Thursday, November 30, 2017

Private data in public places


Professional social engineer and open source intelligence expert Stephanie "@_sn0ww" Carruthers makes a living out of (mis)using what people and companies share publicly, so when she talks I listen. Her talk at the Lonestar Application Security conference in October was captivating in showing how such information can be used to infiltrate a business (in her case, for the purposes of showing the business their weaknesses and how to defend themselves against someone with actual malicious intent). She made an observation this week that sparked some lively discussion:

Don't leave your resume public on google docs.

She has an excellent point. It's not hard to find resumes shared publicly on Google Docs, many with personal data. Hey - it's convenient. Write up a document, drop it in Google Docs, share a link with prospective employers, and done. It avoids the hassle of sending email attachments that may or may not be blocked, and that may or may not be in a format compatible with the prospective employer's HR system.

By the same token though, anyone with the link can read it. A share link is not a secret: "anyone with the link" means exactly that, and once the link is posted on a job board, a forum, or any page a search engine crawls, the document behind it gets crawled too.

So can anyone who takes a few seconds to craft a suitable Google query.

However, "don't do this" isn't exactly helpful. I've been through a couple of job searches recently. It's not always practical to seek employment while hiding out of sight. In many circles a positive "personal brand" can be a strong asset, and a personal brand cannot be developed entirely in the shadows. Australian security expert Troy Hunt has written several times about the potential benefits of an online identity as a personal brand. I can assure you I did indeed share my resume publicly, in several forms and in several locations.

Instead of not sharing, be conscious of what you share, and where.

The key though is that I am conscious of what I share, and with whom. My public resume identifies my public social media aliases, where in the country I reside, enough detail about my work history to demonstrate my body of work without revealing specific products used by my former employers, and a way to contact me.

Throwaway email addresses and virtual phone numbers are great for this purpose.

There is a great parallel between this and social media. I've written before of the privacy decisions inherent in social media, and made the point that ill-advised sharing has cost many a person their job, their family, their freedom, or even their life. My approach is to decide for each social platform how I will use it - then tailor privacy settings along with what I share to that purpose.

Likewise, there is a parallel between this and consumer loyalty programs. Perhaps I may be willing to share some information with a business in exchange for freebies and "members only" specials. Or perhaps not. The point is, it's a conscious decision.

What works for me may not work for you, and what works for you may not be right for me - and that's great. We each have different priorities and different perspectives. Perhaps Jessie Irwin said it best: data privacy isn't about not sharing. Data privacy is sharing on my terms.

Data privacy means making a conscious decision about what data I share, with whom, and for what purpose. Which sounds an awful lot like the principles behind the European General Data Protection Regulation (GDPR), which takes effect across the European Union next May.

So before you put your resume in a public share, or sign up for a customer loyalty program, or post on social media, or answer a survey, make sure you are sharing on your terms.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen


Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.