Personal Privacy & Security for CISOs

This post is centered on YOU and your family’s safety. As a CISO, you become a potential target, and it’s essential to practice good safety hygiene. I will share my personal journey, explaining how I transitioned from standard practices to completely changing my habits to enhance safety.

The catalyst for my focus on safety began with the simultaneous occurrence of two significant events. First, I experienced a scare involving a potential breach of my personal life, displaying signs of a sophisticated attack. Second, my wife, a celebrity chef, began starring in a TV show featuring our family. Both events underscored the importance of our family’s safety, prompting me to develop a plan. But where to start?

In developing a plan, I began by constructing a threat model, similar to what I would do within a company. My goal was to identify our fears and the level of attackers we needed to protect against. As the CSO of a prominent company, and with my wife already facing challenges from stalkers, I quickly identified several key concerns:

1. Simjacking: This common attack is something to which we are both very vulnerable, given that neither of us has changed our phone numbers for decades, making them easily identifiable.
2. Data Breaches: With companies being breached by the hundreds, our information is widely disseminated. How can we prevent our details from being exposed when we have no control over these companies?
3. Unauthorized Access: We’ve seen cases where people gain information through friends-of-friends or by bribing support staff within companies. How can we prevent this?
4. Zero-Day Attacks: Part of the concern I had could have stemmed from something like a zero-day attack. Is it even possible to safeguard against that?
5. Stalkers: Many of the potential attackers could be stalkers who are extremely persistent and somewhat sophisticated.

Based on these fears, I concluded that we needed to protect against an Intermediate Attacker. But the question remained: how could we achieve that?

I realized that a two-phase approach was necessary.

Phase One: Lockdown — This phase required a comprehensive analysis of everything we do online from a security perspective, leading to a systematic lockdown. It went beyond simply using a password manager, delving into our life model, security architecture, and necessary processes. For a security professional like me, this part was relatively straightforward, and many of you may already have experience with it or know what to do.

Phase Two: Disappearing — This was the phase where I learned the most, focusing on how to maintain our family’s privacy online. The goal was to figuratively ‘disappear,’ safeguarding our personal information. Achieving this was challenging and quickly became complex.

One significant lesson I learned through this process, which I want to highlight, is the following…

An essential lesson I learned is the importance of Security through Privacy, or what is often referred to as Security through Obscurity. As security practitioners, we may tend to dismiss this concept, not because it’s invalid, but because relying solely on it is a mistake. Through this exercise, I have come to appreciate how Privacy and Security are deeply interconnected. I used to say that you can’t have privacy without security, but now I understand that you can’t have security without privacy either.

For CISOs, this realization leads to a greater appreciation for regulations like GDPR and the privacy aspects of business. The synergy between Privacy and Security is the only path to true safety.

With that essential point made, let’s continue with the story…

Phase One: Lockdown

  1. Creating an Ultra-Secure Root Account: I started by creating a root account completely unassociated with me, to act as a vault for all sensitive information. This included its own phone number, email address, and data storage, with both a primary admin account and a read-only account for certain emails.
  2. Two-Factor Authentication (2FA) Everywhere: Implementing 2FA on all accounts was more complex and frustrating than anticipated, especially given the limited control options available to consumers. This covered all important accounts, from finance to social media, utilizing hardware/passkey options, OTP, and SMS, in that order of priority.
  3. Managing SMS and Email Recovery: All SMS went to the root account, and email recovery was directed there as well. I worked around VoIP number blocking by using a prepaid eSIM, turned on/off only when needed.
  4. The Long Tail of Locking Down: Tasks included migrating my well-known number to a VoIP line and using an auto-filled prepaid data-only eSIM. I also ensured false answers for security questions, and random strings where possible, using a password manager.
  5. Helpful Tools and Surprises: Vendors like Cloudflare (for zero trust and browser isolation) and Material Security (for personal use) were key in my security process. I was surprised by the number of platforms authorizing apps and the challenges in managing them.
  6. Additional Safety Measures: Living in San Francisco and concerned for my wife’s safety, I found the Citizen app helpful, providing immediate access to an agent when needed.
  7. Estate Planning Consideration: This process is also excellent for estate planning since there is a single vault that can be used. A helpful tip is that for your trusted estate holders you can hand the YubiKey to one holder and the password of the account to the other. This would now require both of them to access it.

This lockdown process was just the beginning and laid the groundwork for the more challenging phase: disappearing. The steps taken were not only about securing our digital lives but also enhancing our physical safety. It was a complex task, but it provided valuable insights and tools for security that many can utilize.

Now, let’s explore the next phase: disappearing.

Prepare for an eye-opening journey into the world of privacy. When you begin to question, ‘Who really needs to know who you are?’ you discover that the list is surprisingly short. The depth of this exploration depends on how far you’re willing to go down the rabbit hole. Here’s a glimpse into the spectrum of what you can do without revealing your identity:

1. Basic Online Services: This includes platforms like Uber, DoorDash, and note-taking apps. There’s no need for these services to know who you are, and a breach in their data could lead to someone knowing where you live, your travel patterns, and more.

2. Intermediate Anonymity: Moving up the spectrum, there are less obvious areas where you can remain anonymous. This includes car and home repairs, hiring contractors, making reservations, eating out, and even paying utilities.

3. Advanced Anonymity: You can delve even deeper and explore areas like purchasing a car or home without revealing your identity. I’ve personally experimented with this, and I’ll share the details at the end of this presentation.

Understanding and applying privacy in these varying degrees can be a complex task, but it’s a vital part of enhancing your security. By questioning the necessity of sharing personal information, you can better protect yourself and your family.

When it comes to privacy, the question becomes, ‘What is the threat model?’ or as I like to phrase it, ‘How paranoid was I?’ The spectrum ranges from trusting no one to trusting everyone. Being at the ‘trust no one’ end is unrealistic unless you’re willing to live in the woods, which certainly wasn’t an option for my family.

So, I had to make choices:

Trust the Government: With certain reservations, of course.
Trust Financial and Medical Institutions: Essential for daily life.
Trust Specific Enterprises: In my case, mainly Apple and Google.

Everything else fell into the ‘do not trust’ category by default.

Knowing where I stood was the first step, but the execution was where things began to get intricate. It’s a complex process, balancing privacy with practicality, and one that requires careful consideration and planning. Get ready, as we delve into the details of how I put this privacy model into action…

First, I established various personas, something we do in everyday life, but translating this into the digital realm is an intriguing task.

Personal Persona: This represents my true self, seen only by close friends and family. It’s private and includes its own contact information such as email, phone, and address.
Professional Persona: This is what work and professional settings see, encompassing legal work, health/medical interactions, and more. It has its own contact information, and if we were to speak after this presentation, I would provide you with my professional details.
Social Persona: This persona is used for social interactions, like going out and meeting new friends. For instance, when I joined a car group, I used my social contact information.
Alias: Last but not least is the alias, a persona completely separated from the others and thought of as quarantined. It has no associations with me and is what I spend most of my time as. This is your digital disguise, or “sock puppet.”

To begin gaining privacy within the established structure, I first set up some prerequisites:

  1. This allowed me to generate limited-use/multiple credit cards that accept any name.
  2. Private Mailbox (PMB): Unlike a PO box, this service provides a real address, accepts mail, and can either scan it for you or forward it directly to another address. Google for PMB, or see a good article on why they are useful here.
  3. VoIP Service: I used this to host the numbers for the various personas. There are lots of services for this: Burner, Google Fi, Google Voice, Dialpad, OpenPhone, MySudo.
  4. Fastmail and Apple: These were used for masked emails, forwarding to the appropriate persona email.

Once these were in place, the hard work began. I had to create or update accounts for EVERYTHING, a grinding process that took considerable time. At least 90% of the accounts were directed to the alias persona. A tip: using a bare Google account for the alias made signups and testing new services much easier.

Lastly, I signed up with services to help clean up existing information online, though my focus was more on staying clean moving forward rather than erasing history.

This process was labor-intensive and challenging, but it provided a comprehensive framework for digital privacy. So, what were the results of all this effort?

Reflecting on my original threats, I found that security through privacy became a powerful tool. From simjacking and cyber breaches to bribed internal employees, operating under an alias made the target unclear. While it doesn’t mean I’m invulnerable to these threats, the effort required for an attacker to succeed has been significantly increased. I now have a set of clean, federated identities that contain the potential damage within controlled boundaries. The techniques used were mostly beginner and intermediate level, but I wanted to push further and experiment with something more advanced. Let’s explore that next.

Have you seen the Netflix series “Beef”? It’s a dark comedy about road rage, detailing how a simple disagreement can escalate into an all-out war. In one episode, a character uses an online service to look up a license plate and get the other driver’s name and home address, setting off a chain of events. I found it quite funny and highly recommend it.

This scenario prompted me to wonder: How could one prevent such an invasion of privacy? As I was in the market for a new car, I decided to push the limits and see if I could purchase a car anonymously. After extensive research, some stress, and plenty of perseverance, I succeeded. Running the tag on my car won’t reveal my name or direct address, and the dealer only knows me by my alias. *Note: the car is not anonymous to the government, insurance, or bank; only to the dealer and to anyone running the tag.*

A funny anecdote around this experience: My car was in the shop while I was out of town, so I asked a friend to pick it up. I forgot to tell him it was under my alias name, leading to quite a bit of confusion when he went to retrieve it. It was a lesson learned that even with the best-laid plans, slips can happen.

I hope you enjoyed the story of my journey into the realms of privacy and security. If you have any questions or would like to know more, please don’t hesitate to reach out to me.

I want to note that I relied heavily on the book by Michael Bazzell – Extreme Privacy. I consider it the bible for privacy and would not even be close to where I am without it.

2 responses to “Personal Privacy & Security for CISOs”

  1.  Awesome article!

  2.  Good read, and I am certainly going to set up something like this as well. One thing: How do you handle parcels? I am receiving between 5 and 10 parcels a month. A typical PMB company (where I live, Europe) will charge for the cost of accepting (4 euro) and passing the parcel on (5 euro) to UPS (variable, but let’s say 4 euro). I guess it is down to how secure you want to be, but paying between 65 and 130 euros a month just for forwarding services is a bit steep for our budget. Any ideas?