Protecting Your Personal Information in the Digital Era By Jason Beatty / NAR IT Technical Infrastructure Team.


Introductions: A little about your presenter
- Have worked in the IT field since 1997
- Worked for a large hospital and two Fortune 500 companies before joining NAR
- Currently work with IT’s Technical Infrastructure Team
- New presenter, welcome critiques afterwards

The Goal of This Presentation
- Learning what your digital assets are
- Examining the current risks online
- Making a plan to reduce your exposure
- Tips on reacting to an information breach
- About minutes of presentation, mins of discussion afterwards

Assets, risk, exposure, breach - This sounds like a spy movie... This presentation will not prepare you for international counter-terrorism or espionage. These are fancy names for basic concepts you already know. It’s common sense, applied in a new arena. We will not be covering firewalls, encryption, or advanced security techniques. Just the basics.

Why should you care about information security?
- Many of your interactions with homebuyers may be conducted using online accounts.
- If you didn’t have access to your email or online accounts, could you conduct business as effectively?
- If your customers’ personally identifying information were used to mass mail spam from your account, would it damage the relationship you have with them?
- If your customers lost trust in your ability to keep their information confidential, how much time and effort would it take to rebuild that trust?

Section 1: Assets The “Who” and “What” of Information Security

What’s an asset to you?
- Who you are
- What you own (digitally)
- What other assets you can access
- How quickly you can access other assets

Why “who you are” is important

So where’s your stuff?
Some questions to ask regarding where you keep your digital information:
- How many online accounts do you have?
- What do those accounts have access to? Checking? Credit?
- How many computers do you own? (Did you count your smartphone?)
- What information is on each of those computers?
- Do you make backups? Where are those?
- Own a flash (USB) drive?
- If you had to list these things and couldn’t use a computer, could you?

More bad news, we’re leaky...
We are always leaking information in our everyday lives:
- Cell phone conversations
- Social media
- Trash (physical trash)
- Wireless networks
- Business cards

Have you seen this guy?

More bad news: Information theft is a big business now As more and more of commerce is conducted online, organized crime moved there as well The same protection schemes that were used in the old neighborhoods still happen online. “that’s a very nice website, it’d be a shame if anything stopped people from seeing it.” You and your computers can be used as tools, without even being aware of it. (zombies and botnets)

What’s out there:
- Phishing scams (misdirecting your web login to a bad site)
- Keyloggers and other malware attempting to capture your passwords
- False bank sites with similar names/designs as the main sites
- Fake security warnings that ask you to click OK, executing arbitrary code
- Other addons or programs that report confidential info back to a central source
- Legitimate sites that may sell parts or all of your registration information or usage. “If you don’t pay for a service, then you are what’s being bought or sold”

So what can we do?
- Don’t panic.
- Assess your risk/exposure.
- Create separations between work and home, financial and entertainment accounts. Separate passwords.
- Learn to keep a clean computer, scan and test regularly. Empty cookies often.
- Make a plan for what to do if various accounts get breached.
- Practice regular information hygiene. Weekly/monthly/yearly routines.

Section 2: Risk and Exposure What can be compromised, and the cost of a breach

Assessing your risk
- Which computers do you use to access each of your accounts? Do you own each of these computers? Are they public or private? Are you saving your passwords or other information on these computers? Are you wiping your Internet History after you leave a shared computer?
- What can someone do with the information if they take it?
- Which of your accounts share a password? Work and Home? Bank and Facebook?
- Does your whole family use the same computer? Do your kids know any of your shared passwords?
- How ‘strong’ are your passwords? Dictionary words? Family or pet names? Birth dates? Parts of your own login name?

Thinking about tiers of security
What if we organized our accounts based upon the personal impact of a breach of information:
- Financially damaging or personally devastating (banks, credit, medical, etc.)
- Personally damaging (medical, lifestyle, controversial info)
- Potentially embarrassing (joke messages on your Facebook/Twitter)
- Mildly inconvenient (“Oh no they compromised my Food Network recipes!”)

The Castle Metaphor

Tiered passwords and strength
For each tier of accounts, decide what makes sense regarding shared passwords, complexity of the passwords, and how often you change them. Here’s my strategy:
- Tier 1: Bank/credit accounts or things with direct access to either of them (auto bill pay, Amazon, iTunes, etc.) or 401k each have their own very strong password. None of them would be shared with other accounts, so hacks cannot cascade to other accounts. Changed once a year or if they are ever shared/leaked.
- Tier 2: Accounts that relate to medical history or other privileged information also have strong passwords, but might share passwords if they’re for similar things. These are also changed once a year or if they are ever shared/leaked.
- Tier 3: Facebook, Twitter, other social media and accounts linked to my online ‘presence’ would likely share a strong password. These would be changed on an as-needed basis.
- Tier 4: One-off accounts for other websites, low priority stuff with only my address. Shared strong-ish password. Changed on an as-needed basis.
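An added example, not part of the original presentation: a small Python audit of an account inventory against the tier strategy above. The inventory entries, the `pw_group` label (which records which accounts share a password without storing any password) and the rule that a password shared across tiers counts as a finding are assumptions of this example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory. "pw_group" is a hypothetical label saying which
# accounts share a password; the passwords themselves are never stored here.
ACCOUNTS = [
    {"name": "bank",        "tier": 1, "pw_group": "A", "changed": date(2023, 11, 1)},
    {"name": "credit-card", "tier": 1, "pw_group": "B", "changed": date(2022, 1, 15)},
    {"name": "amazon",      "tier": 1, "pw_group": "A", "changed": date(2023, 11, 1)},
    {"name": "clinic",      "tier": 2, "pw_group": "C", "changed": date(2023, 9, 3)},
    {"name": "pharmacy",    "tier": 2, "pw_group": "C", "changed": date(2023, 9, 3)},
    {"name": "facebook",    "tier": 3, "pw_group": "D", "changed": date(2021, 5, 20)},
    {"name": "twitter",     "tier": 3, "pw_group": "D", "changed": date(2021, 5, 20)},
    {"name": "recipes",     "tier": 4, "pw_group": "D", "changed": date(2020, 2, 2)},
]

YEARLY_TIERS = {1, 2}   # tiers 3 and 4 are changed "as needed", so no age check
MAX_AGE_DAYS = 365      # "changed once a year"


def audit(accounts, today):
    """Return (finding, pw_group, account names) tuples for rule violations."""
    findings = []
    by_group = defaultdict(list)
    for acct in accounts:
        by_group[acct["pw_group"]].append(acct)

    for group, members in sorted(by_group.items()):
        names = sorted(a["name"] for a in members)
        tiers = {a["tier"] for a in members}
        if len(tiers) > 1:
            # Assumption of this example: one password spanning tiers lets a
            # low-tier breach cascade upward, so report it.
            findings.append(("cross-tier-share", group, names))
        elif tiers == {1} and len(members) > 1:
            # Tier 1 accounts each get their own password.
            findings.append(("tier1-share", group, names))

    for acct in accounts:
        age_days = (today - acct["changed"]).days
        if acct["tier"] in YEARLY_TIERS and age_days > MAX_AGE_DAYS:
            findings.append(("overdue-change", acct["pw_group"], [acct["name"]]))
    return findings


if __name__ == "__main__":
    for kind, group, names in audit(ACCOUNTS, date(2024, 1, 10)):
        print(f"{kind:17} group {group}: {', '.join(names)}")
```

Sharing inside Tier 2, 3 or 4 is not reported, since the strategy allows it.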

To each their own... For some people, a Facebook account being compromised is as bad or worse than a financial breach. For others, the release of their Internet history would be personally devastating. Consider what information is stored in each account or location. Weigh your options. If your information is valuable to you, treat it as such. Learn how to protect it and practice good information hygiene.

To list or not to list
I keep an offline (flash drive) list of all of my accounts. I do not carry this list around; it’s in a media safe. The list is password locked, and does not contain passwords to the online accounts. In the list, I have the login name of every account, which website it goes to, and what it has access to (credit, bank, PayPal, email, utilities, etc.) and the phone number of who to call if that account is compromised. I make it a habit to review the list every 6 months.

The list itself is a big risk
- Building a map to all of your information is a large risk. If compromised, outsiders would know where to target attacks. That list should remain offline and in a secure location.
- The advantage to having the list is that you are much more organized, can track your online presence more carefully, and react quicker in the event of a breach.
- The list is only as valuable as its accuracy. Review it regularly and update it. Remember that hygiene is a regular, practiced thing.
- Make the list if you’re comfortable with the tradeoff, and keeping it updated.

Please don’t make a clear text password list after you get home...
- If you make a text or Excel password list, you’ve increased your vulnerability/exposure a lot.
- Password protecting an Excel file isn’t very secure.
- There are great products out there for keeping an encrypted password database. 1Password and MSecure are my favorites.

Making strong
Strong passwords generally contain:
- 8 characters or more
- Upper and lowercase
- Numbers and symbols
- Not a dictionary word, nor a part of your name, and not easily guessed
The password listed above is a terrible example. Everyone for an A.
How to make a strong password easy for you to remember, but hard to guess:
- Use a phrase or song instead of a word. Preferably a phrase that you like, but don’t use in conversation or email, and can’t easily be guessed.
- I used to like the phrase “There is no fate but what we make”. A password based on this phrase would take the first letter of each word. So TinfbwwM becomes the beginning password, then add a favorite number and symbol to it. TinfbwwM8& is a very strong password that’s easy for me to remember.

Favorite XKCD.com comic about password strength

Other safety mechanisms... Many banks and credit providers have fraud protection. Not all fraud protection is for your benefit. Some providers simply state that in the event that you are defrauded, they are not liable and will shut your account off. The time to find that out is not when you’ve suffered a breach. Others may send alerts to freeze all associated bank/credit accounts (e.g. Paypal) in the event of a dispute, possibly causing you to default on scheduled payments. Find out what exactly is covered in the event of identity theft or fraudulent purchases. Sometimes $50 out of your pocket, the rest is covered. Sometimes only 100 miles from home is covered. Ask for plain-English answers. Are you comfortable with the level of fraud protection for each account?

Some good news about fraud protection:

Credit and bank strategy
- For my own finances, I keep many of the recurring utility online accounts (Nicor, ComEd, AT&T, etc.) linked to my main credit card that has $50 of “no fault” fraud protection. In any incident of fraud, even if I’m found to be at fault, I should only be liable for the first $50.
- I have a separate credit card from a different provider with similar fraud protection, and I use that for any higher-risk accounts (Amazon, iTunes, etc.). For that account, I’ve set it up so that I’m emailed after every purchase. I also have the option of being texted for every purchase, but I chose not to activate that.
- For the few accounts that required that I link them directly to my checking account, I opened a side checking account with my bank, and have an automatic funds transfer between accounts. This clears money into the smaller checking account, but keeps the larger account mostly unexposed.

Regular credit/bank hygiene
- Weekly, I review my financial accounts and make sure I recognize all of the purchases, and my alert settings are still set up.
- Yearly, I call my 3 credit card companies and my bank and talk to a representative regarding the plain-English explanation of my fraud protection. While this is in no way legally binding, it at the very least helps me understand what they’re liable for, and what I’m liable for.
I ask questions such as:
- What are some examples where I would not be covered in the event of fraud?
- Do you have any advice or examples of further ways I could safeguard my account? (verbally authorize purchases over a certain amount, etc.)
- Do you offer a credit card with my picture on it? One-time credit card numbers?
- Do you have any written materials explaining how the complaint/resolution process works for a fraud claim?

Regular computer hygiene
- Carefully consider when to use saved cookies, saved passwords, and saved forms. If those were compromised, what information could be gained? Is there anything on my history that I don’t have documented or memorized? Clicking “remember my settings” should only be a convenience, not a crutch.
- If someone else needs to use my computer and I have to walk away, I create them their own account. Even if they’re not malicious, it’s possible they could compromise my information unintentionally.
- Learn how to lock your computer when you walk away; it’s easy to do on Windows or a Mac. You can also PIN-protect your mobile device.
- When making purchases online, I verify that I’m browsing securely (lock icon in the bottom right, site) and don’t save credit card info to be used again. Before committing to the purchase, I re-evaluate the site. Does the site seem professional? Are they likely to be conscientious with my information?

How far do you go? For each person, the answer is going to be different. I keep applying security until it gets in the way of getting stuff done, or it takes more time/money than what I’d lose if I suffered a breach. Remember that you aren’t an island. If you’re breached and aren’t aware, it’s likely you’re a bridge to someone else being compromised too. Learn to get comfortable with what’s exposed and what’s secured. If you’re doing it right, a breach should get your immediate attention but not be devastating.

Thank You! Any Questions? Got a story to share?