Protecting Your Personal Information in the Digital Era

By Jason Beatty / NAR IT Technical Infrastructure Team

Post on 14-Jan-2016


TRANSCRIPT

Page 1: Protecting Your Personal Information in the Digital Era By Jason Beatty / NAR IT Technical Infrastructure Team

Protecting Your Personal Information in the Digital Era

By Jason Beatty / NAR IT Technical Infrastructure Team

Page 2: Introductions: A little about your presenter

Have worked in the IT field since 1997

Worked for a large hospital and two Fortune 500 companies before joining NAR.

Currently work with IT’s Technical Infrastructure Team

New presenter, welcome critiques afterwards

Page 3: The Goal of This Presentation

Learning what your digital assets are

Examining the current risks online

Making a plan to reduce your exposure

Tips on reacting to an information breach

About 45-50 minutes of presentation, 20-30 mins of discussion afterwards

Page 4: Assets, risk, exposure, breach - This sounds like a spy movie...

This presentation will not prepare you for international counter-terrorism or espionage

These are fancy names for basic concepts you already know. It’s common sense, applied in a new arena.

We will not be covering firewalls, encryption, or advanced security techniques. Just the basics.

Page 5: Why should you care about information security?

Many of your interactions with homebuyers may be conducted using online accounts

If you didn’t have access to your email or online accounts, could you conduct business as effectively?

If your customer’s personally identifying information were used to mass mail spam from your account, would it damage the relationship you have with them?

If your customers lost trust in your ability to keep their information confidential, how much time and effort would it take to rebuild that trust?

Page 6: Section 1: Assets

The “Who” and “What” of Information Security

Page 7: What’s an asset to you?

Who you are

What you own (digitally)

What other assets you can access

How quickly you can access other assets

Page 8: Why “who you are” is important

Page 9: So where’s your stuff?

Some questions to ask regarding where you keep your digital information

How many online accounts do you have?

What do those accounts have access to? Checking? Credit?

How many computers do you own? (Did you count your smartphone?)

What information is on each of those computers?

Do you make backups? Where are those? Own a flash (USB) drive?

If you had to list these things and couldn’t use a computer, could you?

Page 10: More bad news, we’re leaky...

We are always leaking information in our everyday lives

Cell phone conversations

Social media

Trash (physical trash)

Wireless networks

Business cards

Page 11: Have you seen this guy?

Page 12: More bad news: Information theft is a big business now

As more and more of commerce is conducted online, organized crime moved there as well

The same protection schemes that were used in the old neighborhoods still happen online. “That’s a very nice website, it’d be a shame if anything stopped people from seeing it.”

You and your computers can be used as tools, without even being aware of it. (zombies and botnets)

Page 13: What’s out there:

Phishing scams (misdirecting your web login to a bad site)

Keyloggers and other malware attempting to capture your passwords

False bank sites with similar names/designs as the main sites

Fake security warnings that ask you to click OK, executing arbitrary code

Other add-ons or programs that report confidential info back to a central source

Legitimate sites that may sell parts or all of your registration information or usage. “If you don’t pay for a service, then you are what’s being bought or sold”

Page 14: So what can we do?

Don’t panic

Assess your risk/exposure

Create separations between work and home, financial and entertainment accounts. Separate passwords.

Learn to keep a clean computer, scan and test regularly. Empty cookies often.

Make a plan for what to do if various accounts get breached.

Practice regular information hygiene. Weekly/monthly/yearly routines

Page 15: Section 2: Risk and Exposure

What can be compromised, and the cost of a breach

Page 16: Assessing your risk

Which computers do you use to access each of your accounts?

Do you own each of these computers? Are they public or private?

Are you saving your passwords or other information on these computers?

Are you wiping your Internet history after you leave a shared computer?

What can someone do with the information if they take it?

Which of your accounts share a password? Work and home? Bank and Facebook?

Does your whole family use the same computer? Do your kids know any of your shared passwords?

How ‘strong’ are your passwords? Dictionary words? Family or pet names? Birth dates? Parts of your own login name?

Page 17: Thinking about tiers of security

What if we organized our accounts based upon the personal impact of a breach of information:

Financially damaging or personally devastating (banks, credit, medical, etc.)

Personally damaging (medical, lifestyle, controversial info)

Potentially embarrassing (joke messages on your Facebook/Twitter)

Mildly inconvenient (“Oh no, they compromised my Food Network recipes!”)

Page 18: The Castle Metaphor

Page 19: Tiered passwords and strength

For each tier of accounts, decide what makes sense regarding shared passwords, complexity of the passwords, and how often you change them. Here’s my strategy:

Tier 1: Bank/credit accounts or things with direct access to either of them (auto bill pay, Amazon, iTunes, etc.) or 401k each have their own very strong password. None of them would be shared with other accounts, so hacks cannot cascade to other accounts. Changed once a year or if they are ever shared/leaked.

Tier 2: Accounts that relate to medical history or other privileged information also have strong passwords, but might share passwords if they’re for similar things. These are also changed once a year or if they are ever shared/leaked.

Tier 3: Facebook, Twitter, other social media and accounts linked to my online ‘presence’ would likely share a strong password. These would be changed on an as-needed basis.

Tier 4: One-off accounts for other websites, low priority stuff with only my email address. Shared strong-ish password. Changed on an as-needed basis.

Page 20: To each their own...

For some people, a Facebook account being compromised is as bad or worse than a financial breach. For others, the release of their Internet history would be personally devastating.

Consider what information is stored in each account or location. Weigh your options.

If your information is valuable to you, treat it as such. Learn how to protect it and practice good information hygiene.

Page 21: To list or not to list

I keep an offline (flash drive) list of all of my accounts.

I do not carry this list around; it’s in a media safe.

The list is password locked, and does not contain passwords to the online accounts.

In the list, I have the login name of every account, which website it goes to, what it has access to (credit, bank, PayPal, email, utilities, etc.) and the phone number of who to call if that account is compromised.

I make it a habit to review the list every 6 months.

Page 22: The list itself is a big risk

Building a map to all of your information is a large risk. If compromised, outsiders would know where to target attacks.

That list should remain offline and in a secure location.

• The advantage to having the list is that you are much more organized, can track your online presence more carefully, and react quicker in the event of a breach.

• The list is only as valuable as its accuracy. Review it regularly and update it. Remember that hygiene is a regular, practiced thing.

• Make the list if you’re comfortable with the tradeoff, and with keeping it updated.

Page 23: Please don’t make a clear text password list after you get home...

If you make a text or Excel password list, you’ve increased your vulnerability/exposure a lot

Password protecting an Excel file isn’t very secure

There are great products out there for keeping an encrypted password database.

1Password and mSecure are my favorites.

Page 24: Making strong P@$$W0rDs:

Strong passwords generally contain:

8 characters or more

Upper and lowercase

Numbers and symbols

Not a dictionary word, nor a part of your name, and not easily guessed

The password listed above is a terrible example. Everyone uses @ for an A.

How to make a strong password easy for you to remember, but hard to guess:

Use a phrase or song instead of a word. Preferably a phrase that you like, but don’t use in conversation or email, and can’t easily be guessed.

I used to like the phrase “There is no fate but what we make”. A password based on this phrase would take the first letter of each word. So TinfbwwM becomes the beginning password, then add a favorite number and symbol to it. TinfbwwM8& is a very strong password that’s easy for me to remember.
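As an added example (not part of the presentation), here is a small Python check that applies the four criteria above, undoes the “@ for A” style symbol swaps the slide warns about before testing for a dictionary word, screens for personal terms and birth years from the risk-assessment questions, and builds a password with the phrase-initials method using the slide’s own phrase. The wordlist and the names passed in are constructed for the demo; the capitalize-first-and-last-initial rule is my reading of the slide’s TinfbwwM example, not something the slide states.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-password wordlist
# (a production check would load a full list; this is only enough to run the demo).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon",
                "monkey", "sunshine", "football", "baseball", "iloveyou"}

# The symbol-for-letter swaps the slide warns about ("everyone uses @ for an A").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Undo the obvious swaps so 'P@$$W0rDs' is judged as the word it really is."""
    return pw.translate(LEET).lower()


def check_password(pw: str, personal_terms=()) -> list:
    """Return the slide's rules that the password fails; an empty list means it passes.

    personal_terms: names, pet names, login name, etc. that must not appear
    (the "part of your name / login name" rule from the risk-assessment slide).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")

    base = normalize(pw)
    letters = re.sub(r"[^a-z]", "", base)          # letters only, for the dictionary test
    if letters in COMMON_WORDS or letters.rstrip("s") in COMMON_WORDS:
        problems.append("a dictionary/common word once symbol swaps are undone")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in base or t in pw.lower()):
            problems.append(f"contains personal term {term!r}")
    if re.search(r"(19|20)\d\d", pw):              # four-digit year: likely a birth date
        problems.append("contains a four-digit year (birth date?)")
    return problems


def phrase_password(phrase: str, suffix: str = "") -> str:
    """The slide's method: first letter of each word, then a favorite number and symbol.

    Capitalizing the first and last initial reproduces the slide's "TinfbwwM";
    that capitalization rule is an assumption read from the example, not stated on the slide.
    """
    initials = [w[0] for w in re.findall(r"[A-Za-z']+", phrase)]
    if not initials:
        raise ValueError("phrase contains no words")
    initials[0] = initials[0].upper()
    initials[-1] = initials[-1].upper()
    return "".join(initials) + suffix


if __name__ == "__main__":
    # Constructed demo: the slide's "terrible example" beside its recommended one.
    for pw in ("P@$$W0rDs", phrase_password("There is no fate but what we make", "8&")):
        print(pw, "->", check_password(pw, personal_terms=["Jason", "Beatty"]) or "OK")
```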

Page 25: Favorite XKCD.com comic about password strength

Page 26: Other safety mechanisms...

Many banks and credit providers have fraud protection.

Not all fraud protection is for your benefit. Some providers simply state that in the event that you are defrauded, they are not liable and will shut your account off. The time to find that out is not when you’ve suffered a breach.

Others may send alerts to freeze all associated bank/credit accounts (e.g. PayPal) in the event of a dispute, possibly causing you to default on scheduled payments.

Find out what exactly is covered in the event of identity theft or fraudulent purchases. Sometimes $50 out of your pocket, the rest is covered. Sometimes only 100 miles from home is covered. Ask for plain-English answers.

Are you comfortable with the level of fraud protection for each account?

Page 27: Some good news about fraud protection:

Page 28: Credit and bank strategy

For my own finances, I keep many of the recurring utility online accounts (Nicor, ComEd, AT&T, etc.) linked to my main credit card that has $50 of “no fault” fraud protection. In any incidence of fraud, even if I’m found to be at fault, I should only be liable for the first $50.

I have a separate credit card from a different provider with similar fraud protection, and I use that for any higher-risk accounts (Amazon, iTunes, etc.). For that account, I’ve set it up so that I’m emailed after every purchase. I also have the option of being texted for every purchase, but I chose not to activate that.

For the few accounts that required that I link them directly to my checking account, I opened a side checking account with my bank, and have an automatic funds transfer between accounts. This clears money into the smaller checking account, but keeps the larger account mostly unexposed.

Page 29: Regular credit/bank hygiene

Weekly, I review my financial accounts and make sure I recognize all of the purchases, and my alert settings are still set up.

Yearly, I call my 3 credit card companies and my bank and talk to a representative regarding the plain-English explanation of my fraud protection. While this is in no way legally binding, it at the very least helps me understand what they’re liable for, and what I’m liable for. I ask questions such as:

What are some examples where I would not be covered in the event of fraud?

Do you have any advice or examples of further ways I could safeguard my account? (Verbally authorize purchases over a certain amount, etc.)

Do you offer a credit card with my picture on it? One-time credit card numbers?

Do you have any written materials explaining how the complaint/resolution process works for a fraud claim?

Page 30: Regular computer hygiene

Carefully consider when to use saved cookies, saved passwords, and saved forms. If those were compromised, what information could be gained?

Is there anything in my history that I don’t have documented or memorized? Clicking “remember my settings” should only be a convenience, not a crutch.

If someone else needs to use my computer and I have to walk away, I create them their own account. Even if they’re not malicious, it’s possible they could compromise my information unintentionally.

Learn how to lock your computer when you walk away; it’s easy to do on Windows or a Mac. You can also PIN-protect your mobile device.

When making purchases online, I verify that I’m browsing securely (lock icon in the bottom right, https:// site) and don’t save credit card info to be used again.

Before committing to the purchase, I re-evaluate the site. Does the site seem professional? Are they likely to be conscientious with my information?

Page 31: How far do you go?

For each person, the answer is going to be different.

I keep applying security until it gets in the way of getting stuff done, or it takes more time/money than what I’d lose if I suffered a breach.

Remember that you aren’t an island. If you’re breached and aren’t aware, it’s likely you’re a bridge to someone else being compromised too.

Learn to get comfortable with what’s exposed and what’s secured. If you’re doing it right, a breach should get your immediate attention but not be devastating.

Page 32: Thank You!

Any Questions?

Got a story to share?