Information Security for Beginners

Posted on December 26, 2013
Tags: information privacy security personal

Tim Lavoie

As I have mentioned, I feel it is important that I be able to control my own information, so that I can affect how it is used, and where and how it is available to others. Some different categories which may apply are as follows:

  • Really private, not shared
  • Selective sharing, such as with specified friends
  • Public, and intended to be so

What I would like to do is explore some options which are available to the general public, and which are geared towards providing you the level of control you desire. What my wife will help me to understand is that not everyone has the same skill sets or points of view when it comes to these things, so for any given kind of information use, there is not going to be a single “best” solution for everyone.

To start off, I should explain some basic tenets of information security. Before your eyes glaze over (hopefully), let’s just clear up what this means. You may take anything regarding security to mean that some PITA at work insists on not letting you do anything fun, and perhaps gives you hell for installing random things on your work PC. What security should mean to you is summed up by an acronym, “CIA”. No, not that “CIA”, but Confidentiality, Integrity and Availability.

Confidentiality means that information which should not be shared is not shared, or at least not in any way you want to avoid. Maybe you want to keep your Mom’s birthday present a surprise, or you feel that you should be able to discuss politics with friends without worrying about your employer.

Integrity in this sense is not about your strict sense of right and wrong, but rather the integrity of your data and your systems. In other words, how resilient are they to tampering by others? Can people change your school grades, driver’s license record, and web site? How about your prescriptions or criminal history? Naturally, there are already controls around this sort of abuse, but the same principle applies to your own computer, posts on the Internet and so on.

Availability means the availability of resources you care about, not your marital status. If others can lock you out of your house, or out of your computer, you will be upset. Recent malware called “Cryptolocker” is making the rounds these days, and its goal is to extort money from you by encrypting your information and then demanding payment to change it back. Naturally, this is also a failure in integrity terms, in that your data has been altered prior to the demand being made.

For each of these categories, there is a range in which the amount you care will fall. For instance, you may not care whether the general public knows the name of your cat Fluffy, but you care greatly whether your employer knows about your sexual peccadilloes or how you tend to vote. Integrity of your information could take the form of the accuracy of your accounting records for a home business, or whether the backups for your computer actually contain the same data you hope to preserve. Availability as discussed is the extent to which you have access to your own property. If someone walks off with a cheap pen, I likely don’t care, but I will be seriously upset if they leave with my car or laptop.

That brings up a good point, in that the assets being considered have a certain amount of value to us. This doesn’t have to be financial to be important, but rather can be considered as the level of personal loss which might occur if something were to happen. In other words, this could be financial, or it could be tied to reputation, personal health, social standing or another factor entirely. What matters is that it matters to you, for whatever reason. It doesn’t even have to be a fixed value. The release of a highly anticipated new game for a software company might mean that there is strong demand, which would be affected if that game were to be copied and made available for download by software pirates. Months later, they will still work to protect their property, but the likely damage resulting from a new breach of the same game will be much less. In the same fashion, you may be concerned if your parents are unaware that you are gay, but it’s a non-issue in many places once key people are aware; at that point, it is all water under the bridge, and someone spilling the beans will be fairly unimportant.

This time factor can be used in other ways too, in that the control you are able to place on something may effectively be a delaying action as far as you are concerned. Encryption is one such area, in that advances in available computing power may enable an attacker to figure out what something means, but you may not care if it takes long enough. Maybe that would mean that the author of a document has long since passed away, or just that it takes long enough that the secret is no longer important, you’ve made your money or whatever.

The key thing for you to consider is the importance of the confidentiality, integrity and availability of your information and other computing resources. This will affect the amount of time and money you feel is necessary to maintain this control in the face of whatever threats you feel are worth considering. The flip side of this is that there are tools which may enable this control without costing you an uncomfortable amount, by making it fairly easy for you to keep it difficult for others.