Interview: George Kurtz, CISSP
George Kurtz, CISSP, is the co-author of Hacking Exposed 7: Network Security Secrets & Solutions. George is co-founder and CEO of CrowdStrike, a cutting-edge big data security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. He is also an internationally recognized security expert, author, entrepreneur, and speaker with almost twenty years of experience in the security space. He has served as McAfee’s Worldwide Chief Technology Officer and was Chief Executive Officer and co-founder of Foundstone, Inc., which was acquired by McAfee in October 2004.
You can follow George on his blog at http://www.securitybattlefield.com, on Twitter at @george_kurtz, or visit the companion website for Hacking Exposed 7 at http://www.hackingexposed7.com. On the companion website readers can sign up for quarterly Hacking Exposed Live webcasts, where George and team go through the latest hacks and countermeasures. The first webcast will be on September 12th, 2012. You can also follow George’s mission as CEO of CrowdStrike at www.crowdstrike.com, a company set to change the security industry.
1. The first Hacking Exposed came out in 1999. Over the past 13 years, what do you feel has been the most significant change in the way the information security professional views and deals with threats?
When the first Hacking Exposed was released in 1999, the threat landscape was vastly different than it is today. It was a time period of youth, exuberance and exploration for many. If you contrast that time period with 2012, security as a discipline is much more mature. Companies, security professionals, and attackers realize that the hacking games are over and security is all business. Protecting an organization’s intellectual capital can mean the difference between staying in business or losing billions of dollars in intellectual property.
2. In Hacking Exposed 7: Network Security Secrets & Solutions you added significant coverage of mobile devices. What are some of the biggest threats out there for mobile users and what do you foresee on the horizon?
Similar to when the masses first started using computers, people don’t believe that anything bad could happen to their mobile devices. Most ask, “Who would want to attack my mobile device? I don’t have anything of value.” To compound this problem, the average user believes their mobile devices are secure because Apple or Google is policing the app stores. The reality is that a mobile device is the ULTIMATE platform for an adversary to attack. It is almost always on, has high-speed connectivity (3G/4G), has a microphone and a camera, stores your most sensitive information like email, stores your virtual wallet, and can track your every move via GPS. While mobile devices have more security today than early computers did, they will be attacked, compromised, and rooted with devastating consequences. As mobile technology matures, the adversary’s capability to compromise these mobile devices will evolve in concert.
3. It’s said that in order to successfully protect your network, you must be able to step into a hacker’s mind to best understand the methods and tools used. How do you personally achieve this?
One of the things that we did in 1999 was to throw out the old boring formula of writing a technical security book. Our first edition threw the security industry on its head because we took an “open kimono” approach to discussing how attackers worked. In very raw terms we outlined exactly what an adversary does to compromise your system and network. Rather than dance around the issue, we “exposed” what the attackers already knew. This paradigm shift had a dramatic impact on the defenders. For the very first time the defenders had the adversary’s proverbial playbook so they could better protect themselves when the attacks were executed. The hack / countermeasure format was critical in achieving our goal, and has been copied many times by other books.
4. What twists or problems has the increased use of social networks added to the ability to protect enterprise systems?
Social media has had a dramatic impact on trying to secure an enterprise. It has added an additional element to “footprinting.” Today, not only do companies have to worry about an adversary footprinting their external networks, but they also have to worry about the massive amount of data that is put on the social web, which can be used against the enterprise. Many users talk about the projects they are working on and where they are traveling, and expose all kinds of personal information of the sort typically used in password recovery situations. “Social footprinting” is an art unto itself. The adversary will often spend months learning about an executive’s habits well before a crafted targeted attack is planned and executed. The likelihood of success increases dramatically the more information is gleaned about each person in your organization. The social web is quickly becoming a literal “public enemy number one” for many companies that are focused on security.
5. You write about the top 10 security vulnerabilities. If you had to pick the one (in your opinion) for an information security pro to watch out for, which would it be and why?
I would say #8 – Inadequate logging. It isn’t if you will be compromised, it is when. Having adequate logs will help to quickly identify when there is an issue and help sort out the damage. There is nothing worse than having an incident and wishing you had turned on logging for a particular device or network segment.
6. In the years since you wrote the first Hacking Exposed book, the ability for hackers to gain access anonymously through TOR Networks has become easily achievable. How has this changed the way the industry looks at network security?
Over the last decade, it has become increasingly difficult for defenders to track down attackers, given the tools that provide anonymity on the net. TOR is an example of a technology that can be used for good in helping dissidents communicate with the outside world under oppressive regimes. TOR is also used by adversaries to mask their attacks. Unfortunately, with TOR and anonymous proxies, playing defense will continue to become increasingly hard!
7. The book clearly recommends footprinting as one of the most important steps for security professionals, yet it seems that it is often shortcut or totally overlooked. Why do you feel this happens?
I can assure you an attacker does not overlook footprinting. A sophisticated adversary will spend months mapping out an organization and, in many cases, will know a network better than the defender. I have seen this concept employed firsthand by the adversary on a majority of the incident response engagements we perform at CrowdStrike. The adversary’s initial homework assignment of basic footprinting allows them to gain a significant advantage out of the chute. Network defenders need to take this basic step more seriously so that they understand their footprint and network edge, and so have a chance at defending what they are tasked to protect.
8. Advanced Persistent Threat (APT) usually refers to internet-enabled espionage or hacking by a group. Why should an internet security manager at a small to mid-size enterprise be worried about an issue such as state or terrorist sponsored cyber-attacks?
Many small and midsize companies believe they have nothing of enough value to be considered a target for attack. This simply is not true. Almost all small businesses have some interaction with large enterprises. For example, consider the average corner gas station. Nobody would think a gas station would be a target for attack. Now think about the fact that its Point of Sale (POS) system has connectivity to a massive oil conglomerate. If your company is part of a larger ecosystem, then you are in fact a target for attack; it is that simple. In addition, fraudsters will be all over a small business trying to pillage it blind. Don’t think the bank will protect your small business when your checking account is drained.
9. How can reading a book like Hacking Exposed 7: Network Security Secrets & Solutions help information security professionals do their jobs better?
I am proud to say that our book has helped hundreds of thousands of people become better security professionals. By demystifying a topic that was only discussed on underground bulletin boards, we have introduced people to the fascinating world of computer security. In my travels, many security professionals have come up to me and thanked me for helping them either get into the field of security or better protect their systems.
10. In what ways is the information security profession different today from when the first edition of Hacking Exposed was published in 1999?
Information security has matured tremendously since 1999. First, there are many more people in the community. Second, technology is much more complex today than it was when we wrote the first edition. While advancing technology is a good thing, it does make securing that same technology much harder. We witness more people specializing in certain areas of security rather than trying to be generalists. It is just too hard to achieve broad depth in all the different areas of security in 2012. Focus is key.
11. What are some of the major misconceptions that information security professionals have in terms of best practices for protecting their enterprise networks and the information they contain?
The biggest misperception is that “our company has nothing of value that someone would want.” That is just a big #FAIL. Everyone has something of value. It might be intellectual property, it could be credit card data, or it could be the bandwidth that your systems have available to perform DDoS attacks. Hope is not a strategy. Putting your head in the sand and trying to fool yourself that you will not be the target of an attack, or worse, that you have not already been compromised in some way, is just illusory.
12. How could this book benefit an Information Security professional who already has a lot of experience?
I think we have done a great job of updating the book over the years. With each edition we cut outdated material, while adding new sections on the hot topics of the day. I can almost guarantee there is something of value for any security professional. It might be the mobile security update, the new section on targeted attacks, or even embedded systems security. Plus, the new black cover makes for a great coffee table book.
13. If there is one thing you want readers to remember after enjoying the book, what would it be?
Security is a journey – not a destination. You can never achieve 100 percent security, you can only aspire to learn, apply your craft, and try to stay one step ahead of your adversary. Enjoy the ride.
14. In your role as co-founder and CEO of CrowdStrike and a well-known speaker on security issues, you are faced daily with trying to understand security threats and delving into a hacker’s criminal mind. How do you unwind and have fun when you are not at work?
I am an avid amateur racecar driver. I love the competition and the rush of taking a turn at 3 Gs. You have to have 100 percent focus and commitment and be relentless on the track if you want to win. The same attributes hold true in building a world-class company like CrowdStrike. You have to pay attention to every detail in order to win. Execution is key on and off the track, and the stopwatch and finishing order never lie.
15. Do you have any career advice for someone just starting out in Information Security?
Yes. If you are curious, inquisitive, and like to outsmart the bad guys, information security is a fantastic career. You won’t win every battle, but I can think of no other profession that is so dynamic, ever evolving, and has a mission and purpose. For me, the mission is to help protect others and their intellectual property. That is the reason I created CrowdStrike – because the security mission I am on is greater than just one person. It is about helping to change an industry and empowering people and companies to secure themselves. We all have a role to play, and each and every reader of HE7 can step up and become part of the solution.
16. Anything else you care to add?
When the first edition of Hacking Exposed went to press, I underestimated the demand for the information in the book. I thought we would be lucky to sell 10,000 copies, which would be a hit for any technical book. Embarrassingly, we have sold over 600,000 copies in 30 different languages. I have travelled internationally extensively and have seen our creation in countless bookstores and companies. It never gets old walking into a company and seeing Hacking Exposed on a shelf with the pages dog-eared from constant reference. The pride I feel for having helped just one person one time, when I know there are many, is a feeling that is hard to describe. I am truly a computer enthusiast sharing my craft with those who share the same passion I do for this mysterious yet ever-changing industry. I truly owe all the credit for the success of the book and all of the Hacking Exposed offshoots to the readers of the series, for without the readers, Hacking Exposed would be nothing more than black ink on a dead tree. So until the next edition, stay secure, and use your newfound powers for good, not evil. Thank you. George.