Why did you write Hack I.T.? Who is the intended audience, and what are you hoping to share with them? What was the writing process like?
The goal of Hack I.T. is to share with the audience a methodology for performing penetration testing in order to help secure the network by finding and eliminating all vulnerabilities.
That's the "textbook" answer. Really, in our travels (mine and my co-authors), whenever we performed a penetration test, the clients would invariably want to learn a little bit about the process and we found ourselves giving them ad hoc lessons. Therefore, we decided that writing down a lot of what we said on paper and wrapping it into a structured, organized methodology would be a beneficial thing.
What is the biggest threat to business networks today?
The biggest threat is really a disgruntled insider (employee, contractor, etc.) who abuses his or her privileges to compromise the network, steal data, or just cause havoc.
Of course, the threats that are on everyone's minds are denial-of-service attacks, hack incidents that knock out all or portions of the critical resources required for the network to run, or terrorist attacks that remove either the network or its underlying physical infrastructure.
Has the threat of terrorism changed the way organizations are protecting their information assets?
I think it has made businesses more serious about securing their networks by raising awareness of existing vulnerabilities. It has certainly forced businesses into paying more attention to their business continuity and disaster recovery plans.
While I suppose this can be considered a silver lining to this new era of terrorism, it's the worst way to get corporations interested in securing their IT assets.
The threat of terrorism doesn't necessarily change the way an organization protects its information. They still need to follow due diligence in assessing risks, develop countermeasures that follow best practices and conform to their particular environment (and budget), and follow secure policies and procedures.
Are you ever afraid of the power of technology?
Sure; afraid of the power of dirty bombs, nuclear missiles, anthrax powder, chemical weapons and the like in the hands of terrorists. Afraid of governments with too much power to monitor and surveil their own citizens.
Are privacy and security mutually exclusive concepts in IT?
No. And, well, Yes.
Sounds confusing, I bet. This is because these concepts mean different things depending on perspective. In the commercial world, "privacy" and "security" concerns are dominated mainly by the handling of personally identifiable information (PII) or any collection of information that can either be used to uniquely identify a particular individual out of a group, such as the combination of name and home address and work address. It's unlikely that there will be two people with the same name living and working at the same addresses.
There are statutory and regulatory guidelines in place at the federal and often at the state level for ensuring that an individual's PII is used only for its intended purpose, kept secret from those who don't need to have it, and basically respected like the Holy Grail. In this sense, privacy and security can go hand-in-hand. In order to keep data private, it needs to be securely maintained.
In national security matters, "privacy" is used to refer to communications more than PII. And security refers more to national security than data or information security. For the purposes of our homeland defense, law enforcement and counterterrorism agencies want the ability to listen to, collect, and disseminate amongst themselves any and all communication, breaking the privacy of Internet and telephone users. However, this would be done in an effort to identify (and eventually thwart) credible threats to our nation. Here, a trade-off will have to be made between individual privacy and our collective security.
What advice would you give to someone starting out as an IT security professional today?
I'd say two things. First, understand the relationship between privacy and security. Many of today's security requirements are driven through government-sponsored privacy regulations, or laws that speak to both privacy and security, such as GLB and HIPAA. This will, of course, involve taking part in the discussion of the trade-off between national security and individual privacy mentioned above.
Second, it is also important to realize that America is unique in that so much of our nation's critical infrastructure, especially including our IT assets, is held by the private sector. So, corny as this may sound, security professionals today really have to be on the ball; for even if we are working for a banking, agriculture, health care, or retail company, or consulting for a large financial organization, our efforts are helping to secure some portion, however small, of America's critical infrastructure.
If you weren't doing what you're doing now, what would you be doing instead?
I love what I'm doing right now. Helping people secure their networks. I also love to teach and am a big rock (actual rocks, not hard rock) fanatic. If I weren't a consultant, I'd probably teach or study geology.
Have any cool new gadgets that are currently improving (or ruining) your life?
Handhelds. I am a late convert to the Handheld PDA revolution. I won one at a recent security conference and have found it quite useful. However, there is a downside to the immediate availability of limitless information that these devices provide. And that is that the day you don't have it (forget the PDA at home or in the car), you feel like you are completely helpless and ineffective. All of a sudden, without that information available at the touch of a stylus, it feels harder to function.
Still, I wouldn't want to give it up. And I'm getting really good at solitaire.
What's your favorite technology of all time?
Air conditioning. I keep the AC pumped up all day (and pay for it at the end of the month) because I don't like living in heat. I actually use the AC in the winter as well; just keep the temperature not as low.
I think what I like best about it is that through air conditioning, we have the ability to control and maintain the environment within our own boundaries.
What's next for you?
I'm currently working on an exciting project -- building an information security and data privacy consulting firm, Gsecurity. We focus on serving all levels of the government, as well as the health care and banking sectors. Also, I'm starting a series of columns on InformIT that will be both interesting to write and informative to read. I'd also like to continue speaking about security issues and am interested in writing another book.
At the end of all of this, I'd like to retire to a wonderful, quiet place on the beach.