Internet Security for Mere Mortals

I interviewed Hector Diaz of Diaz Consulting on the importance of security for everyday users on the internet and what we can do to be aware and secure. Here is a digest of that interview. This is part one of a series of interviews called Business for Mere Mortals. Notices of upcoming interviews will be posted on this blog, my Twitter profile and my LinkedIn profile. Soon we will add a hashtag for participation in these discussions.

@lisadiaz: Hello, I’ll be interviewing Hector Diaz of Diaz Consulting.

Hector will be telling us about how trust for e-commerce is established through passwords, digital certificates and encryption.

He will also tell you how you can get a digital certificate to secure your e-mail.

Hi Hector, can you tell us about your background?

@diazconsulting: I am an IT executive w/extensive experience running multiple data centers in international environments. That includes internet security.

@lisadiaz: Where have you worked in the past?

@diazconsulting: 21 years at Hewlett-Packard/Agilent Technologies and most recently at CaridianBCT, a medical technology company.

@lisadiaz: OK, so why is security important?

@diazconsulting: Trust is a necessary pillar for commerce and in particular electronic commerce. You have to trust the identity of the parties involved.

@lisadiaz: Interesting. Any other thoughts on trust?

@diazconsulting: Yes, you must trust the transaction to be private, that is safe from prying eyes.

@lisadiaz: Like credit card information?

@diazconsulting: Right, credit cards, bank account numbers, SSN numbers and other such data must be kept private and secure.

@lisadiaz: How do you go about establishing trust? Can anyone do this or is it just for the big companies?

@diazconsulting: Basically by setting up the ability to conduct e-commerce that allows for authentication, privacy, and non-repudiation.
This applies to big companies, small companies, and you as an individual. I’ll explain shortly.

@lisadiaz: Good! First, how do you define those terms you just used?

@diazconsulting: AUTHENTICATION is all about proving you are who you say you are. This applies to both vendors and customers.
PRIVACY has to do with keeping sensitive information (like credit card numbers) safe from prying eyes.
NON-REPUDIATION keeps buyers/sellers from lying about legitimately placed orders/shipments. An electronic fraud-prevention paper trail.

@lisadiaz: About non-repudiation. Do you mean proving you really meant to purchase or transact?

@diazconsulting: Repudiate is to deny. A vendor should be protected from someone ordering goods and then refusing to pay claiming they did not place the or..

@lisadiaz: OK, that helps. Thanks! So, how do you establish your identity on the web?

@diazconsulting: Web-sites use digital certificates to establish their on-line identities. They verify identities of individuals upon account creation.
Vendors buy digital certificates from companies like VeriSign. They provide a branding logo for your site.
Individuals “prove” their identity when they supply a password. They too can get for-pay digital certificates from VeriSign.
Free digital certificates are also available from companies like Thawte. They require showing an ID to a notary.

@lisadiaz: I send emails and make purchases all the time. Why would you want to go through the trouble of doing that as a consumer or vendor?

@diazconsulting: W/ a digital certificate you can “sign” your e-mail to prove it actually came from you and was not forged (authentication, non repudia..
W/ a digital certificate you can encrypt your e-mail to keep it from prying eyes (privacy).
Modern e-mail clients like Outlook and Mac Mail allow you to use these certificates to secure your e-mail.

@lisadiaz: So, if I want to send an email to someone with a password, I should consider this authentication system. Right?

@diazconsulting: Yes. I would use e-mail encryption to send someone a password in an e-mail.

@lisadiaz: And if I’m not encrypting my e-mail, does that mean anyone can read it if they know how to hack my email?

@diazconsulting: In a nutshell, yes. No hacking required. System administrators at any site your mail goes through can read your e-mail.
You should NEVER assume e-mail is private unless it is encrypted.

@lisadiaz: So, to send encrypted emails, get that taken care of at a site called Thawte?

@diazconsulting: At Thawte you can get a digital certificate that will allow you to sign all your e-mails and encrypt e-mails to users who also have certs.

@lisadiaz: Cool. What is the link to Thawte?

@diazconsulting: http://www.thawte.com/

@lisadiaz: Thanks. One more question about purchases. Does that mean I need a digital certificate to buy with confidence or do e-banking?

@diazconsulting: No, those transactions are encrypted “on the fly.” Look for a small padlock or other indicator on your browser.

@lisadiaz: Thanks. So, the security takeaways here are: “thawte” for emails, “security lock” or “https” for purchases and “Verisign” for vendors. Is that accurate?

@diazconsulting: Yes. A small clarification, I’d say encryption for e-mail. In order to encrypt, you need a digital certificate. Thawte is a source for that.

@lisadiaz: Thanks for clarifying. And thank you for taking the time for this Tweeterview.
Thank you everyone! This concludes the Tweeterview.

This digest will be posted on the iDiaz Blog at http://www.idiaz.org/Blog/?p=96 and at the Diaz Consulting Blog at http://hdiaz.org/Blog.


2 Comments to “Internet Security for Mere Mortals”

  1. Hector Diaz says:

    Not too long ago I recommended getting a free personal e-mail certificate from Thawte for e-mail security. It has now come to my attention that Thawte will stop offering Personal Email Certificates on November 16, 2009. This is now posted on the Thawte web-site. According to their web-site, Thawte is offering a free one-year VeriSign Email Certificate for each active Thawte Personal Email Certificate you own as of 24 September 2009. If I remember correctly those normally go for about $20 US.

  2. Lisa Diaz says:

    Thanks Hector, for keeping us current on this topic!
