Monday, January 15, 2007

Interview With Ed Skoudis

Author of The Hack-Counter Hack Training Course

On the heels of my recent Product Review of The Hack-Counter Hack Training Course by Ed Skoudis, I have asked some questions of the author / lecturer.

Besides the CD video training course mentioned above, Ed Skoudis is also the author of the book Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses as well as the upcoming release Malware: Fighting Malicious Code. Mr. Skoudis is a member of the lecturing faculty of the SANS Institute and teaches at seminars around the country.

Read the interview questions and answers below to find out more about this respected security expert: how he got started, what he thinks of information security today, and where he sees things moving in the future.

TB: What was your first computer?

ES: My lovely Commodore Vic 20. It rocked with a whopping 5 k of RAM, and cool games, almost as good as the arcade version of Space Invaders. I miss that little box. And it booted in about 2 seconds! Solid state, baby… no moving parts!

TB: What made you decide to write your first book?

ES: I had been doing presentations for several years, but wanted to reach a larger number of people. I figured a book was a good way to help get the information security message propagated to a bigger audience.

TB: How long did it take you to write it?

ES: One year. One very long year of intense work. But it was fun! The folks at my publisher (Prentice Hall) were wonderful to work with.

TB: When did you start teaching with SANS?

ES: In May 1999, I did my first 90-minute talk for SANS. I had always wanted to present at SANS, but didn’t get an invite to do so until 1999. At the talk, there were about 300 people watching, standing room only. I was quite worried about how it would go, but I tried to really have fun with the audience. About halfway into the talk, someone in the first row told me that my shoe was untied. After apologizing to the front few rows about any potential odors, I kicked my shoes off and just kept rolling. We all had a good time.

TB: Has teaching helped you learn more as well?

ES: I’ll say! It’s helped in two ways… first, I am motivated to keep up so I can present new materials in the class. Secondly, students constantly come up with new ideas or new takes on issues that help me to see things in a different way. I really enjoy it when a student points out some item I hadn’t seen before. That’s how we all grow. And, if I help that student out as well, we’ve got a great exchange going!

TB: Do you feel that your books or CD training might cause more harm than good by teaching the next generation of blackhats?

ES: I get that question a lot. Actually, a lot of the bad guys already know this stuff. If they are determined enough, they can learn to hack without my materials. I try to keep my materials focused on giving people the info they need to stop bad guys, without turning them into blackhats themselves. It’s a fine line, I admit. However, if you look at all of my work, I very carefully make sure to discuss the defensive strategies associated with each attack.

TB: How did you first become involved in Information Security?

ES: My first job out of college was at Bellcore, the company that did research for the Baby Bells. After cutting my teeth working on Operator Services and Payphones, I moved into the security group. Our team focused on two areas: telephone network security and data communications security. As the Internet started growing in the mid-1990s, I jumped into that side of the team. What a great ride it’s been since then!

TB: If you had to choose one book for someone to get started in Information Security, what book would you recommend?

ES: There are lots of good books out there. Not to be too biased, but I wrote my Counter Hack book so that it would help new people develop the technical skills necessary to jumpstart their careers as information security professionals.

TB: Do you feel that certification has value in the job market? If so, which certification would you recommend first?

ES: Certification is definitely important. Otherwise, as an employer, how can you be sure someone has the skills you are looking for? The hiring process is already complex and costly, so an employer cannot test each applicant’s skills. In a sense, they outsource this to certification organizations. Of course, to be valuable, the certification has to have some teeth to it. That is, to receive the certification, individuals must have demonstrated real-world technical skills.
My favorite certification is GIAC. I am biased, in that I write materials for GIAC and present for SANS. That said, the GIAC certification really makes people work to get and maintain their certification, giving it value. GIAC-certified people have to take an exam, as well as write a research paper (called a practical) to help improve the state of information security across the community. Some of these papers are tremendous! Check out www.giac.org to see how valuable some of these practical papers are.

TB: What are your thoughts regarding the University of Calgary course where students will create new viruses as a part of learning to combat them?

ES: I’m kind of uncomfortable with the concept. There are already enough malware specimens out there right now for us to analyze. You can certainly create some solid protective software based on the stuff in the wild, without writing new malware. Encouraging people to develop new attacks, exploits, and malware sends the wrong message, in my opinion.

TB: What is the key area you would like to see companies improve on in terms of their Information Security?

ES: As pedestrian as it may sound, we need better patch deployment and management. Most of these worm attacks come down to just unpatched systems. If there’s only one thing you do to fight off worms, make sure you just patch your system every other week. You’ll be in far better shape!

TB: What area of information security do you see growing the most over the next 5 years?

ES: We need security-savvy system administrators. The security groups of most organizations are overwhelmed with tasks, and need to rely on system administrators to help secure the enterprise. System administrators are really on the front-lines, and they need to be well-equipped to deal with attacks. Reflecting this, I think we’ll see a big increase in the security skills needed in system administrator roles. The most valuable system administrators (and the best paid) will be those who can help maintain and secure their systems.

TB: The timeframe from vulnerability alert to full-blown worm seems to be decreasing. Do you think we’ll see more zero-day (or 1 to 2 day) exploits as time goes on?

ES: Yes. Certainly. There are huge numbers of vulnerabilities out there, and some rather unscrupulous people disclosing them to the whole world. I expect to see this problem worsen over time.

TB: With vulnerabilities coming as fast and furious as they do, it is becoming a full-time drain on resources to implement and manage patching. Is there anything you think companies can do differently or instead that might help them stay one step ahead of the latest malicious code?

ES: Hardening the configuration of boxes in advance certainly helps. Shutting off unneeded services is absolutely crucial. Educate system administrators so that they know their responsibilities and how to apply patches. Remind system administrators that it is their responsibility to keep their machines updated.

Postscript: This interview is rather old and incomplete.