Interview: Stuart McClure, CISSP, CNE, CCSE
Stuart McClure, CISSP, CNE, CCSE, is the co-author of Hacking Exposed 7: Network Security Secrets & Solutions, which offers expert advice and defense strategies from the world-renowned Hacking Exposed team and shows IT security pros how to bolster their systems’ security and defeat the tools and tactics of cyber-criminals.
Stuart is widely recognized for his extensive and in-depth knowledge of security architectures, platforms, and products, and is one of the industry’s leading authorities in information security today. McClure is currently the CEO of Cylance Inc., a new stealth security startup company. A well-published and acclaimed security visionary, McClure has authored many security books. He was founder, president, and CTO of Foundstone, ran the worldwide AVERT team at McAfee, and held leadership positions at Ernst & Young, InfoWorld, and a number of government agencies. You can keep track of Stuart at hackingexposed.com – the official website of Hacking Exposed – as well as Cylance.com. On Twitter you can follow Stuart at @hackingexposed.
1. The first edition of Hacking Exposed came out in 1999. Over the past 13 years, what do you feel has been the most significant change in the way the information security professional deals with threats?
The most significant change in the industry has come from the realization that we need to evolve from a purely defensive stance into an offensive one. We have gotten so used to being victimized that we don’t know how to turn the fight back to the attacker. Many are frozen by fear of what to do and where to turn. While the latest Hacking Exposed 7th edition covers some of this, you should really visit hackingexposed.com regularly for updated viewpoints of the legalities of fighting back. We will be covering this topic frequently in our blog as well as posting resources to understand this complex challenge.
2. In Hacking Exposed 7: Network Security Secrets & Solutions you added significant coverage of mobile devices. What are some of the biggest threats out there for mobile users, and what do you foresee on the horizon?
The biggest mobile threats come in the form of insecure mobile applications and privacy leakage. The bad guys follow the numbers, and the number of mobile devices is exploding, so the bad guys are following mobile. They see an opportunity that even if they only get 1 percent to install their malicious application, they can still reach a large number of mobile users and thereby take over a large number of devices. They do this either to extract personal information for their own nefarious purposes, or to open a backdoor into the user device. They see the opportunity to gain access into the corporate network through personal devices as well. By attacking a user’s device connected to a corporate network (Bring Your Own Device – BYOD) they can extract corporate information as well. This is going to be a large vector of attacks in the coming years.
3. It’s said that in order to successfully protect your network, you must be able to step into a hacker’s mind to best understand the methods and tools used. How do you personally achieve this?
It’s true. In order to prevent a thief, you must hire a thief—or at least think like one—and the book is centered on this paradigm. I do this by constantly putting myself into that mindset. My background is in psychology, so I understand how people think and work, and by creating an empathy connection to that hacker I can think like them, predict their attacks, and thereby prevent an attack.
4. What twists or problems has the increased use of social networks added to the ability to protect enterprise systems?
Social networks have added a whole new dimension to protecting corporate enterprise systems and networks. Not only do we as corporations allow far too much outbound activity from our corporate networks into these social spheres, but because it potentially leaks sensitive information to the bad guys, we also open ourselves up to inbound attacks. Let me explain by the use of an example: We had a client a couple years ago that had been hacked and asked us to come in to help them understand how the hacker got into their corporate network.
After all, they had firewalls, IPS systems, anti-virus and many other security technologies to prevent this. What we uncovered was that the client had literally “asked” to be hacked. One day an HR administrator was surfing LinkedIn for a particular candidate because they were getting pressure to fill a position in a particular department. She stumbled on a resume that was perfect in almost every way, so she reached out to this candidate to gauge his interest. Once a connection was made, the HR administrator asked if he could send her his full resume, which he happily provided in PDF format, as requested. Except this PDF had a silent surprise in the form of a 0-day vulnerability that, once opened, took over the HR administrator’s computer system and provided Command and Control capability onto that device. After that was successful, the hacker could come and go as they pleased for many months, stealing all kinds of intellectual property from the HR staff servers as well as anything she had been given access to view.
5. You write about the top 10 security vulnerabilities. If you had to pick the one (in your opinion) for an information security pro to watch out for, which would it be and why?
The 0-day vulnerability. They are the worst because you don’t know what to look for or what to expect. One of the only real preventative measures for this kind of attack is avoidance—don’t open links or files from people you don’t know or trust and can review the documents/links for signs of maliciousness.
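The incident above hinged on a booby-trapped PDF, and the advice here is to review documents from untrusted senders for signs of maliciousness before opening them. The following script is an added example, not code from the interview, the book or Cylance, showing how a defender can triage a PDF offline: it decodes hex-escaped name objects (a common trick for hiding /JavaScript from naive string searches), inflates FlateDecode streams so keywords buried in compressed objects become visible, and flags active content that is wired to an automatic trigger such as /OpenAction. The keyword list, the verdict wording and the two sample PDFs are this example's own assumptions and constructed inputs, not real files from the case.

```python
import re
import zlib
from collections import Counter

# PDF name objects whose presence warrants a manual look before opening the
# file. This list is an assumption of sensible triage keywords, not a
# complete catalogue of dangerous PDF features.
RISKY = [b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch",
         b"EmbeddedFile", b"RichMedia"]
AUTO_TRIGGER = {"OpenAction", "AA"}        # runs an action on open / on an event
PAYLOAD = {"JavaScript", "JS", "Launch"}   # the thing that gets run

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A name ends at whitespace, a delimiter, or end of data, so /JS does not
# match inside /JSfoo.
KEYWORD = re.compile(rb"/(" + b"|".join(RISKY) + rb")(?=[\s/\[\]<>(){}%]|$)")


def decode_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed bodies of FlateDecode streams to the document
    so keywords stored inside compressed objects become searchable."""
    inflated = []
    for m in STREAM.finditer(data):
        try:
            # decompressobj tolerates the truncated or trailing-junk streams
            # that malformed PDFs often carry; a non-Flate body raises zlib.error.
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Count risky keywords after de-obfuscation and return a verdict."""
    text = decode_names(inflate_streams(data))
    counts = Counter(k.decode() for k in KEYWORD.findall(text))
    found = set(counts)
    if found & AUTO_TRIGGER and found & PAYLOAD:
        verdict = "suspicious: active content wired to an automatic trigger"
    elif found & PAYLOAD:
        verdict = "review: active content present"
    elif found:
        verdict = "review: embedded or auto-action objects present"
    else:
        verdict = "no risky keywords found"
    return {
        # Readers accept junk before the header, but a file with no %PDF- at
        # all is not a PDF no matter what its extension says.
        "header_ok": b"%PDF-" in data[:1024],
        "counts": dict(counts),
        "verdict": verdict,
    }


# Constructed samples (not real files): a plain one-page document, and one
# that hides /JavaScript behind a hex escape and /Launch inside a Flate stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n%%EOF\n")

_HIDDEN = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
                  b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
                  b"5 0 obj\n<< /Filter /FlateDecode /Length "
                  + str(len(_HIDDEN)).encode() + b" >>\nstream\n"
                  + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(sample))
```

Run it on a real attachment with `triage_pdf(open(path, "rb").read())`. A hit is a reason to open the file only in a sandbox or not at all, not proof of an exploit; conversely a clean result says nothing about an exploit that lives in a malformed font or image rather than in a keyword, which is exactly why avoidance remains the first line of defense.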
6. In the years since you wrote the first Hacking Exposed book, the ability for hackers to gain access anonymously through TOR Networks has become easily achievable. How has this changed the way the industry looks at network security?
Anonymity is alive and well on the Internet. For many hackers, their true origins will remain a mystery for 99 percent of all incident responders. But there are ways to determine true origin, and that is what we need to strive for. We cannot simply give up once a TOR exit node is discovered; we need to fight back and in the process learn their whereabouts and source. We need to use the same techniques detailed in the book to turn them against the bad guys.
7. You clearly recommend footprinting as one of the most important steps for security professionals, yet it seems that it is often shortcut or totally overlooked. Why do you feel this happens?
Because it isn’t sexy. There aren’t any real simple tools to use or neon lights to prove its value. But I promise you, the bad guys are doing this to hack into your corporate and personal systems. So don’t you want to know how?
8. Advanced Persistent Threat (APT) usually refers to Internet-enabled espionage or hacking by a group. Why should an Internet security manager at a small to mid-size enterprise be worried about an issue such as state or terrorist sponsored cyber-attacks?
These attacks have no demographic. In other words they affect all companies big and small, rich and poor, tall and skinny. The attackers are blind to who they attack as they simply want numbers.
9. How can reading a book like Hacking Exposed 7: Network Security Secrets & Solutions help information security professionals do their jobs better?
By understanding how the bad guys work, you understand how to prevent them from being successful. It is truly the only universal way of protecting yourself.
10. In what ways is the information security profession different today from when the first edition of Hacking Exposed was published in 1999?
Some things have changed (the tools, the targets, the sources) but everything else has pretty much stayed the same. There are no really new ways of hacking. It’s the same pig just dressed up with different lipstick.
11. What are some of the major misconceptions that information security professionals have in terms of best practices for protecting their enterprise networks and the information they contain?
The major misconception is that one solution fits all problems. Just because one guy knows firewalls, it doesn’t mean that firewalls stop all problems. Same with IPS, antivirus, password management and authentication, etc. You have to think of the problem holistically and bring whatever weapon to bear to fight the war.
12. How can your book benefit an Information Security professional who already has a lot of experience?
Keep them up to date with the latest techniques and mindset of the hacker.
13. If there is one thing you want your readers to remember after enjoying your book, what would it be?
Think globally, act locally. Think as if you will be hacked from some anonymous source around the world. Then act locally to protect yourself following the recommendations in the book.
14. In your role as CEO of Cylance Inc., you are faced daily with trying to understand security threats and delving into a hacker’s criminal mind. How do you unwind and have fun when you are not at work?
I enjoy spending time with my two sons, who are a wonderful handful, but I also enjoy endurance sports like cycling and swimming. I have long been a competitive athlete – even though my body doesn’t always go along with my plan.
15. Do you have any career advice for someone just starting out in Information Security?
Get your hands dirty. But stay clean.