In this edition of Secure IT! we profile a group of individuals brought together from diverse areas of IT by a common interest in information security: the Brown Security Round Table. The members of the BSRT meet regularly to discuss information security items relevant to the Brown community. As part of formalizing their vision, the BSRT created a website to provide resources as well as a forum for others with similar interests.
As stated in their charter, the volunteer committee exists to “provide a forum for discussion and investigation of security issues important to CIS and Brown IT as a whole”, collaborating closely with the CISO to address security concerns and raise security awareness at Brown.
The BSRT currently consists of nine members — Paulo Baptista, Jesse Coutu, Margaret Doll, Marc Doughty, Bob Fletcher, Patrick Laverty, Elvis Seth, Lea Snyder, and Nate Wood — representing a variety of areas both within and outside CIS. Paulo, Lea, Marc, Bob and Jesse were available to answer some questions about themselves. Patrick and Lea are also guest contributors to this edition of Secure IT! (“Be Wary of Oversharing” and “Your Phone and Privacy”, respectively).
Q. What got you interested in security?
Paulo: My job. As a systems administrator, one should establish absolute trust with the system.
Lea: I have been interested in IT security for the entire time I have been working in IT. For me it is appealing because the field is a constant moving target (even more so than some areas of IT). I like that it is constantly changing and evolving because it forces you to do the same. There is always a new challenge awaiting you around the bend.
Marc: I’ve always been a tinkerer. When I was in fifth grade we had a lab of Apple II machines that were connected to a small server. It was the first time I was able to do stuff on one computer and have it affect another. It was fascinating. My peers quickly found out how to modify the boot messages displayed on all the machines, and were told by the computer teacher that ‘if anything goes wrong, we know that it was you’. I guess that was my introduction to computer security; before that, ‘security’ meant not letting my little sister drool on the audio tapes that held my computer games.
Bob: That’s hard to say precisely. As best as I can recollect I have always had an interest in some form of security, hence my interest in detective shows and movies. My favorites tend to be Holmesian by design.
Jesse: My interest in security is a fairly new development. With the developments in mobile technology (phones, tablets, etc.) security becomes a greater and greater concern.
Q. What’s your biggest security pet peeve?
Lea: One of my biggest pet peeves is when websites send along user credentials (username and password) in email instead of forcing users to change passwords when they request a password reset. I will not send passwords over email as I do not think it is a good practice. Furthermore, I think training users to think this is OK is not good. It sets up the expectation that sending credentials over email is acceptable and thus people send along credentials to the wrong people without even really thinking about it.
Marc: My biggest peeve is when people make a big deal out of something in security’s name, but the end result is either wasted time, or a system that’s not really more secure, or a system that’s so oppressive to users that it drives them away. I see it all the time, and find it incredibly frustrating.
Bob: Password security. So much relies on using a password and so often the password is one of the weakest links. With today’s technology and tools many passwords that an average user thinks are secure can be broken in minutes.
Jesse: My biggest security pet peeve is when a browser is set to “remember” passwords and credentials. This could lead to a devastating security breach.
Paulo: Tailgating at card access doors. I’ve noticed the majority of folks do not pay attention when they use card access doors. They gain access to open the door, go through the door, and do not realize that the door is slowly shutting behind them and will never notice if someone sneaks in behind them.
Q. What would you personally like to see the BSRT accomplish in the next year or two?
Marc: I think we really just need to get a footing and establish a culture in the group. I think we’re most of the way there, but we haven’t really issued many hard-core critiques or recommendations yet.
Bob: I would like to see us taking a more active role in two areas: Providing technical education or guidance to the Brown community, and researching potential solutions to various security issues at Brown.
Jesse: I would like for the BSRT to begin launching training seminars.
Paulo: Have good conversations, publish security information, learn about new trends in security and ultimately implement new security measures to protect Brown’s resources.
Lea: I would love to see it become a go-to resource on campus and expand its reach into all areas of security and across the campus community. It would be fantastic if we could mature the model enough to have people call in and listen to the monthly meetings. Finally, I am very committed to expanding the BSRT’s use of social media as another communication vehicle.
Q. Finish this sentence. Privacy is …
Bob: … and always will be a double-edged sword. It protects us from being robbed of our finances and identity but it can also be exploited to conceal criminal activity. Preserving privacy, therefore, means we have to assume certain risks. The most “secure” nations are also the most oppressive and privacy, at least from the government, doesn’t really exist.
Jesse: … disappearing from everyday life. With social media, mobile apps, and all of the “terms of service” that most people accept without reading, privacy is a thing of the past.
Paulo: … essential to live in a civilized society.
Lea: … a difficult balancing act. It is hard because we all want convenience but with convenience we give up bits of our privacy. You have to decide through the lens of protecting your privacy (or private data) what you actually need versus what you actually just want. This is especially critical with social media and mobile apps.
Marc: … an important right that needs to be expanded and defended, but not particularly important to me individually… I’m an open book. I don’t bite my tongue in meetings, and I don’t do too much to ‘filter’ my real life from spilling out into the Internet. I guess I could mangle some Voltaire and say “I will defend your right to privacy to the death, but check out these pictures of what I did last weekend!”
Q. What security tip for mobile devices (whether laptop, tablet, or smartphone) would you like to pass along to our readers?
Jesse: Read what you’re agreeing to when you install mobile apps. Many mobile apps are requesting permission that you may not be prepared to grant.
Paulo: Here’s a good one. Change your 4-digit iPhone passcode to a longer one: Settings, General, Passcode Lock, turn off Simple Passcode. Why is this important? I can shoulder surf someone entering their passcode fairly easily. In other words, folks aren’t very private when they enter their passcode to unlock their iPhone.
Lea: Something I learned about this year that I found quite helpful for my work laptop, is that the Department of Public Safety participates in the program Operation Identification. DPS will apply a decal to your devices that clearly marks the property as owned by Brown University. It’s free and easy. I strongly recommend it for any devices that could easily walk away. And always add a password to a mobile device!
Marc: Enable the passcode, automatic locking, and encryption on your phone/tablet. These things are just gateways right into our personal lives. I trade stocks, transfer money, send work and private emails, text shopping lists, and store pictures of my family on my phone; there’s no way I’m just going to let someone hook it up to a diagnostic device and dump its contents. I might be comfortable sharing pictures from my night out with the world, but my banking information and personal correspondence need to stay private.
Bob: At present, your biggest vulnerability is theft. Ideally you should not keep or process confidential information (your financial information, passwords, SSN) through a mobile device. If you do, your device should be password protected with a strong password and, if it’s an option, enable the “self destruct” which wipes it back to factory default after 10 failed logins.