Security Experts at Home: No Downtime
There's no rest for computer security professionals, assuming they have one or more computers at home. TechNewsWorld polled some experts in the field to find out how they safeguard their personal systems, and we were surprised at the wide range of responses. Some experts really batten down the hatches, while others rely more on common sense than on security software.
If you want to reach Jim Walden by email, you'll have to ping him at work. Three months ago, he ditched his personal email account because he was concerned about the security implications.
Walden knows security. He's currently the cochair of the white collar practice at Gibson, Dunn & Crutcher and once served as chief of the computer crimes and intellectual property section in the U.S. Attorney's Office for the Eastern District of New York.
Unlike some professionals, Walden never emailed confidential documents to his home account. His concern was that his own personal information that could possibly be maintained on a server outside his control. "So I gave it up -- it makes me feel easier," he told TechNewsWorld.
In short, Walden actually practices what he preaches: Maintain vigilance with home security applications. Practice safe computing. Never send anything confidential unless it is in a password-protected encrypted format that the IT department structured. Double delete -- always double delete.
Walden's precautions aren't particularly surprising, considering his background in Internet security. What's a bit of an eye-opener is that not all computer security professionals share his views on what makes a computer truly secure. One only has to look at the measures a cross-section of such professionals have taken to secure their own home PCs.
On one end of the spectrum, there is Walden. On the other, there is Abe Kleinfeld, CEO of nCircle, who does not like any of the packaged security applications on the market.
"Probably they are good for protecting against 5 percent of what is really out there," Kleinfeld told TechNewsWorld.
"It's more important to practice safe computing and just plain common sense," he said.
Few would argue against safe computing, but is it possible to achieve it without the use of any packaged security software? Yes, suggested Scott Stevenson, founder and CEO of Eliminate ID Theft.
Stevenson works on a Mac.
"Apple computers are not as prone to malware," he told TechNewsWorld. "Also, Macs have layers of protection that also provide security."
For example, a user has to turn on the file-sharing option -- it is not turned on by default, he noted. It is also more difficult to log in as an administrator on a Mac.
Professionals are more inclined to tilt toward Walden's end of the security spectrum with respect to safeguarding their home systems -- especially when it comes to a family computer used by children.
"I watch where I go and make sure I watch where my family goes," said E.J. Hilbert, president of Online Intelligence and former director of security enforcement at MySpace. Hilbert also uses antivirus and antimalware software.
Hilbert has three small children between the ages of two and seven, and he monitors what they do online by setting up profiles that restrict their Web surfing to age-appropriate sites only.
Rob Fitzgerald, founder and president of the Lorenzi Group, maintains a separate computer for his children. Like Hilbert, he monitors it to make sure they are not being contacted by strangers.
For security in general, Fitzgerald said, "I've had good success with SpectorSoft."
Craig Munson, director of support services at Shavlik, has five machines at home that he treats like a corporate network.
"I make sure my firewall is turned on, my AV is current, my wireless is locked down, and that all of my machines are patched," he told TechNewsWorld.
Munson monitors what his kids do online -- he has access to their email and IM accounts.
"I have also taught them to have a healthy fear of what I will do to them if they surf to malicious Web sites, get into chat rooms, or download items they don't have my permission to download," he said.
They learned a valuable lesson recently when one of them downloaded items that corrupted their machine, Munson recalled. "I intentionally let the computer sit unusable for a week before rebuilding it."
Even taking children out of the equation, it is difficult to imagine many professionals in the field taking a relaxed attitude toward security.
Jason Miller, security data team manager at Shavlik goes the usual route: he enables AV, installs a personal firewall, hardens his system , and -- most important, he said -- makes sure his machine is patched.
Also, Miller doesn't let anyone else -- neither family nor friend -- touch his computer. "Better to be safe than to become infected and have to spend hours rebuilding my machine," he told TechNewsWorld.
"I also make sure I don't browse to evil Web sites and that my passwords are fully encrypted and include random characters that are not easy for a hacker to guess," he said.
"The reason home users get hacked is because they often don't have their machines secured," explained Miller. "They are missing patches, their AV is out of date and they don't know it, and they are not careful about the sites they are going to on the Internet. They also often use passwords that are easy for people to guess."
West Coast Labs Director of Research Lysa Myers approaches security with a combination of tools: "There's protection at my ISP level; there's a firewall at the router level -- plus AV software. And then there's the choice of software. I use Firefox, as well as OS X, which really decreases the number of malware [exposures]."
Most importantly, Myers said, she maintains a healthy sense of online paranoia, sometimes taking it to what might seem like an extreme.
"A friend of mine from overseas was trying to be sneaky and send me a present," she told TechNewsWorld. "He was trying to 'socially engineer' my address out of me, and -- not because I objected to him having it but because it's such second nature for me to avoid giving out personally identifiable information -- I ended up giving him a geography-of-my-town lesson instead."
While some security professionals do not appear to have much faith in packaged or SaaS security applications, many put great faith in them.
"My experience has been that F-Secure has the absolute fastest response times to new threats, and their application automatically updates at startup, so I never need to worry about whether my systems are protected," Crosley told TechNewsWorld.
Some of the competing desktop products seem to be real resource hogs, but F-Secure is very streamlined, he added.
"I also like that F-Secure Internet Security includes a firewall that is sometimes easier to deal with than the one built into Windows. I don't tend to use the built-in antispam features, as I often want to see what interesting new types of spam are coming in to my personal accounts, but I do configure it such that email gets scanned for malware -- which is essential, given how aggressive today's blended threats have become."
Ondrej Vlcek, CTO of Alwil Software uses his company's Avast antivirus tool, together with a browser virtualization application for an extra layer of protection.
Vlcek takes other security measures as well, such as using Firefox 3.0 as his main browser and reading email on Microsoft Outlook --- configured so that all the messages are rendered as plain text.
"I also have a HIPS-type application installed, but I keep it disabled most of the time," he told TechNewsWorld.
"Last but not least, I use the firewall built into Windows Vista, which I have manually tweaked to provide two-way protection -- inbound and outbound," he said. "For backups, I have a Windows Home Server in place that takes care of everything nightly."
Richard Stiennon, chief research analyst at IT-Harvest uses Windows XP on his Dell laptop -- along with two additional protections to the embedded Windows firewall: antivirus from AVG and SpySweeper from Webroot software.
"Between the two of them they catch everything," Stiennon told TechNewsWorld. "Of course, I allow Microsoft updates and install them as soon as they are available. I also use the 3G access from Verizon when I am on the road to avoid issues with hotel networks and public WiFi access."
As president of NISG, Dinerman occasionally hears about colleagues who don't feel the need to use anything other than their own wits when surfing online," he told TechNewsWorld.
"They think they have locked down their systems tight enough that they just don't need it," he said. "I don't agree with that -- things happen, new viruses or malware comes out and so on. I will always want a firewall and antispyware if for no other reason than to test a system."