B&B_logo_red_sm

Mailbag: Cybersecurity Q&A

By Mark Lanterman

In recent months, I’ve been asked a lot of great questions regarding data privacy and best digital practices in a number of areas. So let’s devote this month’s column to answering some of those basic questions. 

 “I have a closet full of old devices, everything from laptops to hard drives to ancient cell phones. How do you properly dispose of old devices?” 

I think many of us find ourselves in a similar situation, and it is certainly risky to throw away devices without ensuring that the data contained therein cannot be retrieved. To start, make certain that the device or item you wish to dispose of is ready for disposal. You don’t want to realize that the hard drive you just drilled a hole through actually belonged to someone who still needed it. And that brings me to my next point. Physical destruction may be needed before bringing a device to a recycling center. (If I can whistle through it, odds are you can’t get data from it!) For an iPhone, factory reset may be enough before recycling, as any entity other than a three-letter agency will most likely be unable to access any data. But for other devices and hard drives (and for more peace of mind in disposing of any device), physical destruction is typically best.

 “What are some ways to stay secure while using mobile devices?” 

Definitely an important question. The National Security Agency has a mobile device best practices fact sheet that lays out critical ways to protect yourself and your data when using your smartphone.1 

Among the many helpful strategies it outlines, some key takeaways include using strong pins/passwords, disabling Bluetooth when not in use, disabling location services when not in use, being wary of malicious apps, updating your phone regularly, and avoiding connection to public Wi-Fi networks.  And although it’s not specific to mobile devices, it is also advisable to practice caution when browsing the internet and to avoid clicking on links contained in emails, especially those from unknown sources. Be aware of proximity breaches as well, such as “shoulder surfers” who may look at your screen while you work in a public place. Which brings me to my next topic…

 “What are some strategies for maintaining security while working remotely? How should a home office be equipped to fend off cyber threats?” 

In our day and age, working from home has certainly become a common practice. With this ability comes an expanded number of cyber threats, since multiple remote environments make for a greater potential attack surface. From a “soft skill” vantage point, it is important to be aware of your surroundings when you’re working remotely. Again, it is wise to take the possibility of “shoulder surfers” or compromised public Wi-Fi networks into account the next time you bring your laptop to your favorite coffee shop to get some work done. Furthermore, the same security strategies that apply to using mobile devices also apply to remote work more generally—employ strong passwords and multi-factor authentication, secure endpoints, always update your software as soon as new security updates are released, use VPNs, and be sure to only use approved devices. When working remotely, practice the same caution that you would use in your physical office and be sure to report any suspicious activity or possible breaches. Maintaining communication while working from home is critical in mitigating risk. Make sure that organizational training and cybersecurity practices take into account the risks associated with remote work. 

 “What can I do to prevent myself from becoming a victim of doxxing? What are some tips for data privacy?” 

First, as I’ve written before (“Doxxing redux: The trouble with opting out,” Bench & Bar Dec. 2019), scrubbing the internet clean of any trace of your personal information is probably unrealistic. While public-information reseller websites have “opt-out” pages, there are several issues when it comes to manually submitting these requests. If you haven’t already noticed, there are a huge number of sites of this type; keeping up with all of them would be challenging. Furthermore, even if you were to visit each site, opt out (a process which isn’t always as straightforward as we’d like it to be), and remove your information, it is very possible that the same information would repopulate within a matter of months. These sites tend to make it difficult to opt out to begin with by changing the page address or by requiring even more personal information to do so, such as a copy of your driver’s license. Clearly, it’s not a simple task that need only be done once. 

But we may be beginning to see hints of improved data privacy options for users. Recently, Apple released an update allowing users to opt out of cross-site data tracking.2 Some states, such as Vermont and California, have already enacted laws to regulate data brokers, and more such legislation may eventually be enacted around the country. In addition to disallowing cross-site tracking to prevent targeted advertising, it is important for those concerned about data privacy to consider the information they willingly share. Keep in mind that social media is a great source of information for cyber attackers to customize phishing emails or other social engineering-based attacks simply by using information that is easy to find. Make sure that social media settings optimize your privacy and be mindful that the things you post publicly don’t necessarily reach only the audience you intend. Practicing strong personal cybersecurity measures, such as those recommended for remote work, is also beneficial. 

I hope that these answers are helpful in contributing to a strong security posture, both at work and at home. Often, staying secure requires going the extra mile to prevent the kinds of threats that many of us consider to be unlikely. If recent cyber-trends have shown us anything, it’s that individuals, firms, organizations, and companies are all vulnerable to the risks that come with utilizing a variety of technologies. Taking precautions now is always better than dealing with a bigger problem down the road. 


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  


Notes

1 https://media.defense.gov/2020/Jul/28/2002465830/-1/-1/0/MOBILE_DEVICE_BEST_PRACTICES_FINAL_V3%20-%20COPY.PDF

2 https://www.nytimes.com/2021/04/26/technology/personaltech/apple-app-tracking-transparency.html