2 Ensuring integrity and availability

For your peace of mind, it’s imperative that your valuable data remains accurate, complete, and available. While there’s always a chance that you’ll lose everything, the following strategies tend to minimize such risk:

having one or more backup strategy for your local files,

adding a periodic reminder to export data from proprietary apps (e.g., Evernote, Dropbox, Feedly),

physically printing everything that’s of crucial importance (not joking).

When it comes to availability of your online assets, I strongly encourage you to consider the lockout scenario. Imagine that you lost access to your phone and all your computers (e.g., a house fire or you got robbed in a foreign country): how are you getting your online identity back? If you’re not sure, role-play this scenario and find out.

3. Get creative

Usually, by the time I reach this step I already feel in much better control. The entirety of my digital life is laid out and up to date in my spreadsheet. All necessary improvements are planned, and following the two-minute rule, I have a lot of smaller tweaks already done. This is the perfect opportunity to asses the changes since the last review and reflect on the big picture. Some questions that I might ask myself are:

Do I still trust Evernote with my notes?

Should I switch my email from GMail to my own domain?

Is Cryptomator still the best for encrypting files in cloud storage?

Should I continue to self-host my blog?

You, of course, will have your own questions. Some of them might spur an additional research project, others you will answer or discard immediately. Once you cannot think of anything else, the review is over. Congratulations! 🎉

Afterword

I want to emphasize that security is not something you do once a year. On the contrary, it’s a never-ending grind. The annual review is just the cherry on the cake which is your daily security hygiene. And yet, you’re never completely safe: despite any effort you’re still likely to get hacked at some point — such is the state of software. However, by regularly contemplating the worst, you will be better prepared if it happens.