Educational Program

On this webpage, we can display content for the educational program and/or demonstration.

The educational program is being designed by Nick and Kristen.

Internet Security Introduction Video

Here is a short introductory video for internet security, made by David and voiced by Ken.

Why Care About Security?

Intro

In our present day and age, information may as well be the new global currency. It seems like everywhere you go people are trying to get information on you. Every company nowadays has a loyalty account where they mask information collection as a thing that benefits you by giving you sales and discounts on products. Even more recently, cookies and other website analytics have come into the spotlight as needing regulation. Those are the ways people know their information is being compromised and taken, but just as the devil you know is better than the devil you don’t, a major concern is the ways it is being compromised without the user knowing. These methods are often more malicious in nature and represent a very real threat on many levels.

Information can be anything that reveals aspects of you to another entity, but part of the severity comes from how the entity plans to use it. Some of the more harmless applications of it are for marketing and sales purposes, but more malicious endeavors will be along the lines of identity theft and financial theft. If a company becomes compromised, the potential ramifications are exponentially more drastic, as a company deals with many people and much more money than a single person does. Even in Calgary we have been witness to many cyber attacks that resulted in the leaking of private information. In 2016 we had the University of Calgary ransomware attack, where the attacker demanded $20,000 in ransom, and in the same year we witnessed Cowboys Casino patron and customer information compromised. More recently, Professional Excavators and Construction was targeted by a different ransomware attack, which was measured to be worth over $100,000 to get everything up and running. The scary part is that people are willing to pay to get this information back, meaning they admit the information contained has value. Just like your house and belongings, things with value need to be protected. Take a look through the site to learn some habits and methods you can use to improve network safety!

How do you secure yourself?

The unfortunate reality is there isn’t a way to secure yourself 100% from everything the world can throw at you; if there were, security would be a non-issue and there would be no need for security analysts. Security itself is more of a spectrum than a simple yes/no; there are different things you can do to make your system more secure and therefore harder to compromise. This is a concept called hardening. Hardening takes place on many levels: OS, network, program, etc. While large technical endeavors are likely out of reach, there are many ways you can harden your own environment even just by changing your habits and tendencies. The following are a few ways you can promote system security:

VPN

Virtual Private Network

A VPN, which stands for Virtual Private Network, is a great way of securing your information. When you are connected to a network that is being shared by many other devices (like a library or coffee shop hotspot), a VPN will segment part of that network that only you can access. If the VPN is encrypted, it means the other users beside you won’t have access to the data you send and receive through it unless you give them access to the same VPN network you’re using.

While a VPN is never 100% secure and foolproof, it adds a large barrier between you and other users of a network connection that works to block access to your system. A good practice is to use a VPN especially when you’re working with sensitive documents. Browsing a YouTube video at a coffee shop is probably ok and won’t be an issue most of the time. When you’re working with sensitive information like client information and banking, it is wise to use a VPN to secure that traffic in transmission.

Secure Website Use

Secure web servers.

Ever taken a look at the URL bar in your browser and noticed that sometimes you see http:// and other times https://?

The websites that include the ‘s’ are using a secure web server instead of an insecure one. This means that there are far fewer risks associated with those websites, as they have their own security layer implemented right into them. That’s not to say you shouldn’t ever use a website that doesn’t have the ‘s’ in the URL, or that every website with the ‘s’ is a safe website; it means that you need to be mindful of what you do on said website. The non-secure websites mean your actions are more easily tracked and traced, and the information you enter (like account logins and passwords) can be plainly viewed by anyone who has connected to the website. Insecure websites like these are fine for reading, playing games, and even watching media, but are not suitable for things like banking or sharing sensitive information.

Mindfulness and Caution with Sensitive Information

Doing the due diligence with sensitive information.

This is more of a habit than a specific barrier that exists. Part of our demonstration is being able to show you the types of information that can be gleaned by just viewing the network packets that are sent and received through a network. If information is not encrypted and is displayed as plain text, it can be viewed easily by many people who probably shouldn’t have access to it. Things like account numbers, credit card numbers and account names/passwords can be intercepted easily if they are entered as plain text anywhere. In the physical world, this is akin to having a sticky note with a password to a computer stuck to the computer the password is for, or leaving a key to your house dangling on a string on the doorknob. A common thing that people do is download their paystubs and tax information from a secure source, then send it to a personal email account. The contents of that file can easily be viewed if that email is intercepted. Because paystubs have identifying and financial information on them, these documents can hold a high value.
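To make the plain-text point concrete, here is an added example (not part of the original page or of the demonstration's own code) that parses a constructed, unencrypted HTTP login request and lists the values readable by anyone who can see those bytes. The host `shop.example`, the credentials and the field names are made-up sample data, and the card number is a widely used test number.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed sample: a login form submitted over plain http:// (no TLS).
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&card=4111+1111+1111+1111&note=hello"
)

# Field names that usually carry sensitive values (assumed list, extend as needed).
SENSITIVE_NAMES = re.compile(r"pass|pwd|user|login|account|card|ssn", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def exposed_fields(raw: bytes) -> list[tuple[str, str]]:
    """Return (kind, value) pairs readable by anyone who can see these bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.lower() == "authorization" and value.strip().lower().startswith("basic "):
            # Basic auth is only base64-encoded, not encrypted.
            creds = base64.b64decode(value.strip()[6:]).decode("utf-8", "replace")
            findings.append(("basic-auth", creds))
    for key, value in parse_qsl(body.decode("utf-8", "replace")):
        digits = re.sub(r"[ -]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card-number", digits))
        elif SENSITIVE_NAMES.search(key):
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for kind, value in exposed_fields(SAMPLE_REQUEST):
        print(f"readable in cleartext: {kind} = {value}")
```

The same request sent to an https:// address would travel inside an encrypted TLS session, so none of these fields would be visible to other devices on the network.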

Email End to End Encryption

Protecting email contents.

Encryption works similarly to a secret language that you make with friends and other close peers that only you and they know. If you speak with those people who know the language, other people who do not know it cannot listen in unnoticed. Encryption is the process of taking information and scrambling it based on a random algorithm. Only the target user or group has the ‘key’ to decipher the encrypted message and view its contents, therefore securing the message from prying eyes. Many email providers use a mix of encrypted/unencrypted transmissions. Google, for example, stores the email you create as a plaintext file when you send it, and only encrypts it when it sends it to the recipient. This means that Google (and anyone with unauthorized access) can view the contents of your emails. You might have seen this in action if you send an event email in Outlook, and Outlook asks you if you want to add it to your calendar.

With that considered, end to end encryption means your email is encrypted the moment it is sent from your device to the recipient. Emails sent like this cannot be stored as plaintext on a server, which significantly boosts how secure your emails are. While companies like Google aren’t snooping in your emails to try and steal your identity or money, and instead use information for improving their services or providing you with more efficiency, eliminating this area means that the number of people able to see the contents is drastically reduced.

We are NOT affiliated

Additional Considerations in The Corporate Environment

Corporate systems contain more information than personal systems, meaning that an increased level of caution and focus should be exercised when using corporate devices and services. While the previous tips and pointers are going to be beneficial to the general populace, the following are a couple of good habits to practice in the corporate environment to maintain security standards.

Follow Established Protocols
Odds are, if you work for a company that hands out devices for you to use, they have their own security protocols they follow. While the previous suggestions are always good to practice, protocols your company creates are guidelines you should be following and take priority over anything else. In many cases the corporate protocols and procedures are more thorough than many of the things you can do on your own as an individual, and are created to deal with the corporate information appropriately. Some general examples of this are:

- Change your passwords frequently in case one gets compromised
- Do not reuse passwords
- Use the established software/hardware provided

Protocols usually cover a wide variety of applications to maintain both your personal and corporate security when connecting to a public network. This can include things like not accessing certain sensitive resources while on a public network, or using a VPN to encrypt your traffic when connecting to corporate servers.

Don't Connect to Non-Essential Sites and Services with Work Account and Devices
Another important way to promote security in public network environments is to only use corporate credentials and devices for corporate purposes. Everything you do online and every system you use is something that can potentially be exploited and used as a vector for attack. When using corporate devices and systems, it is safe to abstain from engaging in non-work activity, for if your device becomes compromised, it acts as a gateway into the rest of the corporate environment.

If you are on a personal device, and accidentally click on an ad that infects your computer with malware, your personal computer is infected. If you were to do the same with a corporate device, or a device that can connect to corporate services, your device and the entire corporate network are compromised. This can lead to a substantial loss of data, information, revenue, and company reputation in the marketplace.

Demonstration

We have an in-person demonstration prepared for when a venue wants us to demonstrate how easy it is for data to become compromised. It utilizes a discreet microcomputer housed inside of a hollowed out book to monitor the network it is attached to. The Bookworm can detect unencrypted traffic with ease as long as it is connected to the network itself. By capturing the packets with this device, we can provide a tangible way for people to understand how information flows into and out of a network, and the types of information that can be seen by a scrying eye.