Not long ago, I talked here about UAV Cloud Data: we are generating a ton of location data, and need some effective way to store it on the cloud. Two things have to be considered: it needs to be secure, so it cannot be accessed by just anyone, but it also needs to be available to those who are authorized to view and use it.
While this is a matter of transmitting large amounts of data to the cloud, it is also a matter of cybersecurity, and the subject has once again been highlighted by recent events. Not only do we, as GIS technicians, need to help make businesses ready for the next natural disaster, but we need to help them prepare for the next man-made disaster as well. So what is Vault 7, and what does it mean for securing location data?
It’s not My Vault
Vault 7 is the “accidental” release by the CIA of thousands of pages, and therefore thousands of lines, of hacking code to several “freelance” hackers. One of them shared the data with Wikileaks.
While we don’t know everything that is in the dataset, we do know that as it is revealed, software engineers and manufacturers can patch the vulnerabilities. The bad news is that this stuff has been out there, and available to hackers, for a while. It can be used to breach everything from home computers and phones to connected cars.
So what do we, as GIS Technicians, do about it? Well, here are some quick tips to help encrypt your life and (hopefully) prevent you from being hacked.
Use Strong Passwords
You hear this one all the time, and it is first in the list because it is the most basic. However, the worst passwords of the year (1234, your birthday, abcdef) are nearly the same every year, and they continue to be used in some of the most secure environments.
Set password requirements for access to GIS, and insist that they be changed regularly. It is becoming more common to set up security and log-ins using biometrics like fingerprints and retina scans; however, most of these still have a password as a backup. Passwords are still the spare keys to your kingdom. Guard them closely.
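The following is an added example, not code from the original post, showing what a password requirement for GIS log-ins can check mechanically: it rejects the kinds of passwords the post names (1234, a birthday, abcdef) by testing for a short length, a blocklist hit, a date-shaped string, and a sequential run. The blocklist, the 12-character minimum and the three-character-class rule are assumptions made for the example, not figures from the post.

```python
import re
import string
from typing import List

# Constructed, illustrative blocklist. A real deployment would load a published
# list of common or breached passwords (assumption: one password per line).
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "abcdef", "qwerty", "letmein"}

# Assumption: the post sets no minimum; 12 characters is used here as a baseline.
MIN_LENGTH = 12

# Digit-only strings shaped like a birthday: YYYYMMDD, MMDDYYYY or MMDDYY.
DATE_PATTERNS = (
    re.compile(r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$"),
    re.compile(r"^(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])((19|20)\d{2}|\d{2})$"),
)

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step up or down by exactly one (1234, abcd, dcba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(pw: str) -> List[str]:
    """Return the policy violations found in `pw`; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if pw.isdigit() and any(p.match(pw) for p in DATE_PATTERNS):
        problems.append("looks like a date (birthday)")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 1234 or abcd")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in pw))
    if classes < 3:  # assumption: require three of lower, upper, digit, punctuation
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "19900415", "abcdef", "Tr0ub4dor&3xample!!"):
        print(repr(candidate), password_problems(candidate) or "OK")
```

Run the check at the point where a GIS account is created or its password changed, and return every violation at once rather than the first, so users fix the password in one attempt.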
Use Two Step Authentication on Your Emails–All of Them
This should be true for your work email as well as your personal email. All this does is add an extra step, like receiving a code via text message or sent to an alternate email address every time you log in to your email.
This way, a hacker has a more difficult time hacking into your email on a device or computer you have not authorized. With your email, a savvy hacker can reset your passwords on everything from banking sites to your ArcGIS account. If they can’t hack the password you have now, it is much easier to reset it via a link sent to your email.
Two step authentication is the first step in a number of processes to keep location data secure.
Request and Configure Your Own Server Certificate
ArcGIS Servers come with a self-signed security certificate designed to help you set it up quickly and make sure your installation was correct. However, leaving this self-signed certificate in place is a common and preventable security mistake.
In the healthcare industry, servers containing the latest digital imaging technology along with large amounts of patient data, similar in nature to GIS images and the accompanying data sets, come preconfigured the same way. However, the first step once imaging or GIS software is installed should be to request a certificate from a trusted certificate authority (CA) and configure your server to use it.
A server whose connections are properly encrypted under a CA-issued certificate is nearly impossible to crack unless there is an inherent flaw in the security itself.
Restrict File Permissions
Even with the best passwords, restricting access to files is essential. The risk of a data breach, even an accidental one, increases dramatically with each additional person who has permission to edit files. The risk of errors like data deletion also increases.
From the start, restrict access to files to only essential personnel. Only grant editing and editorial permissions to those who must have that access to perform essential duties. Once a team member is no longer on a project, remove their permissions. Reduce the risk of a security compromise by keeping files and sets of data carefully locked down.
Disable the Primary Site Administrator Account
User accounts in GIS are managed in your identity store. The primary site administrator account is separate from this, and is the account specified when you first create a site in ArcGIS Server Manager.
Once you have created user accounts and assigned them roles, it is recommended that you disable the primary site administrator account, so there is no way to manage ArcGIS Server outside of your group and the roles you have assigned. If you have not done this, or simply do not know how, you can find instructions here.
Define the Shared Key to Generate a GIS Token
The shared key is the encryption key you use to create GIS tokens. ArcGIS tokens can be shared to give those who are not authorized users, such as clients, permission to consume data from the ArcGIS Server.
The shared key is another common way for malicious users to gain entry to your server. Here are some quick guidelines for your shared key:
- It should be 16 characters long.
- You can use any characters, and it should be as random as possible.
- Change the key often, especially in high security environments.
- When you change the shared key, update all applications. Old tokens will become invalid once it is changed.
Think of your shared key as a security system on top of the locks and deadbolt on your door. It is another layer of security that is really challenging to disable for any hacker who wants access to your system.
Securely Transmit Tokens
It goes without saying, but always use https to transmit tokens to clients, and if doing so via email, this is yet another reason to use two step authentication. Anyone with a valid token has access to your server. Be sure to keep tokens just as secure as the shared key you use to produce them.
If you find a token has been compromised, change the shared key immediately. This will ensure that access remains restricted and data remains secure.
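The shared-key guidelines above and the advice to rotate the key when a token is compromised are easiest to see in code. This added example (not the post's or Esri's code, and not the actual ArcGIS token format) generates a 16-character key from the full printable alphabet with the OS random generator, mints a token as a signed payload with an expiry, and validates it; validating under a newly generated key fails, which is exactly why old tokens become invalid on rotation. The token layout and the one-hour lifetime are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import string
from typing import Optional

# The post's guideline: any character, chosen as randomly as possible.
KEY_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_shared_key(length: int = 16) -> str:
    """Draw the key from the OS CSPRNG (`secrets`), never from `random`."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(shared_key: str, client: str, issued_at: int, ttl_seconds: int = 3600) -> str:
    """Illustrative token (assumption, not the ArcGIS format):
    base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag keyed with the shared key)."""
    payload = json.dumps({"client": client, "exp": issued_at + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(shared_key.encode(), payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_token(shared_key: str, token: str, now: int) -> Optional[dict]:
    """Return the claims if the tag verifies under `shared_key` and the token is unexpired, else None."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(shared_key.encode(), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged, tampered with, or minted under a previous (rotated) key
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired
    return claims


if __name__ == "__main__":
    key = generate_shared_key()
    token = issue_token(key, "client-a", issued_at=1_000_000)
    print("valid now:", validate_token(key, token, 1_000_100))
    rotated = generate_shared_key()  # what "change the shared key immediately" amounts to
    print("valid after rotation:", validate_token(rotated, token, 1_000_100))
```

Because the token carries a tag computed from the shared key, anyone holding a valid token has whatever access the token grants, and anyone holding the key can mint tokens at will; that is why both must travel only over https and why rotating the key is the one-step revocation of every outstanding token.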
Restrict Cross Domain Requests
Cross-domain requests are a common tactic used by hackers. They are governed by “Cross-Origin Resource Sharing,” or “CORS,” the mechanism that lets a page on one domain request the data created on another.
You can prevent this in ArcGIS by restricting these requests to only the websites that you trust: any domain not on the list has its request denied. If you need instructions on restricting cross-domain requests, you can find them by clicking on the link here.
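Here is an added example (not code from the post or from ArcGIS Server) of the allowlist logic such a restriction implements, in Python: the browser's Origin header is normalized to scheme, host and port and compared exactly against a trusted list, so look-alike domains, a different scheme or port, the literal "null" origin and wildcards are all denied, and the caller's origin is never simply echoed back. The two trusted origins are constructed for the example.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist of trusted sites (assumption). An origin is scheme + host + port,
# exactly what the browser puts in the Origin request header; no paths, no wildcards.
TRUSTED_ORIGINS = {
    "https://maps.example.org",
    "https://intranet.example.org:8443",
}


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical scheme://host[:port], or None if the value is not a usable web origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers "null", "*", file: origins and other non-web values
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None  # a real Origin header carries none of these
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port  # .port raises ValueError on a bad or out-of-range port
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(origin_header: Optional[str],
                 allowlist: Iterable[str] = TRUSTED_ORIGINS) -> Dict[str, str]:
    """Headers to add to the response for an allowed cross-domain request; {} denies it."""
    if origin_header is None:
        return {}  # same-origin or non-browser request: nothing to grant
    try:
        origin = normalize_origin(origin_header)
        allowed = {normalize_origin(o) for o in allowlist} - {None}
    except ValueError:
        return {}
    if origin is None or origin not in allowed:
        return {}  # exact match only: never reflect the caller's origin, never substring-match
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    for candidate in ("https://maps.example.org", "https://maps.example.org.evil.test",
                      "http://maps.example.org", "null", "*"):
        print(candidate, "->", cors_headers(candidate) or "denied")
```

The `Vary: Origin` header matters when a cache sits in front of the server: without it, a response granted to one trusted origin could be served from cache to a request from another.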
Vault 7 is frightening simply because it highlights an ongoing issue: cybersecurity threats are on the rise, and anything from ransomware to major security breaches can shut down a business in a matter of days. Protect yourself and your GIS data by following the steps above.
Author:
Troy Lambert is a freelance writer, editor, and non-profit consultant by day, and a suspense thriller author by night. He learned about the power of GIS while working as a researcher at a museum, and is always looking for ways to apply this technology and big data in new and innovative ways. Troy is an avid cyclist, skier, and hiker. He lives, works, and plays in Boise, Idaho. His work can be found at troylambertwrites.com, and you can connect with him on Twitter @tlambertwrites.