OpSec, short for “Operational Security”, is the set of tactics and procedures employed to manage the risks of operating in hostile environments, such as the Internet.
Would you believe me if I told you 80% of Cloud adoption was not to AWS or Azure? Likely not, but this stat is far from false, though admittedly a little trolly. So let me provide some context: if we look at what businesses and consumers have adopted from a Cloud perspective over the last decade, it becomes abundantly clear that the largest use of Cloud has been Software as a Service (SaaS), rather than AWS, Azure or Google Cloud Platform. Now, of course you are already retorting that most SaaSes are running on AWS, and that is certainly not in dispute, but who do you have the contracts with? AWS or Ma and Pa SaaS Co.?
And herein lies an inconvenient truth: the majority of SaaS offerings, and by extension mobile apps, that both businesses and consumers have come to rely on have been or will be breached. This is a dark outlook on the future of our Internet consumption, but the reality is that the majority of our consumption is of SaaS services and mobile apps that have not taken adequate steps to protect our personal data.
In other writings I have discussed how the large CSPs are doing security better than us and how leveraging Cloud can actually enable us to do security better. But I always preface that statement with “if we let it”. That is because I believe we need to look at Cloud as a utility that we build on, and that it is our responsibility to leverage Cloud capabilities to do security better. The breaches we are seeing on an almost daily basis indicate that Ma and Pa SaaS companies are leveraging the Cloud to get to market quicker, but are failing to exploit the opportunity to do security better.
Cybersecurity experts understand that there is no perfectly secure system. Therefore we design our systems with the expectation of breach and the goal of minimizing the impact. We call this minimizing the blast radius. While this concept comes from systems architecture and engineering, we consumers of the Internet can also modify our habits in an effort to minimize the impact breaches have on our lives. So how do we minimize the blast radius?
When one is dealing with risk, any type of risk, we essentially have four options to choose from:
Accept the Risk: This is the act of ¯\_(ツ)_/¯ to risks and we are not even going to go there
Reduce/Mitigate the Risk: This is the act of putting additional controls or activities in place to minimize the likelihood or impact
Transfer the Risk: The act of outsourcing some or all of the risk with things such as insurance, which for consumers is not a reality
Avoid the Risk: The act of not doing a risky activity, which is a decent approach but not always reasonable
So it is important to keep in mind, whenever facing a decision about what to do, that these are our options. While the simplest way to avoid being part of a cyber security breach is to “avoid” the risk in the first place, it is not a reasonable expectation for businesses or consumers to simply not use modern Internet-based services. Therefore the rest of this article will focus on how regular Internet consumers can employ the Operational Security (OpSec) tactics we cybersecurity professionals use to reduce/mitigate the inevitable risks of using the Internet and SaaS offerings.
Most SaaS and mobile apps want you to sign up and share data with them. This means, at a minimum, an email address and a password. Most consumers will consider those two data points benign, but I’d argue to the contrary. Your email ties you to all your other accounts. Your password, which most consider secret, might not be as well protected by the SaaS as we would like to believe and could be exposed if the SaaS suffers a security breach.
So with that in mind, before signing up for the latest and greatest SaaS or mobile app, it doesn’t hurt to check out their website and try to determine the company’s maturity and their stance on privacy and security. By now privacy and security have become selling points, and it should be pretty obvious if the company takes protecting data seriously. On the other hand, if the website suggests the company is a fly-by-night Ma and Pa SaaS put together with duct tape, you may want to avoid it.
In many cases SaaS offerings are monetizing the data you provide (directly and indirectly). So it is important to consider what they want you to share and whether you should share it, versus sharing fake data. Now, sharing inaccurate data could be against their lengthy terms and conditions that you didn’t read, or potentially illegal, so it is important to understand the difference. For the most part, though, you can likely get away with giving some inaccurate data that, if lost in an inevitable security breach, won’t impact you nearly as much.
From a direct data collection perspective, this is the data you are actively sharing, from the details about yourself you fill in during sign-up or profile updates all the way to the photos and GPS coordinates you choose to share. This is a personal choice and a risk-based decision to share or not to share, but I will reiterate: given the likelihood that the SaaS or mobile app you are using will suffer a cyber breach, ask yourself this one question:
Are you ok with that data becoming public?
Now regarding indirect data collection: SaaSes and mobile apps can act like vampires, sucking up data about you, where you are and what you are doing! Yikes. This is usually done behind the scenes through your phone or browser and can be very challenging to detect. Therefore the following are a few recommendations to minimize the blast radius.
Most apps, especially apps focused on monetizing data about you, are going to ask for an excessive number of permissions on your mobile device. You should review what they are asking to have access to and try disabling the permissions if you do not see an intrinsic value in sharing that type of data. Most of the time the app will complain but still function; however, if it does not function you should ask yourself why a flashlight app needs access to my text messages... Creepy!
When we are using the Internet through a browser, SaaS and websites are also slurping up lots of details about you and your activities from your browser. While most of this is done to sell you hyper-targeted advertising, the same information can be used for nefarious purposes, and therefore we want to explore the opportunity to minimize the blast radius.
There are many browser plug-ins that you can install as complementary applications to your browser which will minimize the blast radius while using the Internet.
Privacy Badger - Developed by the EFF, it is focused on blocking connections to online tracking services that track your Internet behaviour and share it with advertisers and retailers
uBlock Origin - There have been many ad blocker browser plug-ins over the years and I have found uBlock Origin to be effective at minimizing how much advertising I see
NoScript - Admittedly I do not have this plug-in installed anymore. It is by far the most effective at stopping the creepiness of websites and SaaS; however, it blocks the scripts that practically every modern website depends on, essentially breaking the Internet. This creates a bad user experience and eventually results in it getting uninstalled. However, if you are treading off the beaten path on the Internet, it can be a life saver.
Please keep in mind that these browser plug-ins are intended to improve privacy but do not solve privacy entirely, and occasionally the website you are visiting will not work properly with the plug-in blocking it. These plug-ins can be disabled temporarily or configured to whitelist websites and SaaS so that they load properly.
Over the past weekend’s Thanksgiving dinner with family, I chatted with my brother-in-law about cyber security. I gave him a preview of some of what I had been writing for this blog post, which led us to discussing “Advanced OpSec” tactics, which in turn led to the following section. I originally thought the “advanced” tactics were too complicated for the average Internet user and was going to leave them out. However, it turns out my brother-in-law was in one way or another already implementing many of these tactics at home! Now, by no means is he an IT professional by trade, but clearly he had an interest in protecting himself and his family from the dangers lurking on the Internet and figured out on his own how to implement these advanced tactics. Therefore, I added the following section for the average Internet user who wants to use above-average preventative (and detective) techniques for protecting themselves on the Internet.
The above recommendations are fairly easy to do and can help reduce the impact of an inevitable cyber security breach of your favourite SaaS or mobile app. However, I have decided to provide two additional tactics that I employ, which are more complex to implement but are very effective in my defensive strategy.
I am sure this is not news, but don’t re-use the same password on different websites. This is because when the inevitable breach happens at your favourite website, hackers will attempt to re-use that password to break into your other accounts. We call this lateral account movement, and it means a hacker who broke into a “who cares” account like DoorDash will attempt to re-use your stolen credentials to break into, say… your bank. Yikes!
So being secure on the Internet requires passwords to be challenging to guess, easy to remember, but unique per website. Meeting these three requirements isn’t easy without an exceptional memory, which most of us don’t have, so here are a few tactics you can employ to have better passwords:
While the most paranoid will suggest having a new password for each website that looks like this: “V0&f3S*c!vv2:s12”, I am happy to agree with most normal people that this is not a reasonable expectation. Instead we should be creating easy-to-remember passwords that are hard for a computer, or even a human, to guess. Now, there is a great XKCD comic on the subject which covers the basic concepts of strong passwords, but I would add to XKCD’s comic by suggesting you can use similar passwords while still making them unique to the website. Let me explain.
A good password is something that is not a “dictionary word” and is long enough that a fast computer couldn’t eventually guess it. As XKCD points out, yesteryear’s dogma of the C0mpl3x p@55w3rd is not as secure as it once was, and they go on to suggest that longer is better than complex. However, the obvious problem is that as a password gets longer we humans will remember less of it, let alone unique ones for every website. Therefore, what if you could create a password that was unique to every website but still easy to remember?
Take the “good password” from the XKCD comic, “correcthorsebatterystaple”: it is long and somewhat easy to remember, but not unique. However, if you shimmed in a character or two specific to the website, you would essentially have a unique password for each website that would be very easy to remember. So for example, if you shimmed the second letter of each website’s name into this password at a predictable location, the results would look like this:
Good: Character in the middle of the password, for Gmail:
“correcthorsembatterystaple”
Better: Numeric value of the character in the middle of the password, for Facebook:
“correcthorsebattery1staple”
Best: Character embedded in a word within the password, for Instagram:
“cnorrecthorsebatterystaple”
Now, there will always be a risk that a human looking at the password could recognize the pattern; however, as I mentioned in the Breaking Business blog post, most of these breaches are automated and therefore these patterns would likely not be detected by the computer. That said, if your password framework has a recognizable pattern such as “doghouse4gmail007!”, there is absolutely a chance that your other passwords could be guessed.
Now, it makes sense that you would want to know all your passwords; however, that leads us to the bad habits of simple and reused passwords. Well, there is an app for that. Let me introduce you to password tools, better known as password managers. These tools allow you to securely store your passwords for each individual website and will aid in logging into the websites without having to type in your passwords. These tools provide substantially more features and security than your browser’s password safe. I’ve been using LastPass for a number of years and am very happy with how they have enabled me to have complex passwords without having to remember any of them!
This tactic is more complex than most of the other recommendations I have provided and requires some technical know-how, but I have found it to be very effective in minimizing the blast radius and, as a bonus, in being an early warning canary that my data has been stolen or sold. Canary email addresses take the concept of providing a unique password to each website a step further, by providing them with a unique email address as well! So how do I do this?
There are two means of using the canary email address tactic, one stealthier than the other. The easier but less stealthy of the two is Gmail’s “plus addressing”, which allows you to append other words to your email address, essentially making it unique. For example, if your email address was johnsmith@gmail.com you could sign up for Facebook with johnsmith+facebook@gmail.com, and mail sent to johnsmith+facebook@gmail.com would magically arrive in your normal inbox. This feature is easy to use, but it does reveal the actual email account “johnsmith”, which could allow a hacker to work out the true email address.
The more advanced canary email solution provides better overall protection but requires a little more work: buying a custom domain and email service. While I understand that paying for email seems weird to most Internet users, there are a lot of benefits in doing so, well beyond being able to run canary email addresses. Once you are signed up you will need to configure a “catch-all” inbox within the email service. Most email service providers offer this feature, which allows you to receive mail for all “undefined” addresses on your domain. Once the catch-all inbox is configured, any email sent to your domain will be automatically received in the catch-all folder. You can even create filters to move important canary email addresses to your primary inbox and leave the rest of the commercial noise in the catch-all folder for future review.
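As an added illustration (not code from the original post), here is the shim scheme above written out in Python: the three rules applied to the XKCD passphrase, plus the check a practitioner would want before adopting it, namely whether two of your sites share a second letter and therefore end up with the very same password.

```python
# Added example (not the post's code): derive a per-site variant of the
# XKCD passphrase with the three "shim" rules shown above, then check that
# the variants really are unique across the sites you use.

BASE_WORDS = ["correct", "horse", "battery", "staple"]


def site_letter(site: str) -> str:
    """The post's key: the second letter of the site name, lower-cased."""
    return site.lower()[1]


def shim_good(site: str, words=BASE_WORDS) -> str:
    """Good: the letter itself, dropped between the 2nd and 3rd words."""
    return "".join(words[:2]) + site_letter(site) + "".join(words[2:])


def shim_better(site: str, words=BASE_WORDS) -> str:
    """Better: the letter's alphabet position (a=1) between the 3rd and 4th words."""
    n = ord(site_letter(site)) - ord("a") + 1
    return "".join(words[:3]) + str(n) + words[3]


def shim_best(site: str, words=BASE_WORDS) -> str:
    """Best: the letter buried inside the first word, after its first character."""
    first = words[0]
    return first[0] + site_letter(site) + first[1:] + "".join(words[1:])


def find_collisions(sites, rule=shim_good) -> dict:
    """Map each password shared by two or more sites to those sites.

    Two site names with the same second letter collapse to one password,
    which silently defeats the "unique per website" goal.
    """
    seen = {}
    for s in sites:
        seen.setdefault(rule(s), []).append(s)
    return {pw: ss for pw, ss in seen.items() if len(ss) > 1}


if __name__ == "__main__":
    for site, rule in (("gmail", shim_good), ("facebook", shim_better),
                       ("instagram", shim_best)):
        print(f"{site:10s} {rule(site)}")
    # "gmail" and "amazon" share the second letter "m": same derived password.
    print(find_collisions(["gmail", "facebook", "instagram", "amazon"]))
```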
Canary email addresses add complexity to your day but here are the three major benefits for using them:
First, it minimizes the blast radius of a hacker getting a login and password from a breached website and using it on other websites. The username (and hopefully the password ;) ) are unique, therefore the hacker’s automated login checks will fail and they will move on.
Second, it is the canary in the coal mine that will let you know if your account details have been compromised, as you will likely start receiving phishing emails at the canary address that only one website should ever know about.
Last but not least, canary email addresses can help you determine if a legitimate-looking email is in fact legitimate. For example, if I bank with CIBC, I would have a cibc@mydomain.com canary email address, and that would be the expected address all CIBC emails arrive at. If I receive a CIBC email at any email address other than cibc@mydomain.com, I know with confidence it is fraudulent and it goes in the garbage.
The Internet is a dangerous place that we love to play in, and hackers are lurking around every corner. However, the cyber crime industry is playing a numbers game, and highly automated hacking allows regular Internet users to leverage the above tactics of cyber security professionals to stay one step ahead of the bad guys.
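An added example, not part of the original post, turning the second and third benefits into a mail filter: each canary is paired with the one sender domain it was given to, so inbound mail sorts into expected, leaked canary (unexpected sender writing to a canary) or brand mail arriving at the wrong address. It handles both the catch-all and the Gmail plus-addressing style; the sender domains (cibc.example, doordash.example) and the sample messages are constructed placeholders, and it keys on the sender’s domain rather than the display name.

```python
# Added example (not the post's code): triage inbound mail against a canary
# address plan. Each canary local part is tied to the single sender domain it
# was given to; every other combination is either a leaked canary or a brand
# mail arriving at an address that brand was never given.
# Sender domains and sample messages are constructed placeholders.
import re

MY_DOMAIN = "mydomain.com"                      # custom domain with a catch-all

# canary local part -> sender domain it was handed to (placeholders)
CANARIES = {"cibc": "cibc.example", "doordash": "doordash.example"}
BRAND_TO_CANARY = {dom: local for local, dom in CANARIES.items()}

_PLUS = re.compile(r"^([^+@]+)\+([^@]+)@(.+)$")  # user+tag@domain


def canary_tag(to_addr: str):
    """Return the canary a message hit, or None for a non-canary address.
    Handles both styles from the post: catch-all on MY_DOMAIN
    (cibc@mydomain.com) and Gmail plus-addressing (johnsmith+cibc@gmail.com)."""
    local, _, domain = to_addr.lower().partition("@")
    if domain == MY_DOMAIN:
        return local
    m = _PLUS.match(to_addr.lower())
    return m.group(2) if m else None


def triage(sender: str, to_addr: str) -> str:
    """Classify one message by (sender domain, canary it arrived at)."""
    sender_dom = sender.lower().rsplit("@", 1)[-1]
    tag = canary_tag(to_addr)
    if tag in CANARIES and CANARIES[tag] == sender_dom:
        return "ok"                                   # right brand, right canary
    if tag in CANARIES:
        return f"leak:{tag}"                          # canary known to someone else
    if sender_dom in BRAND_TO_CANARY:
        return f"wrong-address:{sender_dom}"          # brand mail, not to its canary
    return "unclassified"


if __name__ == "__main__":
    SAMPLES = [  # constructed (sender, recipient) pairs
        ("alerts@cibc.example", "cibc@mydomain.com"),
        ("promo@spam.example", "cibc@mydomain.com"),
        ("alerts@cibc.example", "johnsmith@gmail.com"),
        ("news@doordash.example", "johnsmith+doordash@gmail.com"),
    ]
    for s, t in SAMPLES:
        print(f"{triage(s, t):28s} {s} -> {t}")
```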