Careers: Interviews
Renowned expert in security...
This week, Stephen Ibaraki, I.S.P., has an exclusive interview with
Richard Chadderton, a renowned expert in security.
Richard Chadderton is a data networking expert specializing in
large-scale data network security design, defence, and
investigations.
As the national manager for information security for a telecom company, he
was instrumental in a number of successful initiatives, including a
detailed security assessment of all corporate data systems and
information assets, formation and acceptance of security policy, and
the establishment of a framework for performing rapid computer
forensic investigations.
Richard has worked extensively for companies in the financial,
legal, and government sectors. Projects have included enterprise
network design, project management, hands-on implementations, and
training. He is active in various 'grass-roots' organizations such
as the CIPS Security SIG, spreading the doctrine of good security
practices.
Discussion:
Q: Richard, I know that you are extremely busy so we
appreciate that you have taken the time to do this interview. Thank you
for sharing your years of experience and extensive knowledge with
our audience.
A: Thanks Stephen. It’s really quite an honour to
have this opportunity. It’s rare that I get to address a large
audience, as most of my time these days is spent in confidential
information security work with my clients.
Q: You have such a remarkable history. Can you
share some stories and lessons from your past?
A: Most of my successes (and indeed, my failures
as well) can be traced back to a single driving ambition: to find
out how things work. As a boy I was continually taking things apart
and trying to put them back together again. Occasionally I was
successful. In high school I was exceptionally fortunate to have
access to both an HP minicomputer and a fledgling lab of Apple ][+
microcomputers. Almost immediately our small group was disassembling
object code and teaching ourselves 6502 assembler. When the school
installed a Corvus OmniNet[i]
file sharing network, we set to work trying to break its security.
The goal: remote system admin privilege. The prize: free pizza,
courtesy of the school staff. My trojan-horse was successful. Ever
since then, good network security has been an underlying component
of all my professional work.
Q: You speak at conferences due to your expertise
and are active in newsgroups. Can you describe some of your recent
activities in these areas and what tips and ideas you have been
passing on?
A: In June this year I had the opportunity to
address the IT4BC[ii]
conference in North Vancouver. There I spoke to delegates about the
5 most common failings identified through my work in network
security auditing. Nearly every audit I’ve done over the past two
years has revealed vulnerabilities in at least two of these common
areas. I feel quite strongly that a company’s network security can
be improved considerably when proper attention is paid to the basics
of network security.
When time allows I also involve myself in various
technical forums and informal groups. I try to maintain close
association with a network of fellow security professionals I’ve met
at conferences. Usually this is through private e-mail lists and
encrypted member-only chat rooms. Most of these people are also
active on BugTraq[iii],
which I also read regularly.
Q: From a context of past, present and future,
what drives you to do what you do?
A: My desire to understand ‘how things work’ is
very strong. I’m not satisfied solving a tricky networking problem
unless I completely understand the ‘why’ and ‘how’ of the problem. I
love thinking up innovative solutions and bold new ideas.
My motivation is knowing that by personal action,
I can actually make a difference. My customers are typically
involved in the kinds of business that I personally believe in, like
critical infrastructures, medical and technology research,
education, local governance, etc. By helping make their systems
better, I make what I feel is a worthwhile contribution to a
healthy, functioning society.
Q: Can you tell us more about
your work in the security area and where you see your work
heading in the future?
A: A large portion of my work at the moment is
auditing and reporting on the security of corporate networks. In
this, I draw upon my experience building secure networks and in the
process help others to secure theirs. Often I’ll also have the
opportunity to implement the changes suggested. This is challenging
work that is also very educational and quite rewarding.
Additionally, I am involved in research &
development for a Canadian software company, where I advise them on
state-of-the-art security techniques and best practices.
I also am working on my own ambitious development
project, which aims to dramatically reduce the global spam problem
by making it much more time-consuming and costly for abusers to send
their millions of unwanted messages. The idea is innovative, and
builds upon many of the new anti-spam technologies now being used.
Success here will depend on the ability to raise R&D money and bring
the product to market. This idea has been simmering for several
years now, and is now approaching the prototype stage.
Q: Generally, where do you see the whole security
area heading in two years and five years?
A: Since 1998 I’ve talked about a 10-year
marketing cycle in the field of information and network security
(referred to by some as InfoSec). The cycle starts slowly, with some
of the more enlightened technical operators seeing the need for
change and starting to make systematic improvements to their
networks. As the groundswell increases, more new technologies and
products appear. In the middle of the cycle, the market begins to
saturate, and innovation is gradually replaced by commoditization.
At the end, most everyone is doing security properly, and dramatic
security breaches become very rare. At the moment I believe we are
about halfway through this cycle.
Q: What’s the story behind your company?
A: I started Vigilans.net in 2002, after two
years of gruelling work handling the network security for Group
Telecom, a start-up telecommunications company. With the experience
on very large networks I gained there, I am now able to provide
select clients a range of discrete and highly specialized InfoSec
services, such as network intrusion detection, systems integrity
monitoring, penetration testing, and forensic incident analysis.
Some call my work ‘ethical hacking’. I call it ‘incident
preparedness and response’. However you refer to it, I find it
rewarding and exciting to be working on the cutting edge of network
security.
Q: What’s the best way in which to ensure that a
company has sufficient security to protect against all threats? What
are the different threat areas to consider?
A: The best security posture to defend against
all threats is to disconnect network connections, cut the power,
encase the hardware in concrete, and bury it at the bottom of the
ocean. Unfortunately your users may find this approach interferes
somewhat with normal system operations. A more appropriate response
is to follow industry ‘best practices’[iv]
and to support rational, cost-effective decisions with effective
budget allocations. I find that often management will not support a
security initiative until after a damaging event has occurred. The
challenge is to convince executives that InfoSec budgets should be
considered as insurance, rather than just another IT expense.
When considering the amount to spend, it is
important to recognize that each organization will have a unique
data asset that requires protection. Therefore specific budgets and
the technologies will necessarily differ from one to the next. In
all cases, however, it is important to measure the degree of threat
before making InfoSec purchasing decisions. This way, one can avoid
buying a $100 fence to protect a $10 horse.
Q: Is one operating
environment more secure than another?
A: Is that a trick question?
OK, the MAC+ with OS 7.5 was more secure than the Amiga 1000. But
I’m not going to say that Windows 2000 is more (or less) secure than
Solaris 7. All operating environments can be made insecure. The
degree of vulnerability on any particular operating environment
rests upon the individual system administrator’s training and skill,
not on the vendor’s packaging and marketing decisions. Although
OpenBSD is considered by many to have the most secure[v]
default installation, deliberate misconfigurations could render it
less secure than that of a default Windows NT Server 4.0 system.
Q: If you were to design a
perfect system of security, what would it look like?
A: No security can be
perfect, but reasonable efforts can be made. The common wisdom is to
use a “defence in depth” strategy[vi].
Often this is implemented as nested security zones or rings, with
each level providing increasingly better protection from the outside
layers. The Internet is outside, leading into remote access
facilities, and on to the general user network. At the innermost
layers are located the core data assets, such as central databases,
network monitoring and control, and security functions. Traversing
to a deeper layer requires increasing levels of authentication,
authorization, and auditing.
Q: What are the ten biggest
traps or pitfalls or common mistakes with regards to security?
A: To borrow from my IT4BC[vii] presentation, I see the following:
* Network Design Errors
  - Insufficient separation of security zones
  - Poor remote access methods
  - Insecure access to network control points
* Insecure SNMP usage
* Poor Password Management
  - Easily guessed passwords
  - Clear-text password transmission
* System Software
  - Out-of-date software
  - Patches not installed
  - Poor configurations
  - Unnecessary services running
* Unprotected Wireless LANs
  - Insecure access points
  - Attached to trusted networks
Q: Based upon your years of
experience working at the highest levels, what advice would you give
to IT professionals on security issues?
A: No matter what efforts you
take, there will always be security failings in your network. It is
unwise to be complacent about security or think you don’t have a
problem. Success comes from understanding the level of risk and the
cost associated with mitigation of that risk. Spend money to fix
those things that will measurably lower your risk, and try to keep a
long-term vision to implement security at every level. Don’t ignore
a risk because you don’t understand it. If you decide to take a
security shortcut, do so after you fully understand the risk you are
accepting.
Q: What 10 tips that helped
you in your path to success can you provide to others? What would
you do differently looking back in hindsight?
A: My top-ten list for success:
1. Think twice, send once
2. Act quickly, not hastily
3. Never test new processes on live systems
4. Never do a system upgrade the night before vacation
5. Ask questions
6. Be helpful
7. Be curious
8. Be paranoid
9. Always backup
10. Always be learning new stuff
Q: Businesses are seeing
many technologies in their strategic paths. What advice, regarding
security, would you give to businesses as they plan their own
evolution in the next five years? Do you have specific technologies
and processes they should watch out for and implement?
A: Individuals can make as
much of a difference in security as any technology you might
install. Plan on making Security Awareness part of the training
budget, especially if employees handle customer information or other
sensitive data. New and rapidly changing technologies that IT staff
should be evaluating are intrusion detection appliances, centrally
managed distributed firewalls, network policy control devices, and
desktop management systems. Businesses should also be budgeting to
re-engineer the design of their staff and production data networks
to provide better partitioning and to protect them from abuse.
Q: Can you comment more about the Open Source
Movement—its current position, its philosophy, the major
innovations, and where it’s going?
A: My main attraction to Open Source[viii]
is that I can have direct access to the source code. If something is
not to my liking, I can see it, fix it, and implement it within a
very short timeframe. I find this especially important when working
with sophisticated security analysis tools. A secondary benefit is
that I can submit my improvements and help everyone else out there
too. I like this. No-cost distribution lowers the barrier to
participation, encouraging others to develop their own innovations
for the benefit of all.
Q: What are the best resources in the security
area? What are the best tools, the best sources of information, best
books, web sites, and so on?
A: Google, Google, and Google. My apologies to
the other search engines, but I really haven’t had a reason to
switch in the past few years. I always find what I need there.
I also tend to refer to several O’Reilly
publications[ix]
for syntax, examples, techniques, and other historical trivia. I
also find the “Hacking Exposed[x]”
series quite good for helping to explain to my clients some of the
more elaborate hacker techniques.
Q: What do you see on the
horizon that businesses and IT professionals “must” be aware of to
be competitive?
A: Industrial espionage is ugly, and it is also
very cheap when Internet tools are added to the arsenal. I fear it
is on the increase. I’ve had the opportunity to handle a couple of
investigations, but it is very difficult to trace. Most
organizations are not at all prepared for this when it happens. In
order to have any chance of catching someone, preparations need to
be made in advance. This includes robust document management
systems, excellent access control systems, detailed event logging,
an incident response procedure, and of course, regular audits.
If your company has a valuable data asset, you
need to be thinking of this. First, try to calculate the value of
this data, and then develop a plan to protect it properly.
Q: If you were doing the
interview, what five interview questions would you ask of someone in
your position and what would be your answers?
A: How can someone tell the difference between
the good guys (white-hats) and the bad guys (black-hats)?
Someone once told me that the only difference was
the number of zeroes on the cheque, inferring that everybody can be
bought for a price. Personally I don’t believe this. I think that
the main difference here is ethics, and that this is exposed in
their every activity and practice. It cannot be easily faked. A
quick Internet search will usually reveal clues to where they stand.
Decide if you like what you see. Personally, I rely on a
face-to-face meeting before making a final decision on whether to
trust someone.
How do your clients know you aren’t a black-hat
selling their secrets?
It’s a matter of trust. Often it will come from
word-of-mouth or a direct referral from another person or agency
they trust. Once again, the face-to-face meeting plays a large role
in establishing this trust.
Should a company hire a “reformed” black-hat
hacker?
The standard answer is ‘no’. But in individual
cases there may be reasons to do so. Perhaps you want to test your
defences, or exercise your incident response process. Whatever the
reason, you’ll still need to establish a level of trust that is
acceptable. (Refer to previous questions.)
Which is more important, certification or
experience?
Both are very important. Certification provides a
standardised benchmark. Experience indicates competency. In my
professional life I have chosen experience over certifications, and
have been reasonably successful doing so. In most cases though, I
would recommend that people obtain certifications in addition to
experience, as it opens doors to many more opportunities.
How do I become a hacker like you?
I’m amazed at how often I get asked this. It
actually takes years of work, spending 12 hours a day or more
staring at a monitor and typing away all night long. It’s a
tremendous time investment. But I believe there’s a hacker in each
of us, just waiting to get out. Every time you reinstall Windows or
tweak the registry or manually edit a config file, you are hacking.
If you ever wonder what makes all this technology work together, or
wonder how it fell apart, you are a hacker. To start playing around
with serious hacker stuff, I recommend installing RedHat Linux on
that old unused Pentium you have collecting dust in the closet and
start fiddling with it. Get the Linux for Dummies[xi]
book, and you’re on your way.
Q: It’s a blank slate, what added comments would
you like to give?
A: I believe that network
and information security is everyone’s business. It should be
present at all levels in an organization, and the responsibility of
everyone. It should never be “somebody else’s problem”, or solely
the responsibility of an IT staff member.
Q: Richard, we are very appreciative of the time
you have taken in doing this interview. Thank you for coming in to
share your views and experiences with our audience.
A: My pleasure, Stephen. I hope your readers have
found my comments interesting. I really enjoy talking about my work,
so if anyone has any follow-up questions, please direct them to my
e-mail address:
Richard@Vigilans.net.
Thanks!
[i] http://www.old-computers.com/museum/computer.asp?st=1&c=653
[ii] http://oak.kwantlen.ca/apps/it4bc.nsf/
[iii] http://www.securityfocus.com/popups/forums/bugtraq/intro.shtml
[iv] http://www.sans.org/rr/catindex.php?cat_id=8
[v] http://www.openbsd.org/security.html
[vi] http://www.nsa.gov/snac/support/guides/sd-1.pdf
[vii] http://vigilans.net/~rchadder/IT4BC/InfoSecAudits.ppt
[viii] http://www.samurajdata.se/opensource/mirror/docs/definition.php
[ix] http://www.oreilly.com/catalog/top25.html
[x] http://www.hackingexposed.com/
[xi] http://www.dummies.com/WileyCDA/DummiesTitle/productCd-0764516604.html