In the press: Infosecurity – Do you eat your own dog food?

January 17th, 2012


How many traffic policemen never exceed the speed limit when off duty?

How many vicars don’t swear? And how many IT security professionals practice what they preach? No, seriously, do you eat your own dog food? That’s the question Davey Winder has been asking of infosec professionals in an attempt to determine just how secure security experts really are away from the office.

An Inconvenient Truth

Surely, at home, the infosec professional will sometimes opt for convenience over absolute security? For example, what about mobile banking? It offers great convenience, but everyone in the security field knows there are risks attached.

Robert Rutherford is Chief Executive of IT consultancy QuoStar Solutions and was very honest when he admitted that he does risk analysis on the fly, telling us that “you just have to balance the impact of something happening against the likelihood of that something happening. If I need to connect a personal device to an unsecured wireless network while on holiday or in a hotel to do some internet banking, then I will, and I don’t think about it”.

That said, Rutherford also revealed that it’s unlikely he would access his internet banking at a shared cyber-café, due to the blatant risk of keyloggers, screen recorders and other spyware – so all is not lost.

“At the end of the day there is a risk in everything”, Rutherford concludes. “You can argue that nowhere is truly safe, but that’s life, and you can’t be paralyzed by fear. I don’t take unnecessary risks, of course, and do take sensible precautions. For example, I’ll VPN into work with two-factor authentication, nothing is stored locally on my devices unprotected, the devices are firewalled, encrypted, have protection systems in place, and so on.”

John Knowles, MD of DMW Information Security, also admits to using online banking via a hardware token for authentication, which reduces the risk, but not completely. “I bank only from one device, which I don’t use for other purposes”, Knowles explains. “This reduces the risk again. I don’t keep any passwords or account details on a PC; instead I use a secure USB stick with Password Safe on it. I bank with a bank that has online banking guarantees, and I read my statements carefully”.

Knowles also makes a point of not using cloud services for primary storage of key stuff like photos or home videos, although his home backups are cloud-based and encrypted. “Backup is so essential”, Knowles warns. “The automation and the fact the data is out of the house even caters to the doomsday scenario of house fires.”

Mobile Mayhem

Being informed goes pretty much hand in hand with being mobile these days, to the point where we put it to our panel of experts that it isn’t really advisable, or even possible, to separate home from work when it comes to information security. Robert Rutherford was first to answer, responding that “you shouldn’t typically be using home devices to access corporate systems, neither should you allow others to use your corporate devices for personal use.”

He argues that the consumerization of IT is, as far as uncontrolled BYOD (bring your own device) is concerned, “typically madness”. After all, Rutherford says, “how do you enforce encryption from the corporate level on someone’s personal phone? How do you know that the home PC you are connecting into the business on isn’t riddled with trojans and spyware?” He concludes that “on virtually every level, it’s better to split home life and work.”

See the full original article here: