ITSPmagazine recently caught up with Joe Gray, Enterprise Security Consultant at Sword & Shield Enterprise Security. Joe shared his views on personal information sharing, privacy, and the value of community service for information security awareness throughout society.
ITSPmagazine: Please tell us a little bit about yourself.
Gray: I am a veteran of the US Navy Submarine Service. I have worked in various government and government contractor roles. I am now a consultant working with businesses to enhance their security as well as measure it from time to time. I hold the CISSP-ISSMP, GCIH, and GSNA certifications and was awarded a Master of Science in Information Technology (Focus in Information Assurance and Security) from Capella University.
ITSPmagazine: As a consumer of technology, what excites you most but, at the same time, also gives you pause given the security implications it may have?
Gray: I am excited to have the ability to start typing a sentence in Google and Google finish it for me. The privacy side of me shudders in dismay. The algorithm used to collect that information probably knows more about me than myself or even my own mother.
I also like a lot of the Internet of Things (IoT) gadgets, in theory. Seeing how insecure they are and the perceived lack of concern from manufacturers, I am frightened. In some extreme scenarios, this begs Dr. Malcolm’s question from Jurassic Park, “[they] were so preoccupied with whether they could, they didn't stop to think if they should.” Seeing Season 2, Episode 1 of Mr. Robot certainly painted IoT in a worst case scenario and really put it into perspective. I guess it was the visual aspect beyond what I visualized in thought. Did you know that the “S” in IoT stood for security? I will be here all day folks.
ITSPmagazine: Do you use technology (online services, retail services, connected devices, etc.) at home different from others in your family who are not in the industry? If so, how?
Gray: I wish the answer were no, but I do. Because of my awareness, profession, and research, I know what can go wrong and many places that have higher risks. For example, I use a VPN and Password Manager. I have been known to activate the VPN on my phone to access my banking apps. I do not even know my social media passwords. All I know is my master password for my password manager. I also avoid public Wi-Fi, which is something that I have been trying to engrain into the minds of my family, with little forward progress. If I have to use it, I will enable my VPN.
I had some family listen to the “Complete and Privacy Security” podcast with me once. It is hosted by Michael Bazzell and Justin Carroll. My family scoffed at some of their ideas both before and after I told them why they are as extreme as they are. They do implement some things more aggressively than I do, but they also have excellent tips as well.
I refuse to use store applications like the Walmart Savings Catcher. Nothing personal against stores that have apps, but I have completed academic coursework in Applied Statistics and Business Intelligence. I know what the endgame of the data collection is. It may be mostly benign, but I would rather control what data I provide. Seeing “People I Should Know” on Facebook based on people who send me emails is more than enough for me.
I am also a major supporter of encryption. I am trying to encourage everyone I text/chat with routinely to make the jump to Signal. This is an app with end-to-end encryption. The same algorithm is used in WhatsApp and Facebook Messenger. I recently discovered that Keybase, the site that originally acted as a directory for PGP keys, now offers end-to-end encrypted chat and secure file sharing. While PGP may not be the strongest encryption, it is certainly stronger than none at all.
ITSPmagazine: Do you do any community outreach to help raise awareness for infosec and/or privacy? If so, can you tell us what you do?
Gray: I blog a lot. I also have my own podcast. While I have been slacking on both as of late, I have been taking on more public speaking engagements. I try to talk to “normals” or non-infosec practitioners frequently. I try to understand their points of view then (if welcomed) provide advice on how to better secure themselves.
I also try to keep an eye out for my friends on social media. Many of my older friends (namely around my Mom’s age and older) are starting to use social media and are unaware of some of the pitfalls and dangers. Alternatively, many share “warnings” that are false or contradictory to best practice.
Of course I also participate in the local security community: ISSA, (ISC)², Defcon, OWASP, conferences, and Slack channels. This allows me to work with other professionals to solve problems for business and people. We also collaborate on ways to reach the masses.
I make every attempt within reason to educate society about security and their role. I try to relate it to something they value and reasonable assurances that they should expect.
ITSPmagazine: On a professional level, what do you enjoy most about the work you do?
Gray: I enjoy working with clients that value my work and expertise and I also enjoy knowing that I have made a difference in making someone's life a little easier. While I am fairly new to my team as I only recently started, the thing I like best about my team from what I have seen thus far is the collaborative culture and weekly training for technical employees.
ITSPmagazine: Can you share with us some recent accomplishments you've had? What inspires you to do what you do?
Gray: I would start by saying I am pleased to see my podcast and blogs (personal and guest) grow over the past year or so. I used to have to beg people to be on the show, now it is much easier and I enjoy the feedback from listeners and readers.
I am inspired by the feedback from listeners and readers in terms of the podcast and blogs. I am inspired in a general sense by my passion for information security and knowing that it can help make the world a somewhat better place.
ITSPmagazine: Any final thoughts to share with our audience?
Gray: I now view the world in a different sense. I am more cautious about my words, actions, and behavior online. I have a better understanding of how it comes together to enable attackers and phishermen.
About Joe Gray
Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword and Shield Enterprise Security in Knoxville, TN.