Fred Touchette has a lot of letters that come after his name, including CCNA, GSEC, GREM, GPEN, and Security+. As a senior security analyst for AppRiver, Fred spends his days playing defense, researching cyber-security threats and flipping them on their heads, ninja-style. The Wall Street Journal picked his brain last year, and now it’s our turn!
What does a senior security analyst do at AppRiver? How do you spend your day?
Well, we’re a messaging security company, so we handle email filtering as well as encryption, web filtering, Office 365, hosted Exchange, that sort of thing. And what my team does is sit on the front lines of all the traffic coming in, whether it be email or web searches. We see all of the malicious traffic, as well as the good traffic, that comes through, so we’re able to see in real-time what the new trends and new campaigns are. In response to that, we can create new tools or tweak existing tools in order to best combat what we’re seeing.
Sounds like a big job! How did you come to be in that particular position?
When I started here at AppRiver six years ago, I was in support. I was troubleshooting for people, but I just had a drive for the security side and an interest in what the bad guys were up to all the time. And now here I am.
I’m sure you’ve seen a lot of SMBs turning from in-house to hosted email. Do you think hosted email will eventually be the default?
Over the past several years, since the economy has done what it’s done, we’ve seen a huge number of people leave the in-house servers and go to a cloud service such as ourselves, just because it made sense financially. You’re not having to pay for an entire staff in-house when you can hire a company that has that specialty. They’ve got the security, they’ve got the equipment, and they can update that equipment – and that’s a big problem for a lot of SMB markets. You’ve got to change your hardware every few years or it’s going to start showing and affecting your business.
There are still some that keep it in-house. It really depends on what their business is and which market they’re in. But yes, I definitely see a lot of self-hosted Exchange going to and remaining in the cloud.
What are some of the advantages and disadvantages of hosted email, especially when it comes to security?
As far as disadvantages, a lot of people who prefer to be hands-on or have always been hands-on tend to feel that there’s a big unknown in the cloud. You’re giving up what you feel is your security, your comfort zone, to someone else, and on servers that are somewhere else – and you don’t always know where they are. But the major advantage is that, even though you’re giving up control in that sense, you’re giving it to people who do that for a living, who create a secure environment for your communications, and take full responsibility for the security of the servers and everything along the way.
So how do you address this sense users have of losing control?
Essentially we just walk them through the process and show them the granularity of control they still have over it. It really depends on what their concerns are, but we just have to show them that you still have control over your filtering, for example, and you can tweak it as you feel necessary. It’s a case-by-case basis because everybody’s concerned about something different.
Especially for small shops where there’s one IT pro, maybe two, trying to handle everything, what advice do you have with regard to security training?
Continuing education is really important. In our department, we do research all day long when we’re not tweaking tools. So getting on some of the news feeds is pretty important – SecureWorks, Internet Storm Center, the security blogs, etc. You can read those to remain current. And of course Spiceworks! There are tons of free resources, and I’m sure I’m missing a million of them, but those are a few that popped into my mind. For subscription services there are things like CBT Nuggets, where you can get different certification tutorials and that sort of thing.
As far as certifications are concerned, go for anything that’s security related. CISSP is good, of course, and Security+ and Network+. As long as you’re continuing your education. The threats are changing constantly, so you really need to remain at the forefront of knowledge as far as what they’re using. If you’re not, you’re not going to be able to tweak your firewall or keep up with your IDS or IPS systems, because you won’t know what the attacks are.
How should SMBs be budgeting for security? A lot of them don’t have much budget to begin with.
That’s always a fun one. Budgeting for security generally involves trying to convince the CEO that you need a budget for security because they don’t realize how necessary it is until after an incident. So that’s always something very difficult. Just getting a budget in the first place is a good step in the right direction. Making sure you’ve got the ability to have minimal security is a great start, and anything on top of that is even better. You want to make sure you can budget to have all operating systems up to date, and to make sure your equipment and your servers are secure.
You’ve got to really weigh the cost versus the benefit. Obviously you can spend too much on security and it’s kind of pointless. If you’ve got a really small staff and you try to implement something like an IDS, well, an IDS is really pointless unless you can configure it and keep up with it properly, and a one-man IT staff isn’t necessarily going to be able to do that. So you really have to find that balance in what you do and what your company requires.
Inquiring minds want to know… Which countries’ spam do your filters catch the most?
That’s a great question. We AppRiver analysts release a spam threatscape report once a month – this information is in there and it’s free on our homepage. I can tell you that the U.S. has been in first place. It has a lot to do with the targets, because most of this spam is botnet driven, and we have a lot of tasty targets in the U.S. that people from other countries want to hit.
I would have said Nigeria. Good thing this isn’t a game show.
No, but we get a lot of direct email from them!
What’s the most exciting thing about your job?
For me, it’s always exciting to see the new attacks. There are always two or three of the big guys that are most prevalent, and they’re always throwing in something that is intricate and interesting, in my opinion. So I’m thinking, “What are they gonna do next?” There’s a lot of talent on both sides of this battle.
Do you still see images being used to get malware and other unsavory things into a system? Like last year’s TIFF attack on Blackberry?
That was one of those things that was kind of interesting to me, because it was actually an executable, and all it had to be was opened. As far as Trojan images that actually link to malware, we see less of that as compared to image spam. But it’s still out there. It’s not as prevalent as it used to be because we’ve got the ability to block images in a proper manner to be able to detect that stuff. But they still try. They still try everything. As long as it still works, they’ll keep doing it.
Is there any particular threat you’ve come across that has kept you up at night?
No, I used to worry a lot more, but part of our job is to analyze this malware so we can reverse-engineer it and see what its actual intent is. We’re not allowed to be on the same network as the rest of the company, because we click on everything. So nothing really scares me anymore, but some things like certain targeted attacks that are really complex and intricate, they would scare me if I were on the other end of them. Luckily I haven’t been.
Some of these, like the banking Trojans, can do some very specific tasks. There’s one that’s able to bypass single-factor authentication in automated wire transfers, and it’s still out there. And those things are kind of scary because it doesn’t need anybody’s help, and there are over 30 major U.S. banks that are still susceptible to this attack. I said these things don’t affect me directly, but I’m sure my money is in one of those accounts somewhere.
That’s why I keep all mine in a mattress! But other users may not be as savvy as I am. What can SMBs do about the issue that lies, shall we say, between the keyboard and the chair?
Well, going back to budgeting for IT security, security awareness training for your staff is one of the cheapest and most effective things you can do for security. I believe it needs to be done fairly often and everyone needs to go through it. If users can’t spot something that’s malicious or out of place, or they’re just not privy to what the dangers are, then humans, as they say, are going to be the weakest link in the chain here.
And now for a real toughie. What’s your preference when it comes to peanut butter – crunchy or smooth – and why?
Smooth. Seems obvious!
Thanks, Fred! SpiceHeads, you can check out other interviews we’ve done with Spiceworks vendor partners. Know someone who would make a great IT interview? Pitch it to us at contentninjas@spiceworks.com.