If you want to reach Jim Walden by email, you’ll have to ping him atwork. Three months ago, he ditched his personal emailaccount because he was concerned about the security implications.
Walden knows security. He’s currently the cochair of the white collar practice at Gibson, Dunn & Crutcher and once served as chief of the computer crimes and intellectual property section in the U.S. Attorney’s Office for the Eastern District of New York.
Unlike some professionals, Walden never emailed confidential documents to his home account. His concern was that his own personal information that could possibly be maintained on a server outside his control. “So I gave it up — it makes me feel easier,” he told TechNewsWorld.
In short, Walden actually practices what he preaches: Maintain vigilancewith home security applications. Practice safe computing. Never send anything confidential unless it is in a password-protected encrypted format that the IT department structured. Double delete — always double delete.
Wide Range
Walden’s precautions aren’t particularly surprising, considering his background in Internet security. What’s a bit of an eye-opener is that not all computer securityprofessionals share his views on what makes a computer truly secure. One only has to look at the measures a cross-section of such professionals have taken to secure their own home PCs.
On one end of the spectrum, there is Walden. On the other, there is Abe Kleinfeld,CEO of nCircle, who does not like any of the packaged security applications on the market.
“Probably they are good for protecting against 5 percent of what is really out there,” Kleinfeld told TechNewsWorld.
“It’s more important to practice safe computing and just plain common sense,” he said.
Few would argue against safe computing, but is it possible to achieve it without the use of any packaged security software? Yes, suggested Scott Stevenson, founder and CEO of Eliminate ID Theft.
Stevenson works on a Mac.
“Apple computers are not as prone to malware,” he told TechNewsWorld. “Also, Macs have layers of protection that also provide security.”
For example, a user has to turn on the file-sharing option — it is not turned on by default, he noted. It is also more difficult to log in as an administrator on a Mac.
Kid Safe
Professionals are more inclined to tilt toward Walden’s end of the security spectrum with respect to safeguarding their home systems — especially when it comes to a family computer used by children.
“I watch where I go and make sure I watch where my family goes,” said E.J. Hilbert, president of Online Intelligence and former director of security enforcement at MySpace. Hilbert also uses antivirus and antimalware software.
Hilbert has three small children between the ages of two and seven, and hemonitors what they do online by setting up profiles that restrict their Web surfing to age-appropriate sites only.
Rob Fitzgerald, founder and president of the Lorenzi Group, maintains a separate computer for his children. Like Hilbert, he monitors itto make sure they are not being contacted by strangers.
For security in general, Fitzgerald said, “I’ve had good success with SpectorSoft.”
Craig Munson, director of support services at Shavlik, hasfive machines at home that he treats like a corporate network.
“I make sure my firewall is turned on, my AV is current, my wireless is lockeddown, and that all of my machines are patched,” he told TechNewsWorld.
Munson monitors what his kids do online — he has access to their email and IM accounts.
“I have also taught them to have a healthy fear of what I will do to them if they surf to malicious Web sites, get into chat rooms, or download items they don’t have my permission to download,” he said.
They learned a valuable lesson recently when one of them downloaded items that corrupted their machine, Munson recalled. “I intentionally let the computer sit unusable for a week before rebuilding it.”
Active Paranoia
Even taking children out of the equation, it is difficult to imaginemany professionals in the field taking a relaxed attitude toward security.
Jason Miller, security data team manager at Shavlik goes the usual route: he enables AV, installs a personal firewall, hardens his system, and — most important, he said — makes sure his machine is patched.
Also, Miller doesn’t let anyone else — neither family nor friend — touch his computer. “Better to be safe than to become infected and have to spend hours rebuilding my machine,” he told TechNewsWorld.
“I also make sure I don’t browse to evil Web sites and that mypasswords are fully encrypted and include random characters that arenot easy for a hacker to guess,” he said.
“The reason home users get hacked isbecause they often don’t have their machines secured,” explained Miller. “They aremissing patches, their AV is out of date and they don’t know it, and they are not careful about the sites they are going to on the Internet. They also often use passwords that are easy for people to guess.”
West Coast Labs Director of Research Lysa Myers approaches security with a combination of tools: “There’s protection at my ISP level; there’s a firewall at the router level — plus AV software. And then there’s the choice of software. I use Firefox, as well as OS X, which really decreases the number of malware [exposures].”
Most importantly, Myers said, she maintains a healthy sense of online paranoia, sometimes taking it to what might seem like an extreme.
“A friend of mine from overseas was trying to be sneaky and send me apresent,” she told TechNewsWorld. “He was trying to ‘socially engineer’ my address out of me, and — not because I objected to him having it but because it’s such second nature for me to avoid giving out personally identifiable information — I ended up giving him a geography-of-my-town lesson instead.”
Packaged Software
While some security professionals do not appear to have much faith inpackaged or SaaS security applications, many put great faith in them.
Keith R. Crosley, director of market development atProofpoint, uses F-Secure Internet Security 2009 on all of his machines — currently a desktop, laptop and a netbook.
“My experience has been that F-Secure has the absolute fastest responsetimes to new threats, and their application automatically updates atstartup, so I never need to worry about whether my systems areprotected,” Crosley told TechNewsWorld.
Some of the competing desktop products seem to be real resource hogs,but F-Secure is very streamlined, he added.
“I also like that F-Secure Internet Security includes a firewall that is sometimes easier to deal with than the one built into Windows. I don’t tend to use the built-in antispam features, as I often want to see what interesting new typesof spam are coming in to my personal accounts, but I do configure it such that email gets scanned for malware — which is essential, given howaggressive today’s blended threats have become.”
Ondrej Vlcek, CTO of Alwil Software uses his company’s Avast antivirus tool, together with a browser virtualization application for an extra layer of protection.
Vlcek takes other security measures as well, such as usingFirefox 3.0 as his main browser and reading email on Microsoft Outlook —configured so that all the messages are rendered as plain text.
“I also have a HIPS-type application installed, but I keep it disabledmost of the time,” he told TechNewsWorld.
“Last but not least, I use the firewall built into Windows Vista, which I have manually tweaked to provide two-way protection — inbound and outbound,” he said. “For backups, I have a Windows Home Server in place that takes care ofeverything nightly.”
Richard Stiennon, chief research analyst at IT-Harvest uses Windows XPon his Dell laptop — along with two additional protections to theembedded Windows firewall: antivirus from AVG and SpySweeper fromWebroot software.
“Between the two of them they catch everything,” Stiennon told TechNewsWorld. “Of course, I allow Microsoft updates and install them as soon as theyare available. I also use the 3G access from Verizon when I am on the road to avoidissues with hotel networks and public WiFi access.”
For his part, Brad Dinerman, president of Fieldbrook Solutions and founder and president of the National Information Security Group, uses Sunbelt Vipre.
As president of NISG, Dinerman occasionally hears aboutcolleagues who don’t feel the need to use anything other than theirown wits when surfing online,” he told TechNewsWorld.
“They think they have locked down their systems tight enough that theyjust don’t need it,” he said. “I don’t agree withthat — things happen, new viruses or malware comes out and so on. Iwill always want a firewall and antispyware if for no other reasonthan to test a system.”