Privacy practices and secure communications

By Brian Nibley

It’s a common misconception that privacy concerns are only for the paranoid or those with something to hide. In reality, having greater privacy is often a prerequisite to having greater security. If your information is made private, it’s a lot harder to compromise. Hackers need something to bite on in order to take a chunk of your life or business and tear it to shreds. Don’t give them that initial morsel. Do all you can to step into the shadows.

According to the Electronic Privacy Information Center, basic privacy is a constitutional right. A few simple methods to help prevent attacks include having better privacy practices and avoiding phishing tactics.

According to Marketwatch, Mark Zuckerberg has said that privacy comes before profits for Facebook. If that’s true, then surely companies like Facebook take measures to protect their own privacy. The methods described here apply to both individuals and corporations of all sizes. Below are a few things that can be done to make some of the actions of your company more private.

  • Use DuckDuckGo as your default private search engine. DuckDuckGo does not track its users, meaning there will be no trace of what your employees search for. This will alleviate some concerns over corporate espionage. In addition, DuckDuckGo generally yields better research results than most other private search engines.
  • Use Protonmail for all private company communications. Protonmail is an encrypted e-mail service based in Switzerland. Free accounts come with up to 500 megabytes of storage. E-mails sent to these accounts are private and cannot be seen by outside sources. Encrypted e-mails also come with the option of setting an expiration date – meaning they will delete themselves without a trace after a set amount of time, from one hour to twenty-eight days. It doesn’t get much more private than that.
  • Use Signal 2.0 for all cell phone communications. Signal allows for the same kind of security and privacy provided by Protonmail, but for texts and voice calls. Just as with encrypted e-mails, encrypted texts can be set to self-destruct after a time.

Better privacy practices won’t solve all your problems.

But they are a big step in the right direction.

If you can’t prevent an attack, you need to at least know it’s happening. If not, there’s no end to the damage that can be done. Many corporations and nearly all individuals have no detection whatsoever. Even government agencies tasked with protecting against cyber-attacks don’t always have sufficient detection.

Take the National Security Agency (NSA), for example. For months, Edward Snowden was opening classified documents and downloading them. He managed to operate undetected the entire time. An insider threat escaped the awareness of the NSA due to poor detection. How can you stay private and prevent this from happening?

StationX Canary Tokens allow you to create files that will act as trip wires for unauthorized access to your data. If an attacker opens a Canary Token, you will receive an e-mail notification immediately. This lets you know someone has been poking around in your system and keeps your data private.

While it’s ideal to not get compromised in the first place, having adequate detection ensures that you can mitigate the damage done by an attacker. Once detected, you can shut down all systems, preventing further privacy intrusions.

Most of the time, however, detection won’t be much of a concern. Hackers have figured out that the best way to gain access to a system is to go straight to the source via social engineering. Hackers have begun to turn into amateur spies. The majority of successful hacking today is not done by means of some sophisticated computer program or network attacking technique. It’s simply accomplished by using phishing tactics.

Educating employees about phishing is one of the simplest and cheapest ways for companies to prevent attacks. Many organizations have already begun incorporating such education into their standard training programs. Phishing e-mails, phone calls, and websites are the most common techniques used by hackers.

Never click a link or download an attachment in an e-mail without being 100 percent certain that it’s from a trusted source. In fact, it’s best to not even open e-mails unless you can tell they’re from someone you know. Be sure to check the address the message was sent from. A common tactic used by attackers is to use a name from your contacts with a single letter changed in order to violate your privacy.

Another way to help avoid this is to use separate private e-mail addresses. Give one address out for general purposes and another for strictly business. This way, if an e-mail arrives at your general address, you will know to be on high alert for anything suspicious. This will prevent attackers from phishing for your information.

Make it a rule to never click a link or download an attachment in an e-mail, period. This shouldn’t be hard to do. With cloud storage, you don’t need to send e-mail attachments as often as in the past. And you can always find a link on your own rather than trying to go there directly through the e-mail. Attackers use this method often to invade privacy.

Phone calls are a more sophisticated form of social engineering. A caller might impersonate someone higher up the corporate ladder and ask for sensitive information. They will then use this information to make an attack. Again, the easiest way to avoid this is to make it a rule to avoid sharing information whenever possible. Verify the source, and then see if there’s some other way to do what’s needed. This will keep you private.

Fake websites are perhaps the most difficult phishing traps to avoid. They can look exactly like the real thing. A fake site can even present an SSL certificate and display the padlock icon next to the URL, so the padlock alone proves nothing. The only way to avoid these attacks is to constantly check the web address word for word. If anything appears to be off, don’t enter any personal information. In addition, most browsers and anti-virus programs have features that will warn you of potentially fake sites.

Using encrypted communication, having some detection set up, and avoiding phishing will go a long way toward preventing hackers from doing their thing. It will also mitigate the damage that can be done in the event of a successful attack.