Just recently, I was talking to a tourist who told me how safe my city was. I nodded and agreed. It took me few more minutes to understand which parts of the city he considered "safe".
There are parts of the city I normally wouldn’t visit unless I had to. And at that, I probably wouldn’t be visiting them in the late hours as he was. From personal experience I know that "feeling safe" is relative. What feels safe for one could feel dangerous or threatening to another. It’s the same with networks.
I can say that Enterprise networks are safe and secured, but in same breath I can say they are a very dangerous sphere. On the network, people and organizations can be exposed to blackmail, identity theft, ransom, abuse or more. Security threats are an unavoidable part of both worlds and it’s not going away. How can we mitigate threats to the extent where we make our personal and network lives better?
Here are 5 things you can do to mitigate threat to your network persona and your real life persona:
- Awareness is key
Be conscious of your environment. This is a very hard task because as humans we have selective attention. Be educated about threats as they are becoming more sophisticated. Educate yourself on how to identify what a threat is, what it looks like, what makes you a good target and most of all how to acknowledge you are under attack.
Many people and even organizations do not even know they are under an attack. This is why on average an attacker can spend up to 256 days in the network without being detected even though they can take the network down in a matter of hours. Look around. Know your surroundings. Identify your weak points. Identify your strengths so know how to get away safe in time of trouble.
- Be Doubtful
Trust is a good and important characteristic, however there is a place for doubt. Question everything and leave no open question marks. It was in my early days as a security professional that I was taught about this and I carry this quote with me to remind me: "there is no doubt where there is doubt." In other words, if there is a question mark lying above the operation it's probably not a good move.
A real life example is when credit card representative calls me I will always challenge them to prove their identity.
- Don't Fear
It will weaken you. Being fearless is not about being brave or acting stupid. It's about being in control. It's an attitude that reflects confidence. The meaning of the word confident has a wide spectrum -- from self awareness to acting vain or in other words imperious. I am referring to the range of meaning and self awareness.
I believe it's an essential characteristic one should use to keep in control. Assured people will project “secure” and are less likely to get attacked than others. It's about identifying unusual behavior before or when it happens. And for the very confident you can use your behavior for deceptive reasons by acting weak or fearful in order to attract and catch attackers like bait.
- Reduce Risk
Expose only what you need to. Don’t seek attention. Be organized. Carry what you really need and regularly assess yourself and know where your stuff is. When I feel there is a potential threat at hand, this helps me to keep my attention focused on areas that matters (in other words, my phone and wallet).
Verify that you have your data backed up (I sync to cloud), use multi-factor authentication mechanisms in addition to passwords (I do) and keep evidence such as taking pictures and videos.
- Be Effective
For me effectiveness is about being pragmatic. It's about knowing what I can do as opposed to what I can not do. I am taking the hat of the red team in that case.
I am constantly practicing and testing the effectiveness with actual scenarios. This includes challenging my son to break into my phone (whoever is thinking of penetration testing--raise hands now!) or take over my social account. I am ready to fail and improve with impervious as a goal in mind.