Monday, January 15, 2007

Interview with Eric Cole

Author of Hiding In Plain Sight

I recently reviewed Hiding In Plain Sight, the most recent book from security expert Eric Cole. Eric Cole is also the author of Hackers Beware and one of the primary authors of GIAC Certification: Security Essentials Toolkit (GSEC).

Eric spent more than five years working in information security for the CIA (Central Intelligence Agency), where he led a team in designing and deploying secure communications systems.

He helped to develop some of the SANS GIAC (Global Information Assurance Certification) exams and the corresponding SANS courses. He continues to work in information security as the Chief Scientist for The Sytex Group's Information Warfare Center and he has appeared on 60 Minutes, CBS News and CNN.

Eric agreed to take some time out of his schedule to answer some questions and share his insights on certification, getting into information security, the current state of information security and more:

TB (Tony Bradley): How did you first become involved in Information Security?

EC (Eric Cole): I was accepted as an intern for the CIA and I was given the choice of which job I wanted to take. Before college I used to play around with my Commodore 64, figuring out ways to make it do things it shouldn’t. I also took some security classes in college, and the one job that offered security seemed interesting. I accepted the position and have been hooked ever since.

TB: If you had to choose one book for someone to get started in Information Security, what book would you recommend?

EC: Definitely Hackers Beware. Sorry, I could not resist the temptation to recommend the other book I wrote. Actually, that question is very hard to answer because it depends on a lot of things. The book that I recommend as a must-read to all of my students when I teach Security Essentials is The Cuckoo's Egg. It is not technical, but it is probably a great place to start on your information security journey.

TB: Do you feel that certification has value in the job market? If so, which certification would you recommend first?

EC: Yes, because they validate that you have a certain skill level. So many people claim that they are security experts and very few are. However, on the flip side, just because you have a certification does not mean you are an expert. A certification is a baseline showing you have a minimum subset of knowledge, not a maximum subset. The SANS GSEC certification really provides a nice level of detail for the security professional and would be my recommendation for someone’s first certification.

TB: There is a lot of talk about Information Security in American business- do you feel that companies are doing enough to secure and protect their systems?

EC: Absolutely not. Very few companies really understand what it means to be secure. Security is not about spending money, it is about understanding and minimizing one's risk. The whole security paradigm needs to be re-defined because most people think that if you have a firewall and IDS you are secure and that is very far from the truth.

TB: What is the key area you would like to see companies improve on in terms of their Information Security?

EC: The area that needs the most improvement is true risk analysis. Not a long, drawn-out 9-month effort, but a short 2-3 week effort that identifies the highest risks to an organization and what needs to be done to fix them.

TB: In your opinion do users have the right to secure and hide information so that even our own government can’t access it?

EC: This is a hard question to answer. My initial response would be that if you are doing nothing wrong then you do have a right to secure and hide information, but if you are trying to do something wrong or harmful to others then you cannot. Intent is really the dividing line but the problem is that it is impossible to measure. The unfortunate reality is that one of our greatest freedoms in the USA is that we have the right to have private communications, even if it can be used against us by adverse groups.

TB: Do you think that steganography will become increasingly used by businesses? Do you think business should use steganography as a security tool?

EC: Yes, as time goes on I think more and more companies will use stego to protect their information. With a lot of technology there are both good and bad uses to it. In this case stego unfortunately has been quickly adopted by criminal elements and I think it will take a little longer for the legitimate uses to become popular.

TB: What do you think is most exciting about steganography currently and how do you see it developing in the future?

EC: One of the most exciting and challenging areas of stego is stego detection: figuring out the weaknesses in an algorithm and using that information to build better systems in the future. The problem/challenge is that this is still in its infancy and has to grow into a more structured discipline, like crypto.

TB: Niels Provos, considered by many to be one of the best in this field and whose tools you have included on your CD, has recently made his tools unavailable in the United States out of fear of the State Super-DMCA laws (mainly the Michigan law). Do you feel that the Federal or State DMCA laws interfere with legitimate security research?

EC: Yes, I feel that the laws restrict research and will hurt us in the long run. The law was written by people that do not understand the value of research and was a knee jerk reaction to people doing things that they shouldn’t.

TB: Tim Mullen presented a concept of striking back at infected machines at the 2002 Black Hat conference, and recently IRC operators created an anti-worm to automatically clean machines infected with the Fizzer worm without their owners' permission. Do you think that the Internet community has the right to defend itself, or is counter-hacking in the same ethical boat as the original attack?

EC: Yes, you always have the right to defend yourself but there is passive and active defense. Passive defense is acceptable and if it was done more often this problem would be a lot better. Active defense where you attack back is very dangerous because of relays. You never really know who your real attacker is.

TB: I think people like to know what products are used by people who do Information Security for a living- what antivirus software and/or firewall software do you run on your personal computer?

EC: I run no security software or virus checking on my system because I think it is a waste of time. Only joking, I just wanted to make sure you're still awake. I use ZoneAlarm and V-secure but I also have multiple firewalls that my systems sit behind.
