Infosec Pros Reveal Their Best Cybersecurity Tips


For Women’s History Month, we’re highlighting women in cybersecurity and asking how they navigate the internet while keeping their data safe.

Going off the grid is becoming less of a viable option today, especially as we become dependent on tech to keep in touch with family and friends, go to school, and do our jobs. The best approach to navigating the internet, from social media to apps—and even just visiting websites—is an informed approach.

We asked three experts in the field of information security for their insight, including which browsers they’re using, how to know if an app is trustworthy, and how much they post on social media.


Rachel Tobac, hacker & CEO of SocialProof Security

Rachel Tobac is a white hat hacker and the CEO of SocialProof Security, a company that offers social engineering training and consulting for companies and individuals. SocialProof’s clients include PayPal, Snapchat, Facebook, the U.S. Air Force, and Uber.

Has working in this field changed your personal approach to social media? 

Oh, definitely. I still post on social media every day. You’d be able to find me on LinkedIn, Facebook, Instagram, Twitter—I’m on all the social media platforms, but I take a different approach for each of them. My Instagram is completely private. I don’t share it with anyone except for close family and friends. My Facebook is just for my family and a few of my friends. Twitter is for my public work, and what I post on LinkedIn I consider to be public information. I think the more we try to imagine our worlds as private online, the more of an issue we run into. We kind of have to believe that everything we post is public and permanent on the internet. Even if that might not be the case, it’s good to operate under that assumption.

Should everyone follow this protocol to ensure safety? 

I tell [my clients] it’s a choice they need to make. For instance, I post on Twitter every single day, sometimes five to ten times a day. It’s just that you’re likely not going to see me tag a service provider there, because then people know who to contact as me and gain access to my information. But I say all the time [on Twitter] that I love camping, and post a picture of my dog out in the woods. I’m not going to write, “This campground is the best—go here, I’m here right now.” 

We kind of have to believe that everything we post is public and permanent on the internet. Even if that might not be the case, it’s good to operate under that assumption. 

Rachel Tobac, hacker

So you never mention the location? 

That’s right. I don’t geotag and I don’t name a service provider. Let’s say I’m someone whose airline loses my luggage. I’m not going to publicly comment on their page. We see people do that all the time, or they tag a subscription box and say, “Hey, I love your service, your latest makeup samples are the best.” That’s a really strong avenue for attackers to determine who they want to contact on your behalf and attempt to get your information out of other people.

Want to hear more from Rachel? Read our full interview with her here, and view a recording of our digital event, Happy Hour with a Hacker, featuring Rachel and Diva! View the recording here.


Diva Hurtado, digital self-defense instructor & Product Manager at Dashlane

Diva Hurtado is a product manager at Dashlane and has a background in mobile gaming. She hosts digital self-defense classes for women and others who are disproportionately vulnerable to cyberattacks. 

How has working at Dashlane changed your approach to cybersecurity? 

The most radical change is in my mentality and awareness of the actual threat involved in lack of security. This mostly revolves around the idea of big business taking data from you and having ownership of that data. 

What steps do you take to protect your data online? 

I’ve switched browsers from Chrome to Firefox. Firefox is a privacy-focused browser that has a nonprofit component and donates a portion of revenue to helping individuals control their own data. That’s a radical change for me because I’ve been using Chrome for a long time. I switched to WhatsApp before Facebook owned it, and now I use Telegram, which is end-to-end encrypted. You have more ownership over deletion of messages. 

This is a universal ethical shift that I’ve had in general with big tech companies. You have to give up convenience a little bit. Amazon, for example, is super convenient. People need to realize that convenience is coming at a huge cost to the world. The society you’re furthering is [determined by] what you’re purchasing.

Do you have concerns about posting on social media? How do you manage those concerns?

I’m low-key addicted to Instagram even though all of my ethics tell me not to be. Whenever I’m on my Explore Page, I select “Not Interested” on an ad, even if I’m interested. I do this systematically on random ads so that the algorithm is a little off.

Apps are never free—there’s no such thing as free software. If the app is free, you’re often paying a higher price; you’re paying in your personal information and your identity.

Diva Hurtado, Dashlane

What’s a common security threat we don’t think about, but should be aware of?

Visiting websites. There’s ad tracking, there is surveillance, and there is data being shared and sold. When you go on a website, you’re consenting to that website’s terms. In Europe because of GDPR, you have to consent to each of those terms, but in the U.S., you don’t.

Also be aware of downloading certain apps, like a face aging app that requires you to take a picture. If you’ve used these apps, your face is in a database. Facebook [which is often a host] has done very little to vet those apps. Facebook has everything about you in the world, and [if you grant the app permissions] it has all the same information about you that Facebook does.

What messages do you try to convey in your digital self-defense classes? 

It’s easy to feel powerless, but an important central message that we’ve had in the self-defense classes is that everyone has control. You just need to know what’s going on, be informed, and own your data. You’re the center of the story. You can’t move forward ignorantly online. Maybe you’re not going to make a radical decision to delete [your social media], but you should make the right decisions to at least limit the control of what you’re using.

When it comes to navigating life online, what is one thing you wish you had known as a consumer that you learned from the world of infosec and mobile gaming?

Apps are never free—there’s no such thing as free software. If the app is free, you’re often paying a higher price; you’re paying in your personal information and your identity. That’s more expensive than an app that [outwardly says] it costs $5. It’s a perception that people need to adjust to. Pay for your software because it’s going to cost you. It’s important to realize the covert charges that you pay for with “free” apps. I wish I knew that sooner.


Naya Moss, freelance infosec officer & founder of Frauvis

Naya Moss is a freelance infosec officer and the founder of Frauvis—a global platform focusing on elevating, retaining, and providing safe spaces for Black womxn in tech. In the past, she’s worked for companies such as Google, Morgan Stanley, Nike, J Crew, and The Brooklyn Museum. 

What’s your personal approach to social media? 

I am moderately careful! I can admittedly share that I wasn’t always this way. When I worked in IT I wasn’t so security focused, especially during my teenage years. I try my best not to share too much sensitive or personal information. 

When I was a nomad for about a year and a half, I was cautious, more than ever before, about protecting my data and privacy. I have a checklist of items I do when I travel, and part of this is ensuring my location is turned off, metadata is removed, and waiting to post on socials [until I’ve changed locations].
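One item on that travel checklist, removing metadata from photos before they are posted, can be done without any third-party tooling. The following is an added example written for this article, not code from Dashlane or from the interviewee. It walks the raw JPEG container and drops the APP1 (EXIF and XMP) and APP13 (IPTC) segments, which is where GPS coordinates, timestamps and camera identifiers live, while copying the image data through unchanged. The sample image bytes are constructed inline and stand in for a real photo; the fake GPS string is there only so the test can show it is gone.

```python
"""Strip EXIF/XMP/IPTC metadata segments from a JPEG before sharing it.

Added example for this article (hypothetical helper, not Dashlane code).
It works directly on the JPEG container, so no imaging library is needed.
"""
import struct

SOI = 0xD8  # start of image
EOI = 0xD9  # end of image
SOS = 0xDA  # start of scan: entropy-coded pixel data follows, copied verbatim
# Application segments that carry identifying metadata:
#   APP1  (0xE1) holds EXIF (GPS position, capture time, camera serial) and XMP
#   APP13 (0xED) holds Photoshop/IPTC records (author, location captions)
METADATA_MARKERS = {0xE1, 0xED}


def list_markers(data: bytes) -> list:
    """Return the marker bytes of the segments preceding and including SOS/EOI."""
    markers = []
    pos = 2  # skip the two-byte SOI
    while pos + 1 < len(data):
        marker = data[pos + 1]
        markers.append(marker)
        if marker in (SOS, EOI):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length  # marker bytes + length field + payload
    return markers


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with APP1/APP13 metadata segments removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]  # scan data up to and including EOI, unchanged
            break
        if marker == EOI:
            out += data[pos:pos + 2]
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            out += data[pos:pos + 2]  # standalone markers carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        seg_end = pos + 2 + length
        if marker not in METADATA_MARKERS:
            out += data[pos:seg_end]  # keep JFIF, quantisation tables, frame headers, ...
        pos = seg_end
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: 0xFF, marker, big-endian length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a minimal JPEG skeleton with a fake EXIF block. The GPS
# text is a placeholder, not real EXIF encoding; it only marks the bytes we expect
# to disappear.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00GPS:fake:40.7128,-74.0060")
    + _segment(0xDB, b"\x00" + bytes(64))
    + b"\xff\xda" + b"\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in list_markers(cleaned)])
    print("GPS text still present:", b"GPS" in cleaned)
```

Run it on a real file with `strip_jpeg_metadata(open("photo.jpg", "rb").read())` and write the result to a new file. Note that this only covers JPEG; PNG, HEIC and video containers store metadata differently, and some platforms strip EXIF on upload while others (and most messaging apps sending "original quality") do not, so checking the output with a metadata viewer before posting is the safer habit.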

When you sign up for a new social media platform, what red flags do you look for from a security standpoint?

As a security professional, part of my job is overseeing vendor and third-party risk assessments, and reviewing subprocessors’ policies and security practices. This includes reading terms and conditions, privacy policies, and so on. I also used to work for a marketing tech company. Because of this background and experience, I have a keen eye for quickly reviewing terms and knowing what to look for, especially in apps most likely to be sneaky with their policies and with what they do with your data. For me, red flags are apps wanting to do anything with your data, photos, recording your voice, music apps asking for full access to everything in your storage, etc.

Having worked with both major corporations and startups, what is one tool or practice that businesses should make part of their security culture?

I get asked this one all the time, and I always shock people when I tell them the best tool you can have is a human-first mindset: treating your employees with respect and providing them with the right knowledge and software. Many security folks focus on protecting the company’s compliance, avoiding breaches, and avoiding data leaks. While all very important, the real tool is you—how proactive you are, how you treat your employees. It is important to view employees as internal customers. I like to think of security teams as a sub-organization. 

It might sound weird, but I am happy when an employee admits they almost clicked on a phishing email. This lets me know that they trust me and they know that I won’t make them feel bad or stupid, and will give them the care and training they need. When I study big data breaches, most articles always say that employees are your biggest risk. And while that is very accurate, it is bad practice to say, “by default you are a problem and risk.” Do the opposite and let employees know that they are not personally the problem, but that not keeping a good security posture is the actual risk.

I always shock people when I tell them the best tool you can have is a human-first mindset: treating your employees with respect and providing them with the right knowledge and software. […] It is important to view employees as internal customers.

Naya Moss, infosec officer

We often think of tech fields as code-heavy and developer-focused, but of course, that’s not always the case. How does your work in infosec fit into your other passions? 

Outside of my day-to-day work as an information security officer, much of the work that I do is coding and no-code building. On the coding side, I like to do a bit of generative art or making music with Python. 

In IT and infosec […], it’s possible to be creative; [it’s] just more business- and strategic-focused versus the application-building side. Being creative in the workplace is still possible with infosec! One can get creative by providing gamified training, being human first, and proactive. Most important—exploring ways to balance compliance, security, and productivity, etc. 

Tell us more about Frauvis and how readers can support the platform. 

The work that I do with Frauvis has been amazing and rewarding. I started the business because I did not find other Black women in technical roles at any company I’ve ever worked at before 2018. Folks can support us by subscribing to our newsletter, posting to our job board, or sponsoring our community.

Rachael Roth

Rachael Roth is a content creator with over a decade of experience in print and digital media. She is a longtime contributing writer for Dashlane's blog and is an Editor and Copywriter for NYC & Company, New York City’s CVB and marketing organization.