We recently chatted with Ed Ko, Co-founder and Director of Information Security Services of CampusGuard, and asked him several questions about best practices to keep your information secure.
Would you suggest a Wi-Fi password be changed periodically? If so, how often?
Periodically? Not necessarily. Changing your Wi-Fi password is a non-trivial exercise – every smart TV, mobile phone, laptop, or device that’s on your Wi-Fi needs to reconnect when the password changes. Given that amount of work, it’s best to set a strong password/passphrase that’s easy to remember and hard to guess. That doesn’t mean that you should never change your Wi-Fi password. Always change passwords when you think that it has been compromised or stolen. With many newer Wi-Fi access points, it’s possible to set up a “guest” wireless network so that friends can use Wi-Fi at your house without being on your “regular” Wi-Fi network. Changing your Wi-Fi password on a periodic basis may be something to explore if you want to make sure that the only people connecting to your internet are the ones you want to.
Is it okay to store documents on a corporate OneDrive from home?
If you are using a company-provided computer from home, (most likely with a VPN connection back to the office), this should be no different than doing it from the office. It’s best to steer clear of any activity on your corporate OneDrive on non-corporate computers or devices (this includes reading or pulling up documents). It might seem trivial, but it’s often difficult to ensure that your personal devices meet the minimum security requirements for the types of data that you may have access to. For the best answer to this question, please refer to your organization’s data classification policies or ask your data governance or information security officer. They will be able to tell you the types of data that are allowed to be access from remote and/or personal equipment and the rules on protection.
Is using single sign-on generally a good strategy for corporate and personal use? For example, some apps allow you to log in with Facebook – is that a smart move?
Single sign-on is fantastic for both corporate and personal use (when implemented properly). Single sign-on allows you to sign in to multiple, sometimes even disparate, systems with the same username and password, allowing you to not have to generate and remember more unique passwords for each system or service. For systems that also have sensitive data on them, the best practice is to also pair the username and password with some form of multi-factor authentication (like a verification code sent by text).
Using different passwords for each system I access is a good protocol, but how do I remember all my passwords?
There are multiple schools of thought on how to do this. Some preach using an algorithm to generate unique passwords (e.g. <name of the service> + <strong root password> + <unique variation based on the name of service>). For a dentist, a password under this method might look something like “dentist-supersecretstrongrootpassword-drill”.
If you have a strong root password and can keep word associations in your head about the service, this algorithm could work for you. In my own experience, I found that keeping those associations straight in my head to be difficult. So, I’m a big supporter of using a password manager to keep the passwords and other details at hand. Now, I only need to keep the password manager’s password in my head and the password manager does the rest.
If I use a password management system, what reassurances do I have that they won’t be hacked and all my information would be exposed?
Most, if not all, password managers are protected by a username and password and have no password recovery mechanism or backdoor to regain access if you lose the password. That means that if you are using a strong password, it should be inaccessible (unless your password is stolen). The other caveat to this is that if you forget the password, you will no longer have access to the password manager, either.
Is using a VPN secure enough for me not to be concerned about security?
VPNs are only effective at adding that additional layer of security when they are “connected.” That means when a machine is first powered on, the maximum timeframe for connection or idle connection is reached, or a network hiccup disconnects the VPN, the machine is no longer getting the additional protections provided by the VPN.
While I’m not telling you that you have to live in fear that you’re going to get compromised at any second while you are connected to the Internet, I am preaching that following information security best practices should be part of your normal routine. For my work-from-home environment, I have my corporate laptop on a separate Wi-Fi network than the rest of my home and guest Wi-Fi. On top of that, I am connected to the VPN when I am working on the laptop. I make sure that the anti-virus definitions are up-to-date. I don’t open attachments or click any links that I’m not expecting (unless I get verbal or other confirmation from the sender that it’s legitimate). As you can see, I don’t just rely on the VPN connection – I use all of those layered security best practices to keep my remote workspace secure.
Why do I need to be concerned about using Wi-Fi in public spaces?
There are still many “fake” public Wi-Fi connections that steal data that masquerade as legitimate Wi-Fi connections. When you connect to these imposter Wi-Fi connections, your Internet access will still function and you’ll still be able to go to secure websites, however, an attacker that is using what is known as a “man-in-the-middle attack” can steal all information going to and from your computer by intercepting and relaying the traffic, all while in between you and the Internet. Because of this, it’s best to not use public Wi-Fi and use your own mobile hotspot or another well-known connection.
Do you recommend using two-factor authentication? Is face recognition the best?
Two-factor authentication (2FA) and multi-factor authentication (MFA) are fantastic ways to bolster security. There are many MFA schemes out there and “best” really can’t be quantified until you define what “best” means to you. With all MFA methods, there are a number of challenges. Some include false rejection (being denied when you should not be), false acceptance (being allowed when you should not be), high cost, difficulty to operate, inconvenient MFA scheme, privacy concerns, etc. If you wanted the most accurate 2FA method with today’s technology, it’s probably retinal (or eye) scan. This scanner maps the pattern of blood vessels in your retina and compares that with each scan to validate your identity. It is highly accurate under normal circumstances and is the “best” for accuracy, but, in terms or cost, usability, privacy, etc., it ranks pretty low. Also, there are cases where retinal scans can give false rejections (e.g. eye trauma, pregnancy, etc.).