What I Learned About Leadership During A 24-Hour Adventure Race

Originally posted on July 7, 2020 @ 10:25 pm

Recently I competed in a 24-hour Adventure Race designed to test your physical, mental and emotional fortitude and abilities.  I signed up months ago with a good friend to compete in the 2-person coed category. We’re both in good shape, and figured with some training, a practice race (shorter) and the right gear, we’d do well. In the end, we raced for 25+ hours and didn’t finish the race! During that time I learned a lot about myself, my teammate and leadership in general.

Let me start with a little background on the Adventure Race.  I’m sure by now that unless you’ve been living under a rock, you know someone who’s done a mud run, Spartan Race, Tough Mudder, Ragnar or some other race that involves obstacles, mud and running. Those races generally are between 3 and 10 miles, have a predetermined course, well supported with aid stations, and confined to a small campus, park or field. The type of adventure race I’m talking about, is in a whole different category of racing. This race had three disciplines, Running/Trek, Mountain Bike, Paddle and covered over 80 miles of trails and river. Another unique aspect of this race is that there is no “pre-determined” course. Each team is provided a map(s) and race rules. The race rules lay out the legs of the race and how each is to be accomplished, e.g. “Bike – Collect checkpoints in order”. Each leg as a series of checkpoints that the team must visit (the teams are provided an electronic e-punch to prove they were there). There is no determined path or other guidance given to the teams. It is expected that the teams will determine the best path to get to the checkpoints in the least amount of time.  The winner is determined by the number of checkpoints collected (some are optional), finish time is then used to break a tie. The race organizers provide a list of mandatory items each team and team member must carry and outlines some items that are forbidden (yes, a GPS device is strictly forbidden).  The only navigation aid that is generally permitted is a compass, I guess if you wanted to carry a sextant you could, but that’s a lot of weight for very little benefit.

I’m sure a lot of you reading this are thinking that this is insane, Why would anyone do this?  Though I know my Special Forces Friends are thinking, “sounds like a good Tuesday workout”.  Throw in a little weather and this goes from a very difficult race to place to one where just finishing is a struggle.  This year the race started with about 8 hours of rain, overflowing streams and making the trails mud pits. Of the 93 competitors who started the race over 30% dropped out after 12 hours and even more, my team included, didn’t finish the race before the 24 hour time limit.

Out on the trail, we heard and saw a lot from each other and other teams.  That’s where the leadership learning really took place and I wanted to share.

1: Helping others is always the right thing to do.

One team in particular exemplified this, they had already qualified for the world championships and were out on this race for “practice”.  They had nothing to prove to anyone, in the pre-race brief, everyone on the room knew who they were, and excited that they were part of the race.  Every time we saw them on the course they were always smiling, talking, and ALWAYS without exception, asked if we were ok, how we were doing and if we needed anything. We never did, but just hearing that kept us moving, kept us focused on the task at hand and made us feel like we weren’t on our own. To be honest, just seeing this team coming from where we were headed gave us hope that we were on the right path.

Now take that example to your business experiences. Have you ever been working on a project that you felt all alone in? it’s your responsibility to get done and you’re just not sure that you can do it? You’ve gone down some rabbit hole in the code/process/document and it just wasn’t what you expected?  Then someone comes along and asks how you’re doing, checking in, is there anything they can help with?  It breaks you out of the rut you’re in, maybe it just helps get you back on track or you can bounce some ideas on your friend.

As a leader, it’s our responsibility that those we lead understand they aren’t on their own.  We will help when we can, offer advice if possible, and always listen.  Sometimes that’s all they need to get back on track.

2: Negativity brings everyone around you down, halts progress, and can make you look like a fool

The contrast to the team above is one we saw towards the end of the course.  You could hear them from 500M away. “I can’t believe anyone hikes this for fun”, “No one could do this course in the estimated time”, “It’s impossible for anyone to fine all the checkpoints in 24 hours”,  “This is the worst race ever, by the worst race company ever”, “I can’t believe they didn’t provide water”.  This team was clearly unprepared for Virginia mountains and the rocks that are everywhere in the Appalachian Mountains. They were from a southern state who’s highest natural point is probably 90ft above sea level. We had over 3 miles of ascent in this race!  They were blaming everyone but themselves and being very negative about the whole thing. You could see it in some of the team members, they were tired of hearing about the problems, they just wanted to be done and away from the negativity.  To be honest, we took a break and sat down on a rock for some food, water and rest just to let them get far enough ahead of us that we didn’t have to hear them.

In business, attitude is contagious and spreads like wild fire.  If you or your staff is negative, it just becomes a huge drag on the organization.  It affects productivity, moral, retention, customer satisfaction, attendance, and corporate performance.  At times, it’s important to be the CCL – Chief Cheer Leader be the positive voice among the negative ones  “Let’s learn from this lost contract and we’ll win the next.”.  As for that team I mentioned above, A pair of runners passed us and were running the trail for fun, Another competitor completed the leg in under the estimated time, the winning solo male competitor “cleared the course” visiting all checkpoints, and the race company was chosen to host the world championships, this year and next!

3: Sometimes you have to carry the team

Late on Saturday night, after some really grueling hiking and riding through the rain and mud, we were pretty exhausted.  We were both a little discouraged, we expected to be about 10 -15 miles further into the event than we were, and the trails were just un-ridable for our skills.  My teammate was exhausted and I could tell that we were on the verge of collapse. We had mountain bikes, beautiful machines designed to be ridden across a variety of terrain, but we had been pushing them for hours because they just couldn’t be ridden.  The trails got steeper and had more rocks, roots and mud.  The only way was forward, there was no turning back, and I don’t think either of us wanted to just sit down, in the middle of the woods, and quit but exhaustion and frustration were setting in.  That’s when I asked for her bike too and started pushing both.  Not to be a superman, or macho or anything like that, it’s because that’s what the team needed at the time.  Those little breaks, from pushing the bikes, kept her going and the team moving forward.

As a leader, sometimes we just have to pickup the ball (or bike) and help move it forward. I’ve found that employees and staff respect a leader who’s not afraid to get their hands dirty.  I’ve worked with people on both ends of the spectrum, those who think “I’m the boss so I need to be in there helping get the job done” and others who figure “I’m the boss so I don’t have to do the work”.  In the end, the ones who help get the job done, have more loyalty, and better connections with their employee’s.

4: Sometimes you have to let others take charge

Towards the end of the race, we were both pretty beat up, physically and mentally.  My knee finally gave up after hours of complaining.  I started to limp a little, then a lot, then could barely move.  I figure I was moving about as fast a slow snail. After being lead for most of the race, I had to have my partner lead, identify the right path, the best way to the next checkpoint (CP).  She did great!  She found the easiest (if there were such a thing) path down that I could follow with a bum knee.

As a leader, you can’t always be in charge of every program, project or effort within your organization.  You need to trust those around you to do the right thing, even if it’s not exactly what you would do. Delegation is one of the most important things any leader must learn.  Without it, you’ll never take vacation, grow beyond a small organization, or have a successor (if you with the lottery or want to retire). Don’t be afraid to hand over the reins, you’ll often be pleasantly surprised by what happens next.

5: If conditions change, so should you

Going into this race, we had high hopes.  So high, that we packed a camp stove and soup to heat up because we thought we’d have the time and need the calories and warmth.  In the end, we didn’t have the time for either the calories or warmth, we just had to keep plowing on.  The terrain and weather played a huge role in our progress through the course.  By the time we hit the second Transition Area, we were 4 hours slower than we expected!  We had to reassess the optional points we were going to get so we’d have time to continue the race.  In all, we eliminated 7 optional points we wanted to get, because of time.  We realized if we even tried, for a few minutes to find these points, we put our finishing in jeopardy.

As leaders, we need to be able to assess the market, identify trends and adjust accordingly to make our business successful.   Mike Tyson once said, “Everyone has a plan ‘till they get punched in the mouth”.  Somedays it seems that every time you turn around you’re getting punched in the mouth.  Adaptability is one of the key components needed to keep moving forward, even if it’s slower than expected.  Know what has to be done, and when and keep those in mind as you push for the end goal.  Everyday, or even multiple times during the day, reassess where you’ve been, where you’re headed and make sure your still on track, otherwise you could lose days, weeks or even months heading in the wrong direction.

6: Learn from your mistakes so they aren’t repeated

As I said earlier, this wasn’t our first Adventure Race, it was just our longest, most complex and grueling one.  In our most recent warm-up race, we learned a lot, mostly through our mistakes. The first one we made in the warm-up is not having an agreed upon long term plan, and sticking to it.  We haphazardly looked at the map, said “we should be able to get all the CP’s except these two”, and were ready to go.  Well in the end, there were a lot more we couldn’t get to, and wasting time looking for those hurt us in the long run.  I spent the following days after this last race evaluating where we went, when and why.  Looking for alternative routes, re-living decisions before and during the race and making plans for “next time”.  I’m sure I’ll make mistakes on the next race but they won’t be the ones I did on this one.

One of the most important tools we can use in business is an After Action Review (AAR).  That’s a simple process to capture lessons learned focused on improving future performance.  The most basic AAR answer’s 4 simple questions: 1. What was supposed to happen?; 2. What actually happened?; 3. What caused the differences?; 4. What have we learned?  Theses sound like simple questions and many people will gloss over the details.  Those people are destined to repeating the same mistakes over and over again.

7: Never, Never, Never give up!

In one leg of the race we were required to find 2 mandatory points on the map on foot, in the woods, at night.  These weren’t necessarily right on easily identified trails and we ended up off trail, wandering through the woods with headlamps and flashlights.  Visibility was only a few feet because of the vegetation and we wandered for 30 minutes looking for the CP.  At that point, we had been racing for over 12 hours, we were cold, wet and tired.  It was after midnight and if we didn’t find this point, we’d be disqualified (it was mandatory after all). We had to decide, press on or give up.  In the end, we continued to search and with a little help from another team, we found the point and quickly made it back to the transition area and finished that leg.

In business, there are times that it seems impossible to achieve the goal you’ve set for yourself.  If you give up once, the next time it will be a little easier, and easier every time after that.  Successful businesses don’t easily give up, many times, the most successful will simply pivot their goal and keep moving forward.  If it is submitting a proposal as a prime, and it’s just not going to be a winning proposal, join forces with another team. If it’s a major release of software that is riddled with problems and going to be delayed by several months, consider adjusting for incremental feature releases instead.

Whether running a race, leading a business or simply trying to be self-sufficient: Help others, be positive, step up if needed, be a good follower, adapt, learn from your mistakes and never give up!

In the end, we didn’t finish the race.  That was a disappointment.  It was an unbelievable challenge and I’m glad I tried, because in the end, I never would have known how far I could go.  I learned a lot along the way, I’ll study my mistakes, and if I can convince someone to do this race with me next year, I might just give it another try!

Introducing Cyber Centurion

Originally posted on June 26, 2020 @ 5:00 am

Over the past 22 years, I’ve developed a passion for helping clients identify and remediate cyber and systems challenges.  That passion can be seen in the demonstrated successes in IT and security across Education, Commercial, International, Federal, Department of Defense and Intelligence Community markets and clients. I’ve worked in large and small companies and learned a lot.  Now I’m taking that passion, experience and knowledge and funneling it all into a new company.   I’m pleased to announce that Cyber Centurion Corporation is now open for business! We provide security focused cyber solutions to ensure mission success. For our clients, we put your mission first, add an understanding of the business goals, architecture, risk posture, industry capabilities and trends to develop a holistic approach to meet the mission needs and incorporate the appropriate and most effective risk mitigation mechanisms to enable success. Employees are rewarded with a chance to build something from the ground up and satisfaction knowing that Cyber Centurion invests back into its employees with 401K, generous holidays and PTO, education, health, dental and vision coverage and other benefits.

For more information visit cybercenturioncorp.com or email info@cybercenturioncorp.com

If you’re interested in the positions available, visit https://cybercenturioncorp.com/recruiting/

Cyber Security During A Merger or Acquisition

Originally posted on October 14, 2020 @ 4:50 pm

In my professional career, I’ve seen several mergers and acquisitions from the inside. Whether it was from the acquiring company or acquired, as an individual contributor, manager or executive, each had one thing specifically in common: it was the most dangerous time for both organizations’ information and data.  Long before any public announcement, there are a lot of moving parts to make the M&A happen, Leadership from both companies, IT professionals  and security for both companies are directly involved.  Then there are all the people unofficially “in the loop” who happen to be connected directly to the pulse of the companies. After the announcement, there are the usual suspects interested in the announcements, competitors, bankers, lawyers, etc.  But in addition, to the legitimate and expected interested parties, hackers are paying attention to any changes to your organization.

Managing risk during M&A activities can be a full time job.  There are many factors and motivations to consider, not to mention the rapidly changing environment as two different companies and cultures collide. Step usually taken to minimize or reassign risk are signing non-disclosure agreements (NDA), implementing corporate communication firewalls (not the network device), and insurance. There are many threats associated with an M&A, some external, other’s internal, some risks you’ll just have to accept, other’s you can take steps to mitigate or eliminate. In addition to mitigation, there are ways to significantly reduce certain internal risks associated with the M&A activity.

Internal threats are those within an organization, and can be looked at in two broad categories, unintentional and intentional. The intentional threats are no different than what might be included in a typical insider threat program and under normal operating procedures so I’ll not address them here.  The unintentional threats primarily occur through poor or limited communications.  The unique environment created by M&A makes your organization ripe for phishing and social engineering attacks.  Generally, people are unsure of who’s in charge, who has organizational authority, and where responsibility lies.  This uncertainty, creates an opportunity for attackers to use various attack vectors to compromise your new company.

Given the complexities, uncertainties and issues surrounding information security during an M&A, there are some practical solutions that can make a significant impact to these internal threats.

  1. Publish the high level corporate structure as soon as possible. The sooner your employees understand at least the high level structure, the faster they will understand who should have information and where corporate authorities lie.
  2. Establish a process for validating requests by the transition team and senior leadership. Any requests for PII, money transfers or other corporate decisions should be validated by multiple methods, E-mail, phone, face to face, etc. No single communication should trusted.
  3. NEVER use an e-mail or phone number that isn’t validated through the corporate Global Address List (GAL) or directory to provide any corporate data. A common practice is to request the victim to call the hacker on a different number to validate the request, giving the victim a false sense of security.
  4. Train your employees to question all visitors to your facilities, work with security to issue badges for all new employee’s immediately. It is too easy for an attacker to impersonate an employee of the partner company and wander around the new office, asking questions, getting printouts and files.

Remember, during M&A everyone is nervous, people worry about their jobs, they are trying to impress their new management or just save their jobs.  This nervousness can lead to mistakes or major data breaches.  Keep vigilant, communicate across the organization and establish rules to validate requests and you can avoid some of the most common pitfalls of data protection during a merger or acquisition.

Will SolarWinds become the new CCleaner?

Originally posted on December 16, 2020 @ 6:19 pm

New Evidence Suggests SolarWinds’ Codebase Was Hacked to Inject Backdoor

As a Cyber Security professional for over 25 years I’ve seen a lot over the years.  One thing that stands out is the hack of CCLeaner in 2017.  Which appears now to have some similarities to the SolarWinds compromise.  The result of the CCLeaner compromise has had lasting effects.  Anyone who participates in CyberPatriot knows, CCLeaner is one of the first things to be removed from an image as it’s assumed to be compromised.

With this new evidence, will SolarWinds become the next security tool that’s considered more of a risk to run it than to not?

http://feedproxy.google.com/~r/TheHackersNews/~3/HPHQs0YyzEs/new-evidence-suggests-solarwinds.html

Baking in Cyber Security through Cyber Patriot

Originally posted on August 11, 2020 @ 11:04 pm

I’m sitting here in the airport after finishing a 1 week Risk Management Framework (RMF) Security Controls Assessment (SCA) and reflecting on the week.  This week the team and I reviewed nearly 30 hosts and over 3000 individual controls.  I remember throughout the week there were many times thinking “this is pretty basic stuff, why aren’t they (the client) following the security guidance?.” and I remember that to many system administrators security isn’t “baked in” like we’ve always claimed it should be.  It also underscores the need to get more Information Technology (IT) professionals trained in cyber security.  That’s why Cyber Centurion is proud to sponsor Civil Air Patrol NC-162 Squadron’s first CyberPatriot Team.

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future.  At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition that puts high school and middle school students in charge of securing virtual networks.

The cadets on our team, who range in age from 13-16 began practice in April with basic computer skills and cyber hygiene concepts.  Over the past several months they’ve progress through the basic materials absorbing the information at an incredible pace.  For many, this is their first exposure to managing operating systems and advanced concepts of computer security.  They are excited to begin their first scored round and put their knowledge to the test.

Throughout the week, there were many times that I thought: “Gee, I wish ‘R’ was here.  He could do this in his sleep” or “Wow ‘E’ would have known what to make this setting” or “I wish ‘A’ was here to explain why the system needs to be configured this way”.  I highlight these examples because the cadets in this program have in most cases at least 7 years before they’re in the workforce.  Regardless of what they do in their careers, many will stay close to technology and one thing I am sure of; with these cadets I know security will be baked into whatever they do!

The competition round begins this coming weekend, October 25-27, 2019.  If you are so inclined check out the Cyber Patriot website (www.uscyberpatriot.org) or your local Civil Air Patrol (https://www.gocivilairpatrol.com/) both are great organizations for engaging our youth in Cyber Security and Aerospace Engineering.  If you don’t have a local team or squadron, reach out to me, most of the cyber security training I do with our cadets is virtual and I’m always looking for help!

Workforce diversity and growth starts early, and with you!

Originally posted on August 5, 2020 @ 1:56 pm

At RSA this year there was a big focus on diversity in the workforce.  There were many sessions about how to increase women and minorities in the workforce.  I attended most with hopes of gaining insights on not only how to hire these demographics but ALL demographics.  In my last session of the week, one of the panelists said what I’ve been thinking all week.   “ I’m lucky to get 2 resumes’ to choose from, diversity never enters my mind.  I’m focused on what’s between the eyes and back of the head!” I paraphrased a little but that’s the gist. 

Depending on which website you read (and when) the shortage of Cyber professionals is somewhere between 500K and 3.5Million.  That means that Cyber security is one of the few professions today with 0% unemployment.  According to investopia.com “In 2016, there were 1 million job openings, with two openings for every available job candidate. The rapid job growth is expected to reach 1.5 million positions by 2019.”  From other research I expect we will exceed that 1.5 million and by 2021 be closer to 3.5 million.

As of 2017 there were 780,000 cyber professionals in the U.S. with about 350,000 openings.   The sessions I was in this week talked about increasing the female workforce from 10% to 20% or more.  So that means the speakers were advocating moving from 78,000 women in the workforce to 156,000 still leaving nearly 200K in unfilled positions (there are a lot or assumptions in these numbers, I know.) That still doesn’t close the gap in positions to talent.  We need to be looking at other areas and at building the “pipeline” of candidates.

In my mind, one of our biggest challenges is that our career field is 100% in the abstract.  If your child wants to be a Doctor, she knows she’ll be working with people, things she can touch.  Or if they’re goal is to be a lawyer, they know they’re helping people.  But lets face it, cyber security professionals, no matter what the specialty, work in the abstract. We don’t build anything, we don’t create software or apps (that’s left to the developers), we don’t arrest people (that’s the FBI and other Law Enforcement Officers), in my daughter’s mind all we do is sit in meetings and stare at screens all day long!  Maybe we make a few phone calls.  How do you attract the upcoming generation to such a boring career?  We’re not Kate Libby (Angelina Jolie) and Dade Murphy (Johnny Lee Miller) in Hackers, or Neo (Keanu Reeves) and Trinity (Carrie-Anne Moss) in the Matrix. Heck we’re not even Elliot Alderson (Rami Malek) or Darlene Alderson (Carly Chaikin) in Mr. Robot.  BTW that’s one of the most realistic ‘hacker’ programs coming from Hollywood I’ve seen).

So, how do we attract new talent to such an abstract and boring profession?  Part of it is the money.  A friend from a long time ago told me that the only requirement she would place on her daughter going to school is that whatever the daughter majored in, she could make a living on.  With Cyber Security, regardless of the discipline, the rising professionals can make a living, with 0% unemployment they can make a good living!  The other part is education, people think that only the smartest people on the planet can do cyber security “stuff”.  Yes, you have to be smart, but we all started at the bottom and worked our way up building our knowledge.  No one is born as a cyber guru we all need to be taught and mentored.

Where was I going with this?  Well if you’re reading this, chances are you’re a cyber security professional.  I encourage everyone who sees this to get involved at the level closest to the children that your comfortable with.  What does that mean?  If you’ve got children, get involved.  The GirlScouts have a cyber badge now,  your school likely has a CyberPatriot Program (if they don’t, start one),  take your kids/grandkids to work, show them what you do. 

If you’re a manager of people within your organization, get to know your staff.  See what they’re interested in.  If they’ve got the drive and desire to move up and into the cyber security profession, encourage it.  One of the many success stories I’ve seen is someone who’ve moved from Administrative Assistant to Information Security Engineer.  She came back to the workforce after having children and knew she wanted to do more than manage someone’s calendar.  She came back into an entry level position and got the training and certifications to move up in the organization.  She took advantage of the training and education benefits of the company and is a highly successful Information Security Engineer. 

The workforce problem isn’t just a one dimensional problem, as cyber professionals, take the lead and start working with youth to “build” the pipeline.  If your kids are grown, work with the local HS, College, Civil Air Patrol, JROTC, Girl Scouts, Boy Scouts etc.  Your example can help built the next generation of cyber professionals.

Are you as good at following as leading?

Originally posted on July 29, 2020 @ 9:29 am

I’m sitting here between sessions at the 2019 RSA conference looking at all the marketing materials and listening to the vendors touting their “Market Leading” cyber security tool and I’m wondering if they can all be leaders?  Especially if all the people who are using their tools are also leaders in their respective fields.  Seems like everyone is or wants to be a leader.  We should all have goals, Heck, I want to be one of the premier cyber security leaders in cyber risk analysis and mitigation.  The problem that many people run into with wanting to be the leader is that they must start with being a good follower and maintain those habits as they move through leadership. Let’s face it, in today’s IT environment, everyone has to be both a follower and a leader.

I read an article recently about the principles of followership and how it relates to everyday leadership.  I never really thought about it, and certainly never heard it articulated that way.  The basic ideal is that followership is more fundamental to organizational success than developing leaders.  Followership is difficult, it requires self-discipline and the willingness to learn from others.  Bottom line is without effective followership, a leader can fail to achieve the organizational goals.

There have been several studies that define the following characteristics and behaviors as those commonly sought in effective followers:

  • Positive Attitude
  • Effective Team Member
  • Loyalty to the Leader and Organization
  • Volunteerism at Work
  • Willingness to Accept Assignments
  • Actively Offering Suggestions for Improvement
  • Respectfulness in All Aspects of Work
  • Supporting of Group Decisions

So why am I thinking about this right now? 

Well, to be successful leaders, and to make our leaders successful, we need to be good followers. We need to set the example and display the behaviors above.  We need to encourage these behaviors in the people who work for and with us.  When we’re hiring, these are the intangibles that we should focus on.  I’ve always said when hiring, give me someone with a positive attitude and a willingness to learn and do what’s needed, and we can train or teach them the technical parts of the job.  I can send someone to training on the latest tool or technology.  There’s no class to fix a negative attitude!

Looking for people who want to make a difference

Originally posted on April 1, 2021 @ 4:25 pm

If you’ve got the skills and desire to make a difference in the security and mission of our military and IC clients then we’ve got the opportunities for you. 

Checkout our hot jobs:

HOT – Senior Data Scientist – HOT

HOT – Data Scientist – HOT

HOT – Computer Engineer, Data Systems – HOT

HOT- Computer Scientist, Data Analysis – HOT

HOT – Computer Engineer, Data Administration – HOT

We are Hiring!

Originally posted on July 21, 2020 @ 3:30 pm

If you’ve got the skills and desire to make a difference in the security and mission of our military clients then we’ve got the opportunities for you.  We are changing the way RMF compliance assessments are done in the Army and you can be part of that.

Check out our hot jobs:

Security Control Assessor/Validator (Policy)

Security Control Assessor/Validator (Technical)

Network and Security Researcher/Data Scientist

What are you risking on public WiFi?

Originally posted on July 14, 2020 @ 7:23 pm

We’ve all been tempted at one time or another to connect to that public WiFi connection at the airport, Starbucks or the hotel. Whether it’s because you’ve reached your data plan limit, or the cellular signal is just too poor to get a decent data rate it; crosses everyone’s mind from time to time. That’s a dangerous decision that many people make every day without thinking of the potential consequences and inherent risks.

Public WiFi, by definition, is easy for the public to access and use. Because of that, administrators rarely put significant security in place to protect the users connecting to their networks.  The danger of connecting to the public WiFi is who’s listening.  The technical term is Man-in-the-Middle (MiTM) attack. A MiTM attack is where an attacker intercepts the communication between two parties and sometimes alters it or uses it (in the case of username and password) later. When connecting to your corporate WiFi network, there is generally more security including stronger passwords, and encryption for those who access the system. On your home network you are protected by the passwords and encryption you’ve setup on the network and the number of users who can physically connect to your network (based on proximity).  Of course, if you live in a Condo, TownHouse or Apartment, there are many more people who can receive the WiFi signal than if you live in a single family home, but I’ll discuss home/corporate WiFi security at another time.

A real world example of a MiTM attack was uncovered by Kaspersky Lab in 2014 called “Dark Hotel”.  Dark Hotel operated for more than seven years before being discovered and is believed to be a sophisticated economic espionage campaign by an unknown country. Dark Hotel targeted CEOs, government agencies, U.S. executives, and other high-value targets while they were in Asia. When executives connected to their luxury hotel’s WiFi network and downloaded what they believed were regular software updates, their devices were infected with malware. This malware could sit inactive and undetected for several months before being remotely accessed to obtain sensitive information on the device.

This all sounds terrible and I HIGHLY recommend, NEVER connect to a public WiFi. But I know that sometimes it is just impractical to do anything else.  So if you must connect, here are some precautions and recommendations:

  1. Don’t do online shopping, log into your financial institution or other sensitive activities on public networks.
  2. Use 2-factor authentication when logging into sites when possible (including Gmail).  2-factor authentication ensures that malicious users cannot log into your account at a later time without both authentication mechanisms (like your password and cell phone)
  3. Whenever possible, use HTTPS for websites.  It encrypts the data and makes you a harder target.
  4. Turn off File sharing, automatic connections, and other services that would transmit your password or open you up to an attack.
  5. Use a Virtual Private Network (VPN) service.  This encrypts your data from the computer to another device on the Internet and ensures that no one connected to the local network can eavesdrop on your communications.

Even doing all of these steps could still result in a compromise when connecting to a public network if someone is determined to attack your device.  Implementing these steps will ensure that you’re more protected and a harder target than the guy sipping the latte next to you and hopefully, the attacker will go after them instead. Your best bet is to buy a MiFi, implement personal hotspot capabilities on your cellular phone or buy an unlimited data plan so you don’t have to use someone else’s network to get to the Internet or other online resource.