Safe at Home: CISOs on Security for Home PCs and Networks

CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home computer systems.

By

March 01, 2005

CSO — Once upon a time, home life and work life were completely separate for most employees. Well, that's what they tell us, anyway. Whether that's a true story or a fairy tale, it's clearly not the case today. More and more employees do some or all of their work from home. And they use those same home computers to surf, shop and bank on the Net. And for instant messaging. And to download music files and games and heaven-knows-what-all. And, this is the killer, even when Jack the Accountant knocks off for the evening, often Jack Jr. hops into the desk chair and fires up the browser. So whatever scumware Jack Jr. dredges up off the bottom of the Web may very well get dropped onto the corporate network the next time Dad logs in.

Of course, every sane organization has a corporate policy in place regarding what employees should and should not do with their computers, mandating not just antivirus software but a host of other protections. But anecdotal evidence suggests, ahem, less than 100 percent compliance. A good number of workers fail to implement all those mandated safeguards, in some cases because they lack technical expertise, and in others perhaps because they simply think the threats aren't as threatening as security wonks would like them to believe.

So CSO thought it would be valuable to look at how CISOs handle the computer security needs of their own homes. We asked three infosecurity leaders for a highly detailed list of the security products and practices they actually use, not because policy compels them but because these are the tools and steps they consider necessary to keep their own computers safe. The three responses that follow represent a range, from mildly cavalier to extremely thorough. (Only the guy in the middle of that range, Dan Lohrmann, CISO of the state of Michigan, opted to let us reveal his identity.) CSO readers will find their responses valuable as pass-along material for corporate employees, who can identify the setup similar to their own and note how that CISO approaches home computing security.

1. CISO of a Fortune 500 transportation company
Straightforward Setup, Simple Solutions

Our first CISO, whose company requested anonymity, has a fairly simple home computing setup: two computers, which are not networked to each other. His kids are away at college, so there are no teenagers downloading and IMing on his systems.

These factors create a situation in which the CISO is comfortable using fairly limited security technology. However, he's religious about certain key measures: cautiously configured firewall software, frequently updated antivirus and antispyware programs, and great caution with e-mail.

Nontechnical employees with less complex home computing environments will find this example easy to emulate (and effective too) if they take their cue from his disciplined approach to antivirus, antispyware and procedural safeguards.

The Setup

What he has: One PC (Pentium 4) and one laptop (Dell Inspiron), both running Windows XP without Service Pack 2 (at least not yet). No local area network in place at home, although he is testing wireless.

How he connects: Broadband cable modem. Connects to work via a virtual private network (VPN).

About the family: Wife is a power user of Microsoft Office, Microsoft Print Shop and the Web, and the kids use the computer extensively when they are home from college. The family makes some online financial transactions using applications from their financial services supplier. They don't use instant messaging.

How he handles backups: Iomega products, a USB token and CD writer on the laptop.

Tech Talk

Relies on the security protection provided by his ISP, Cablevision's Optimum Online. Tried Norton AntiSpam but could not install it effectively on Windows XP. It was affecting broadband performance, so he removed it and relies instead on the broadband service provider's implementation of Brightmail Anti-Spam. The broadband provider also blocks most pop-ups.

Uses Symantec's Norton AntiVirus and Norton Internet Security on the laptop, and ZoneAlarm Pro and the Norton AntiVirus on the desktop. LiveUpdate runs automatically every Friday night to update virus definitions.

Uses PestPatrol and Spybot Search & Destroy to combat spyware and adware. Both automatically run at least once per week.

Web browsers at their default privacy and security settings.

Does not use any Web monitoring or ISP-blocking programs, because only adults live at home.

Practicals

Encryption: The CISO encrypts only Quicken financial files.

Passwords: The family uses strong, frequently changed passwords for online financial accounts and "ease-of-use passwords" for online shopping and e-mail. "I don't really practice what I preach at work," he admits. "Users at home complain too much."

Policies: Has instituted a "just say no" policy to any program requesting to act as a server or to access the Internet that is not explicitly authorized to do so. Family members do not store sensitive personal information such as passwords and account numbers on the hard drive, nor are they supposed to open any e-mail unless they know who sent it.

The Kid Factor

"The kids understood ['safe computing' concepts] fine, but they used old Napster and Kazaa anyway, until they got burned. Now they are more careful," says this CISO. And what about when other people's kids visit the CISO's home? "We physically lock up the machines."
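The "just say no" rule above is a default-deny policy: a program may reach the Internet or listen as a server only if it is on an explicit allow-list. The following is an added illustration, not code from the article or from any of the products it names, that models how a personal firewall evaluates such a policy. The program names, ports and allow-list entries are constructed sample values.

```python
"""Default-deny outbound/listen policy evaluator (added example, not from the article).

Every request to reach the Internet or to act as a server is refused unless the
exact (program, direction, port) triple has been explicitly authorized. A log of
verdicts lets the household see which unexpected programs tried to get out.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    program: str    # executable name as the firewall reports it
    direction: str  # "outbound" (client connection) or "listen" (acting as a server)
    port: int       # remote port for outbound, local port for listen


# Explicit authorizations. Anything not listed here is denied.
# Constructed sample allow-list: mail client, browser, VPN client, AV updater.
ALLOW: Set[Tuple[str, str, int]] = {
    ("outlook.exe", "outbound", 25),
    ("outlook.exe", "outbound", 110),
    ("iexplore.exe", "outbound", 80),
    ("iexplore.exe", "outbound", 443),
    ("vpnclient.exe", "outbound", 500),
    ("liveupdate.exe", "outbound", 80),
}


def decide(req: Request) -> str:
    """Return 'allow' only on an exact allow-list match; everything else is 'deny'.

    The match is per program, so an unknown program is refused even on a port
    (such as 80) that an authorized program is allowed to use.
    """
    return "allow" if (req.program, req.direction, req.port) in ALLOW else "deny"


def evaluate(requests: Iterable[Request]) -> List[Tuple[Request, str]]:
    """Apply decide() to each request and return (request, verdict) pairs as an audit log."""
    return [(r, decide(r)) for r in requests]


def denied_programs(requests: Iterable[Request]) -> Set[str]:
    """Programs refused at least once: the list a cautious user reviews for surprises."""
    return {r.program for r, verdict in evaluate(requests) if verdict == "deny"}


# Constructed sample of one evening's connection attempts.
SAMPLE: List[Request] = [
    Request("iexplore.exe", "outbound", 443),     # browsing the bank site: allowed
    Request("outlook.exe", "outbound", 110),      # fetching mail: allowed
    Request("liveupdate.exe", "outbound", 80),    # weekly definition update: allowed
    Request("kazaa.exe", "listen", 1214),         # file-sharing client wants to serve: denied
    Request("unknownupdater.exe", "outbound", 80),  # unlisted program on a web port: denied
    Request("iexplore.exe", "listen", 8080),      # browser asking to act as a server: denied
]


if __name__ == "__main__":
    for req, verdict in evaluate(SAMPLE):
        print(f"{verdict:5}  {req.program:20} {req.direction:8} port {req.port}")
    print("denied programs:", sorted(denied_programs(SAMPLE)))
```

The point the example makes is that the decision is keyed on the program, not only on the port: a web port is not a free pass for software nobody authorized, and a trusted browser still gets refused when it asks to listen.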

2. CISO, State of Michigan, Dan Lohrmann
