A note on business security practices

Given that a translation business relies on the protection of its key digital assets (sensitive documents, client lists, accounts information), it is worth spending a moment considering security best practices. The section does refer to technical concepts but they are very straightforward and require no additional research to understand.

Passwords

Summary - Increase password complexity by using groups of words, preferably non-English words, non-standard characters, initials of a song lyric or line from a poem and coupling this with two-factor authorisation where possible. Feel free to skip this section if that is enough detail for your needs.

Firstly, I get so many spam Tweets and emails from friends and colleagues that I can’t help but think their passwords must be incredibly basic in order for automated hives of hacker-programs to be able to systematically log in and send messages from their accounts.

Not so important between friends, but as a business it does not look good to send a key client an email on the latest Viagra offer, bank details scam or attempt to lure them to a virus-laden website.

As a member of several IT-enthusiast communities (read: geek sites), I thought I’d mention the latest in password security ideology that I see discussed. You can use these tips to avoid most breaches in your accounts and professional reputation.

The tips given for password security often defy conventional wisdom, i.e. mixed-case-word+number is not the safest format for a password. A safe password takes longer to crack because it has random elements known as ‘bits of entropy’. The more bits there are the longer it takes to crack, and so the less likely it will be cracked.

The first tip is to use different passwords for different accounts. One way to do this without forgetting the many passwords is through a password manager. These store your passwords for you in an encrypted file and can insert them automatically on websites. KeePass offers this for all operating systems in an open source application.

Another memorable way to use different passwords is to take a root password and append the site name to the end. Alternatively, you can use passwords of different ‘strengths’ for sites with varying levels of sensitivity: a basic password for an e-cards website and a secure one for your professional networking site, for instance.

As for the password itself, it’s best to use a sentence or phrase that’s easy to remember. Adding a new letter to a password will add one bit of entropy, but adding whole new words adds many, so one idea is to couple four random words together for a long and memorable password:

translator cat tool lawnmower

The use of foreign words or special characters is an efficient way to further protect your password. The goal is to avoid single English dictionary words where possible, as these are the easiest for attackers to guess. Password crackers use dictionaries containing millions of word and number combinations to repeatedly and automatically test accounts.

Lists of the most popular English passwords are often published, and they typically feature:

123456, password, 12345678, qwerty, abc123, 111111, monkey, consumer, 12345, letmein, trustno1, dragon, jesus, writer, ninja, iloveyou, princess

Avoid these. Password length itself is a great factor for adding entropy to passwords, so an alternative to the four-words strategy is to think of a long sentence, preferably non-English, and to take only the first letters of each word and try to build something from there. Song lyrics are useful here, or favourite sayings:

aistmylyllacitw

This is a line from the song ‘Candle in the Wind’ by Elton John.

Best-practice does vary from place to place, but given the real-world problem of memorisation, these guidelines introduce a much higher level of protection than using a single dictionary word coupled with a number. Anything that takes you ‘off the dictionary list’ is a good thing.
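To make the entropy argument concrete, here is an added example (not code from the original text) that puts rough bit counts on the password styles discussed above and flags a candidate password that breaks the advice. The dictionary sizes, word-list size and guessing rate are assumptions chosen for illustration.

```python
import math
import re

# Constructed from the published most-common password list quoted above.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "monkey",
    "consumer", "12345", "letmein", "trustno1", "dragon", "jesus", "writer",
    "ninja", "iloveyou", "princess",
}

def entropy_bits(choices_per_pick, picks):
    """Bits of entropy in a secret made of `picks` independent uniform choices,
    each from `choices_per_pick` possibilities."""
    return picks * math.log2(choices_per_pick)

def compare_strategies():
    """Entropy of the password styles discussed in the text. The space sizes
    below are assumptions for illustration, not figures from the text."""
    cracking_dictionary = 100_000   # English words a cracker would try
    passphrase_wordlist = 7_776     # a typical random-passphrase word list
    known_lyric_lines = 10_000_000  # song/poem lines an attacker might collect
    return {
        # one dictionary word followed by a number 0-9999
        "word+number": entropy_bits(cracking_dictionary * 10_000, 1),
        # four words chosen at random ('translator cat tool lawnmower')
        "four random words": entropy_bits(passphrase_wordlist, 4),
        # 15 initials of a lyric: upper bound if the letters were random...
        "lyric initials, random-letter bound": entropy_bits(26, 15),
        # ...but far less if the attacker enumerates well-known lines,
        # which is why an obscure or non-English sentence is preferred
        "lyric initials, known-lyric bound": entropy_bits(known_lyric_lines, 1),
    }

def years_to_crack(bits, guesses_per_second=1e4):
    """Expected years to find the secret, searching half the space, at an
    assumed rate typical of a properly slow password hash."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def password_warnings(pw):
    """Reasons to avoid a candidate password, following the advice above."""
    warnings = []
    if pw.lower() in COMMON_PASSWORDS:
        warnings.append("on the published most-common password list")
    if re.fullmatch(r"[A-Za-z]+\d*", pw):
        warnings.append("looks like a single word plus a number")
    if len(pw) < 12:
        warnings.append("fewer than 12 characters")
    return warnings
```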

Unfortunately, many companies force users and staff to set insecure or hard to remember passwords, driving up the costs of IT departments and potential risks. Forcing a password change every 2 weeks usually results in a staff member changing the number at the end of their standard password. This is not the best of practices. Neither is requiring a complicated password (more than 8 characters in length with non-alphabet characters, upper and lower cases and numbers); these become hard to remember and usually lead to more password recovery calls which can be a further drain on resources.

Another point to remember is that humans are often the weakest link in the password chain. Staff often leave passwords on post-it notes stuck to their monitors or just give them out over the phone to callers claiming to be from the IT department. Remain vigilant in your password storage and don’t underestimate their importance.

Finally, using internet cafés or public computers poses a significant risk to your password being intercepted from the keyboard (by a device known as a keylogger) or on the computer in use. I recommend using 2-factor authorisation where possible, which sends an additional temporary password to a mobile device when logging in from a new computer. Google currently offers this with their Gmail product.

Protecting sensitive information

Summary – Be sure to encrypt sensitive client data, use special tools to truly delete that data and transfer that data over encrypted channels where possible. If that is enough detail for your needs, feel free to skip or skim over this chapter.

The main information risk we face as freelancers is in the protection of client documents, and of our own records and assets. The current best practice on this front is to use encryption to secure file transfers and file storage.

Starting with securing file storage, using the open source software TrueCrypt you can encrypt a whole PC or just a folder on a computer or USB stick and secure it with a passphrase. The encryption used is reported to be unbreakable with current technology, requiring many years of high-level computation to crack the keys used.

This was put to the test in 2008, when a Brazilian banker suspected of financial crimes (Daniel Dantas) had his TrueCrypt-secured hard drives seized by the Brazilian National Institute of Criminology. After 5 months of effort they enlisted the help of the FBI, who spent a further 12 months of resources trying to access the encrypted files. Neither was successful.

The fact that the software is open source offers some further reassurance as we’re safer in the knowledge that the application code has been (and can be at any time) checked over by any member of the public. It is a transparent approach in contrast to a single company keeping the code secret, perhaps introducing insecure elements or ‘backdoors’ to the application. The main concern is to make sure the application download is from the true source, and that it has not been tampered with.

There are legal considerations to be taken into account with encryption; for instance you may be required to surrender your password or keys to an encrypted volume by law (as in the UK) or even prohibited from using encryption at all. Please check your local regulations, or those of countries you may be travelling to, before putting encryption into use. In the US it has been ruled (in 2012) that TrueCrypt users cannot be compelled to decrypt their hard-disks.

On the performance front I can testify that encrypting a whole PC, even with a slow hard-disk drive, does not affect productivity or load times in any noticeable way. It takes around 5 hours to encrypt 300GB of data, so it’s best to perhaps start the process overnight or on the weekend. It is very easy to do, but you must be absolutely sure that you will remember your password. If you forget it, you will effectively lose all data stored on the PC, with no way to recover it. This is a risk to be weighed against the risk of your PC falling into the wrong hands and your identity/business being compromised.

One further risk of disk encryption is that a laptop in ‘sleep mode’ will not ask for an encryption password when it is ‘woken’. The encryption data held in RAM is susceptible to a technical (but possible) attack using a USB stick to dump the RAM contents for later decryption. This makes it worthwhile, then, to consider file-by-file encryption, or completely shutting down your encrypted machine when not in use.

When it comes to deleting information, it should be known that when you hit ‘Delete’ the operating system typically only switches the file’s data section on the disk from ‘used’ to ‘unused’. To actually remove the data beyond retrieval it needs to be ‘zeroed’ or overwritten. As this is impractical in terms of time and processing power for each individual deletion, setting the ‘unused’ flag is the standard method for operating systems. This is why files accidentally deleted from hard-disk drives, USB sticks, SD cards or any media can usually be recovered systematically (using free tools) if they have not been overwritten. It is always worth considering this when disposing of confidential data or old computers.

The equivalent of shredding documents on PCs can be done on a file-by-file basis with tools such as Eraser (open source), or for whole disks by using a tool such as HDDErase provided by the University of California. Deleting files that are already encrypted mitigates much of the risk of data remanence, but is somewhat impractical on a day-to-day basis.
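As an added illustration of the overwrite-then-delete idea (not code from the text, nor from Eraser or HDDErase), the following Python overwrites a single file with random bytes, forces the writes to disk and only then removes the directory entry. The sample ‘client document’ is constructed inside `demo()`; the caveat in the docstring is the one a practitioner needs on modern storage.

```python
import os
import secrets
import tempfile

def overwrite_file(path, passes=1, chunk=1 << 20):
    """Overwrite the file's current contents with random bytes and force the
    writes to the device. Returns the total bytes written.
    Caveat: on SSDs (wear-levelling), journaling or copy-on-write filesystems
    and cloud-synced folders, copies of the old blocks may survive elsewhere;
    there, whole-disk encryption or a device-level erase tool is the answer."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # past the OS cache, not just the 'unused' flag
    return size * passes

def shred_file(path, passes=1):
    """Overwrite, shrink to zero length, then remove the directory entry."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return written

def demo():
    """Constructed example: a fake client document is overwritten and removed."""
    marker = b"CONFIDENTIAL: draft translation for client\n"
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 2000)
    size = os.path.getsize(path)
    overwrite_file(path)                  # first pass replaces the original bytes
    with open(path, "rb") as f:
        survives = marker in f.read()     # expected False
    written = shred_file(path, passes=2)  # two more passes, then remove
    return {"size": size, "marker_survives": survives,
            "bytes_written": written, "exists_after": os.path.exists(path)}
```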

This level of security borders on, and often exceeds, that employed by governments, so you can be sure of doing the best you can to protect sensitive information when employing these practices. Given that certain industries require compliance with security policies as standard, you may open new opportunities if you let clients know about your security procedures.

When it comes to encrypted file transfer for file receiving or delivery you can use:

1. PGP keys for email and attachments

2. File encryption before emailing over HTTPS (see below)

3. File encryption before transfer over FTP

4. FTP over VPN, FTP over SSH, FTP over SSL (FTPS)

5. Secure FTP (SFTP)

The first four are the most cumbersome and error-prone methods. PGP keys, despite their great potential, are rarely used by clients. Encryption before transfer doesn’t protect against interception and replacement of the file (a distant risk, but still a valid concern). Network errors may also occur with methods 1-4 if firewalls and protective zones are set up on either network.

Using method 5, SFTP, you can make sure that everything from your login details to the file and its transfer is fully encrypted. And all this with the minimum of network error, configuration and interception concerns.

An application such as FileZilla or WinSCP will offer this level of protection and can be set up in minutes. Documentation and instructions for this are available on their respective sites, and I recommend you spend time reviewing this if best practice file-transfer security is a priority for you.

Using public networks

Summary – A discussion of various solutions for working in public over secure connections. In light of 2013’s ‘Summer of Spying’ whistleblowing, this section is ever more applicable to translators working with sensitive client data. Skip over if you are satisfied that these requirements do not apply, or read to find out how to protect your online activity.

If you ever use the internet from public connections for private work, you can set up a ‘Virtual Private Network’ to log in to when working away from trusted networks. This VPN will encrypt your web traffic through a ‘tunnel’ that connects to your home network. It offers a good level of protection against ‘sniffing’ carried out by potentially malicious users on the network you’re connected to. These ‘sniffers’ scan for passwords and sensitive information which can then be misused or sold on for profit. When encrypted, this is no longer possible.

VPNs can be set up by using either a server (a dedicated, always-on computer at home) or with just a standard router. The server will consume more power, but offer more flexibility in terms of file sharing (Windows Home Server currently costs under £50, Ubuntu Server is free). Servers themselves cost from £100-£500 and often come in packages that optimise for quietness and low power consumption. A very smart solution is the TonidoPlug, which costs around £100 and lets you attach a hard-drive to back up files locally and serve them securely over the web. TonidoPlugs can then be modified to allow for VPN usage, with plenty of instructions on how to do this available publicly. Alternatively there is the Raspberry Pi at £35, acting as a full and complete server at 2-3 Watts of power, costing only pence/cents per month to run. It is less of a consumer product than the Tonido, but there is great support from its community to learn with.

The router method for VPN benefits from extremely low power consumption. This method is much more technical and requires replacement of the internal software (the firmware) of your router. It can give a £20 router the features of a £500-1000 device, but requires extensive documentation reading and research if you are unfamiliar with the concepts. Tomato or DD-WRT are the standard options here if you are still interested! If using one of these on low-memory routers you can create an encrypted SSH tunnel, as they often cannot manage a full VPN with their memory capacity. I’ve tested this and it works very well to secure browsing while on a public connection; it just requires a little more configuration in the browser to finalise the arrangements.

If this is not an option for you, there is a practice that you can employ immediately when browsing the web on public (and private) networks. Just always be sure to find the https version of a site where available. This encrypts passwords and information as they pass back and forth between you and the website’s own server, across the several computers in between. You can tell if a site is using https or not by looking for the padlock symbol, which shows that the site’s security certificate (known as an SSL cert) is approved by the relevant internet authorities for secure transactions. Or you can see it in the address bar, with https:// being used instead of http://. This practice will not hide which sites you are using (your bank site, your client’s site etc.), so bear in mind that it is only the credentials and in-site browsing data that are encrypted. Using a browser plugin such as HTTPS-Everywhere, provided by the Electronic Frontier Foundation, ensures that when you visit sites offering https it is enabled, as this is not always the case. This particular plugin is available for Firefox and Chrome.

So hopefully after implementing as much of the above as you can, your business assets will be as secure as humanly possible and the chances that your business will have long life will increase in turn. Clients may well appreciate the conscientious approach to file security in certain industries, so do remember to communicate this on your website or in general exchanges with them. Unfortunately, going into detail on how to implement most of the above security solutions would not be possible without knowing the various individual situations of readers. If you would like any further information on these technical aspects, please do get in touch and I’ll be happy to help where I can.

Since the above was written, while the information still stands, widespread government and commercial ‘monitoring’ of personal and private data has been confirmed by Edward Snowden’s whistleblowing.

Assuming that these capabilities are widespread among governments and corporations, client data privacy has never been so weak. Employing these methods, and letting clients know this, can stand you in good stead among those with intellectual property to protect, or just as general good practice to help them maintain competitive advantages. This could be in source code, company reports and plans or internal documentation.

The next section deals with the most useful of marketing tools we have at our disposal, and aims to guide you through the potential minefields of website setup, optimisation and client conversion.
