Safe at Home: CISOs on Security for Home PCs and Networks

CISOs are always pushing computer security policies. We asked three of them to forget the policies and show us how they handle security on their own home computer systems.

Once upon a time, home life and work life were completely separate for most employees. Well, that's what they tell us, anyway. Whether that's a true story or a fairy tale, it's clearly not the case today. More and more employees do some or all of their work from home. And they use those same home computers to surf, shop and bank on the Net. And for instant messaging. And to download music files and games and heaven-knows-what-all. And (this is the killer) even when Jack the Accountant knocks off for the evening, often Jack Jr. hops into the desk chair and fires up the browser. So whatever scumware Jack Jr. dredges up off the bottom of the Web may very well get dropped onto the corporate network the next time Dad logs in.

Of course, every sane organization has a corporate policy in place regarding what employees should and should not do with their computers, mandating not just antivirus software but a host of other protections. But anecdotal evidence suggests, ahem, less than 100 percent compliance. A good number of workers fail to implement all those mandated safeguards, in some cases because they lack technical expertise, and in others perhaps because they simply think the threats aren't as threatening as security wonks would like them to believe.

So CSO thought it would be valuable to look at how CISOs handle the computer security needs of their own homes. We asked three infosecurity leaders for a highly detailed list of the security products and practices they actually use, not because policy compels them but because these are the tools and steps they consider necessary to keep their own computers safe. The three responses that follow represent a range, from mildly cavalier to extremely thorough. (Only the guy in the middle of that range, Dan Lohrmann, CISO of the state of Michigan, opted to let us reveal his identity.) CSO readers will find their responses valuable as pass-along material for corporate employees, who can identify the setup similar to their own and note how that CISO approaches home computing security.

1. CISO of a Fortune 500 transportation company

Straightforward Setup, Simple Solutions

Our first CISO, whose company requested anonymity, has a fairly simple home computing setup: two computers, which are not networked to each other. His kids are away at college, so there are no teenagers downloading and IMing on his systems.

These factors create a situation in which the CISO is comfortable using fairly limited security technology. However, he's religious about certain key measures: cautiously configured firewall software, frequently updated antivirus and antispyware programs, and great caution with e-mail.

Nontechnical employees with less complex home computing environments will find this example easy to emulate (and effective too) if they take their cue from his disciplined approach to antivirus, antispyware and procedural safeguards.

The Setup

What he has: One PC (Pentium 4) and one laptop (Dell Inspiron), both running Windows XP without Service Pack 2 (at least not yet). No local area network in place at home, although he is testing wireless.

How he connects: Broadband cable modem. Connects to work via a virtual private network (VPN).

About the family: Wife is a power user of Microsoft Office, Microsoft Print Shop and the Web, and the kids use the computer extensively when they are home from college. The family makes some online financial transactions using applications from their financial services supplier. They don't use instant messaging.

How he handles backups: Iomega products, a USB token and a CD writer on the laptop.

Tech Talk

Relies on the security protection provided by his ISP, Cablevision's Optimum Online. Tried Norton AntiSpam but could not install it effectively on Windows XP; it was affecting broadband performance, so he removed it and relies instead on the broadband provider's implementation of Brightmail Anti-Spam. The broadband provider also blocks most pop-ups.

Uses Symantec's Norton AntiVirus and Norton Internet Security on the laptop, and ZoneAlarm Pro and Norton AntiVirus on the desktop. LiveUpdate runs automatically every Friday night to update virus definitions.

Uses PestPatrol and Spybot Search & Destroy to combat spyware and adware. Both automatically run at least once per week.

Web browsers at their default privacy and security settings.

Does not use any Web monitoring or ISP-blocking programs, because only adults live at home.

Practicals

Encryption: The CISO encrypts only Quicken financial files.

Passwords: The family uses strong, frequently changed passwords for online financial accounts and "ease-of-use passwords" for online shopping and e-mail. "I don't really practice what I preach at work," he admits. "Users at home complain too much."

Policies: Has instituted a "just say no" policy to any program requesting to act as a server or to access the Internet that is not explicitly authorized to do so. Family members do not store sensitive personal information such as passwords and account numbers on the hard drive, nor are they supposed to open any e-mail unless they know who sent it.

The Kid Factor

"The kids understood ['safe computing' concepts] fine, but they used old Napster and Kazaa anyway, until they got burned. Now they are more careful," says this CISO. And what about when other people's kids visit the CISO's home? "We physically lock up the machines."

2. CISO, State of Michigan, Dan Lohrmann

More Systems, Kids, Defenses

Our second example ratchets up the complexity of the setup involved, both in technical and human terms: CISO Dan Lohrmann has three computers and two teenage kids who live at home.

And so he has more safeguards in place, including an RSA Security SecurID token required (along with a password) for logging in to work. He's big on patches and down on cookies; he does not allow websites to put a cookie on his machine unless absolutely necessary. Users with any degree of complexity in their home setup should take a gander at Lohrmann's precautions, and anyone with kids will appreciate his smart advice for helping make family members part of the solution.

The Setup

What he has: Three standalone PCs, running either Windows XP with Service Pack 2 or Windows ME. All have Internet Explorer.

How he connects: Dial-up, due to his fairly remote location. Connects to work using a VPN and two-factor authentication. No wireless.

About the family: In addition to basics such as the Web and e-mail, the Lohrmann family uses Microsoft Money and does some online banking and E-Trade transactions.

How he handles backups: Symantec's Norton SystemWorks 2005 software.

Tech Talk

Relies on Norton AntiVirus (part of SystemWorks) along with the free version of ZoneAlarm personal firewall software. The systems are set up to check for automatic updates on these products as well as Microsoft patches.

Uses the spam filter built into his ISP's e-mail.

Runs a spyware removal tool, Spybot Search & Destroy, every two to three weeks.

Doesn't usually use a pop-up blocker; says "they've caused more problems than they've solved."

Uses ISP-blocking software to control his teenagers' Internet use.

Practicals

Encryption: He encrypts some information, including the family's Microsoft Money files, though not nearly as much as he does on his work computer.

Passwords: He encourages family members to use alphanumeric passwords of at least eight characters, adding special characters where sites call for them, and he uses two-factor authentication for work-related sites.

Web hygiene: Clears out cookies and temporary Internet files every two to three weeks. In general, he turns off cookies, unless he specifically needs them in order to use a particular website. As needed, he customizes his privacy settings to not allow scripts to run.

The rules: "Things at my home are very similar to what we tell employees to do. We inform state employees of cyberrisks through awareness training, and we do block porn and spyware sites with SurfControl. However, we still see violations of our security policy, and we enforce our security policies through HR discipline."

Don't overlook: "When I'm at conferences, I generally do not trust 'shared computers' that are available for e-mail in cybercafés."

The Kid Factor

"We watch our kids when they surf. Our computers are in common areas like our kitchen. I encourage my kids to ask questions, and I've taken them through some basic training on dos and don'ts. My daughters chat only with known friends and not strangers online. I find my war stories from work have a big effect on their online behavior. They know where they are allowed to go, and that's where they stay. I also show them newspaper articles and occasionally take them to security conferences with me. They become ambassadors for safe online behaviors at their schools and with friends."

3. CISO of a health-care company in the Midwest

Complexity Breeds Caution

Our third CISO has the most complex home computing setup and takes the greatest pains to keep intruders out. He pays detailed attention to each family member's computing needs and tailors his security setup to allow or ban various types of traffic. His setup may not seem practical for any but the most sophisticated computer user. Then again, anyone who needs a complex home network should be willing to invest the time to learn how to secure it.

The Setup

What he has: Three desktops, one personal laptop and one business laptop. Home systems run Windows XP Home Edition and the Netscape Web browser.

How he connects: Cable broadband. Connects to work over a clientless, SSL-protected VPN. Home network is principally wired, but the laptop connects via WPA-TKIP (Wi-Fi Protected Access using the TKIP cipher, a step up from WEP at the time; TKIP has since been deprecated in favor of WPA2's AES-CCMP). Network equipment includes a Netgear FR114P firewall in the network box in the basement, a Netgear five-port hub and a Netgear wireless access point with virtual private network support.

About the family: All family members use the computers and network. They shop extensively, bank and pay bills online. CISO doesn't allow instant messaging.

How he handles backups: CDs, flash disks, 2GB Iomega Jaz drive disks. Weekly backup of all security tool configurations.

Tech Talk

Uses Spybot Search & Destroy, ZoneAlarm Pro, Ad-Aware SE Pro, SpyCop, AdSubtract Pro, Active Ports, and the Norton AntiVirus and Internet Security suite on the laptop.

Does extensive tailoring and granular identification of acceptable traffic/activity to meet needs of family members. Default setting is "deny," meaning any type of Internet traffic the CISO has not explicitly OK'd will be blocked.
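The default-deny stance this CISO describes, and the first CISO's "just say no" rule for any program that wants to reach the Internet or act as a server, amount to the same policy: nothing gets out (or listens) unless a rule explicitly allows it. The Python below is an added illustration of that policy, not code from the article or from any product it mentions. The program names, the household allowlist and the connection attempts are constructed for the example, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Default-deny egress policy: allow only what a rule names, deny everything else."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    """One request a personal firewall would ask the user about (constructed)."""
    program: str          # executable name as the firewall reports it
    dest: str             # destination IP address
    port: int
    proto: str            # "tcp" or "udp"
    inbound: bool = False  # True when the program wants to listen (act as a server)


@dataclass(frozen=True)
class Rule:
    """An explicit allow; there are no deny rules because deny is the default."""
    program: str               # exact executable name, or "*" for any program
    network: str               # CIDR the rule covers, e.g. "0.0.0.0/0"
    ports: Tuple[int, ...]     # empty tuple means any port
    proto: str                 # "tcp", "udp" or "*"
    inbound: bool = False      # whether this rule permits listening

    def matches(self, a: Attempt) -> bool:
        if self.inbound != a.inbound:
            return False
        if self.program != "*" and self.program.lower() != a.program.lower():
            return False
        if self.proto != "*" and self.proto != a.proto:
            return False
        if self.ports and a.port not in self.ports:
            return False
        # ip_network.__contains__ returns False across IPv4/IPv6, so a v6 peer
        # never slips through a v4 rule.
        return ip_address(a.dest) in ip_network(self.network)


# Hypothetical allowlist for a household PC (constructed example data).
ALLOW: List[Rule] = [
    Rule("iexplore.exe", "0.0.0.0/0", (80, 443), "tcp"),            # browsing
    Rule("outlook.exe", "0.0.0.0/0", (25, 110, 587, 995), "tcp"),    # mail
    Rule("vpnclient.exe", "203.0.113.10/32", (500, 4500), "udp"),    # work VPN gateway only
    Rule("liveupdate.exe", "0.0.0.0/0", (80, 443), "tcp"),           # AV definition updates
    Rule("*", "192.168.1.1/32", (53,), "udp"),                       # DNS to the home router
]


def decide(a: Attempt, rules: Iterable[Rule] = ALLOW) -> Tuple[str, Optional[Rule]]:
    """Return ("allow", rule) for the first matching rule, else ("deny", None)."""
    for r in rules:
        if r.matches(a):
            return "allow", r
    return "deny", None


def evaluate(attempts: Iterable[Attempt], rules: Iterable[Rule] = ALLOW):
    """Apply the policy to every attempt and collect the denied ones for review."""
    rules = list(rules)
    decisions: Dict[Attempt, str] = {}
    denied: List[Attempt] = []
    for a in attempts:
        verdict, _ = decide(a, rules)
        decisions[a] = verdict
        if verdict == "deny":
            denied.append(a)
    return decisions, denied


# Constructed connection attempts, the kind a personal firewall would prompt on.
SAMPLE: List[Attempt] = [
    Attempt("iexplore.exe", "198.51.100.20", 443, "tcp"),         # HTTPS browsing: allow
    Attempt("iexplore.exe", "198.51.100.20", 8080, "tcp"),        # odd port: deny
    Attempt("kazaa.exe", "198.51.100.77", 1214, "tcp"),           # unapproved P2P client: deny
    Attempt("kazaa.exe", "0.0.0.0", 1214, "tcp", inbound=True),   # wants to be a server: deny
    Attempt("vpnclient.exe", "203.0.113.10", 4500, "udp"),        # right gateway: allow
    Attempt("vpnclient.exe", "203.0.113.11", 4500, "udp"),        # same program, wrong host: deny
    Attempt("svchost.exe", "192.168.1.1", 53, "udp"),             # DNS to router: allow
]


if __name__ == "__main__":
    results, blocked = evaluate(SAMPLE)
    for attempt, verdict in results.items():
        print(f"{verdict:5} {attempt.program} -> {attempt.dest}:{attempt.port}/{attempt.proto}"
              f"{' (listen)' if attempt.inbound else ''}")
    print(f"{len(blocked)} attempts blocked by default")
```

The point worth noticing is the VPN rule: because it names the gateway address rather than the program alone, the same VPN client is blocked the moment it tries to talk to a different host, which is exactly the kind of granular, per-purpose allow this CISO describes. Adding a new program to the household means adding a rule, never loosening the default.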

Uses Norton Internet Security as well as Netscape's filters for spam.

Practicals

Passwords: Uses "temporal time key dynamic password for VPN wireless, complex transliterated foreign language phrases, more rapid changing of security device passwords." Security log-on information is different from e-business and work log-on information. Translation: Uses multiple, complex passwords and changes them frequently.

Maintenance: Runs antivirus and antispyware/antiadware programs at least weekly. System vulnerability checker runs every three weeks, or when updated, or when suspicious activity is detected. Keeps Netscape and Windows patches up-to-date.

Web hygiene: Cookies filtered to the maximum extent possible. Browser set to not retain history of visited sites. Frequent cleansing of cache and other temporary log/tracking info directories is done using CyberScrub. Does not return "receipt requests" on e-mail.

Wireless: Uses AirMagnet and MiniStumbler to detect wireless vulnerabilities.

Shoppers beware: Family does lots of Internet shopping, but only with widely known and valid businesses. CISO logs in to online banking only over an SSL 3.0 session in the browser (the strongest option at the time; SSL 3.0 has since been deprecated in favor of TLS), and checks bank statements online for any unusual purchase amounts.

Don't overlook: Disables the entire network when family goes on vacation.

The Kid Factor

"I try to keep security as transparent as possible, but I get the normal grousing about, 'Dad is always blocking me.' I sit down and show them the threats facing them and how [a security breach] can destroy their data. I find out how they use the Internet and PCs so that we can work together to build a secure format for them, showing them how to run each of the security tools and how to check their configs to see if any problems are noticed."

Copyright © 2005 IDG Communications, Inc.