Back on the road and in the air to visit family, friends, and favorite vistas! The national parks in Utah are busy but not impossible. I visited Arches two days in a row with just one car ahead of me going through the gate. Capitol Reef and Bryce Canyon were just as easy.
Denver International Airport was a different story, however. Years ago I opted for the security priority lane privilege (TSA Pre)—and have never regretted the cost and registration process effort. Walking barefoot through the millimeter wave scanner is not my happy place (unlike walking barefoot through saltwater waves). Nor is digging for my clear plastic quart-size bag of suspect gels and liquids (unlike digging in sand with grandkids). I don’t have to worry about forgetting my electronic gadgets in the plastic bin. Comfort and convenience with some cost involved.
That’s what security investment priorities should provide: comfort and convenience at a reasonable cost. How can companies—and individuals—frame security initiatives to balance and satisfy these competing priorities? How difficult are the top five high-impact security mechanisms?
Comfort as peace of mind. The conventional security triad names three overarching characteristics of security: confidentiality, integrity, availability (CIA). Companies within the DoD supply chain are contractually bound to ensure confidentiality as the lead priority: DoD-controlled unclassified information (CUI) must be protected. Depending on the circumstances, a CUI compromise (confidentiality failure) could lead to work order suspension, False Claims Liability Act damages (three times the contract value plus $11,000 per incident), or debarment. For these companies, implementing the security control objectives in NIST SP 800-171 is imperative. Do-it-yourself tools are available through state-level NIST MEP centers like Manufacturer’s Edge, through NIST, and through partner resources like Project Spectrum.
For all individuals and companies (even those not subject to contractual requirements like DFARS 252.204-7012, FAR 52.204-21, PCI-DSS, or HIPAA), protection against the top three cybersecurity attack techniques—phishing, social engineering, ransomware (i)—promotes comfort (peace of mind) and does not have to raise change-averse objections related to decreased convenience and increased cost. Global cybersecurity crime now outpaces global drug trafficking in terms of business “value.” It’s big business. (ii)
Convenience as a long-term perspective. From a short-term perspective, assembling the documents and going through the interview process for TSA Pre approval was not convenient. It required about eight hours, allowing for the time to make the extra run to the airport and back. I have not begun to calculate the number of hours I would have otherwise spent standing in line, nor the inconvenience of unpacking/repacking required inspection items. My gut tells me I came out ahead. The inconvenience of dealing with a potential account compromise in this world of cybertheft leads me to the long-term view of what constitutes convenience. It takes at most 15 seconds to re-enter credit card numbers (for eCommerce sites) or passwords (for cloud-based accounts like MS Outlook or Salesforce) rather than opt for their being remembered and stored by others. I’m OK with that.
Cost as reasonable investment. As with technology refreshment budgeting, investments in cybersecurity can be a “pay me now, pay me later” scenario. Production downtime has a cost, as do ransomware demands, which increased by 300% between 2019 and 2020, and storage fees for “just in case” files that have reached the end of their useful life.
Top 5 best practices. High-impact security mechanisms include the following:
- Access control: Use robust passwords or passphrases (12+ characters, unique for each account, unguessable (iii), unshared), multifactor authentication (MFA) (iv), least privilege (limit access to files, drives, or accounts to what is needed to accomplish job requirements). Also, limit use privileges—read, write, modify, delete, copy, print, share—to actual job needs.
- Communication assurance: Restrict use of the corporate or home network to essential communications. NOTE: Streaming media is not essential (unless you are in the film or music production industry) and is strongly associated with compromised websites. Media streaming, gaming, and certain web surfing activities should be performed over a guest network. (Yes, family members can be considered “guests”.) Verify who has sent an email prior to responding (i.e., beware of truncated or look-alike sender names or domains). Report phishing attempts to appropriate authorities. (v) Use a virtual private network (VPN).
- Endpoint protection: Use one or more anti-virus applications for real-time scanning of documents and devices to identify vulnerabilities; keep all software up to date; use physical and/or cryptographic (e.g., passwords) mechanisms to secure hardware; report lost or stolen devices immediately. Don’t share corporate devices with others, even trusted family members. Consider using endpoint firewalls. Back up work documents in multiple places.
- Media protection: Lock up and physically protect sensitive documents, external hard drives used for file backup, flash drives. Remove hard drives before sending equipment out for repair. Password-protect laptops and consider using encrypted flash drives. Safely dispose of all sensitive media by shredding, degaussing, or otherwise rendering them unreadable. (One of our client companies uses a drill press for its in-house disposal needs.)
- Secure configuration: Change default settings on all devices and equipment, select app preferences for greater privacy (vi), deactivate unnecessary protocols like Bluetooth when not in use, close ports as appropriate (vii), never opt for “save this password” or “remember me” features.
- Training and awareness: Although this could be considered an “endpoint protection” variant, learning about emerging threats, likely vulnerabilities, indicators (e.g., recognizing phishing, social engineering, and ransomware signs) (viii) and recommended mitigation can empower all of us. It does not have to lead to a dead-end conclusion that “we are doomed.” NIST’s Small Business Cybersecurity Corner is a superb resource.
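As an added example (not part of the original post), here is a small Python audit of the access-control practice above: it applies the stated password rules (12+ characters, unique per account, not a known-compromised value, with a constructed list standing in for the haveibeenpwned check in note iii) and tests whether enrolled factors are true MFA in the sense of note iv, i.e. drawn from two different categories rather than two “something you know” factors. The account data and the compromised-password list are constructed for illustration.

```python
from dataclasses import dataclass

# The three factor categories from note (iv).
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed stand-in for a breach corpus such as the haveibeenpwned password list.
COMPROMISED = {"password123", "Welcome2021!", "letmein"}


@dataclass(frozen=True)
class Account:
    name: str
    password: str
    factors: tuple  # category of each enrolled factor, e.g. (KNOW, HAVE)


def is_true_mfa(factors):
    """True only if the factors span at least two distinct categories."""
    return len(set(factors)) >= 2


def audit(accounts):
    """Return {account name: [issues]} for every account that breaks a rule."""
    users_of = {}  # password -> accounts using it, to detect reuse
    for acct in accounts:
        users_of.setdefault(acct.password, []).append(acct.name)

    report = {}
    for acct in accounts:
        issues = []
        if len(acct.password) < 12:
            issues.append("shorter than 12 characters")
        if acct.password in COMPROMISED:
            issues.append("appears in compromised-password list")
        others = [n for n in users_of[acct.password] if n != acct.name]
        if others:
            issues.append("reused on " + ", ".join(sorted(others)))
        if not is_true_mfa(acct.factors):
            issues.append("no true MFA (factors: %s)" % ", ".join(acct.factors))
        if issues:
            report[acct.name] = issues
    return report


# Constructed sample accounts: one clean, one weak, two sharing a password.
SAMPLE = [
    Account("email", "correct-horse-battery-staple", (KNOW, HAVE)),
    Account("crm", "letmein", (KNOW, KNOW)),  # password plus security question only
    Account("bank", "long-enough-but-shared-pw", (KNOW, ARE)),
    Account("shop", "long-enough-but-shared-pw", (KNOW,)),
]
```

Calling `audit(SAMPLE)` leaves the email account out of the report and lists the remaining accounts with the specific rules they break.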
Select a security priority lane.
The reality is that we cannot protect everything at once, but we can decide how to balance our priorities with respect to comfort, convenience, and cost. Tools and resources abound. It just takes a plan, determination, and action.
- (i) As identified in the 2021 Data Breach Investigations Report.
- (ii) Reports estimate about USD$1T annually or 1% of global GDP.
- (iii) Check whether your password shows up in common hacker resources at haveibeenpwned.com. While there, check whether your email accounts have been compromised in publicized data breaches.
- (iv) MFA consists of two of the following three: something you know (e.g., security question), something you have (e.g., token), something you are or do (e.g., facial recognition). MFA is often confused with two-step authentication, for example, two passwords. Using two different passwords to access an account is just layering two “something you know” factors, rather than layering two different factors.
- (v) If you receive a phishing email, forward it to the Anti-Phishing Working Group at firstname.lastname@example.org. If you receive a phishing text message, forward it to SPAM (7726). Report the phishing attack to the FTC at ReportFraud.ftc.gov with: cybersecurity, phishing, scam. We can all be part of the solution!
- (vi) The National Cybersecurity Alliance is a great resource for tips on performing a privacy check on mobile and other devices.
- (vii) See NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems.
- (viii) Some resources include Malwarebytes’ advice on dealing with business email compromise (BEC), FTC’s advice on phishing, and CMU’s advice on recognizing phishing attacks.