Jason Bittner (CEO): Hi everyone, I’m Jason Bittner, CEO of Triple Helix Corporation and welcome to our Helix Insider podcast. Today I’m joined in studio by my two colleagues, Sam Sheldon, one of our senior developers and Sean Coover, who is our senior systems engineer. Welcome everybody. Today we wanted to talk about computer security and in general, what is computer security? Computer security is the act of maintaining a safe environment for your computers. This can be ranging from your servers to your PCs. We store a whole bunch of personal information and pertinent information and information that needs to be secured on our PCs and we really need to keep those maintained and secure. Now computer security obviously, from your perspective guys, is obviously very important especially in the work that we do. We also maintain that computer security is actually a responsibility of both individuals and companies. Sam, why don’t you give me your thoughts on why it’s important both from a personal and from a company perspective to maintain good security?
Samantha Sheldon: From a personal perspective, even outside of your work, maintaining security is going to be important just because there are things that you do not want people accessing on your computer. You might store your passwords in a password manager on your computer, you might have your banking information, your tax documents, things like that. Very important to make sure that nobody can access those that you don’t want to see them. Now in a company perspective, it’s basically the larger version of that. Your workplace is going to have a lot of proprietary information, they’re going to have their confidential financial information, you might have other people’s confidential information on your network. It makes it very important both for keeping your company secure and also other people’s companies secure.
Jason Bittner (CEO): I guess it would go without saying too is that your individual security practices when you’re working at a company impact the company because if you’re not following good security it could actually create a leak, right?
Samantha Sheldon: Yeah, if you fall for a phishing attack, for example, while you’re at work or go to a site and download a malicious file, you’re opening up your work network to attacks.
Jason Bittner (CEO): Right, very good point. Shawn, what are your perspectives on that?
Shawn Coover: On track, if you’re working and you find yourself vulnerable to any attack, then you’re definitely going to open up the network for that and that’s going to be the entire internal network for your company, not just your edge network where you may be intaking information.
Jason Bittner (CEO): Yeah, from your perspective, it impacts you directly because you’re the guy that has to make sure everything’s locked down for us, right?
Shawn Coover: That’s right. I’ve got a slew of firewalls to maintain and a slew of networks to maintain, so we definitely need to get those security policies just right so that only the information that needs to get out into the wild of the internet is getting out there.
Jason Bittner (CEO): Bottom line is don’t make your systems engineer angry. Got it.
Shawn Coover: Exactly. Please don’t.
Jason Bittner (CEO): Sam, you touched on just a moment ago about passwords and good password management. In fact, talking about a password manager, talk to our guests, our visitors, about what a password manager is and why it’s a great option for helping with maintaining security.
Samantha Sheldon: Yeah. So a password manager is basically a program, whether it’s using an online tool or one that’s local to your machine, which is preferred, to store all of the passwords that you might use for different sites and keep them locked up under one master password with the idea that you only have to personally remember your master password and can then use much more complex passwords for all the different sites you might go to. So like your banking information, your email accounts, or in the case of your workplace, having your passwords for different internal tools as well. It means that you can use much more complex, difficult to crack passwords and it also helps you prevent password reuse if you only have to really remember that one master password.
Jason Bittner (CEO): That’s an excellent point because I know I’m guilty of this is that before we started using a password manager, you would tend to use that same password in all different locations and it got very problematic.
Samantha Sheldon: That’s a big danger point because it means that if any of the sites that you use that password on, if their passwords are compromised, then even if they have good security, you could be open to if somebody managed to crack that password either on that site or elsewhere, anything that uses it might be impacted by that password reuse.
Jason Bittner (CEO): That’s an excellent point. Related to physical device security and like your desktop computers, earlier in the internet, I was aware of computer viruses and things like that and we use software called antivirus to prevent computers from being infected. It detects a pattern or a file that might be infected and preventing it from running and whatnot. But I’ve noticed a trend in the security world these days where you’re not actually buying antivirus anymore. You’re actually now buying an entire security suite. The suite now includes antivirus, anti-spam to prevent things coming in to your inbox on your email, malware prevention, so something that could potentially infect the computer, but not actually visibly infected to the point where you knew something was going up. It’s not damaging your computer, but it may be sinking underneath the underlayer and actually stealing data and sending it somewhere. So from that perspective, we now buy these software security suites and there’s very, very many of them out there. Just a perspective, I’ll pass this back to you, Shawn. With security suites, what have you seen in your work about using suites and do you recommend using them and why?
Shawn Coover: I definitely recommend using them. One thing that not a lot of people know is that viruses, malware, and malicious software are all three different things. Viruses tend to infect a computer in a way that’s going to steal information. Malware tends to infect a computer in a way that’s going to either take control of it or use it as a node for a larger network of computers. And we need to keep our computers safe from those. You can pop malware by just clicking on the wrong link, and then all of a sudden your browser’s downloaded a whole package that you may not know is running on your PC. And when it becomes active, it could place your computer as a part of a botnet that’s just attacking others.
Jason Bittner (CEO): Right. So safe to say these security suites are put in place for the strict purpose of actually detecting an incoming threat and preventing it from infecting you, correct?
Shawn Coover: Right. And exactly. A lot of these antivirus and anti-malware softwares are putting plugins and browsers now just to prevent you from going into malicious links that you may happen to click on. We all do make mistakes, but it’s important to be very, very vigilant when you’re opening your email and just when you’re browsing the internet, definitely. I get a lot of email that basically says, warning, accounts payable, click here to see payment details, et cetera. And it’s so very innocuous yet very basic, almost to the point of laughably simple. But I mean, because of that, the tendency might be that, oh, I’ve got money coming in. What is it? Click and all of a sudden your payload’s been released and so you’re in trouble.
Jason Bittner (CEO): So a very good point you bring up, Shawn. Sam, any perspectives on your end related to security software seats, any personal stories you recall?
Samantha Sheldon: I don’t know that I have any particular personal stories, but I was going to ask your average user, what level of security software do you think it makes sense to have running on your PC? It was actually a question that I was going to have because I know I’m not, I’m guilty of kind of just relying on things like Windows Defender, the built-in stuff.
Shawn Coover: I recommend personally anti-virus, anti-malware, and anti-spyware, a suite that encompass all three. Spyware is becoming a big thing because a lot of these bad actors on the internet, they want to know what information you’re passing out into the wild. And so keyloggers are a big thing, they’ll grab your password without ever having to brute force them. Just because you’ve clicked on a bad link that’s now monitoring your keyboard for every keystroke. With ransomware, which that’s a big problem for companies these days. We saw last year, or it may have been earlier this year, the colonial population had an issue with ransomware and they went ahead and paid it in Bitcoin because that was the only way to get it off. These actors and these programs are becoming more complex and more convoluted to deal with on a daily basis. So these security suites are essential in maintaining our distance from these bad actors.
Jason Bittner (CEO): That’s a good point and I’m glad you mentioned the keylogger situation because keyloggers have been around for a very, very, very long time. And the idea behind them is that it just takes all of the keystrokes on the keyboard or what you’re typing into like cut paste and what the browser is getting from you and actually then sending all of those information directly to a third party site offline. And then they’re actually taking all that information and they’re literally everything you’re typing, everything you’re writing is actually being sent somewhere for someone to interrogate and potentially find the username and passwords inside of that. So having a security suite is so very important to make sure things like that aren’t running underneath. And the other thing about these suites too I’m aware of is you want to make sure that you’re scanning regularly on your computer. They do do automated scans, but sometimes those are a little bit more superficial. It’s recommended that you run the actual deep scan at least once a week, if not more often if you’re doing something more sensitive. So all good feedback guys. Shawn, I wanted to talk to you now about, you mentioned earlier about the edge security versus internal security. Could you give our listeners an idea of what that means?
Shawn Coover: Edge security versus internal security is essentially your edge is where you’re able to connect to the internet as a company, as your internal network connects out into the internet. That’s your edge. Any servers that you have on a demilitarized zone, any port forwarding you have on your internal network that has traffic coming in, connecting to your IP addresses, that’s your edge. Any traffic that’s passing along inside the network itself, say you’re at your workstation and you’re connecting to the server that’s holding the time clock, that’s an internal policy. That’s an internal connection. And usually those can be less strict when it comes to firewall policies, but you also want to segregate out where your employees are and what those employees can connect to as well.
Jason Bittner (CEO): You mentioned earlier just now, like the demilitarized zone and what does that actually mean in terms of the security?
Shawn Coover: Let’s take the term, let’s take a home network, for example. You’ll have your basic modem, then you have your router built in or separate. These personal residential routers are set up so any information coming in trying to connect to your IP address, it’s completely rejected unless you have any sort of port forwarding around, but a demilitarized zone will expose one PC or set of PCs on your network to the internet itself. So if they have information coming in, like a connection over port 80 is made, it’s sent to that computer. That’s a demilitarized zone.
Jason Bittner (CEO): I wanted to talk about, you know, we do a lot in our programming world with servers and our own machines that are in our remote offices, and yet we still have to be efficient. And I wanted to understand like what kind of security infrastructure gets put in place to make sure if you’re like a development team like us where you have to work on remote machines that we still are able to do our jobs and yet we’re still maintaining good security for both our internal network and our customers. One of the main things about that is maintaining a uniform level of access across all the developers and maintaining images of that access so that when instances are spooled up so the development team can get started working on a project, they already have all their permissions and all the necessary access they need to get started with very little in front of them that they need to wait on. So the idea that you restrict the access but not so much that it prevents them from doing their job, I guess, correct?
Shawn Coover: Exactly. But you want them to be able to get going relatively quickly with nothing that’s going to block them unless that’s something specific to that project.
Jason Bittner (CEO): Got it. Sam, any comments on related to the internal versus external network security that we’ve been talking about?
Samantha Sheldon: I feel like VPNs is probably a thing that comes up with that as well. I know that as developers often to work on something on say another company’s, you know, if I’m working on something for another company, I often have to log into their VPN in order to actually access anything at all if I’m not on their VPN.
Jason Bittner (CEO): What’s a VPN?
Samantha Sheldon: Yeah, so a VPN is a virtual private network. And from my perspective, in order to get access to, you know, a VPN, all I have to do is open up a network client, such as, you know, we often use NetExtender, OpenVPN, things like that. All I have to do is log in with my credentials, and then I am functionally on their network. And I think Shawn can probably speak more to the actual details of what goes on with that.
Shawn Coover: Yeah, a VPN is a powerful tool for any tech company who’s managing their edge and internal networks. So what it allows is a server sitting on a DMZ that’s connectable from the internet, you’ll log in using to that server using your virtual, your VPN clients such as NetExtender. And what that will do is that will make an edge connection to their network and allow you on to their internal network, because that server is running a dynamic host control protocol and handing out IP addresses for their pool to allow you to get internal to their network.
Jason Bittner (CEO): Wow. This is obviously a lot of interesting perspectives on security. We went over quite a bit today. So what I’d like to do is I’d just like to wrap up with final comments and feedback, and maybe I’ll start with you, Sam, and I’ll pass it off to Sean for final feedback.
Samantha Sheldon: So final comments on this, I mean, from my perspective as a developer and someone who’s not deeply involved in the security of, you know, either workplace, you know, or personal um, password manager, change your passwords on a regular basis, use things, don’t reuse your passwords, you know, be vigilant about links, you click emails, you open everything in that vein.
Jason Bittner (CEO): Got it. Shawn, any final comments and thoughts about what our listeners should be thinking about for their, their network security and for their companies and for their personals?
Shawn Coover: One of the best things that I’ve always recommended for companies to do is to start moving away from a password system entirely and start using keys instead. If you, uh, a lot of password managers these days, you can, you can, uh, encrypt your information with either a master password or a key or both. And that key is just something you’ll want to keep, um, very secure, maybe on the cloud and, uh, in an encrypted file.
Jason Bittner (CEO): Got it. So a new way of kind of locking down your systems then?
Shawn Coover: Yes. Uh, it’s, it’s, it’s not new, but it’s, it’s definitely taking hold where you’re, you, you won’t use passwords as much as you will a passphrase that unlocks your key. So, uh, keys are the way to go from my perspective.
Jason Bittner (CEO): Okay. Well, I think that’s all the time we have for today. I want to thank my two special guests, Sam Sheldon and Sean Cooper for my team. And this is the Helix Insider podcast. Thank you for listening until next time.