Infosecurity: Do You Eat Your Own Dog Food?

How many IT security professionals practice what they preach? Do you eat your own dog food?

Starting with the most obvious question, we first asked Marc Vael, who is director of the Knowledge Board and chairman of the Cloud Computing Task Force at ISACA, whether he really practices what he preaches in the workplace when he gets back home. “Yes, because the home environment actually is a good place to challenge certain security behaviors – both preventive and detective”, Vael insists, continuing, “I have a special paper shredder to make confetti out of confidential paper info, and I use ERASER from Tolvanen to erase digital data 35 times”.

Vael also has a 2-TB backup system for his digital data, and rents a vault in the bank for his essential paper information and digital backups. That’s not all. “I have eight digital security cameras around the house”, Vael reveals, adding “and a physical alarm system connected to a 24/7 alarm dispatching”. Perhaps unsurprisingly, all the Vael family members have their own login and passwords as well.

Talking of passwords, Richard Hollis – who is MD of product-independent information risk consultancy Orthus – believes that passwords are a good example of how he professionally preaches the gospel of process over product at work, and continues his faith at home. “I have configured my family’s devices personally and ensure they change their online passwords monthly and device passwords every three months”, Hollis explains. “I am a fanatic about ensuring our home devices do not take cookies, and lecture my family about online identity discipline”.

In case you were in any doubt, Hollis tells us that background and credit checks are carried out on all new staff in his business, and security metrics are tied to performance bonuses. “I know it sounds hokey”, Hollis admits, “but I would never recommend a process to one of my clients that we are not following at Orthus”.

An Inconvenient Truth

Surely, at home though, the infosec professional will sometimes opt for convenience over absolute security? For example, what about mobile banking? It offers great convenience, but everyone in the security field knows there are risks attached.

Robert Rutherford is chief executive of IT consultancy QuoStar Solutions and was very honest when he admitted that he does risk analysis on the fly, telling us that “you just have to balance the impact of something happening against the likelihood of that something happening. If I need to connect a personal device to an unsecured wireless network while on holiday or in a hotel to do some internet banking, then I will, and I don’t think about it”.

That said, Rutherford also revealed that it’s unlikely he would access his internet banking at a shared cyber-café, due to the blatant risk of keyloggers, screen recorders and other spyware – so all is not lost.

“At the end of the day there is risk in everything”, Rutherford concludes. “You can argue that nowhere is truly safe, but that’s life, and you can’t be paralyzed by fear. I don’t take unnecessary risks, of course, and do take sensible precautions. For example, I’ll VPN into work with two-factor authentication, nothing is stored locally on my devices unprotected, the devices are firewalled, encrypted, have protection systems in-place, and so on.”

John Knowles, MD of DMW Information Security, also admits to using online banking via a hardware token for authentication, which reduces the risk, but not completely. “I bank only from one device, which I don’t use for other purposes”, Knowles explains. “This reduces the risk again. I don’t keep any passwords or account details on a PC, instead I use a secure USB stick with Password Safe on it. I bank with a bank that has online banking guarantees, and I read my statements carefully”.

Knowles also makes a point of not using cloud services for primary storage of key stuff like photos or home videos, although his home backups are cloud-based, and encrypted. “Backup is so essential”, Knowles warns. “The automation and the fact the data is out of the house even caters for the doomsday scenario of house fires.”

Starting Young

How about your kids? Do you educate them about information security practice, and from what age? Not all the infosec professionals we spoke with had children, but those who did were quite clear on this point: security education is vital.

Take Richard Hollis, for example. He has an 18-year-old son who started learning about online security when he was about 12. “This was right about the time that his interests turned from online gaming, where the security threat he faced was largely from spam, adware and potentially botnets”, Hollis recounts, “to social media, where the threat morphed into identity theft and online predators”. When he was younger than 12, the Hollis family largely relied on anti-malware to protect him, but when he hit adolescence the game changed, and so they became more involved in educating him about online threats.

It’s a similar pattern for John Knowles, who tells us that his kids have absorbed IT security best practice over the years, and without preaching. “We have teenagers, and I believe if they are informed, they will act in the right way”, Knowles insists. “I used to think monitoring of use was necessary, but actually in practice that erodes trust. Informed people are the best defense.”

Mobile Mayhem

Being informed goes pretty much hand in hand with being mobile these days, to the point where we put it to our panel of experts that it isn’t really advisable, or even possible, to separate home from work when it comes to information security. Robert Rutherford was first to take the bait, responding that “you shouldn’t typically be using home devices to access corporate systems, neither should you allow others to use your corporate devices for personal use”.

He argues that the consumerization of IT is, as far as uncontrolled BYOD (bring your own device) is concerned, “typically madness”. After all, Rutherford says, “how do you enforce encryption from the corporate level on someone’s personal phone? How do you know that the home PC you are connecting into the business on isn’t riddled with trojans and spyware?” He concludes that “on virtually every level, it’s better to split home life and work”.

Hollis, however, actually likes the fact that the line between work and home has become blurred with the meteoric rise of mobile device use. “It gets smart people to focus on what’s really important and why”, he reasons, continuing, “they are now tasked with answering the question that they have successfully dodged up until now: What is it exactly that I am trying to protect?”

Hollis recently spoke with a client who, after 50 years of being in business, has now decided that ‘perhaps’ they needed a classification scheme to identify information that was sensitive to the organization. “They would have never arrived at this conclusion if they had not lost an iPad with some extremely sensitive information on it”, he reveals.

Business Infosec Principles for the Home

But surely there are some workplace information security principles that are absolutely essential for the home environment? Knowles believes that defense in depth is a pretty good one to transfer between the two – not relying upon a single security tool or process – along with everyone deserving their own privacy and requiring strong passwords to help achieve this.

Marc Vael, meanwhile, nods in the direction of backup being essential in either environment, along with properly configured routers and shredding (either physical or digital) of all confidential data before disposing of it. Perhaps Travis Spencer, senior technical architect at Ping Identity, sums it up best when he says “in the personal space, the information security principles of confidentiality, integrity, availability, authenticity, and non-repudiation are all important, but to a different – often lesser – degree. This is primarily because the stakes are lower.”

THE VENDOR PERSPECTIVE

Travis Spencer works for a vendor, so naturally we asked him whether he uses his own technology at home. “The vendor I work for sells single sign-on (SSO) software. I use it every time I log into various SaaS apps that use it for SSO”, he replies, adding “a while back, I was at a bank applying for an auto loan and the banker’s intranet application SSOed into a different company’s loan origination application via a federation made possible by our software. In general, I use SSO whenever I can because the fewer passwords I have the better”.

Richard Hollis, on the other hand, works for a product-independent consultancy and, as founder, was largely responsible for this approach. “Quite frankly I don’t believe in product”, he reveals. “Our industry is led by vendors, and the message they sell is buy this widget and you’ll be secure. I believe computer security is an oxymoron. The only secure computer is the one still in the box. Plug it in, turn it on, and the game begins – the game to identify, minimize and manage the ever-changing threat landscape. The irony is that most of my peers working for security vendors believe this as well.”
