Two weeks after its release, Mark Greaney’s True Faith and Allegiance is already number five on the New York Times best seller list. It’s the latest action-adventure in the Tom Clancy franchise featuring hero Jack Ryan, Sr.
Greaney’s book explores the dangers you face when your enemies combine information you’ve shared publicly with data taken from places you thought were private. If you’ve already plowed through its 700 pages you might have new introspection about your social media presence.
True Faith and Allegiance explores the weaponization of stolen personal information. In the hands of foreign intelligence officers and terrorists, the results of oversharing are unpleasant, even violent. The book foreshadows news about a real case of data theft by foreign agents. On December 29 the FBI and Department of Homeland Security published a report describing how Russian civilian and military intelligence services compromised and exploited computing assets associated with the 2016 U.S. election.
The DHS/FBI report identifies spearphishing as the entry vector for the Russians who penetrated the Democratic National Committee. The joint report does not name targeted individuals, but the New York Times had earlier reported Clinton campaign chairman John Podesta was phished by a fake warning from Google to change his email password, revealing 60,000 emails to the hackers.
Similar disasters earlier in the year include large companies handing over tax return information to criminals effective in spoofing email from corporate executives. Hospitals, utilities and police departments became hostages in ransomware schemes enabled by targeted email. A federal indictment revealed how Chinese hackers had breached the online records of several NYC-based international law firms, and used stolen info for illegal insider trading.
In all of these cases, simple hygiene might have prevented the breaches. To help protect your privacy and property, we offer these New Year’s resolutions:
Don’t invite trouble by oversharing
Sharing too much information online leaves you vulnerable to highly targeted spearphishing.
Do you use LinkedIn? Fine, but consider how your profile information could be abused. Does your public profile state you work in payroll? Be wary when people you have never met ask to join your network. They may be gathering information or planning to ride your reputation into the network of their true target. Fake social media profiles persist because they work for the criminals using them to elicit public information that can fuel old school manipulation.
Does your Internet profile include the name of your spouse or children? Is your CV or resume posted online? What about an older version that reveals where you lived 10 years ago? That and other innocent information can be knitted into a well-researched, narrowly targeted email message that you are likely to open.
Stop, Think, Connect before you click
Careless email handling makes it easy for cybercriminals to penetrate computer networks. Armor yourself against social engineering by pausing and applying your common sense. Did you get an email request from a colleague who typically phones? Call her to confirm it. Did you tell Facebook you are a Star Wars fan? Maybe you’ll open an email about the death of Carrie Fisher and click on a dangerous link. Slow down, be wary and apply common sense.
Consider the worst case scenario
Whatever your political affiliation, when it comes to Twitter, impulse control matters.
Consider the JetBlue passengers who were ejected from an airliner after one directed impolite remarks at Ivanka Trump. Afterward they claimed they had not harassed the daughter of the President elect, but one of the couple tweeted shortly before boarding, “my husband chasing them down to harass them.” An effort to delete the tweet after the fact only made matters worse, leading to an online petition asking that he be fired as a professor at Hunter College.
Stop using passwords
Start using (longer) passphrases instead of (shorter) passwords. Use an easy to remember phrase and add numerals and special characters. “GoL0uisvi11eCardinals” is probably longer than your current password, easy enough to remember. If you’re not a Cards fan, it’s even better protection–no one will guess it. And, don’t share passwords among your own accounts.
Prepare for the business risks of privacy breaches
No business is immune from exploitation of publicly-available information, and smart businesspeople will be victims of computer-based crimes. Unfortunately, the consequence of a security breach can include regulatory violations, compliance headaches and legal bills. While bolstering your cybersecurity, give attention to your compliance obligations. They vary by industry. Develop an action plan in the event of a breach. Understand not only your technology, but the laws that apply when you use it for business.