30 Moves of Cyber Security

The Basic Form: 30 Moves
 
There is a basic form that Sifu teaches each new student when they join the class.  It's called '30 Moves'.  It's a wonderful form that teaches the student how to move through the basic Kung Fu stances while incorporating punches, kicks, as well as blocks.  It has both linear and circular movements that contain different layers of interpretation.  With practice you will learn to go through the form in a confident and efficient manner.  I know you are wondering, what does a basic Kung Fu form has to do with cyber security?  Perhaps more than you imagine, let me explain.

Defining the Problem

You may not realize this, but each day there are billions of attempted attack from the dark corners of the internet on our personal information online.  They are automated, sophisticated, and relentless, and they succeed from time to time.  Lately it seems that the hackers are winning some key battles.  Just this past year for example, Sony's PlayStation Network was hacked into with millions of account information stolen, Gmail accounts of federal government employees were hacked into last month, and Citigroup just announced that financial information of 200,000 customers were just stolen this month.  Can you imagine if a hacker obtains access to all your emails from your gmail, hotmail, or yahoo account?  What if you can never access that account again?  Worse yet, what if someone with an agenda simultaneously obtains your social, family, financial, medical, and personal information, what kind of damage can they do without you ever knowing who they are and where they are located?   In light of this, we should review our own internet usage practices to make sure that we minimize our exposure to unnecessary online risks.  Defending our online presence is like defending our physical presence, it takes knowledge, practice, and discipline, just like practicing forms.  For some sacrifice in convenience and time, we gain a peace of mind and stronger online presence.

Basic Principles and Application

1. Have no favorite sword.
Most of us use a suite of online/cloud services in our everyday live for things like photo sharing (i.e. flickr, smugmug), instant messaging (google, yahoo, skype), entertainment (apple, netflix) socializing/networking (i.e. facebook, linkedin, twitter).  This is the way of modern life and we accept the fact that we'll need to share at least some of our personal information with each of them in order to use them.  However, we should not overly rely on one company to provide all our online service needs.  While I give facebook my social network information, they don't have my credit card, phone, or address information.  While I share my financial information with my bank, they don't need my music preference, or education history.  While my insurance company might have my medical history, they don't need to know who my friends are and have access to my email accounts.  The bottom line is to use multiple services from different companies.  DO NOT trust your financial, personal, social, and medical information all to one organization/company!

2. Expected repeated, layered attack.
When you do get attacked in cyber space, it's very rare that there will only be one single attempt.  Hackers nowadays are sophisticated and they'll use multiple methods to fish out your passwords, phone number, mother's maiden name, and the city you grew up in.  A single password will not provide you with the necessary protection you need.  First, develop multiple passwords for yourself, some of them may be more valuable than others, and use multiple passwords!  Do not, rely on one password for all your accounts.  Second, DO NOT use anything like your birthday, family member's names, pet names, phone numbers, bank account numbers, anniversary, or simple phrases like 'joelovesjane' in your passwords.  Ideally, they should be a LONG sequence of letters and numbers that only you can remember.  Spend some time on this, it's worth it.  Third, ideally, even if someone obtains your password, they can't access your account.  Google has implemented the '2-step' verification process for their accounts which I think is worth implementing.  In addition to your password, you'll need a temporary randomly generated passcode generated by Google that's sent to you that you use in combination with your password to access your account.  It sounds like a pain, but if you have a smartphone, it's really not hard to do.  In other words, there is an app for that!  Just make sure your phone is also secure.  Do not carry it around without passcode protection.  For iPhone specifically, you should enable the '10 tries before the phone is wiped' feature.  There is no reason why you'll enter you passcode incorrectly for 10 times straight.

3. Be mindful of what you cannot see.
First, everybody should always remember is that email transmission is NOT secure!  Any internet router that routes your email (and there are always several routers used for each email delivered) can in theory access your email, and you have no control over that.  If you are going to send anything important/private using email, encrypt it first, then send it as an attachment.  Second, always delete your cookies, LSO's, and clear the browser cache, history, and search, each time after you use an web browser.  An amazing amount of personal information is shared by your browser and left by your browser each time you access the internet.  There are browser extensions that can do these clean ups for you and you should use them.  My favorite browser is Firefox mainly for the reason that it has many privacy protection extensions written for it.  Arguably the most powerful of these extension is 'NoScript'.  Google it and read about it.  In essence it blocks, by default, websites from executing little programs in your web browser.  These little programs (aka javascripts) can gather information about your location, create cookies to track your web browsing, and find out what your favorite websites are.  Be very aware of javascript and do not let any website you don't trust run them on your computer.  Finally, quit your web browser if you are done using it for the day!  That is the perfect time to wipe your browser clean.

4. Practice your weapons and learn how to use them.
Visit, understand, and customize the privacy settings of your favorite web services.  Have you ever gone through your facebook privacy setting?  Do you care if only your friends can see your photos chugging that beer while in that super tight speedo, or everyone on facebook can see it?  You CAN control that, learn how to do it!  The same applies for websites like google, they have marketing preferences and web browsing history settings that you can adjust, learn how to set those.  Have you ever used an unsecure WiFi network to access your email account?  Guess what, the owner of that WiFi router who is a complete stranger to you just got your password.  There is a way to make that much more difficult of course.  If you company or school has Virtual Private Networking, use it, especially on open WiFi network, or if you want to access facebook from China.  Finally, do you leave your desktop, laptop, external hard drives, and thumb drives at work or somewhere others can access?  Make sure they are locked down, have a good password for the screen saver, and quit/reset your web browser.

5. Have a backup plan. 
In case the online services/devices you rely on breaks down or got hacked into you need a back up plan.  You want to make sure you can still access the information you need while resolving the security breach.  Have a backup copy of key emails.  A simple way of doing this is to create multiple email accounts (free and easy to do) and forward all the email from you main accounts to the other.  Make sure the accounts have different passwords.  If you lost your smartphone, you can both remotely track it and remotely wipe it clean.  But this require you to set it up beforehand, learn how to do this!  For the iPhone Apple offers this service.

6. Be disciplined!
Finally, be discipline in your online communication.  The less frequent important information get transmitted, the less likely they'll be intercepted.  Do not talk about your bank account numbers, passwords, social security number, driver's license numbers in any email, chat, SMS, facebook, or IM services.  If you have to communicate these information to someone, do it over the phone or encrypt it first, at least you know that only the government and phone companies are listening.  Cyber security, more than a set of practices, is a mindset.  You have to regularly revisit the issue, and always ask yourself, what is the security risk of any new online service and is there a better more secure way using the service.

Many basic principles of Kung Fu are as applicable to our online life as they are to our everyday life.  Of course we cannot completely prevent all hacks and attacks unless we complete quit living in the 21 century.  For an average internet user like most of us, the goal is to minimize online risks and make plans to counter attacks and breakins when they do happen.  I hope you find this article useful to you in some way.  See you on the journey.  Grow, learn, teach.