So in my mailbox a few weeks ago there arrived the following:
I was wondering whether you'd mind doing me a small favour. It'd be great if you could punt out a quick top 5 / top 10 tips for sensible data security practices for freelance developers (encrypted backups, being mindful of client data dumps from production systems - am sure you get where I'm coming from) [...]
It's a question that I hear a lot and the challenge is keeping my response down to a reasonable, memorable minimum; let's try, though this will assuredly be an incomplete list...
1) Can you maintain reasonable self-discipline?
Security is boring. Advice like "always fasten your seatbelt, even for the shortest drive" comes over as trite, but it reflects that good safety habits may one day save your life; you should never need to say "This one time I forgot my seat belt..."
So what follows is reasonable advice, but it will be all the more effective if you actually stick to it, which will mean occasionally doing tedious stuff without taking shortcuts, just because "it's the right thing to do". You will make mistakes - nobody is perfect - but shoot for perfection and never give up; the results will be better that way.
2) Use separate hardware for personal-life and work-life. No exceptions.
This one is easy to explain:
buy a separate work laptop from your personal laptop
buy a separate work phone from your personal phone
perform work tasks exclusively upon "work" hardware
perform no non-work tasks on "work" hardware - this means: no porn, no downloads, no sports results, no shopping, no betting, no IM, VOIP or E-mail with friends; you have a "personal" system for all that.
no linking your "work" laptop web browser to your "personal" Google account - browser sync copies bookmarks, history, saved passwords and open tabs between the two machines, and that is exactly the cross-contamination you bought two machines to avoid; similarly no linking of Chrome Bookmarks, Dropbox, Amazon or other personal resources.
Hardware is cheap and if you are a sufficiently empowered geek then you should have no problems with maintaining two systems; if you've ever wanted an excuse to buy a MacBook Air then having it as a personal system is the perfect excuse. If you are a private contractor then you are probably already using a limited company to keep personal assets from being at risk should disaster strike - so why risk personal data by mingling it with work, or vice-versa?
Having purchased a work machine, try to live as if it were entirely possible for your "work" hardware to be seized or stolen by a third party at a moment's notice. It's good discipline.
3) Choose good passwords for everything. No exceptions.
XKCD has now taught every geek how to choose a good password: a handful of common words picked at random is both easier to remember and far stronger than the contrived "six or more characters, including 1 digit and 1 punctuation" passwords of old, which are long gone. The one word that matters is "random" - a favourite quotation or song lyric is a phrase, but it is not a random one, and it will be in the cracker's wordlist. Everyone should now be using long, randomly chosen phrase-like passwords instead.
You should follow suit, use a different password for every account (a reputable password-management tool makes that painless and keeps them all safe for you), and if your bank, blog or website does not accept long pass-phrases then nag them to improve their service.
This also means that your laptop login password should be a phrase of some form; we mean it when we say "no exceptions".
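To make the "long random phrase" point concrete, here is an added example (not code from the original post) that generates a word-list passphrase with the CSPRNG behind Python's secrets module and compares the best-case entropy of a few policies. The 32-word list embedded in it is a constructed stand-in so the arithmetic is easy to follow; a real diceware-style list has 7776 words, and the XKCD strip assumes roughly 2048 common words. The numbers are best cases that assume every symbol or word is chosen uniformly at random, which is the whole point: the same formula flatters a human-chosen password that it does not actually deserve.

```python
"""Word-list passphrases versus the old "6+ chars, 1 digit, 1 punctuation" rule.

Added example, not from the original post. DEMO_WORDS is a constructed
32-word stand-in; a real diceware-style list has 7776 words and the XKCD
strip assumes about 2048 common words.
"""
import math
import secrets

# Constructed demo list: 32 distinct words, so each word is worth exactly 5 bits.
DEMO_WORDS = [
    "anchor", "basket", "camera", "dragon", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "button", "candle", "desert", "falcon", "goblet", "helmet",
]

DICEWARE_LIST_SIZE = 7776   # 6^5 words, one per five dice rolls
XKCD_LIST_SIZE = 2048       # the strip's "2048 common words" assumption
PRINTABLE_ASCII = 94        # symbols available to a fully random old-style password


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` symbols.

    This is the best case: it assumes every symbol was picked at random.
    A passphrase built from a favourite quotation has far less entropy
    than this formula suggests, which is why the choice must be random.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 and a length of at least 1")
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of random words from `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words=DEMO_WORDS, count: int = 6, sep: str = " ") -> str:
    """Pick `count` words uniformly at random using the OS CSPRNG via `secrets`.

    `random.choice` is deliberately avoided: the `random` module is seeded
    from predictable state and is not suitable for secrets.
    """
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, which skews the distribution")
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_schemes() -> dict:
    """Best-case entropy of a few policies, in bits, for side-by-side reading."""
    return {
        "old rule, 6 random printable chars": entropy_bits(PRINTABLE_ASCII, 6),
        "old rule, 8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "xkcd, 4 words from 2048": entropy_bits(XKCD_LIST_SIZE, 4),
        "diceware, 6 words from 7776": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "demo list, 6 words from 32": entropy_bits(len(DEMO_WORDS), 6),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
    print("words for 80 bits from a diceware list:", words_needed(DICEWARE_LIST_SIZE, 80))
    print("demo passphrase:", generate_passphrase())
```

Four words from a 2048-word list come out at 44 bits, matching the strip; six words from a diceware list give about 77 bits, well above even a fully random 8-character printable-ASCII password (about 52 bits). Swap DEMO_WORDS for a real list before using the generator for anything that matters.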
4) Encrypt disks and data and manage the passwords properly.
If you run Mac then you should use FileVault, ideally the most up-to-date version (FileVault 2) under Lion: the original FileVault encrypted only your home directory, whereas FileVault 2 encrypts the whole disk, swap and all.
If you run Linux then look to your distribution's documentation; the usual option is dm-crypt/LUKS, which most installers can set up for the whole disk.
In any circumstance you should be encrypting your hard disks and shutting your machines down cold when in transit. A machine in sleep mode still holds the disk encryption key in RAM, and that exposes it to a bunch of interesting attacks - cold-boot attacks that read the key out of the memory chips, and DMA attacks over FireWire or Thunderbolt that read it over the port - any of which defeats your other protections. (On a Mac, pmset can be told to destroy the FileVault key on standby; check the pmset manual page for your version.)
Machines which are switched-off for transit tend to be safest.
As above, you should choose good passwords for your encryption; don't write them on a sticky-note and leave it glued to the hardware in question.
5) Take backups of everything and keep them safe.
You will need data replicas in case somebody steals your laptop, so you need to back up frequently; this is easily achieved with Time Machine on Mac, but I am not fit to suggest solutions for Windows and Linux - for the latter I tend to create homebrew solutions based on rsync.
Your backups should also be encrypted if at all possible, and you should make special efforts to keep the backup passwords safe and offline; you don't want them to be stolen along with the laptop.
It's a bad idea to make rules like "I will make backups every 24 hours" - if it's a manual process you will only break such rules, leading to disillusionment; either automate your backup process or get into the habit of doing it multiple times per day - little but often, eg: to an encrypted thumbdrive - so that you never lose much work.
Do not leave your primary backup drive in the same bag as your laptop where both can be stolen at the same time.
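The "automate it, little but often" advice is easiest to follow when each run is cheap. As an added example (not the author's own rsync script), the following reproduces in the Python standard library what the homebrew rsync approach gets from rsync --link-dest: every run creates a new timestamped snapshot directory, files unchanged since the previous snapshot are hard-linked rather than copied, and a prune step keeps only the last N snapshots. Assumptions not taken from the page: the backup root lives on a filesystem that supports hard links (an exFAT or FAT thumbdrive does not), and the encryption the post asks for is provided by the target volume itself, e.g. an encrypted thumbdrive or an encrypted disk image.

```python
"""Little-but-often snapshot backups with hard links.

Added example, not the post's own script. It mirrors what `rsync --link-dest`
does: each snapshot is a complete, browsable tree, but a file that has not
changed since the previous snapshot costs no extra space because the new
snapshot just hard-links the previous copy.

Assumptions (not from the page): the backup root sits on a filesystem that
supports hard links, and the target volume is itself encrypted.
"""
import os
import shutil
import time
from pathlib import Path


def _latest_snapshot(backup_root: Path, exclude: Path):
    """Most recent snapshot directory by name, or None on the first run."""
    stamps = sorted(p for p in backup_root.iterdir() if p.is_dir() and p != exclude)
    return stamps[-1] if stamps else None


def _unchanged(src: Path, prev: Path) -> bool:
    """rsync-style quick check: same size and same mtime means 'unchanged'.

    Like rsync's default, this misses a same-size edit made within the same
    second as the copy in the previous snapshot; compare hashes if that matters.
    """
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def snapshot(source, backup_root, stamp=None) -> dict:
    """Create backup_root/<stamp> mirroring `source`; hard-link what has not changed."""
    source, backup_root = Path(source), Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    dest = backup_root / (stamp or time.strftime("%Y%m%d-%H%M%S"))
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists")
    previous = _latest_snapshot(backup_root, exclude=dest)
    copied = linked = 0
    for dirpath, _dirs, files in os.walk(source):
        rel_dir = Path(dirpath).relative_to(source)
        (dest / rel_dir).mkdir(parents=True, exist_ok=True)
        for name in files:
            src = Path(dirpath) / name
            if src.is_symlink():          # never follow links out of the tree
                continue
            rel = rel_dir / name
            target = dest / rel
            if previous is not None and _unchanged(src, previous / rel):
                os.link(previous / rel, target)   # same inode as the previous snapshot
                linked += 1
            else:
                shutil.copy2(src, target)         # copies data and preserves mtime
                copied += 1
    return {"snapshot": str(dest), "copied": copied, "linked": linked}


def prune(backup_root, keep: int) -> list:
    """Delete the oldest snapshots beyond `keep`; returns the names removed.

    Hard links make this safe: a file's data is freed only when the last
    snapshot referencing it is gone.
    """
    if keep < 1:
        raise ValueError("keep at least one snapshot")
    stamps = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    removed = []
    for old in stamps[:-keep]:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


if __name__ == "__main__":
    import sys
    # usage: python snapshot.py /path/to/work /Volumes/EncryptedThumb/backups
    print(snapshot(sys.argv[1], sys.argv[2]))
    print("pruned:", prune(sys.argv[2], keep=48))
```

Run it from cron or launchd every fifteen minutes and you get the "little but often" habit without relying on willpower. One caveat that hard links impose: never edit a file inside a snapshot in place, because every snapshot sharing that inode changes with it; treat the backup tree as read-only and restore by copying out.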
6) Regular Software Updates
The second biggest thing you can do for your own protection - after good passwords - is to keep your software bang up to date; whatever your platform, it should check for security updates daily and you should download and apply them promptly.
The chances of receiving malware disguised as a legitimate software update are quite slender but not zero - operating-system updaters verify signatures, but not every third-party updater does - so perform updates while attached to a reasonably trustworthy network rather than an anonymous public hotspot.
If you have and use anti-malware then you should also update that daily; treat it like the rest of your operating system.
7) Be careful what you put into the Cloud
Each time you put something onto Dropbox or Google Apps, stop to ask yourself: would it be a problem for me if everyone in the entire world could see this?
There are a bunch of ways of addressing the risk of data being in the cloud:
avoid it - when you don't need to put something into the cloud, then don't.
minimise it - archive old mails and data when they are no longer relevant, and delete them from the cloud
encrypt it - only use Dropbox / GDrive / etc. for storage of files which are either trivial or encrypted before they leave your machine.
There is a certain irreducible minimum of data that is required to be exchanged in order to do business - but the above three techniques can help reduce exposure.
Do not share the contents of your Dropbox via static URLs - such a link is a bearer token, and anyone who obtains it (from a forwarded mail, a browser history, a proxy log) gets the file without authenticating; permitting access without authentication is a bad habit to get into.
8) "Am I safe behind my firewall at home?"
I can't answer that - you would have to tell me how safe you need to be.
However I can advise that your firewall/router should have up to date firmware (see above), that its wireless should use WPA2 with a long passphrase (see above), and that you should sanity-check its configuration, disable any features that you don't need - remote administration from the internet, UPnP and WPS are the usual suspects - and then back up the configuration (see above).
Also: Google your router's model number along with the word "security" and see if anyone is talking about bugs that it suffers.
9) What do I do if my security is compromised?
This is a toughie; in theory you should not suffer too badly if you're following the rules above: stolen hardware should be encrypted, with the passwords unavailable to the thief, and hijacked accounts should expose the minimum of customer data. If one of your servers has (or appears to have) been hacked then you should seek professional advice from a security consultant who understands your business sector; hacking attacks are too diverse to summarise solutions for in a paragraph.
You will have to write your own policy on how to clean up after an incident, but be assured that you should tell the impacted individuals - as Steve, my original questioner put it:
[...does] one need to admit to clients (and the ICO) that you've lost their data?
...it would appear very unwise to hide the intrusion from impacted third parties (though it is not a given that you will always have to tell the ICO, the UK Information Commissioner's Office).
In a nutshell the best advice I can give is:
don't delete, wipe, reinstall or "tidy up" the affected systems - that destroys the evidence an investigator needs to tell you what was taken
get professional help before you do anything to the afflicted systems
prevention - doing all of the above - is far better than the cure.
If you have a security question, drop me a line; see the sidebar for contact details.