
Personal Security Preparedness & Risk Management for All

BSides Dallas/Fort Worth · 33:34 · 30 views · Published 2021-11
About this talk
BSidesDFW 2021, Track 1, Session 8 - 06 Nov 2021. Personal Security Preparedness & Risk Management for All: actionable personal/home security for everyone and their family. How to take actionable steps to protect yourself and your family from, and respond to, cyber security threats.
Transcript [en]

I'm live? You're live. Okay, I have it visible on my phone, so I was curious if I would see it flush over. Okay, well, if that's the case I guess I'll go ahead and get started. Howdy y'all, my name is Victoria. I'm here today to talk about personal security and risk management for all people, anyone. If you exist, you probably care about your privacy, and if you don't, you probably should. So that's kind of what we want to cover today. Quick disclaimer: this presentation is of my own creation, in my personal capacity, and does not reflect any organizations I work with or represent. So a little about me before the talk. My name is Victoria

Wixon. I've been a consultant and a BISO in fintech and other organizations. On Twitter I go by V, or Vanity, or Vanity Devil, my handle. I started my own LLC, VWXN Consulting LLC, so I could do consulting on the side for cyber security, and I just recently passed the CISSP. I have my contacts right there if at any point you need to ask me questions after the presentation is complete and I'm unable to answer them. A little bit of my background and what led me into creating this talk: I was really interested in creating consistency from my experience working in governance, risk and compliance, working with regulations, identifying risk, vulnerability, threat modeling,

creating policy, strategic planning, among a lot of other things in my previous work. Having been in these areas, I really wanted to try and continue being a BISO. A business information security officer, what we do is translate information security to our business lines and explain, in plain English ideally, what they need to do to remain compliant or become compliant. And really, in the personal capacity, I want to change it from BISO, business information security officer, to just information security for anyone, because I feel like it's relevant today, and a lot of people don't realize how valuable their own information is and aren't always aware of how to protect it. So in this talk I really wanted to

discuss privacy risk management: how a risk management framework around a person's personal information and life can help you understand the scope and begin to be able to control your own security, and enable them to protect their families as well. And I want to go beyond just awareness training in particular. So this next slide I'll just describe, you don't have to read it or anything. It really goes into talking about how awareness training, we do it every year, oftentimes at work, and sometimes you'll just click through those slide decks just to get that 80% mark and pass those tests. Whenever it's asking all those basic questions, I'm like, how

do you react to a phishing email, what do you do? And you know what to do in a work context, but what people practice at work doesn't always translate to what they practice at home for cyber hygiene or privacy, and I feel like that's where awareness campaigns can fall short. If we implement some form of framework, I'm using the NIST Privacy Framework as a reference, if we use this framework it can help anyone understand risk management and try and go through step by step, and not just be aware of, oh, I know what phishing is, or I know that there's credit card skimmers, but how to methodically go through the steps of

understanding your scope of information, then identifying how to protect it, and then how to respond in the case of it being compromised. So again, why should you even care? The range of hacking targets is wide. It affects the Internet of Things, so those might be things in your home like your Alexa, Google, smart plugs, smart thermostats; some people have smart fridges nowadays; even certain medical devices on your body. I've seen Wi-Fi enabled diabetic stick-on machines, as well as lots of other things. Small businesses are often victims of being hacked, and a lot of small businesses don't have the resources to recover sometimes from things like ransomware. So if they're able to

understand their threat landscape better up front, they might be able to deter or prevent potential hacks that could affect them. Young children and young adults using social media, again, may not fully comprehend their online privacy or online footprint, and what's really attached to pictures when they post them on social media, what's really attached to videos, or geotagging and metadata. The ways it affects individuals: this right here is the opposite of confidentiality, integrity and availability. It's the disclosure, the unauthorized alteration, and the destruction of information or assets. That being said, these are the things we want to avoid. We don't want to compromise the confidentiality of something, say your Social Security number; you

don't want people who shouldn't know it to know it. You don't want people to alter your information, say on a website, without you knowing it, say your login credentials, if someone changes your password. We don't want the inability to access your information, in cases such as ransomware, or your information physically being destroyed, and that can include physical copies of information such as birth certificates. An example I wanted to show, as far as what we understand growing up, and I'm probably speaking predominantly to Americans, is that we grow up doing fire drills in elementary school, middle school, high school. These are commonplace routines. You know how to identify a fire exit,

you know what to do when there's a fire, you know who to alert and who to communicate to, and you know how to potentially recover, or we have established processes on how to stop a fire, put out a fire, stop, drop, roll, etc. So we want to really have this mentality towards cyber security, and security in general, for the individual, starting very young, because not everyone's going to see a fire in their lifetime, and hopefully you don't, and if you have, hopefully you've been able to go through your process and recover from that. But I believe one in five people today are hacked, so like 20% of people are affected by

some form of disclosure of information nowadays, and that's an enormous amount of people. There are ways we can prevent that, by reducing risk in particular, and by identifying risk before it becomes an actual active threat. So this is a picture example of what risk actually is. This is from Christian Espinosa's book The Smartest Person in the Room, and I highly recommend this book to anyone who works in information technology, or in a large corporation in particular, because it really helps you learn how to better communicate with other people, not just your immediate team, but to really try and have that holistic view of an organization and others' skills. So

you can see low risk on the left side; it's a combination of low probability and low impact. Medium risk: high probability, more likely to fall into that puddle, but low impact, you could still step out of it. Then you have another medium risk off to the right where you can probably jump over it, low probability, but if it does affect you it's a high impact, and that's a bad thing. Then you have high risk: high probability, high impact. What we want to do is reduce the impact and reduce the probability of these events occurring, to get to that top left one, low risk. So here's a matrix trying to really show the

likelihood if you quantitatively apply risk and then try and identify the probability. So risk is just solely probability times impact: how much is this going to hurt you by losing this information, or this information being disclosed or destroyed, or your asset, and how likely is that to actually happen? Is it likely for us in Dallas to have a hurricane? Maybe not, but it's possible to have fallout from a hurricane. Is it likely to have an earthquake in certain parts of California? Highly likely; therefore, that's why we have certain regulations on building codes, to try and prevent that from being as big of an impact. As a real life example, you calculate risk every single day that you're

driving, if you drive. When you see a light turn yellow and you're still going, say, the speed limit, say 40 miles per hour down the road, you look up and you see the light just turned yellow and you're just a few feet away, you're probably going to drive through it, because you have a low probability of it turning red. You're making that judgment call, and you probably see, oh, maybe there's no one around, you have a low impact if someone were to try and fly through right as their light turned green. Whereas if you're further away from the light, then you might say, you know what, I see there's a lot of other

people at the other intersections, maybe I'll just stop at this red line and wait. So you're making risk judgments every single day; we just need to also apply that to how we use our cyber security and use our information. So what is a risk management framework? This NIST Privacy Framework is a core of five steps, the last one being broken down into three, and what it does is group logically different actions and activities to perform and go down, and help create a strategy for the individual. So we have Identify, Govern, Control, Communicate and Protect. Protect is broken down into Detect, Respond and Recover. Of these, not all are going to be applicable to every individual, and

just as in businesses these are not always applicable to every single business. This framework is a skeleton, if you will: you choose what's applicable to you and then apply those steps to it. So let's say you never travel internationally; international travel might not be part of your risk framework. You may not have to worry about losing certain things in airports, or airport security, if you're never in airports. Or let's say you do travel on a frequent basis and that is one of your concerns, so that might be something you would use out of the framework. So breaking it down into Identify: we have what information or assets should be protected. You have to create your scope,

so you have to see yourself and your information, and try and look at it holistically and say, okay, I have this type of physical information: birth certificates, Social Security cards, passports, maybe medical history, financial information, all kinds of things that could be physical, and those same things could be in a digital format, as well as pictures and other information confidential to yourself or your own businesses. Then you also have to understand where these information items, these assets, are located, physical or digital, and actually where they are: just on your standalone laptop, or are they in the cloud, which is simply someone else's computer, and you're relying on them as a service and on their security controls? So you should

understand their security precautions if possible, to understand how your information is being protected, if it's encrypted, etc. So again, where is it located? But then trying to understand some of the value, and again that impact: what would happen if I lose my Social Security card? What would happen if I lose some of my pictures? Let's say pictures, for example: high probability of me accidentally deleting the wrong pictures one day, but I haven't backed up, so low impact, high probability, but that's okay. Losing my Social Security card: probably a low probability, because I keep mine locked away in a safe and I do not carry it with me on a daily

basis, but it would be a very high impact if that card was stolen, because I would not only have to worry about going through and making sure my identity is not stolen, but also recovering, getting a new Social Security card, which can be a pain. Because if you lose one item you might be losing multiple at once, you have to keep that in mind: if you, you know, keep all your eggs in one basket. You shouldn't keep all your information behind just one set of controls, because you can create what's called a single point of failure. So again, that's kind of going into risk assessment and classification, figuring out

how you're protecting it, who's protecting it, how it should be protected, or starting to think about that based on your risk assessment of how risky these things would be if they're lost, and then looking into your lifestyle and how that may change how you protect your information. An example of working for certain types of corporations: if you work for a healthcare organization, they might be concerned about HIPAA and PII, health-related information and personally identifiable information, but they may not be as concerned about payment card information, PCI, unless they are, say, a company taking other people's payments. But there's many cases where not everything, again, within that big stack is going to apply to you, and that's okay.

That's why you just have to analyze, with what information you do have and its value, how to best protect it based on those activities. So going into PII in particular, that really is like the core of a person. You know, you've got your Social Security card, you've got contact information, your addresses, your birth date, let's see, what else does it say, geolocation, medical records. Again, some of these things I've already mentioned, but this can make up the whole picture of you, and losing pieces of these, or pieces of these being compromised, can be a very frustrating activity for an individual to try and recover from, or even to find out if they've been

compromised, which is why it's important to try and understand, the earlier the better, being prepared to know what you have to protect. And a shout out: this actually came from quantum cheap on Twitter. Mike, thank you very much for referring me to this resource, I really appreciate it. So I'm going into Govern. This is where you get into that risk management strategy: how do you want to address this risk, those pits that you saw the person wanting to jump over? Are you going to avoid it by going around it or going a different route? Are you going to transfer the risk by asking for help to jump over,

as an example? An example of transference in real life is insurance: you're transferring the risk to an insurance company. Mitigating risk: trying to, again, lessen that risk, make that giant pit more shallow by adding other controls, lessening that impact or lessening the probability. Or just accepting the risk. If you trade stocks you may understand: if you're more risk averse, you know you don't want to take big risky moves on things, day-trading-wise, or risk acceptance of, like, no, I know I'm going to lose money, so I'm going to go in with X amount and accept the risk that if I lose it all, I lose it all,

as an example. Another thing that falls under Govern is awareness and training, so that is a portion of the risk management frameworks, which is why I want to kind of get away from just doing awareness and training; I feel like it's not sufficient enough for individuals. Yeah, again, you may know what phishing is. You may know, if you get a weird text on your phone with just a link sent to like 20 people, you probably know not to click on it, but not everyone will. And so training other people about new activities that are going on in the threat landscape is really important, to stay up to date on how to best protect, or continue protecting, or

change your strategy. And again, going into monitoring and reviewing: verify you are doing what you plan to do. This is kind of self-checking, quality assurance, you know. In the case of fire preparedness, monitoring and review, you're going to want to make sure that each room has smoke detectors, fire extinguishers, an option for a fire exit, things like that. So again, checking that you're doing what you're saying you're doing, protection-wise. Let's say checking you're doing your backups on a monthly basis on your phone to make sure it's backed up, checking that your safe is still securely located where it is, and maintaining some of those logins, maybe by changing your password every once in a while.

So, Control. This is where we get into kind of defending your actual information, your assets. Creating policies, processes and procedures: that's getting into how you actually use your data. Maybe, as an administrative management control, you only use certain privacy settings in social media. Maybe you're on private in all of your social media; maybe you're on public because of your job, and then you administratively have to keep in mind, oh, I don't post X on social media. Physical controls: an example of that would be changing the screws in your door, your door jamb and your front door, because the standard screws that come with anyone's door, security

wise, can actually probably be kicked in by someone strong enough. But if you switch to a specific type of screw, that lessens the probability and therefore lessens your actual risk. Another example would be if you have a safe, let's say it's just a small one, and you have your important paperwork, maybe a firearm in there, and let's say you keep it by the front door for whatever reason. That's maybe not the safest place to put it, so maybe physically you should relocate it somewhere else, to even lessen the likelihood further of someone not just breaking into your safe but taking it, because again, of a certain size,

sure, it's a safe and it's hard to get into quickly, but if it's a smaller size you can pick it up and just walk out with it. So I'm encouraging people to bolt down safes with important things in them if you can, or to studs. And again, creating rules for account usage: only using certain emails maybe for work, only using certain emails for online shopping versus social media. That might be done because, let's say, you've seen you were potentially compromised from, say, the Home Depot or the Target hack a few years back; maybe your payment card information or something was potentially taken then. But if you segregate those emails and those credentials from your

other types, then you kind of create a gap and lessen the likelihood of your other accounts being affected. But if you use the same email for every single thing you log into, you're also probably likely to be using the same password, and so if someone were to exploit a website with weak security, let's say it's just a shopping website for your favorite store, like an indie brand, and your credentials are taken from that, and they go and run those credentials through a bunch of different websites via online tools, then you could potentially have a lot more information taken. But if you create that segregation between what you use certain emails for, again, that will help lessen the likelihood.

These can also sometimes be considered compensating controls, which may not fully cover your risk, but help compensate where you can, let's say, again, with third parties rather than anything within your direct control. The Communicate section wasn't as key in this framework in regards to the personal individual, but if you're doing this for you and your family, just as you would with a fire evacuation plan, you should communicate that plan with them, and as part of your monitoring and review ensure that you're all adhering to what you've agreed to. Otherwise, if someone's not following the rules you set, then it's not really helpful. You may also consider communication, though, with third parties, let's say credit

bureaus or state and government, for when you do know you've been affected by a hacking or some sort of event, and trying to potentially freeze your credit. So getting into Protect: again we have Detect, Respond and Recover. Under Detect, the ways you can detect that someone is attempting to hack or exploit you in some way, or actually identify that you were, would be identifying phishing and vishing. Phishing is the online solicitation to potentially, like, click links in your emails, you know, from princes across the ocean. Or vishing, maybe, what is it, they keep calling me about my car's extended warranty, which, I don't own a car, I lease a car, but I

don't have an extended warranty. So there's potential vishing, or AT&T calling me, surprisingly, saying, hey, if you update your information and verify your information with us, we'll give you a 50% discount on your next bill. That's vishing: phone, voice phishing. Seeing weird emails pop up in your friends' inboxes and them saying, hey, I'm getting a weird message from you on Facebook; you may have been compromised in some way. Credit alerts for accounts you've never opened. Messages and letters from companies that your information may have been compromised through their data. Being locked out of your accounts but not using the wrong password, or knowing that you did not change your

password. There's been a lot of Instagram accounts lately I've seen that have been hacked, and people are trying to sell them off for their handles; it's really interesting. And there are even specific websites where you can enter your email, just your email, from my understanding, not your credentials, to see if your credentials have been compromised across the board. Learning how to respond: so you see some of these things, change your password if you can, where relevant. Again, if unique passwords are used this makes it a lot easier to actually respond and recover; it lessens what you have to respond to. If you use the same password for everything and you know you got

hacked on your email, you're going to have to really go change your password on every single other thing that you've used that password on. That's really painful, and less painful than using unique passwords, in my opinion. Or encouraging people to use password managers, if they trust the services of the password manager. Personally, I do like password managers because I like having unique passwords, but that is to say, if the password manager company were compromised then you might still be in a pickle. Another part of responding is reporting to authorities if you think your actual safety in some form is threatened. If you know you've been doxxed, for example, doxxed meaning

your address and the physical location of your home has been put out on the internet, and you're a target of, say, some form of discrimination or hate speech, or you're afraid of being stalked. Those are instances where, in a response, it is appropriate to definitely contact authorities and understand how to best defend yourself. Recovering: do a root cause analysis. Figure out why, if it was something in your control, your information or your assets may have been compromised, or if it was outside of your control. If it's outside your control, how can you create compensating controls? And if it's within your control, what can you change to avoid that?

And then recovering: if any fraudulent charges have been made in your name, be it changes to your information, trying to remediate that, or any money taken, trying to recover that. A quick example of that would be if your credit card gets skimmed, say at a gas station, and you start getting weird charges. If you have a credit card, you're more likely to be able to call the credit card company and say, hey, I didn't do this, I just used it at this gas station, I started seeing these weird things pop up. And it doesn't have to be a gas station, it could be anywhere. Credit card companies are more likely to actually be able to return that money,

because there's insurance behind it. But if it's a debit card and there's a PIN associated with it, and your PIN is also compromised, it's a lot harder to recover that money. So keep that in mind as part of your risk management governance: determine, as part of your rules, where you're going to use debit versus credit, if you want to use either of those, if you want to just use cash, and decide what your threat tolerance around that is. So again, this kind of is broken down into those five sections, and what you first need to do in that first Identify stage is really create a profile, your current state, between Identify, Govern and Protect, and

then identify where you want to be. Say, I know I don't protect X information very well to this date, and I want to make it to this step; so then you add those controls in there so you can actually fill that gap and get to your target state. Let's see. So maybe a bit of a short talk, but in conclusion: risk simply cannot be fully eliminated. You can't just get rid of your information and assume that it can never be stolen. You're still going to have information attached to you, assets, and your own personal safety to consider. So it's really hard, in a business sense, to be in business with

no risk, because that's how you make money, but as an individual you cannot fully eliminate it unless you're just not existing. Cyber security and privacy concerns really affect everyone today, no matter what age you are, including even infants, and making sure that you're protecting your children's information to the best of your ability and that they don't have their identity stolen. It's important to see the value of these non-tangible information items and assets, so we can actually appropriately defend them. If we know what something is worth, we know how much effort we should put into protecting it. You shouldn't insure a ten thousand dollar car with a million dollar insurance policy, as an example,

but you probably also shouldn't do it with, like, say, two thousand dollars; then you have eight thousand dollars potentially to lose, unless you want to accept that risk. It's also crucial that we really not just educate but also prepare ourselves: go through a process, go through some form of checklist, to be able to protect yourself and your families better, and also encourage your own family and friends to do the same, whether they work in tech or not, because it will still hurt to lose your information whichever way you work; it doesn't matter. So I think the questions are going to be on Discord, but thank you very much for y'all's time

and attention today. Again, feel free to reach out to me directly if you have questions, on LinkedIn, at Gmail (vwixon at gmail), or even on Twitter at the vanity double. So thank you very much.
