Behind the Firewall: How 9 execs implement cybersecurity at home


Editor’s note: This article is part of Behind the Firewall, a recurring column for cybersecurity executives to digest, discuss and debate. Next up: How did you get started in security? Email us here.

When 5 o’clock hits, many professionals log off to spend their evenings focused on anything but work. Personal and professional worlds are siloed from one another, with nary a care for the office until the next morning. 

But for those working in cybersecurity, it is difficult to shake the threats in cyberspace even after clocking out. For some cybersecurity leaders, the security itch follows them into their personal lives, informing which tech gadgets come into the home or which Wi-Fi networks are safe to join.

It makes sense: high-profile consumer data breaches and phishing attacks on personal email accounts happen regularly. Add in a year of remote work, school and socializing, and bringing cyber hygiene into personal lives has become more standard.

For a glimpse into how security professionals translate their expertise outside of work, Cybersecurity Dive asked security leaders which cybersecurity practices are prominent in their personal lives. 

(The comments below have been lightly edited for length and clarity.)

George Gerchow, chief security officer at Sumo Logic

Education and training are two key elements of cybersecurity best practices that have been prominent in my personal life.

My beautiful 81-year-old mother is really savvy in tech and leverages multiple devices in her daily routine. However, she’s unfortunately been known to fall for phishing attacks and social engineering tactics. About five years ago she got a fake email from Apple support letting her know that the devices she had been using had over 100 viruses and malware.

With her password and a nominal fee of $500.00, this “service” said they could clean it up and prevent it from happening again. Needless to say, that was a big lesson for all of us and it really opened my eyes to how little I shared about my job with my parents.

Given my close relationship with my mother, she and I chat every week and we discuss the following:

  • Do not open any links from unknown sources.

  • Do not engage in phone conversations with anyone trying to sell you anything.

  • Passwords should be changed at least every 90 days and should never be shared with anyone. Most importantly, passwords should never be re-used.

  • Lastly, try to stick with phrases that contain mixed characters and numbers and if possible, use a password vault.

Another area of focus is two-factor authentication (2FA). I got this concept embedded into my kids’ authentication processes years ago. My favorite time educating was with my son who has an account on every gaming platform imaginable, Steam, Twitch, XBOX, the list goes on and on. 

We have it all set up to where he gets challenged every 30 days to reauthenticate into those platforms and the 2FA push comes to my email. The same goes for any in-game purchases or upgrades. It gives him a layer of protection that we discuss all the time, which encourages him to call me so I can give him the code while giving me the visibility I need to ensure he is doing the right things.

Bruce Potter, CISO at Expel.io

I think I might be a little different when it comes to the security practices that are important in my personal life.

For starters, I do two-factor authentication on everything I touch and use, which I guess shouldn’t be surprising.

I run my own mail server and recommend others do the same when possible.

A VLAN protects me from IoT devices that tend to be sketchy, particularly from a privacy perspective. Many consumer wireless products allow you to do this today via “guest networks” and similar configurations.

Never use voice-controlled devices! We have a very strict ‘no-voice control’ code in our house for any device that is powered by Alexa, Siri, Cortana or similar tech.

Never configure smart devices like TVs, refrigerators, etc. These embedded systems often lack the necessary security and privacy controls and rarely get updates over their lifetime.

Fleming Shi, CTO at Barracuda Networks

Like work-related online access, I’ve stopped relying on passwords for authentication. As a result, I’ve adopted multifactor authentication (MFA) for all of my personal accounts. In my personal life, I always make sure I’m practicing vigilance when using my own email accounts and never click on links until I am 100% confident they are safe.

To me, this includes researching site reputation and verifying site certificates. In addition, I’m always trying to make sure that I stay current with security patches for my operating systems and always back up important files.

Lastly, I also practice “social-distancing” between work and personal computing activities. More specifically, I try to establish a clear divide between work and home so one doesn’t interfere with the other. We all know that we can make the most costly security errors when we’re not paying attention so I always try to be mindful of that.

Brandon Hoffman, CISO at Intel 471

As a lifelong (adult life) security practitioner, it’s hard to say how much security permeates my personal life versus work life. I think it is fair to say that the longer you spend in this industry, the more paranoid you become, yet also we all become a bit jaded as well.


A favorite, and common, occurrence is directly related to credit card and identity fraud. As you become more exposed to the cybercriminal trade and what the prices of goods and services are on the dark marketplaces, it makes you realize two things.

The first is that it’s only a matter of time before your credit cards and possibly your identity will be for sale. The second is that they will both be staggeringly cheaper than you thought (or, oddly, than you hope they would be). The result of this experience has two diametrically opposed outcomes. Either you become super paranoid about all your data, or you become exceedingly complacent about it and rarely bother to even protect it anymore.


While many of us fall on the complacent/jaded spectrum, the security practitioner in us lives on in frequent scenarios. Anything, and I mean really anything, goes odd with my phone or laptop, and I immediately go into super paranoid responder mode. I start digging into logs, downloading utils and running security processes. This can consume anywhere from an hour or two, or possibly carry me on through dawn. There are just some habits that truly die hard.

The practitioner in me (and many of us) rears its head too during casual conversations with friends. Topics like investing in crypto and being subsequently horrified that anybody would consider using a hosted wallet on an exchange. Or better yet, discussions with other friends who work in non-security related technology that start to talk about security and the “dark web” and our continuous yet unsuccessful attempts to clarify the situation.


By and large, I think having security permeate my life has allowed me to understand effort vs. outcome in a very meaningful way. Certain parts of my life that touch security and that I can have a direct effect upon, I will put in effort. The areas where I know beyond a shadow of a doubt that really, I have little to no control, I have let go of worrying about. If I can’t change/fix it, why stress about it?

I don’t think this parallels work life in a meaningful way. From a work perspective, there are more people to help and more resources to utilize. Ultimately, you know at work that the fight is never over and more effort can always produce a positive outcome.

J.C. Vega, CISO at Devo Technology

There are several practices that I bring home that my family tolerates:

  • Zero trust — I do not allow visitors or friends of my children to log into my primary network and I do not connect to public Wi-Fi. I have no idea what someone is bringing into my home network, which in turn can be used to infect and pivot to my managed enterprise. The same goes with public Wi-Fi: I bring my own hotspot. I wish I could place an N95 equivalent mask on my Wi-Fi connections.
  • The mind of a hacker — I’m always looking at my environment through the lens of an adversary to see how they can gain a competitive advantage from my situation. I turn off “extra” services and features. Not everything needs to be connected.
  • Secure the ecosystem — I share best practices with my neighbors so the community can be safer. If I see a Wi-Fi signal that is configured with default settings, I show them how to update their system. This is especially true of less tech-savvy individuals and the digital natives as well, who understand technology but don’t necessarily apply security.

Brian Johnson, chief security officer at Armorblox

It’s not always good to bring work home, but being in the information security business has some positive impacts at home. I have been able to set up a safe home environment, guide my family on internet best practices and use security news to discuss the impact that my chosen field has on the world. 

Phishing and email impersonation attacks are not just an enterprise business issue. We have all seen these attacks arrive in our personal inbox. My experiences in dealing with these threats have been a great teaching guide to share with my family.  

URL blocking is a technology that has followed me home. URL blocking has a great impact on gatekeeping known malicious sites, adware and unwanted content. This was achieved with basic anti-virus, trusted DNS providers and network controls. I will admit that this is a little advanced for the basic home internet setup, but it was not very difficult and security vendors have made setting this up accessible for home environments as well.

Discussing Trust and Safety at home is a balance. As an information security professional, it’s easy to see all that’s wrong with the internet and miss the basic good. I have found discussing what’s going on in the news — such as the Colonial Pipeline ransomware attack — a useful primer to discuss the impact of cybersecurity and why and how to be prepared. Events like these are tangible teaching aids to help families understand how the technical world impacts the lives of millions of people.

Lucia Milica, global resident CISO at Proofpoint

It may seem so simple, but the best cybersecurity practice I take home is fully protecting my login credentials with a password manager.

Passwords are critical barriers between a consumer and a threat actor. And it’s vital to avoid using the same ID/email address and password login across multiple online services. But we all have so many accounts in so many places, it’s nearly impossible to keep track of all the different passwords floating around in our heads.