© Morey J. Haber, Darran Rolls 2020
Morey J. Haber and Darran Rolls, Identity Attack Vectors, https://doi.org/10.1007/978-1-4842-5165-2_15

15. Identity Obfuscation

Morey J. Haber (1) and Darran Rolls (2)
(1) Orlando, FL, USA
(2) Austin, TX, USA

In this age of identity attack vectors, protecting one’s identity cannot be done stand-alone. There are plenty of opportunities for a threat actor to steal your identity using the very information technology that we embrace every day. We have covered that in detail in previous chapters. However, there is another mitigation approach, called Privacy Filters, that can limit a threat actor’s ability to create that critical linkage between account, identity, and data, and that provides identity obfuscation.
Privacy Filters are typically application features, dedicated software, or even physical additions to devices to shield your data and protect your identity. They are required by law in some cases (e.g., GDPR) to obfuscate a user’s identity in order to collect performance and analytic data. They can have far-reaching ramifications in the form of financial penalties if they breach regulatory compliance requirements for data and identity collection. And, they can shield your identity from many physical and electronic threats a threat actor may utilize to gain an advantage. Consider the following Privacy Filters:
  • Incognito Browsing Mode (Private Browsing) – The ability of a web-based browser to block cookies, browser version information, history data, and other sensitive information that could be used to determine your persona and identity or even launch a targeted attack based on runtime data submitted by your computer during the course of a browsing session.
  • Identity Obfuscation – The ability for software to collect performance, analytic, event, and support information and automatically scrub it for personally identifiable information about the user, applications, or even environment before submitting to a vendor or installed solution. This type of technology is typically used to protect data from being sent over a regional or country boundary when data privacy laws prohibit a company or organization from storing or sending it with granular identity information.
  • Screen Privacy Filters – These are physical polarized filters added to computer screens to prevent threat actors from viewing a screen from obtuse angles. A user can clearly see the screen when operating directly in front of it or from very small angles off a perpendicular axis. This is designed to stop shoulder surfing and the errant linkage of information that could be present on a user’s machine and visible to inappropriate users.
  • Guest Shopping Carts – While not directly considered a privacy filter, allowing the purchasing of items anonymously by an online retailer (or using a guest account) is a form of a privacy filter. The user’s identity is restricted to the transaction, and an account, with detailed identity information, is not stored for future use. This reduces the risk of an identity attack by not having an account created at a potentially untrustworthy retailer. For frequent online shoppers, using a guest account for shopping is highly recommended for merchants that you visit infrequently (or only once).
Therefore, depending on your organization’s requirements, you may consider implementing privacy filters in order to minimize risk and meet regulatory compliance requirements. For example, information technology owners may install computer-based privacy filters on all laptops to prevent data leakage as employees travel or on desktops in a financial institution to limit privileged information. Security teams may request data obfuscation on Windows Event Logs for a solution to prevent identity information from showing up in a SIEM. And businesses may use guest accounts on operating systems to allow many-to-one usage of computing devices vs. creating accounts for every identity in order to save costs. While this last use case may sound extreme, many applications are licensed by user, and if the data can be represented in a generic nonsensitive fashion, then protecting someone’s identity (by not making an account) can have profound outcomes in lowering cost too.
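The event-log obfuscation described above can be sketched as follows. This is an added example, not code from the book: it replaces identity fields with keyed pseudonyms (HMAC-SHA-256, a technique chosen here, not one the chapter prescribes) so a SIEM can still correlate events without seeing who they belong to. The field names, the key, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed key for this example; a real deployment would load it from a secrets store.
PSEUDONYM_KEY = b"constructed-example-key"
# Assumed names of the event fields that directly identify a user or machine.
IDENTITY_FIELDS = ("TargetUserName", "SubjectUserName", "WorkstationName", "IpAddress")
# Identity-like strings that can also appear inside free-text fields.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ACCOUNT_RE = re.compile(r"\b[A-Za-z0-9-]+\\[A-Za-z0-9._-]+")


def pseudonym(value: str, kind: str = "id") -> str:
    """Map a value to a stable keyed token so related events still correlate."""
    normalized = value.strip().lower().encode("utf-8")
    digest = hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()
    return f"{kind}-{digest[:16]}"


def scrub_text(text: str) -> str:
    """Replace e-mail addresses and domain-qualified account names in free text."""
    text = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), "email"), text)
    return ACCOUNT_RE.sub(lambda m: pseudonym(m.group(0), "acct"), text)


def obfuscate_event(event: dict) -> dict:
    """Return a copy of the event with identity data replaced by pseudonyms."""
    clean = {}
    for field, value in event.items():
        if field in IDENTITY_FIELDS and value not in (None, "", "-"):
            clean[field] = pseudonym(str(value), field.lower())
        elif isinstance(value, str):
            clean[field] = scrub_text(value)
        else:
            clean[field] = value
    return clean


# Constructed sample events, loosely shaped like Windows logon records.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.5",
     "Message": "Logon failure for CORP\\jsmith (jsmith@example.com)"},
    {"EventID": 4624, "TargetUserName": "JSmith", "IpAddress": "10.0.0.5", "Message": "Logon success"},
]

if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        print(obfuscate_event(record))
```

Because the token is keyed, anyone holding the key can recompute the mapping for a known username, so the key has to stay on the collecting side of the boundary the data is crossing.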
Privacy filters and other forms of obfuscation technology can help mitigate the threats of identity attack vectors. If you consider every place an identity may be exposed, other solutions may be available to obfuscate it from reporting, management, and collection without diminishing the mission at hand.