The following document from the National Cybersecurity and Communications Integration Center was obtained from the website of the University of Rochester Medical Center.

Digital Footprint: Assessing Risk & Impact

• 14 pages
• TLP: GREEN
• February 18, 2014

To facilitate efficiency and effectiveness on a global scale, massive amounts of data are stored and processed in systems comprised of hardware and software. Each digital transaction or interaction we make creates a digital footprint of our lives. Too often, we don’t take the time to assess not only the size of our digital footprint, but what risks are involved in some of the choices we make. Our data lives in our social media profiles, mobile devices, payment accounts, health records, and employer databases among other places. The loss or compromise of that data can result in an array of impacts from identity theft to financial penalties, fines, and even consumer loyalty and confidence. This results in both a shared risk and therefore shared responsibility for individuals, businesses, organizations and governments. The following product is intended to facilitate awareness of one’s digital footprint as well as offer suggestions for a unified approach to securing that data. This is not an all-encompassing product, but rather offers discussion points for all that hold a stake in the security of our data.

Digital Footprint: Assuming Risk

The rapid growth of new technologies continues to make accessing information and resources faster and easier. Though increases in convenience and efficiency are often obvious, it is important to be aware that the interactions between a user and the internet become a part of the user’s digital footprint. A digital footprint, often classified as active or passive, refers to the traces left by a person’s activity in the digital environment. Active footprints are those created when an individual intentionally releases information. Examples include posting information or images to social media sites like LinkedIn, Facebook and Twitter. Alternately, a passive footprint is one that is created when data related to an individual is collected without that individual actively or intentionally sharing the information. Examples include the public posting of court records, marketing sale of home addresses, collection of web-browsing habits, and even through comments or pictures posted by others to social media. While there are methods that can be used to limit or reduce an individual’s digital footprint, there is no practice that can be used to delete it altogether.

A digital footprint is useful in some instances, such as the convenience of linking certain web accounts for online payments or allowing a site to ‘remember you’ which avoids entering user names each time someone wishes to log in. However, a digital footprint is also valuable to parties interested in monitoring their website traffic or for use in targeted advertising. During the course of normal web-browsing an end-user may notice that the advertisements being displayed align closely to items they have recently searched for or purchased. There are several methods by which end-user information is collected to specifically target advertising; some include:

Third Party Cookies – Cookies are small data files that are placed on an end user’s computer after visiting a website. First party cookies are from the actual entity that owns the website, which allows them to recognize your browser/computer when you return to their site. Third party cookies, however, may belong to ad agencies associated with the visited website. Ad agencies pay websites to allow them to place their cookies on the end-users system as they collect data on a user to form a record of browsing habits, computer settings, preferences and so on. This information is often used for targeted advertising.

Search Engine Marketing – Most commonly used search engines analyze users search terms to determine which advertisements will populate within search results and which will appear in the paid space. Information and ads that have been paid to populate for specific end users will generally appear in the page margins.

Past Purchases – Purchases made both online and in brick and mortar stores often result in collected information such as zip code and regularly purchased items. This info1mation is then used to suggest products for your next purchase or offer coupons for items similar to those you have purchased in the past.

Profile information – Information that users include as part of a social media profile may be used by ad agencies to display targeted ads.

…

Consumer Impact: Risk Acceptance vs. Avoidance

In order to have more control over the risks of your sensitive data being exposed, it is important to asses one’s digital footprint. Individuals may begin to assess their footprint by querying their own name in a search engine. Search engines use programs called spiders that crawl web content and catalog keywords. Even information that has been removed from the web can still be found in a search engines cataloged cache. There are also various tools that can be used in this assessment such as like Pipl, Spokeo and 123people, which aggregate information about an individual. Tools like the WayBack Machine allow individuals to browse over 390 billion archived web pages dating back to 1996. By entering a name and location, these engines can return family information, phone numbers, previous addresses and date of birth. It is critical to understand which data collection scenarios could result in the greatest negative impact, what forms of information sharing an individual can participate in will minimizing or avoid the risk of impact, and which scenarios must come with a level of risk acceptance. When evaluating the choices made on a daily basis, it is useful to note the types of impact that may result from unintended exposures of one’s digital footprint. Some impacts include:

• Identity theft – Criminals who acquire digital records that include an individual’s social security number may attempt to assume that person’s identity with the intent to make transactions or purchases. Combating identity theft can lead to lost time and money.

• Employment – Information posted to social media accounts like Facebook, Twitter, and LinkedIn are increasingly being used to screen new applicants and have been used to dismiss employees from their current jobs.

• Court Cases – Lawyers may use information found in an individual’s digital footprint to discredit them based on what may be argued as evidence of their character. Information or behavior captured today may be used years later.

• Education – Depending on an institution’s policies, information in a student’s digital footprint (most often from social media) may impact their education status including suspension, expulsion or loss of scholarship opportunities.

Financial Theft or Fraud – Credit and debit card information may be stolen from retailer database or payment system and used for fraudulent purchases. Cyber criminals may also use other tactics such as phishing, where a malicious actor uses bank themed e-mails to trick the end user into revealing their bank account user name and password.

Phishing – Individuals supply their e-mail addresses when making a purchase, signing up for coupons, applying for jobs or loans and establishing a social media or payment account among other activities. These activities place this contact information in a multitude of databases. Whether malicious actors breach these databases or locate your e-mail address on a publicly available business or personal website, it can be used for spam, phishing, or spearphishing campaigns; all of which can result in theft of other credentials as well as malware infections.

Risk can be defined by threats, vulnerabilities, likelihood a threat will occur, and impact should the threat occur. Consumers may then address the impact using the concepts of mitigation, transfer, avoidance and acceptance.13 Almost any activity that contributes to the creation of a digital footprint has associated risks. In every case possible, consumers may want to take a more active role in determining if the benefit of taking the risk outweighs the potential impact. Some may determine the convenience of receiving coupons while in a store, or using a particular mobile app outweighs the loss of a certain level of privacy. Others may decide the time and effort to browse the internet privately and increase the security of their accounts through complex passwords and multiple factor authentications outweigh the convenience of speed.

Choosing to entirely avoid risk associated with a digital footprint most often means not creating one (e.g. refraining from starting social media or online pay accounts, purchasing goods and services with cash, never giving your contact information, including your e-mail, to anyone). Therefore, individuals may want to take a more realistic approach to protect their data. Some proactive steps include:

Browser Privacy and Security Settings and Ad-ons: These settings and ad-ons offer options to control how the browser handles history, what sites can send you cookies and remove the cookies sites have sent you, browse privately and prevent websites from tracking your behavior. Some browsers also offer security and privacy add-ons with options for Firefox, Chrome, and IE for things like Ghostery, Adblock Plus, and Web of Trust.

Cookies: Clear your cookies; Most browsers offer step by step assistance for users that wish to adjust their cookie and site data permissions.

Software: Always update anti-virus software and install patches when available to all software. Update security patches and hotfixes are issued to address or resolve known vulnerabilities or performance issues.

Multi-factor Authentication: Always opt-in to multi-factor authentication when offered. Many accounts either offer multi-factor authentication or require it. A user name and password combination is considered single factor authentication. Multiple factor authentication requires two or three of the following categories: something you know, something you are and something you have. Some examples include Facebook’s use of mobile notifications. If a user chooses the option, Facebook will restrict a user from logging in to an unknown device until the user enters a onetime security code/number that was sent to the registered user via text. Other examples include Google similar account recognition service, Microsoft Office 365 log in requirements, and the use of U.S. Federal Government personal identity verification (PIV) cards or Department of Defense common access cards (CAC) to access computer systems.

Location-based services: Location based services include but are not limited to geo-tagging pictures, generating coupons based on stores a consumer is near or in, locating businesses or services nearby and generating directions based on current location Some services continue to collect location information and store indefinitely even when you’re not using the service. Deselecting the location based services option while not in use is best practice for consumers interested in the highest level of privacy.

Verify Security Level of Sites Requesting Data Entry: Generally pages that require a user to log in or enter sensitive information like payment card numbers will be displayed as “https” indicating the use of Secure Socket Layer (SSL) for data encryption. Be wary of login pages whose URL are displayed as “http”.

Consider Full Disk Encryption: on all laptops to prevent data theft in the event the device is lost or stolen.

Read the privacy policies and guidelines: as they sometimes change and often inform individuals if and how their personal information may be shared with other parties.

Use complex passwords: that are not based on personal information, cannot be easily guessed, and cannot be found in any dictionary. Also, to avoid being exploited under multiple accounts use different passwords on different systems and accounts.

Routinely change debit card PINs: Contact or visit your financial institutions website to learn more about available fraud liability protection programs for debit and credit card accounts. Some institutions offer debit card protections similar to or the same as credit card protections.

Accessing Public Wi-Fi: Whether via cell phone, tablet or laptop, consumers should practice caution when accessing public Wi-Fi. When possible, VPN into the hotspot to encrypt your communications. When not possible it’s best practice to avoid online shopping or other activities that require payment card data or log in credentials.

Home Wi-Fi Settings: When an internet service provider (ISP) technician installs the hardware necessary for home internet access, they often explain the use of the modem and whether the modem is also a Wi-Fi router or if the consumer must purchase one. In any event, either the ISP associate or the user documentation with the router may also aide the consumer in the following:

o Change default/administrator passwords: used during setup; these default device credentials can often be located online and therefore used to compromise commercial devices.

o Encrypt the data on the network: using WEP (wired equivalent privacy) or WPA (Wi-Fi protected access). WPA is more secure than WEP and should be used if available.

o Change and/or do not broadcast the network’s SSID: This may make it more difficult for unauthorized users to easily access the network.

o Install a firewall: Installing a host based firewall directly onto wireless devices add an extra layer of security.

Mobile Devices: It is best practice to secure mobile devices via many of the same methods that are suggested for desktop or laptop computer security. Some best practices include:

o Device Privacy Settings: Consider using the privacy settings available on smart phones or other mobile devices.

o Lock: Take advantage of the lock feature on the device (common examples include: password, PIN, fingerprint recognition or sequence).

o AV Software: Install anti-virus software; there are multiple free and paid versions available for all devices and operating systems. Most companies that offer antivirus solutions for personal computers also offer them for mobile devices. The following graph lists the top antivirus vendors according to independent software management and security technologies provider OPSWAT. Only antivirus products with real time protection (RTP) enabled are included in this comparison.

Share this: