CIPS CONNECTIONS INTERVIEWS by STEPHEN IBARAKI, I.S.P.
A renowned expert in security...
This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Richard Chadderton, a renowned expert in security.
Richard Chadderton is a data networking expert specializing in large-scale data network security design, defence, and investigations.
As the national manager for information security for a telecom company, he was instrumental in a number of successful initiatives, including a detailed security assessment of all corporate data systems and information assets, formation and acceptance of security policy, and the establishment of a framework for performing rapid computer forensic investigations.
Richard has worked extensively for companies in the financial, legal, and government sectors. Projects have included enterprise network design, project management, hands-on implementations, and training. He is active in various 'grass-roots' organizations such as the CIPS Security SIG, spreading the doctrine of good security practices.
Q: Richard, I know that you are extremely busy so we appreciate that you have taken the time to do this interview. Thank you for sharing your years of experience and extensive knowledge with our audience.
A: Thanks Stephen. It’s really quite an honour to have this opportunity. It’s rare that I get to address a large audience, as most of my time these days is spent in confidential information security work with my clients.
Q: You have such a remarkable history. Can you share some stories and lessons from your past?
A: Most of my successes (and indeed, my failures as well) can be traced back to a single driving ambition: to find out how things work. As a boy I was continually taking things apart and trying to put them back together again. Occasionally I was successful. In high school I was exceptionally fortunate to have access to both an HP minicomputer and a fledgling lab of Apple ][+ microcomputers. Almost immediately our small group was disassembling object code and teaching ourselves 6502 assembler. When the school installed a Corvus OmniNet[i] file sharing network, we set to work trying to break its security. The goal: remote system admin privilege. The prize: free pizza, courtesy of the school staff. My trojan-horse was successful. Ever since then, good network security has been an underlying component of all my professional work.
Q: You speak at conferences due to your expertise and are active in newsgroups. Can you describe some of your recent activities in these areas and what tips and ideas you have been passing on?
A: In June this year I had the opportunity to address the IT4BC[ii] conference in North Vancouver. There I spoke to delegates about the 5 most common failings identified through my work in network security auditing. Nearly every audit I’ve done over the past two years has revealed vulnerabilities in at least two of these common areas. I feel quite strongly that a company’s network security can be improved considerably when proper attention is paid to the basics of network security.
When time allows I also involve myself in various technical forums and informal groups. I try to maintain close association with a network of fellow security professionals I’ve met at conferences. Usually this is through private e-mail lists and encrypted member-only chat rooms. Most of these people are also active on BugTraq[iii], which I also read regularly.
Q: From a context of past, present and future, what drives you to do what you do?
A: My desire to understand ‘how things work’ is very strong. I’m not satisfied solving a tricky networking problem unless I completely understand the ‘why’ and ‘how’ of the problem. I love thinking up innovative solutions and bold new ideas.
My motivation is knowing that by personal action, I can actually make a difference. My customers are typically involved in the kinds of business that I personally believe in, like critical infrastructures, medical and technology research, education, local governance, etc. By helping make their systems better, I make what I feel is a worthwhile contribution to a healthy, functioning society.
Q: Can you tell us more about your work in the security area and where you see your work heading in the future?
A: A large portion of my work at the moment is auditing and reporting on the security of corporate networks. In this, I draw upon my experience building secure networks and in the process help others to secure theirs. Often I’ll also have the opportunity to implement the changes suggested. This is challenging work that is also very educational and quite rewarding.
Additionally, I am involved in research & development for a Canadian software company, where I advise them on state-of-the-art security techniques and best practices.
I also am working on my own ambitious development project, which aims to dramatically reduce the global spam problem by making it much more time-consuming and costly for abusers to send their millions of unwanted messages. The idea is innovative, and builds upon many of the new anti-spam technologies now being used. Success here will depend on the ability to raise R&D money and bring the product to market. This idea has been simmering for several years now, and is now approaching the prototype stage.
Q: Generally, where do you see the whole security area heading in two years and five years?
A: Since 1998 I’ve talked about a 10-year marketing cycle in the field of information and network security (referred to by some as InfoSec). The cycle starts slowly, with some of the more enlightened technical operators seeing the need for change and starting to make systematic improvements to their networks. As the groundswell increases, more new technologies and products appear. In the middle of the cycle, the market begins to saturate, and innovation is gradually replaced by commoditization. At the end, most everyone is doing security properly, and dramatic security breaches become very rare. At the moment I believe we are about halfway through this cycle.
Q: What’s the story behind your company?
A: I started Vigilans.net in 2002, after two years of gruelling work handling the network security for Group Telecom, a start-up telecommunications company. With the experience on very large networks I gained there, I am now able to provide select clients a range of discrete and highly specialized InfoSec services, such as network intrusion detection, systems integrity monitoring, penetration testing, and forensic incident analysis. Some call my work ‘ethical hacking’. I call it ‘incident preparedness and response’. However you refer to it, I find it rewarding and exciting to be working on the cutting edge of network security.
Q: What’s the best way in which to ensure that a company has sufficient security to protect against all threats? What are the different threat areas to consider?
A: The best security posture to defend against all threats is to disconnect network connections, cut the power, encase the hardware in concrete, and bury it at the bottom of the ocean. Unfortunately your users may find this approach interferes somewhat with normal system operations. A more appropriate response is to follow industry ‘best practices’[iv] and to support rational, cost-effective decisions with effective budget allocations. I find that often management will not support a security initiative until after a damaging event has occurred. The challenge is to convince executives that InfoSec budgets should be considered as insurance, rather than just another IT expense.
When considering the amount to spend, it is important to recognize that each organization will have a unique data asset that requires protection. Therefore specific budgets and the technologies will necessarily differ from one to the next. In all cases, however, it is important to measure the degree of threat before making InfoSec purchasing decisions. This way, one can avoid buying a $100 fence to protect a $10 horse.
Q: Is one operating environment more secure than another?
A: Is that a trick question? OK, the MAC+ with OS 7.5 was more secure than the Amiga 1000. But I’m not going to say that Windows 2000 is more (or less) secure than Solaris 7. All operating environments can be made insecure. The degree of vulnerability on any particular operating environment rests upon the individual system administrator’s training and skill, not on the vendor’s packaging and marketing decisions. Although OpenBSD is considered by many to have the most secure[v] default installation, deliberate misconfigurations could render it less secure than that of a default Windows NT Server 4.0 system.
Q: If you were to design a perfect system of security, what would it look like?
A: No security can be perfect, but reasonable efforts can be made. The common wisdom is to use a “defence in depth” strategy[vi]. Often this is implemented as nested security zones or rings, with each level providing increasingly better protection from the outside layers. The Internet is outside, leading into remote access facilities, and on to the general user network. At the innermost layers are located the core data assets, such as central databases, network monitoring and control, and security functions. Traversing to a deeper layer requires increasing levels of authentication, authorization, and auditing.
Q: What are the ten biggest traps or pitfalls or common mistakes with regards to security?
A: To borrow from my IT4BC[vii] presentation, I see the following:
- Network Design Errors
  - Insufficient separation of security zones
  - Poor remote access methods
  - Insecure access to network control points
- Insecure SNMP usage
- Poor Password Management
  - Easily guessed passwords
  - Clear-text password transmission
- System Software
  - Out-of-date software
  - Patches not installed
  - Poor configurations
  - Unnecessary services running
- Unprotected Wireless LANs
  - Insecure access points
  - Attached to trusted networks
Q: Based upon your years of experience working at the highest levels, what advice would you give to IT professionals on security issues?
A: No matter what efforts you take, there will always be security failings in your network. It is unwise to be complacent about security or think you don’t have a problem. Success comes from understanding the level of risk and the cost associated with mitigation of that risk. Spend money to fix those things that will measurably lower your risk, and try to keep a long-term vision to implement security at every level. Don’t ignore a risk because you don’t understand it. If you decide to take a security shortcut, do so after you fully understand the risk you are accepting.
Q: What 10 tips that helped you in your path to success can you provide to others? What would you do differently looking back in hindsight?
A: My top-ten list for success:
1. Think twice, send once
2. Act quickly, not hastily
3. Never test new processes on live systems
4. Never do a system upgrade the night before vacation
5. Ask questions
6. Be helpful
7. Be curious
8. Be paranoid
9. Always back up
10. Always be learning new stuff
Q: Businesses are seeing many technologies in their strategic paths. What advice, regarding security, would you give to businesses as they plan their own evolution in the next five years? Do you have specific technologies and processes they should watch out for and implement?
A: Individuals can make as much of a difference in security as any technology you might install. Plan on making Security Awareness part of the training budget, especially if employees handle customer information or other sensitive data. New and rapidly changing technologies that IT staff should be evaluating are intrusion detection appliances, centrally managed distributed firewalls, network policy control devices, and desktop management systems. Businesses should also be budgeting to re-engineer the design of their staff and production data networks to provide better partitioning and to protect them from abuse.
Q: Can you comment more about the Open Source Movement—its current position, its philosophy, the major innovations, and where it’s going?
A: My main attraction to Open Source[viii] is that I can have direct access to the source code. If something is not to my liking, I can see it, fix it, and implement it within a very short timeframe. I find this especially important when working with sophisticated security analysis tools. A secondary benefit is that I can submit my improvements and help everyone else out there too. I like this. No-cost distribution lowers the barrier to participation, encouraging others to develop their own innovations for the benefit of all.
Q: What are the best resources in the security area? What are the best tools, the best sources of information, best books, web sites, and so on?
A: Google, Google, and Google. My apologies to the other search engines, but I really haven’t had a reason to switch in the past few years. I always find what I need there.
I also tend to refer to several O’Reilly publications[ix] for syntax, examples, techniques, and other historical trivia. I also find the “Hacking Exposed[x]” series quite good for helping to explain to my clients some of the more elaborate hacker techniques.
Q: What do you see on the horizon that businesses and IT professionals “must” be aware of to be competitive?
A: Industrial espionage is ugly, and it is also very cheap when Internet tools are added to the arsenal. I fear it is on the increase. I’ve had the opportunity to handle a couple of investigations, but it is very difficult to trace. Most organizations are not at all prepared for this when it happens. In order to have any chance of catching someone, preparations need to be made in advance. This includes robust document management systems, excellent access control systems, detailed event logging, an incident response procedure, and of course, regular audits.
If your company has a valuable data asset, you need to be thinking of this. First, try to calculate the value of this data, and then develop a plan to protect it properly.
Q: If you were doing the interview, what five interview questions would you ask of someone in your position and what would be your answers?
A: How can someone tell the difference between the good guys (white-hats) and the bad guys (black-hats)?
Someone once told me that the only difference was the number of zeroes on the cheque, inferring that everybody can be bought for a price. Personally I don’t believe this. I think that the main difference here is ethics, and that this is exposed in their every activity and practice. It cannot be easily faked. A quick Internet search will usually reveal clues to where they stand. Decide if you like what you see. Personally, I rely on a face-to-face meeting before making a final decision on whether to trust someone.
How do your clients know you aren’t a black-hat selling their secrets?
It’s a matter of trust. Often it will come from word-of-mouth or a direct referral from another person or agency they trust. Once again, the face-to-face meeting plays a large role in establishing this trust.
Should a company hire a “reformed” black-hat hacker?
The standard answer is ‘no’. But in individual cases there may be reasons to do so. Perhaps you want to test your defences, or exercise your incident response process. Whatever the reason, you’ll still need to establish a level of trust that is acceptable. (Refer to previous questions.)
Which is more important, certification or experience?
Both are very important. Certification provides a standardised benchmark. Experience indicates competency. In my professional life I have chosen experience over certifications, and have been reasonably successful doing so. In most cases though, I would recommend that people obtain certifications in addition to experience, as it opens doors to many more opportunities.
How do I become a hacker like you?
I’m amazed at how often I get asked this. It actually takes years of work, spending 12 hours a day or more staring at a monitor and typing away all night long. It’s a tremendous time investment. But I believe there’s a hacker in each of us, just waiting to get out. Every time you reinstall Windows or tweak the registry or manually edit a config file, you are hacking. If you ever wonder what makes all this technology work together, or wonder how it fell apart, you are a hacker. To start playing around with serious hacker stuff, I recommend installing RedHat Linux on that old unused Pentium you have collecting dust in the closet and start fiddling with it. Get the Linux for Dummies[xi] book, and you’re on your way.
Q: It’s a blank slate, what added comments would you like to give?
A: I believe that network and information security is everyone’s business. It should be present at all levels in an organization, and the responsibility of everyone. It should never be “somebody else’s problem”, or solely the responsibility of an IT staff member.
Q: Richard, we are very appreciative of the time you have taken in doing this interview. Thank you for coming in to share your views and experiences with our audience.
A: My pleasure, Stephen. I hope your readers have found my comments interesting. I really enjoy talking about my work, so if anyone has any follow-up questions, please direct them to my e-mail address: Richard@Vigilans.net. Thanks!