You’re in biblical scholarship, not information security.1 But the two go hand in hand. You won’t get much research done if what you do gets wiped out by a bad actor.
I knew that even before I had it reinforced to me with unnerving clarity. But I hadn’t thought carefully enough through some key holes in the strategy I had adopted for protecting my research.
Having been through that experience (thankfully without losing any files), I settled on two key elements that needed to be central moving forward. These were expanding and hardening my usage of multi-factor authentication and restricting access to critical files.
Multi-factor authentication (MFA; or second-factor authentication, 2FA) is the practice of requiring multiple proofs of identity before granting access to an account. Often, one proof is a password, but in the event a password gets stolen, requiring yet another form of proof helps protect access to an account.
Some 90% of online account breaches occur because of stolen login credentials. That means that, by and large, “Hackers don’t break in. They log in.”2 To work their mischief, they don’t break through security; they bypass it by stealing usernames and passwords.
Why MFA Matters
But your research isn’t vulnerable to this, is it? Unfortunately, if you keep it in one of those cloud storage services we’re all so fond of, those services are online accounts. And as such, they’re susceptible to the same kinds of threats as are accounts on Facebook or at your bank.
In addition, like the example I described, your work might be endangered by a mistake from someone you’ve implicitly trusted with it. So, the safer you are, the safer those you work with will also be, and vice versa.
How My MFA Practice Has Changed
Before what happened to me, I’d already been using MFA with an app on my phone, which would generate a 6-digit code to allow me to log into an account.
That’s better than nothing, but there’s nothing unique to those codes that, in principle, prevents them from getting phished too. (And in fact, this was one of my worries when OneDrive asked for one of these codes in order to restore my files to a point before they started getting encrypted.)
What’s much better that I’m now using is an “unphishable” physical token like a Yubikey.3 Because its a purpose-built physical token, a Yubikey isn’t susceptible to malware like authentication apps are.
For online accounts that support it, a “universal second factor” (U2F) security key creates a unique “cryptographic key pair for each service.”4 That means that, in the future, only physical device can unlock the service.—For this reason, Yubikeys come best in pairs so you always have at least one backup.
How You Can Use Yubikeys for MFA
You can use a Yubikey as a U2F for an unlimited number of accounts.5 And for accounts that don’t support U2F, each Yubikey 5 series key can also provide one-time codes for up to 32 different accounts with the help of the companion authenticator app.6 If you have more than that, you can always use another key. (I’m currently working with sets of two.)
Of course, for any accounts where you might use a Yubikey to generate a one-time password, it’s still up to you to keep that password safe until it expires. But by comparison to an authentication app, a security key is a safer place to keep the secrets that generate those codes.
If all of this sounds great but it’s a bit confusing where to begin, Yubico has a helpful catalog of compatible services with instructions about how to start using a Yubikey with each one.7
Restricting File Access
MFA helps safeguard you and others you work with safe from intrusions that could threaten your research. But how can you protect it against threats that do get onto your system despite your best efforts?
Controlled Folder Access
Of course, you always want to have any appropriate security software updated and configured properly. Beyond that, you can give your research some additional protection by restricting access to the directories where you keep it. This step is another important expression of the “zero trust” principle.8
The idea is that you only allow applications that you specifically whitelist to modify those files. By definition, malware would be a new application that you wouldn’t want to whitelist. And without that permission, it shouldn’t be able to damage your files.
On Windows, this feature goes by the name of “Controlled Folder Access.” When you first enable it, it might take a few tries to open a file in a protected directory as you approve the different applications that are involved in that process. But if you’re able to use it, it does give you markedly more control over what might be meddling with your work.
Even if you’re not able to use Controlled Folder Access or something similar, however, you can still use Macrium Reflect to protect your backups of your data. (I’ve found the Home version plenty sufficient since starting with the free trial license.) In many ways, Reflect works similarly to other backup tools. But it has one feature that sets it apart.
This feature is Reflect’s “Image Guardian” functionality. Image Guardian essentially works by allowing only Reflect to modify Macrium backup files. You can even configure Reflect so that, if another application tries to modify a Macrium backup file, you’ll get an alert email.9
As with the selection of any tool, your own situation might call for different tools than the ones I’ve described adopting here. But whatever tools you select, the principles remain key. To protect your research, you need to have a clear plan for protecting access to it. And that plan needs to address how you’ll protect your work even from generally trustworthy sources.
Header image provided by Markus Spiske. ↩
Stina Ehrensvard, “Creating the Unphishable Security Key,” Yubico, 3 October 2017. ↩
Ehrensvard, “Security Key.” ↩
“Macrium Image Guardian,” Macrium Software, n.d. ↩