Episode 67: Working Safe Online and On The Road
Amrit Williams, BigFix CTO, discusses how to work remotely while maintaining a secure online environment with Mike Rothman, founder of Security Incite.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Founder, President, and Principal Analyst with Security Incite, Mike Rothman.
Hey Mike! How are you doing today man? It’s good to talk to you again.
Mike Rothman: I am doing great, I am doing great.
Amrit Williams: So I wanted to just sort of jump into a couple of things. One of the things, you wrote a post recently on Security Incite about where you work in the afternoons, and a lot of your work probably is done out of the house. I know when I worked from home I had to get out of the house a lot too to distract myself and sort of detach myself from the personal stuff.
But I was thinking as I was reading that, what does a guy like you, or telecommuters, independent consultants, how do you guys think about security, improving your security, maintaining the health of your systems; you clearly are relying on technology? So I wanted to start going down that path and have you talk a little bit about what your experience has been and give some advice to folks that are in a similar situation.
Mike Rothman: Yeah. Sure. That’s actually a great point, because — obviously I am reasonably technical. I am not going to sit like mobile with my evil twin setup, to kind of hijack folks’ Wi-Fi connections while I am at a coffee shop or the like. But obviously I am pretty sensitive to making sure that, one, my data is protected, my machine isn’t compromised, and ultimately, that the customer data that I have is not at risk.
So I take a couple of different precautions that I use, and a lot of it will depend on where I am. Part of it, I would say, gets into the security discussion. I think a lot of it gets into what I will call business continuity, because that’s something that’s also very important, especially for independent contractors and folks that don’t have a big IT department behind them.
So we can kind of hit these in a number of different terms. But from a security standpoint, I take some reasonable precautions. I have my machine; and I happen to use Mac, so I have it reasonably hardened, meaning kind of — I use a firewall. I use both the built-in application firewall, as well as kind of a network layer firewall to make sure I am blocking connections that go in and out.
I do not use antivirus, but obviously I am pretty sensitive to not clicking on things. Phishing emails and those kinds of activities, I tend not to do on just a daily course of business.
But from a connectivity standpoint, in many cases I actually do use the Wi-Fi, but I use a VPN service behind that. So what that does is that connects my machine to a place out into the Cloud, that then obscures my IP address, provides an encrypted tunnel between my device and the traffic I am sending out on to the Internet, into that VPN service. I use a service, I think that’s called Anchor. So from that standpoint, again, I am taking some reasonable precautions, but I am not going nutty.
Now, let me contrast that to when I go to a security conference. At a security conference I would not connect into a Wi-Fi type of network. So I have a remote wireless 3G service that I use from Verizon, and obviously I only connect exclusively through that when I know that there are people around that can hack my stuff.
Amrit Williams: It’s interesting when you are talking about the Wi-Fi and the VPN service, I kept thinking, why isn’t he just using a 3G card?
Mike Rothman: Well, it gets back to performance. I mean, a lot of the 3G networks, and if anybody has used say AT&T’s, it’s pretty crappy on a daily basis. Verizon, certainly, depending on where you are, has its issues as well.
So again, I will. I am not one of these guys that’s religious one way or the other. I think there is a huge amount of convenience to some of these public Wi-Fis, but I use the VPN service to, again, obscure where I am going and encrypt the traffic that I am sending.
Amrit Williams: Yeah, that makes a lot of sense, and I have got to tell you that running around the world with my 3G card is spotty at best.
Mike Rothman: Right, you bet.
Amrit Williams: It’s not there.
Mike Rothman: So that’s the security. Now, again, if folks are using Windows, obviously I would have some kind of Windows Security Suite on there, and we can debate back and forth as to whether AV works or not, but I think having some anti-spam and email stuff in there, having a personal firewall that’s activated on machine, these are all important things. So if you do use Windows, I would look at that kind of stuff also.
Amrit Williams: Now, what about, you mentioned earlier backup and recovery or business continuity. How do you deal with basically data storage, data archival, and data retrieval?
Mike Rothman: Yeah, I actually have a number of different machines. Since I am kind of an independent contractor so to speak, I have a desktop machine, I have a laptop that I travel around with, and I have, we will call it a server, it’s an old PC, but I use it pretty much for file servers. I use basically replication technology to keep my important folders in sync across all three of those different machines.
So one, obviously if I am sitting at my desk and I am using my desktop, I have got the same files as when I am sitting in front of my laptop, because all of these things are replicated and synchronized in real time. But I also replicate to that server device, that then I have backed up into the Cloud using — I personally use a service called Carbonite, but there is Mozy, and a number of other ones. Dropbox is another one of these synchronization tools that some folks use.
But what I found, and this has actually saved my behind on a number of occasions, listen, if you do enough of this stuff, and you travel around enough, you are going to lose drives. Having all of that data replicated means that I can pretty much do, in effect, a bulk copy and be up and running and productive, probably within an hour with the new drive install.
So for me, it’s really about business continuity more than it is about security, and that means I have got to be able to get my files, so I keep them in a number of different places to minimize the chance that I will have just a catastrophic data loss.
Amrit Williams: Now, this may sound like an odd question, but there was actually a series of, I don’t know, high profile thefts of laptops in coffee shops, and these guys were getting quite aggressive, they were literally waiting for a guy to sit down with a laptop and then going up and stabbing them.
Mike Rothman: Okay, that’s pretty aggressive.
Amrit Williams: Yeah, I am not sure it gets much more aggressive than that. So I guess my question is around physical security, because you spend probably the majority of your time outside of your own perimeter, so to speak, traveling around. How do you think about physical security? How do you think about, you are sitting in Starbucks, you are sort of tethered to your device, you have got to take it with you everywhere, you can’t just leave it there as you go to the bathroom or whatnot.
Mike Rothman: Although, it really does amaze me that people will just get up, they will walk outside, they will take a call, they will go to the loo, just leave their laptop there.
Amrit Williams: Quite shocking. People leave their laptop open, they walk away.
Mike Rothman: Anybody that does what we do it’s just like — I mean, that’s heresy. But what I do, I take reasonable precautions. So if I have a choice — today I wrote about the fact that half the time I can’t get a seat in Starbucks anymore, because either this whole telecommuting thing is either working, or there are so many folks that can’t find jobs, all they can do is sit at Starbucks all day.
So if I have a choice to seat obviously, I would go as far away from the door as I can. I always sit towards the door, so I can see what’s coming at me. Again, typical personal safety things that you can do.
And ultimately, again, I look at the asset, Amrit, I look at it and say, okay, my machine is pretty high-end, it costs me $2,000, I think, it’s not worth getting killed over. So if somebody says, I want your device. Great man, have at it. I mean, I use encryption on the device, so I use the Mac version of that, that works on your device. I have a very strong password to access the machine. It’s always locked. So I think the timeout is like two minutes, so if I am not using it for two minutes, it will lock up.
So those are the simple things that you can do. It all gets back to risk analysis and kind of figuring out how much you want to go, how deeply do you want to go to restrict your access or your ability to do things, versus what the true attack vectors and security risk happen to be. Again, I tend to be pretty mellow about that, especially for a security person, but ultimately I just — to me, I think, it’s a pretty small risk.
Amrit Williams: So sort of shifting gears a little bit, but on that same topic, what about just personal family use online. Do you bank online, you do credit card transactions online, you are buying presents online?
Mike Rothman: All of the above.
Amrit Williams: Any concerns, any extra precautions you have started taking over the last couple of years?
Mike Rothman: Yeah, I do. I do. So obviously I have parental controls set up on the kids’ machines. My oldest daughter, when she started to read, happens to be into science fiction and stuff, so she would find on StarWars.com, for example, some movies that I wouldn’t say were really appropriate for a six-year-old or a seven-year-old.
From a data protection standpoint, obviously I am always checking the validity of the certificate; not that, that can’t be spoofed, but it’s hard to do, and fairly unlikely that you would do that.
If the bank, if my bank or my credit card company has an option to use some kind of either Two Factor, or more likely a Passface type of thing, which would provide an additional layer of authentication, I would do that.
But mostly what I do Amrit is I use extraordinarily strong passwords. So for anything that’s important I use anywhere from a 25 to a 35 digit random number that I use with an application on the Mac, that’s called 1Password, that I can’t recommend highly enough. I know there is one called RoboForm for Windows users. That gives me the ability to, one, have individual passwords for every one of those sites. So it’s not, if somebody compromises 1Password, I am not at risk so that they are going to pretty much run the table for all of my personal accounts, but it also just takes brute force off of the table. It would take an unbelievable amount of computing power to try to do a brute force attack on a 25-digit random password. So that’s pretty much what I do on that front.
It’s funny, my wife is just like — she wanted to buy something on Amazon and I have the prime membership, she is like, what’s your password, let me get on Amazon and buy something? And I am like, I don’t know. What? Then it became this big fight, because she thought I was holding out on her. You are not telling me your password, what are you hiding? And I am like, no, no, no, no.
Then I actually opened up the application and showed her, I am like, here’s my password, and it was like 40 characters or something like that. So for the two minutes, it was brutally painful, for the next five minutes as I was explaining the situation, it was interesting, and then she sort of understood.
But I think for most of the common folks out there the best thing you can do is use separate passwords and make them as strong as possible to protect your financial application. But it’s too convenient. Again, for a guy like me that really doesn’t like people, the more I can do either anonymously in a coffee shop or from the comfort of my own desk, the better that’s going to be, I think, for everybody.
Amrit Williams: Well, it’s interesting, when I am asked about online banking from friends and family, I just tell them not to do it. I can give them a whole list of things that they can do to be secure. I bank online myself, but the level of sophistication that some of these folks have in terms of trying to manipulate and get access to your money, I mean they are doing man-in-the-middle attacks, where they are basically riding the back of your current transaction and transferring. They are even figuring out ways to manipulate the payout, so you don’t notice when you look at your bank account that anything is even happening.
I mean, it’s pretty scary, and for me and you and folks like us, I think we have got a level of sophistication. They will probably sniff some of my stuff out, and if it happens, we would probably limit the impact. But I am certainly not suggesting to my mom she should do anything but stay offline as far as banking is concerned, because I just don’t think she has any of the capacity to deal with it if something were to happen.
Mike Rothman: Yeah. I mean, that’s certainly a legitimate perspective. Just to give another example. My in-laws don’t have an ATM card, so there is a continuum there Amrit. I think my in-laws are maybe on one end of it, there are other folks that are probably on the other end. As with most things, I think that there is somewhere in the middle where we should probably try to find a path.
Amrit Williams: Well, I know my grandpa is still trying to barter goats and cows, so I don’t know. Hopefully one day he will move to paper money.
Mike Rothman: That’s right. It’s all good.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.


