Closing the Gender Gap: Assured Identity and Personal Privacy Take Center Stage

By Michelle Hansen

This year’s International Women’s Day theme, “Balance for Better,” calls for gender parity. Closing the gender gap, according to a 2017 World Economic Forum report, is a key to economic development and “the growth, competitiveness and future-readiness of economies and businesses worldwide.”

The report estimates that closing the gender gap in economic participation by 25 percent between 2017 and 2025 will result in a US $5.3 trillion increase in the global GDP. A key factor in women’s ability to contribute to the global economy is their ability to access mobile technology, including handheld devices and wireless Internet connectivity.

Such access can empower more women to become part of the global business world. But leveraging mobile technology to advance the world economy requires an information-managed process focused on security.

The ubiquitous nature of mobile devices provides the paradigm by which our society works, plays, communicates and stays connected. The paradigm with mobile computing involves the computation of information based on user movement and encounter. Smart devices are both personalized, as with smartphones and wearables, and embedded, as with sensors and Internet of Things appliances. All these connected conveniences create pervasive information systems that go where we go, record what we do, and easily connect to any wireless network in range—all without most people knowing it is happening.

Secure human behaviors empowered by publicly available information will guide the users of smart technology in protecting their identity and privacy. Human behavior is repetitive and predictable; therefore, people need to be diligent in using mobile devices, downloading apps and content, and wirelessly connecting to the Internet by using prevention, deterrence, and defense (PDD).

Protecting personal data from nefarious activity starts with choosing behavior over technology. Users who practice personal security tradecraft techniques to mitigate exposure will develop secure habits and behaviors. Furthermore, this practice alleviates a false sense of security based on technology alone. There are four truisms that can be exploited:

  1. Each of us has a distinct pattern of behavior.
  2. If another party has access to your data, you must assume a compromised posture.
  3. Increasing the levels of security, both in behavior and technology, will increase probability of threat detection.
  4. When it comes to defense, simplicity is good, as complexity induces vulnerability.

The use of mobile devices and smartphones in particular exposes both data we have stored and data that is captured by installed apps, towers and networking hardware, and the devices themselves. Hackers can access user data while in transit along insecure connections, as well as through apps that have been installed on personal devices. In 2018, T-Mobile reported that millions of its users had data stolen, including passwords, home addresses, email accounts, and address books.

Assured identity and privacy are protected by authentication and access control systems used to verify account credentials. Email services and apps, device PINs, and network resources including the Internet of Things and real-time systems all use accounts for access and validation.

In constant balance is the need for confidence and trust of users and online entities, with the need to protect the privacy rights of these users and entities. Researchers and businesses continue to look at options for strengthening systems, including using role-based access control (RBAC), biometrics, pervasive surveillance (“Panoptic Effects”), privacy-protecting transformations of data, privacy-protecting data mining methods, privacy regulation (e.g., HIPAA and COPPA), oblivious multiparty computation, and trusted proxy research.

One promising new technology is the use of flexible signatures, whereby a verification algorithm is used to validate credentials in a systematic manner that is quantifiable and trusted. Ultimately, the level to which a person can be confident that their data, identity and privacy are protected is a direct correlation to their own efforts to stay informed of threats and vulnerabilities, and actions to minimize vulnerabilities based on behavior.

March is Women’s History Month, an appropriate time to highlight the link between technology and gender parity. Access to all information systems, technologies and connectivity is essential to women’s full economic participation in the global economy. According to USAID, providing online and mobile access to 600 million women could contribute $18 billion to GDP growth in 144 developing countries. But arriving at full participation must go hand in hand with building awareness around behaviors and threat vulnerabilities, and establishing identity and privacy through trusted authentication and access control systems.

As more and more women adopt mobile technology to advance their position in the global economy, they also can have a significant influence on individual privacy and identity by demonstrating safe behaviors and choices, including choosing secure connections to the Internet, safeguarding confidential information, and avoiding malicious third-party apps.

About the Author

Michelle Hansen is collegiate professor of cybersecurity and computer forensics at University of Maryland University College.

Staying Protected While Connected to Social Communities

This week’s theme for National Cyber Security Awareness Month is about connected communities. Social media sites such as Facebook, LinkedIn, Twitter and Instagram allow users to communicate and share information and events with friends, family, co-workers and others. As you connect to these types of sites it is critical to be aware of the potential privacy and security issues that could surface without proper safeguards and knowledge of application privacy settings, encryption, strong passwords, two-factor authentication, and phishing schemes.

Most popular social media sites provide the ability for a user to modify their privacy settings. These privacy settings are the key to who is allowed to see the information, pictures and events posted on the site. For example, in Facebook, the privacy settings are found in the upper right corner of the interface by selecting “settings” and then privacy. Here you can determine who will see your posts along with the timeline for viewing those posts. You can also control photos that may have been tagged by someone. Before you start posting and using the social media sites, be sure you understand and set the privacy settings appropriately.

Don’t share private information on social media sites. Many hackers use social engineering techniques to gather information from you from multiple social media sites. Private information such as birth dates, social security numbers, children’s names, banking locations, and even pet names can be used to guess passwords and other information to gain access to financial or other sensitive accounts.

When logging on to any account, be sure you are using strong passwords or two-factor authentication. Strong passwords consist of numbers, symbols and a mix of upper and lower case letters. Longer passwords are also more difficult to guess than shorter passwords. Two-factor authentication adds an additional layer of security by requiring two forms of identification to access the system. For example, if you participate in Google’s two-step verification process you will be asked for your password and then for an additional piece of information such as a code sent to you via text. Also, be sure the data being sent between your computer or mobile device and the web site or server is secure. HTTPS should be the default connection when accessing any accounts on remote machines.

Finally, be sure you carefully review hyperlinks provided to you in an email before you click on the link. Phishing schemes attempt to steal your account information by pretending to be your bank or another vendor and requesting that you log in or reset a password. These emails can be quite convincing, so have your IT or security expert review the email before you provide any information. These schemes have been around for quite some time and some people still fall victim to this scam.

In summary, use computer security best practices when connecting to any sites. Hackers love easy targets who share all of their private information on social web sites and use simple passwords. Don’t make their job easy. Always work to protect yourself while you are connected.

Dr. James Robertson is a collegiate professor and Chair for Computer Science and the Software Development and Security programs in the undergraduate school at UMUC. Prior to joining UMUC, he worked as a principal consultant for the Oracle Corporation. Dr. Robertson has more than 20 years of technical, engineering, and information systems experience with progressively increasing responsibilities in the areas of education administration, software development, application security testing, database design and development, modeling and simulation, and data mining. He has designed and developed secure software, algorithms, and techniques for image and signal processing in federal, health and commercial industries within all phases of the software life cycle.

Creating a Culture of Cybersecurity at Work

With it being National Cyber Security Awareness Month, one of the most important things to think about is whether or not you are practicing good cybersecurity habits at work. Here’s a top ten list of ideas that can help foster a culture of cybersecurity in the workplace:

  1. Institute quality cybersecurity training. Teach employees cybersecurity policies, procedures and best practices such as managing passwords, how to recognize a breach or attack and respond accordingly, and proper web browsing procedures. If there is a breach, they should know what actions to take, such as whom to contact. Training should be provided for new employees and refresher training should be conducted at least annually for regular employees. Include self-assessment security quizzes to test their knowledge of cybersecurity threats, vulnerabilities and countermeasures.
  2. Create a dynamic cybersecurity awareness program. These could include cybersecurity posters, newsletters, email reminders, token gifts with security reminders and computer log-on displays. Messages should change at least monthly to keep the information fresh. Include fun and informative events such as cybersecurity fairs, guest speakers and brown bag lunches.
  3. Gain managerial support. The CEO, other executives and managers need to announce their support and full commitment toward cybersecurity. They should also participate in cybersecurity activities. Employees will recognize that they mean business when it comes to cybersecurity.
  4. Establish sound cybersecurity policies, procedures, controls and practices. This is a basic requirement for any organization that wants to establish a culture of cybersecurity. If these policies, procedures and controls are weak, outdated and/or impractical, employees will not see the importance of cybersecurity.
  5. Ensure cybersecurity employee performance. Due to its criticality, the need for cybersecurity should be considered for inclusion in the employee’s performance appraisal to ensure that it will be addressed.
  6. Certify employee accountability. Require employees to sign “acceptable use policy” statements that address requirements for cybersecurity and outline penalties for not complying with these requirements.
  7. Relate to the employee. Employees often think that they will never be victims of a breach. Share recent cybersecurity breaches that occurred in similar environments so employees can relate to possible attacks. This information can be conveyed through email or newsletters.
  8. Tie cybersecurity to every business process. Every new and existing standard operating procedure for each business process should be reviewed for possible security breaches, and appropriate adjustments should be made in a timely manner.
  9. Establish a cybersecurity community of interest. Have a team of employees who are well versed and/or interested in cybersecurity share information and experiences with each other and the rest of the organization. This can be accomplished through social media if there are adequate security measures.
  10. Conduct informal security checks on employees. For example, have an outside third party perform social engineering attacks to see how many employees give up their passwords. These will certainly grab the attention of your employees. Of course, employees should not be disciplined for these actions since the security check is meant as an educational experience.

Have anything to add? Post it in the comments and keep the conversation going!

 

Dr. Les Pang, CISSP, is a Program Chair and Associate Vice Dean in the UMUC Graduate School. Besides several technical classes, he teaches Cyberspace and Cybersecurity (CSEC 610), the first course in the Master of Science in Cybersecurity Degree Program. He is a former professor at the National Defense University where he taught both information security and technology courses. He was the 2004 recipient of the Drazek Teaching Excellence Award, the 2011 United States Distance Learning (USDLA) Faculty Teaching Excellence Award – Platinum, and the 2012 University System of Maryland (USM) Board of Regents Teaching Award.