Seven actions of the Digital Me

Seven actions for the “digital me”

The CyberSecurity Place

by Guest Contributor, March 17, 2016 Expert Article

Link: https://thecybersecurityplace.com/seven-actions-digital/

By Dr. Ron McFarland, CISSP, PMP

We live in an electronically chronicled society. Like it or not, our recorded society, fostered by

computers, databases and analytics, provides each of us with many benefits and several potential

hazards. It’s a pretty well understood fact that emails, online shopping information, cell phone

calls, and Internet traffic are recorded – by someone on a database located somewhere. Whether it’s

your Internet Service Provider, Cell phone provider, your bank or utility company, someone is

storing your information, your data, and the “digital you” is recorded.

It is important for each one of us to understand the fundamental aspects of how much data is

collected, why it is collected and how it is generally shared. By developing awareness of how your

information is stored, collected, collated and shared, we can address any errors or assumptions

made by vast databases and programs about who we are, increasing our benefits for living in a

digital society and reducing the risks that can occur.

Many organizations record, save, and share pieces of data about you. Information and data known

about you, your buying patterns, and your web-surfing behaviors are retained by the conglomeration of

vendors where you do your online shopping, banking, credit card transactions, and a host of other

online activities. Collection of this information is necessary for organizations to provide you with

access to their large databases of products and services. Also, collection of your information is

essential to provide you with some level of information security that protects your information

from the prying eyes of highly trained and ill-intentioned hackers.

Demographics, Psychographics, and Trends – oh my!

Most of us may be familiar with the field of demographics. Just to clarify what demographics are,

it is the quantifiable characteristics about you. For example, your name, age, and address are

demographic attributes that are collected and stored in databases. Beyond demographics,

companies also save psychographic information about you. Psychographics is more formally

described as the collection of information about your interests, opinions, and even your lifestyles.

I’m interested in guitar playing, for example, so my psychographic profile indicated that I prefer

acoustic guitars.

Here’s another example of how a company, say my local grocery store chain, might use my

information. When I signed up for a discount card at my grocers, they asked me to fill out a simple

form. The form asked for the usual information: name, address, phone number, email, and a few

other demographic pieces of data (data about me), which I gladly provided to obtain the weekly

discounts that the store offers. The demographic information that I provided is stored on a large

database file containing demographic information for everyone who signed up for the discount

card. In that way, the store can send out a weekly email flyer containing store specials to email

addresses or a printed flyer to the physical address of store customers.

Demographic and psychographic information can be used in a more robust approach to provide

the grocery store chain with marketing information for their customers. For example, when I go

into my local store every Friday to purchase my usual one-pound of wild-caught salmon and

favorite Irish beer, the grocery store’s database will recognize my purchasing trends and note these

as my shopping preferences. The store can actually send out a coupon to my email address when

salmon or my favorite Irish beer goes on sale.

The combination of demographic and psychographic information collected by our example

grocery store chain can also help a grocery store chain with their overall individual store planning.

Trend information, what customers are purchasing at a given store, can provide a store chain with

valuable analytics to shape individual stores in a way to meet their customer needs. Have you

noticed that in the past fifteen years or so some grocery store chains have created a few aisles

of health food products as an offering to their customers? How this has been done is that grocery

stores recognized the trend for health food products over the past few decades. Several chains

examined their demographic information, which provided them with maps of where their

customers live for a particular store and cross-referenced this information with the stored

psychographic information that was trending in both the store and within the region. Analytics

revealed if a store could support a health food section by examining the trends. Demographics also

determine if the addition of a few aisles of health food products, which tend to run at a premium,

could be added to the store’s inventory mix.

Databases and Analytics – more of the techie stuff.

Databases are the essential background technology used by companies to store information about

you, transaction information about what you’ve purchased, consumed or traded. With today’s

technology, your information, saved by a given company, is usually not stored at one location.

Today’s highly sophisticated databases use analytics to meet the needs of their customers with the

intention to expand their customer base and consumer markets that the company serves. However,

the push is on for companies to share information about their consumers with each other to further

expand markets with complementary products. So much information is shared about you between

companies with highly distributed databases located around the globe that organizations can with

reasonable accuracy, predict what you will purchase in the near future. This is referred to as

predictive analytics. Amazon, for example, is using predictive analytics (demographics,

psychographics and current trends) to predict or “shape” their inventory at their warehouses based

on projected future sales. Every Amazon warehouse has a particular mix of products kept on the

shelves for the area that the warehouse serves which will allow for quicker shipping. Imagine

Austin Texas and the music scene. Because of all of the guitar players around Austin, I can only

imagine that the Amazon warehouses that serve the area probably store more guitar strings than

many of the other Amazon warehouses around the country.

The cloud is everywhere.

Data about you is not only stored and shared on massive databases that organizations maintain,

but are also stored in large data pools hosted in diverse locations around the US and world. The

current method of storing and distributing data that many commercial organizations use is cloud

technology. Cloud technology allows for an organization to distribute your information anywhere

in ever-growing databases, typically in private networks of databases that span the United States or

even the globe. Your information is literally scattered around multiple sites that an organization

hosts.

The catch in cloud-based services is that not all organizations can afford their own vast ever-

growing networks of hardware to host and maintain their databases. Instead, many large, medium,

and small organizations will rent cloud space with a third-party cloud-based services company that

has the infrastructure to lease large amounts of space to companies. I liken this to my garage. I,

like many Americans, have quite a bit of storage in my garage. When I’ve run out of space, at

times, I’ve rented a storage space to hold my treasures. The catch is that with space for data or for

your things, you release control and trust of your assets to a third party.

Aside from the massive amount of data that a particular organization will keep and share about

you, whether on their own databases or on leased cloud-based services, information about you can

also be found on the various social media sites. Facebook, Twitter and YouTube, to name a few,

provide a rich source of data about you. We upload our pictures, videos, our poems and papers in

order to share these with our online friends and community. Our pictures, posts and papers provide

information about our preferences. I don’t know how many political posts I’ve responded to in the

past month, but this alone can provide certain information about my likes and dislikes as it pertains

to an event or political interest. In addition, files that are uploaded typically contain meta-data,

which is simply information about our location, earth coordinates, and other information about the

file, picture, or video. Meta data is like a fingerprint. In fact, the sheer volume of data that is

uploaded hourly on social sites is astounding. Over 300 hours of video alone is uploaded per

minute to YouTube. That’s a lot of video content that may contain telltale information about you.

And the social media companies, also willing to make a buck off of your information, gladly share

information about you to other social media companies and to businesses.

So where is the digital me?

The sharing of information about the “digital me” is at a fever pitch. Billions of dollars per year

are spent on sharing, collating, sorting, and relating information gathered from many sources. The

“digital me” is a composite of all data collected about my activities, purchases, preferences, and

activities scattered throughout social media, third-party cloud services and private organizations.

It is no wonder that security agencies have a hand in our profiles as they can project who may

be more prone to illegal and terrorist activities.

But there is a more fundamental problem with the conglomeration of information about the “digital

me.” Is the information about me accurate? A few years ago, I set up two profiles on my favorite

social media site. One of the account profiles I set up was for my very conservative side and

another account profile suggested that I was quite liberal. Of course, I pointed each of these

accounts to a different email that I had, and I used my first name for one account and my middle

name for the second account, so the setup was quite legit at the time. As I anticipated, based on

my profile information, I started receiving more conservative information to the conservative-

leaning account and more liberal information to the other account. The point is that marketing

companies obtained my preference information and my demographic information (email address,

age, etc.) from the social media website. My bet is that the social media site sold my information

for a few pennies and the digital me (both sides of me) was sold to a third-party company.

Decisions by algorithm, not people.

As noted earlier, many decisions are made by databases. Automated decision making and

predictive analytics are done by a set of programmed algorithms that most organizations use. When

I want to purchase a car, the credit agencies will use an algorithm that checks the “digital me”

including my credit risk and worthiness, with fairly good accuracy.

Algorithms are only as good as they are designed. Algorithms make an assumption that the data is

accurate. And there are bad algorithms that can be downright harmful. When an algorithm is

designed and used for decision-making, the algorithm will read in the data to its process that it has

access to. The algorithm typically does not determine the quality of the information, the accuracy

of the information nor the context of the information. In most cases, algorithms that make decisions

for us do not determine if mistakes have been made to the data that is being reviewed; whether the data is

correct or not, the quality and verifiability of the information are, for the most part,

not considered. Imagine a scenario where your healthcare information is hijacked by a hacker. If

the hijacker can alter your information about who you are to your healthcare provider and receive

services, you may be on the hook for the services that you’ve received.

Keep the “digital me” clean.

Correction of data is difficult at best. It is hard to clean up our own digital data and to make

corrections. From this standpoint, digital data spreads like a disease. There are, however, some

precautionary measures that we can take to better assure that our data is more accurate. It takes

some effort and I recommend these actions:

1. Be security aware: Continuously be cautious about sharing your information with people,

emails, and organizations that ask for your information. Understand why they need the

information. If you receive an email, for example, from your bank asking you to update

your information, call the bank and ask them to send the request in writing.

2. Check your credit rating: I recommend checking your credit reports at least one time per

year. Credit reporting agencies, by law, must respond to your request to change credit

information in a timely manner. For example, if a credit card incorrectly reported that you

were late on a payment, you can request that (a) the credit card agency reverse the report

to the credit reporting agency and (b) request to the credit reporting agency that the report

on your file be corrected. Both the credit card company and the credit reporting agency

must respond to your request within a certain time limit or are required by law to change

their records about you.

3. Use pass phrases: Passwords are easy to crack. You can search the web and literally find

dozens of password crackers that hackers use to provide access to your account. The shorter

the password, the easier it is to use. Instead, many companies are giving you the option to

provide either a password or a pass phrase. Choose the pass phrase, if you are given this

option and insist that your bank or credit card company use pass phrases, if they do not. A

pass phrase, as you probably already guessed, is a much longer password and is something

that is unique to you. Because of its length, it takes a hacker who is running password

cracking tools a lot longer. An example of a pass phrase would be something that is unique

to you and can look like: “I lov3 the University of Arizona basket ball te4m because they

are $tellar” (notice the use of a long, unique phrase with numbers and special characters).

4. Remove your hard drive when donating: Take out your hard drive before you donate

your computer. When I taught computer forensics courses a few years back, I’d purchase

a few computers donated to Goodwill. I’d remove the hard drives and would scan each

hard drive for strings of 16 digits. A string of 16 digits might reveal a credit card number.

If the software that I used found a 16 digit number, it would mark it for further inspection

once the entire disk drive was scanned. Later, the program would examine more closely

the 16 digit number to see if the first four digits were representative of a bank or a credit

card number. I’d demo this to my class and would discover that most hard drives at the

time contained several credit card numbers. And, if you think that you’ve deleted the hard

drive contents before you donated it to a worthy cause, keep in mind that there is software

that can recover deleted files on a hard drive. The best practice is to donate your computers

and laptops without the hard drive. Then, take the hard drive down to a computer store and

have them physically shred your drive (look for a computer store that has a hard drive

shredder, which is similar to paper shredders, but can chew up a chunk of metal).

5. Do not loan your computer: This sounds a bit harsh, especially when your friend is

looking to borrow your computer. But keep in mind that your friend may not be as careful

with your computer, which contains your data, as you might be. They may be tempted to

download software or visit websites that will install malware onto your computer and

malware is often written to steal your information and transmit it to another computer on

the web. I’ve run into this situation when repairing and restoring computers, especially in

a school setting.

6. Update, update: This is an item that we’ve heard of continuously from both software and

hardware vendors, but warrants emphasis. Operating system, application software and

hardware companies continuously seek to patch their systems for vulnerabilities and will

release updates often. Aside from the necessary virus protection that needs to be updated,

please be sure to check that your operating system and applications are updated frequently.

Most operating systems including the MacOS and Windows OS versions, will allow you

to set an automatic update where the operating system checks periodically and will install

critical patches that can provide additional security to your system.

7. Clean it out: When your computer begins to run sluggishly and you’ve performed the

suggested vendor maintenance, if your computer still runs sluggishly, do not hesitate to take

it to your computer technician to have her or him perform deep cleaning and inspection of

files and browser software. One of the symptoms of a virus (or many) on your computer is

that your system runs slow, browser windows open slowly, extra windows seem to pop up

out of nowhere, and you are prompted mysteriously. While you may take all efforts to

clean your system as required by the manufacturer, deep cleaning and scanning may be

necessary and can be readily done by a certified computer technician.
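
The two-pass scan described in item 4 can be run against an image of your own drive before it leaves your hands. The following is an added example, not code from the original article: pass 1 marks every 16-digit run, pass 2 checks the leading digits against common issuer prefixes. The Luhn checksum step goes beyond what the article describes, the prefix table is a simplified assumption covering only common 16-digit brands, and the sample bytes are constructed using public test card numbers.

```python
import re

# Constructed sample standing in for raw bytes read from a drive image.
# The card-like values are public test numbers, not real accounts.
SAMPLE_IMAGE = (
    b"\x00\x00order=77 card=4111111111111111 exp=01/19\x00\xff"
    b"tracking 1234567890123456 shipped\x00"
    b"pan=5555-5555-5555-4444;\x00"
    b"typo=4111111111111112\x00"
    b"serial 99999999999999999999\x00"
)

# Pass 1 pattern: exactly 16 digits, optionally grouped 4-4-4-4 by a space
# or hyphen, and not embedded in a longer run of digits.
CANDIDATE = re.compile(rb"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")


def issuer(digits):
    """Pass 2: map the first four digits to a card brand, or None.
    Simplified prefix table (assumption): common 16-digit brands only."""
    p4 = int(digits[:4])
    if digits[0] == "4":
        return "visa"
    if 5100 <= p4 <= 5599 or 2221 <= p4 <= 2720:
        return "mastercard"
    if p4 == 6011:
        return "discover"
    return None


def luhn_ok(digits):
    """Luhn checksum (added step, not in the article): cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(image):
    """Return (marked, findings): every 16-digit candidate with its byte
    offset, then the subset that passes the prefix and checksum tests.
    Findings are masked so the report itself does not store full numbers."""
    marked = []
    for m in CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        marked.append((m.start(), digits))
    findings = []
    for offset, digits in marked:
        brand = issuer(digits)
        if brand and luhn_ok(digits):
            masked = digits[:6] + "******" + digits[-4:]
            findings.append((offset, brand, masked))
    return marked, findings


if __name__ == "__main__":
    marked, findings = scan(SAMPLE_IMAGE)
    print(len(marked), "candidates marked in pass 1")
    for offset, brand, masked in findings:
        print(f"offset {offset}: {brand} {masked}")
```

Any finding on a drive you believed was wiped means deleted data is still recoverable, which is the case for physically destroying the drive rather than relying on file deletion.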

As a result of the massive amounts of data collected by computers, we each have a digital profile

– a “digital me” that identifies who we are, what we do, what we like and how we interact in the

world. The “digital me” is rapidly evolving by the rapid collection of information that you’ve

provided over the Internet to your banks, favorite shopping web sites, social media sites, and other

web sites that you visit weekly. Massive databases that operate in the background share your

demographic, psychographic and trend information as well as your location and other related meta-

data. The soup of information that is collected about each of us creates a unique “digital me.” It is

essential that we constantly monitor what data is put into the process and clean up any data that is

incorrectly stored on databases like credit reporting data.

About the author.

Dr. Ron McFarland, CISSP, PMP is the Dean of Applied Technologies at the College of the

Canyons in Valencia, California, which has a robust Computer Networking and Cyber

Security program. He received his doctorate from Nova Southeastern University’s School of

Engineering and Computer Science. He also holds multiple security certifications including

the prestigious Certified Information Systems Security Professional (CISSP) certification

and several Cisco certifications. Dr. McFarland can be reached at:

[email protected]