Cyber Defense Advisors

REPEAT AND REFINE: HOW DO YOU GET TO CARNEGIE HALL? (Pt. 6 of “Why Don’t You Go Dox Yourself?”)

Welcome back! In our last article, you cleared out your extraneous digital footprints by removing unnecessary accounts and opting-out of data broker services, and have finished a dedicated review of your online history. In this final section, we will answer the natural question encountered at the end of any journey: What’s next? 

Before becoming the series you’ve just read, I presented a version of this many times as a live talk at conferences and training sessions. After the first few talks, I noticed a consistent trend in the feedback when I was approached afterwards: people who said they felt anxious about how their online activity going forward might share more than they want. So I went back and added a final section to the talk, one that we’re going to cover together now: risk acceptance and the value of routine in good security.

POBODY’S NERFECT 

Some people think that the goal of good security is to eliminate risk. One of the first lessons you learn in this industry, though, is that eradicating every possible risk is very rarely practical, whether we’re talking about the individual or organizational level. This is because there are few choices one can make with zero possibility of a negative outcome, and because human beings are… human, and even with excellent discipline and good intent the best of us can mess up. 

The goal of good security strategy is instead to assess risk and find a healthy balance: to decide what is more or less important and valuable, to determine how damaging the worst-case scenario might be and weigh that against the potential benefits, and figuring out how much you can reasonably do to tip the balance and increase your odds of success. 

That’s fairly abstract, so let’s use a couple quick practical examples at both levels: 

Working with third-party vendors is a risk for companies, because they can only have so much control over that outside company’s policies and procedures and limited visibility into how well both are followed. But simply doing everything in-house and not relying on any suppliers or support externally is impossible for most businesses to survive. Instead, security teams focus on due diligence before vendor selection to make sure they’re choosing the best option, and work to make sure vendors can only access what they’re supposed to. 
Making new friends is a risk for individuals, because almost everyone has experienced the pain of a friendship souring and the heartache that can come with it. But simply going through life without personal connections isn’t terribly rewarding or likely to make us happy. Instead, we continually learn how to determine we can trust someone and the red flags that indicate trouble may lie ahead. 

I don’t know about you, but I grew up as a child of the internet, and the thought of never going online again isn’t one I’m likely to seriously consider. So rather than logging off forever, let’s focus on how we can both stay safe and stay connected. We’ve completed the “3 R’s” of the self-dox process: Review, Restrict, and Remove. But now, a surprise more shocking than the Spanish Inquisition itself: we’re going to add two final steps-Repeat and Refine.

THE ADVENTURES OF PETE AND REPEAT 

Every good security plan includes a plan for routine follow-up. We know that staying offline forever isn’t practical, so the next best thing is to set up a reminder to go through an easier version of this checklist on a regular schedule. Why is it easier? In this review, you had to look back on your entire life up to the present, and next time you’ll just need to look back from then to… well… now! Depending on how active you are online and how likely you are to be doxxed, this might make sense to do on an annual basis, or split into abbreviated and more frequent quarterly reviews. 

There is no one-size-fits-all approach to this review, but here are some typical checks you may want to consider: 

Some password managers have a built-in audit tool that will highlight re-used passwords or passwords that may have been captured in a data breach. Provided you’re generating new passwords for each account, you likely won’t have more than a handful of accounts or passwords surface in this review, so it shouldn’t take nearly as long as the first review. 
Repeat the HaveIBeenPwned search for your most important emails/usernames in case there are known password breaches that aren’t indexed by the password tool you use. 
Depending on how common your name is, it may be worth setting up a Google Alert for automatic notification when new search results for your name (or other contact info like phone number or email address) arise.  
Take a couple minutes to revisit the security and privacy settings of your top accounts. For social media, are your default permissions still restricted to the audience you want? Some services will automatically use the permissions for your last shared post if you change them, so it’s worth double checking.  
For all of your important accounts, if two-factor authentication wasn’t available when you completed this review, has it been added? Or are more secure options available, like switching to an authenticator app instead of receiving an SMS or code by email? Finally, check your activity for any new third-party sign-ins or apps that you no longer need. 
How up-to-date are your devices? Are there OS or browser updates pending for your laptop, desktop, or smart devices? Most of the tools or exploits someone might use to get access to your devices rely on security vulnerabilities that have since been patched by the software provider, but they continue to be successful because many people do not keep their devices up-to-date. Setting automatic updates is a great practice, but a quick inventory during your check-in will also be useful. 

Before we move on to our final (final, I promise!) step, let’s talk one more kind of repeating. A wifi repeater is a gadget that can connect to and boost the signal from a wireless network, helping to expand the network’s reach and keep a strong connection. In the same way, by sharing the lessons you’ve learned with your family and friends you will expand the reach of that security knowledge. Not only does that help keep the people you care about safer… but since we’ve seen how information shared about us by others can also be discovered by doxxers, it helps to increase your own safety as well! 

GOT TO ADMIT IT’S GETTING BETTER 

My goal in writing this series was to give a straightforward introduction and broadly-useful walkthrough of how to figure out what’s out there about you online. In the beginning of this series, I talked about how the level of risk for doxxing is not the same for everyone. You may want to go significantly further than we’ve covered in this guide if you are:

politically active 
in an important position 
the target of bullying/retaliation 
someone whose work requires an increased level of confidentiality like an investigative reporter 
a victim of identity theft

This can cover a wide range of additional steps like placing a freeze on your credit report, requesting a privacy removal from search engines, or even setting up dedicated secure devices/apps for communication online. The full scope of these additional protections is beyond what we can cover here, but I will again recommend the Self-Doxxing Guide from AccessNow and the Gender and Tech Safety Resource guide linked in the first post of this series as an excellent reference for where else you might want to check.  

Thank you for following along with me on this journey, and I hope that you found this guide and the resources shared have been helpful for you. Still have questions, or have you discovered any of the links/tools here are no longer available? Please let me know! Life comes at you fast on the web, and I want to make sure this guide continues to be relevant and helpful for a long time to come. You can drop me a line at [email protected], or find me on Twitter. Until then, happy trails and stay safe out there!  

If you can’t get enough security content and care deeply about making the web safer for everyone, we’d also love to hear from you. Please check out our open positions and how your passion can contribute to keeping people safe online. 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn