Category: Security Tips

It Starts With a Simple Question

Today, a family friend asked me, “Is it okay if I email a copy of my passport to this small business? They need it for registration.” A few weeks ago, another friend reached out—this time, asking whether it was safe to send their Social Security Number and driver’s license via email for some ‘official paperwork.’

These are not isolated incidents. These are smart, thoughtful people, just trying to get things done—sign up for a program, submit documents, move life forward. But they’re also unknowingly exposing themselves to serious risks.

That’s when it hit me: this problem is everywhere. From small businesses to afterschool activities, visa agents to insurance brokers, people are regularly asked to send highly sensitive documents over insecure channels. And most of the time, they do it, because they don’t want to delay the process or seem difficult.

This article is for them and for all of us. It’s time we talk about why sending your SSN, passport, or ID over email or WhatsApp can be a terrible mistake, and what safer alternatives look like.

How We Got Here
We’ve normalized risky communication habits without realizing the potential consequences.

  • Emails for Everything: Schools, doctors, after-school programs, and visa agents regularly ask for SSNs, IDs, and documents over email.
  • Messaging Apps as a Crutch: WhatsApp and Facebook Messenger are often used to exchange documents—but they aren’t truly secure for sensitive data.
  • Shared Email Accounts: Small businesses (especially local gyms, afterschool programs, and mom-and-pop shops) may use a single shared email account—leaving your personal documents open to whoever logs in.

Why It’s Dangerous
What feels like a simple action could expose your most personal information to attackers.

  • Man-in-the-Middle (MITM) Attacks: If you’re on public Wi-Fi or a compromised network, your email or WhatsApp message can be intercepted.
  • Email Account Compromises: If the receiver’s inbox is hacked, your SSN and ID documents are exposed.
  • Reused Credentials: Many small businesses and agents don’t follow security best practices and often reuse passwords across accounts.

Real-World Consequences
When your data lands in the wrong hands, the damage isn’t just digital—it’s personal and financial.

  • Identity Theft: SSNs are gold for cybercriminals—they can open credit lines, file false tax returns, and more.
  • Medical Fraud: Using your SSN and personal details, someone could receive healthcare under your name.
  • Immigration Scams: Agents asking for passport and visa information via email have been known to sell or mishandle documents.

Industries That Have Secure Guidelines (But Still Fail)
Even regulated industries fall short when individuals or agents take shortcuts.

  • Medical (HIPAA): Health providers are supposed to use secure portals—but many still ask patients to email records.
  • Finance (PCI-DSS): Credit card processors are bound by standards, yet small tax offices may ask for full details over email.
  • Immigration & Legal: Agencies know better but commission-based agents often bypass safeguards to close a deal quickly.

Why We Still Do It (Possibly)

Even when we know better, we often give in—because getting things done feels more urgent than staying secure. We want to move forward quickly: book the ticket, start the class, submit the paperwork, or get approved without delay. The person asking for our documents may seem professional enough, or we assume “everyone else is doing it, so it must be fine.” On top of that, there’s often a subtle pressure to not be the difficult one—so we stay quiet, comply, and send off highly sensitive information without a second thought. Unfortunately, that’s exactly what bad actors and poor systems rely on.

So What Can You Do Instead?

You have safer options; you just need to know how to ask for and use them. Most organizations today have secure systems in place, even if the person you’re dealing with doesn’t mention it upfront. Always ask for a secure portal or encrypted submission method. Many institutions offer these but rely on the user to request them.

If no portal is available, consider sending your documents using encrypted file-sharing services like ProtonMail, SecureDrop, or cloud-based services like OneDrive or Google Drive with restricted permissions. For added protection, you can use password-protected ZIP files—but share the password through a separate channel, like a phone call or text message.

Also, be cautious about the network you use. Avoid shared or public Wi-Fi when sending sensitive documents, and always use a secure, trusted device. Most importantly, don’t be afraid to demand better. Whether you’re dealing with a tutor, immigration agent, or afterschool program—politely ask for a secure alternative. Your personal information is worth protecting.

How to Push Back (Respectfully)

It’s absolutely okay to ask for better—doing so not only protects you but also helps raise the standard for everyone. If someone asks you to email your SSN or ID, you can simply say:

This small statement is powerful. It signals that you’re aware of the risks and encourages the person or business to rethink how they handle sensitive data. And remember, if they mishandle your personal information, it could become a legal or reputational liability for them too. By speaking up, you’re not being difficult—you’re being responsible.

Contingency Planning – Huh?

Before you start reading about the core concepts of BCP (Business Continuity Planning), DRP (Disaster Recovery Planning) and Contingency Planning, understand that these are very important concepts and that they are interpreted differently by different organizations, individuals and security professionals. The main reason is that people think differently about countermeasures and have different risk appetites, and so do the organizations those individuals make up, where they are in key positions to propose, accept and finalize various business and operational contingency plans.

Before we begin, let us understand some of the core concepts.

What is a Plan?

The Oxford Dictionary defines a plan as “an intention or decision about what one is going to do”.

So what is contingency planning?

“A contingency plan is a plan devised for an outcome other than in the usual (expected) plan” – from Wikipedia.

Before we get into what is included in each of the plans, let us look into some definitions.

According to NIST Special Publication 800-34, IT contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption.

Contingency planning generally includes one or more of the following approaches to restore disrupted IT services:

  • Restoring IT operations at an alternate location (example: hot site, warm site or cold site)
  • Recovering IT operations using alternate equipment (example: secondary server, high-availability configuration)
  • Performing some or all of the affected business processes using non-IT (manual) means (example: manually collecting a customer’s credit card information over the phone)

Because a contingency plan covers a broad scope (recovery, continuity, and response to business needs, business threats and emergencies), it is important to note that an organization may choose to implement it in many different ways. This is when we start talking about BCP, DRP, COOP, IRP, etc. There are more; see Appendix A for the expansion of these acronyms.

For a CISSP, it is important to understand the main differences between various types of plans.

What is a BCP?

Business Continuity Planning (BCP) is the process of creating or putting in place systems and mechanisms for the prevention of, and recovery from, potential threats to business systems and business goals.

A Business Continuity Plan is a formal document consisting of a set of processes, drawings, flow charts, ordered lists, etc. that helps a business navigate business interruptions by providing tested and proven methods to recover from, and prevent, potential threats to the existence of the business. A BCP can have other plans included as part of its scope.

What is a DRP?

A Disaster Recovery Plan (DRP) is a very detailed, hands-on plan compared to a Business Continuity Plan. It is highly reactive. It contains detailed instructions on how to respond to unplanned incidents such as hurricanes, flooding, earthquakes, power outages, cyber attacks and any other event that will cause disruptions to business operations. The plan contains strategies for minimizing the effects of a disaster so that an organization can continue to operate, or quickly resume key operations.

CISSP Tip

Contingency plans help you continue to operate or sustain your business goals and can be reactive, such as BCP, DRP and BRP. Parts of these plans can be proactive as well. For example, if you have servers configured in High Availability (HA) mode, you limit downtime and improve performance; this is a proactive approach. If you have a backup server or a warm site, you are making sure you can continue to operate when servers are down; this represents a reactive approach.

Appendix A

  1. BCP: Business Continuity Planning
  2. DRP: Disaster Recovery Planning
  3. BRP: Business Recovery Planning
  4. COOP: Continuity of Operations Plan
  5. IRP: Incident Response Plan
  6. OEP: Occupant Emergency Plan

This was chapter 1 on Contingency Planning. If you have any comments or questions, leave them below or message me!

Over and Out! Stay safe, think before you click (anywhere).

DK

If you would like to subscribe to this blog. Simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Stop Posting Pictures of Your Certifications and Employee ID Cards

Congratulations! You made it! You achieved it. Now make sure you secure it.

If you just passed an exam and had the urge to post a picture with your certificate, or you just retired from or were just hired by your dream company and posted a picture of your ID card or your certification, then this article is for you. Hundreds of these pictures are now showing up online on websites that are soliciting fake degrees, certifications, jobs, and more.

While you are proud of your accomplishments, make sure you do not publicly post photos that reveal your name, certificate, and other details. A photo with a face and a certificate in your hands can be used to advertise anything, and an acquaintance of mine recently shared a disturbing story.

This individual, whom I’ll call Mr. Good, had recently passed his CISSP exam and, like most of us, had posted it on LinkedIn. Mr. Good is normally a very private person, but LinkedIn is a social community where he spends most of his time socializing. Thanks to the tens of different privacy controls on LinkedIn, it has gotten even more confusing when you post an update. So, out of mere excitement and innocence, he posted his picture. He was proud. A few days later, he discovered by accident a photo circulating on Facebook, with several others, soliciting the sale of illegal certificates such as CISSP and other exams.

That was it for Mr. Good; he immediately removed the picture from his post. But wait: his photo, stolen from LinkedIn, is still being used by someone claiming to be him. Mr. Bad did not even bother to blur out Mr. Good’s name on the certification photo. Getting it taken down would take several attempts, including contacting Facebook to remove the post. While Facebook looks into his query (which, by the way, is probably one in a million), the photo will stay online until it is removed.

Here are some examples that I found online.

Real Example 1:

John Cam (fake name) claims to sell CISSP certificates on Facebook, using the image on the side. He was a little generous and clipped the picture to remove the face. Image 1 is taken from a publicly posted image in a LinkedIn profile post, Image 2.

I have pixelated the face to protect the individual.

Image 1
Image 2

Real Example 2:

Here is the same individual who is selling illegal certifications; this time it is IELTS certifications, without writing the exam. Not sure how it works, or whether it is a money-making scheme by fraud.

I have already reported this individual on Facebook, but upon doing a simple web search, I found that this individual/group has posted on several popular web services such as TripAdvisor, Pinterest and Medium.

What can you do?

If you come across such advertisements or postings, simply report them as spam or use the reporting methods the site provides. For example, TripAdvisor provides an option on a photo to report it. Pinterest provides a feature for reporting their pins and users.

Do not take photos of your employer ID cards, certificates, and degrees and post them publicly. I understand we all have a tendency to post on social media such as LinkedIn, Facebook and Instagram, but think about the profound negative effects on your identity if these posts and images were exploited.
