Posey's Tips & Tricks
IT Pros: Don't Forget To Protect Your Personal Security
Don't be the IT pro who spends way too many hours each day keeping their users secure only to neglect their own home networks. Brien describes the two steps he took to avoid this trap.
Growing up, I can recall stories of a handyman who had the worst house in the neighborhood. Supposedly, he spent all his time helping other people with their houses, and at the end of the day, the last thing in the world that he felt like doing was fixing up his own house.
As IT pros, we may sometimes fall into a similar trap. We spend way too many hours each day keeping our users secure only to neglect our own home networks.
I have to confess that I have been guilty of this, at least on some level. Sure, I keep my Wi-Fi network secure and am diligent about applying security patches as they become available, but there were other areas in which I definitely could have been doing a better job.
After spending quite a bit of time assessing the security of my own home network, I made two simple but effective changes. While I am hesitant to share too many details about my own security practices for obvious reasons, I wanted to tell you about these two changes in case they can help anyone.
The first change I made was to isolate all of my Internet of Things (IoT) devices. I have been hearing a lot of stories lately about consumer-grade connected devices being hacked and used as a way to gain access to the rest of the network. Since you can't usually do much to improve the security of an IoT device itself, I moved everything to a dedicated network segment that is not attached in any way to my primary network. That way, if someone were to hack my TV, they might gain access to my thermostat or perhaps to the vacuum cleaner, but they would not be able to reach my file server.
The second change I made was to adopt a password manager. Admittedly, I have always been a little apprehensive about using a password manager, because I thought of it as a single point of failure. After all, if you lock yourself out of the password manager, or if the password manager fails, you could potentially lose access to everything. The key to keeping that from happening is to make sure that you have some sort of workaround.
In my case, I decided to protect myself by violating decades of security best practices and printing out a master list of passwords in case the password manager were to fail. However, this master list is stored in a secure vault at another location.
You may be wondering what happened to make me suddenly decide to use a password manager even though I have long had reservations about doing so. The short answer is that password-cracking has seen a recent resurgence, and compromised passwords are being sold on the dark Web. You may have heard about an e-mail extortion scam that has been going around in which the perpetrator sends potential victims e-mail messages with the subject line, "Your password is," followed by a real password. Most of these threatening e-mails are not credible even though they list a real password in the subject line. The messages do, however, underscore the importance of adhering to good password-management practices.
The problem is that most of us use so many online resources that it is nearly impossible to remember passwords for all of them. As such, many people use the same password for every site or stick to using weak, easy-to-remember passwords. A password manager gives you the ability to use really strong, random passwords for all of your online resources. By using this approach, you reduce the chances of a password being cracked, and even if a password is compromised, the password is only valid for a single resource.
If you do decide to use a password manager, keep in mind that password managers are not all the same. Be sure to pick one that is provided by a reputable vendor, rather than some fly-by-night operation. After all, a free or open source password manager could conceivably be a tool that has actually been designed to steal passwords under the guise of being a security tool.
The features found in commercial password managers are widely varied, so I would encourage you to look around and find the password manager with the feature set that best meets your needs. The two features that I would consider to be indispensable, however, are a mechanism for backing up your passwords and a password generator (for creating long, random passwords).
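The reasoning above (a generator producing a long, random password for each resource, so a single leaked password unlocks only one account) in runnable form. This is an added example, not code from the column or from any password manager: it builds a constructed vault with one reused password beside a vault filled by a CSPRNG-based generator and compares the entropy and blast radius of each. The alphabet, resource names and the sample password "Summer2018!" are assumptions.

```python
import math
import secrets
import string

# Alphabet for generated passwords (assumption): letters, digits, punctuation subset.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character with the OS CSPRNG (secrets), never random.choice()."""
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def build_vault(resources):
    """One freshly generated password per resource, as a manager's generator does."""
    return {name: generate_password() for name in resources}


def reused_passwords(vault):
    """Groups of resources that share a password; an empty list is the goal."""
    by_password = {}
    for name, password in vault.items():
        by_password.setdefault(password, []).append(name)
    return [names for names in by_password.values() if len(names) > 1]


def blast_radius(vault, leaked_password):
    """Resources a single compromised password would unlock."""
    return [name for name, password in vault.items() if password == leaked_password]


# Constructed sample: the habit the column warns against, one password everywhere.
REUSED_VAULT = {"bank": "Summer2018!", "mail": "Summer2018!", "shop": "Summer2018!"}
RESOURCES = ["bank", "mail", "shop"]  # assumed resource names

if __name__ == "__main__":
    generated = build_vault(RESOURCES)
    print("reused vault blast radius:", blast_radius(REUSED_VAULT, "Summer2018!"))
    one_password = next(iter(generated.values()))
    print("generated vault blast radius:", blast_radius(generated, one_password))
    print("bits of entropy per generated password:", round(entropy_bits(24), 1))
```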
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.