Interview with Judy Novak, co-author of "Network Intrusion Detection 3/e"
by Mirko Zorz - Friday, 20 February 2003.
Introduce yourself.

I'm currently a senior security analyst for a consulting firm - Jacob and Sundstrom, but I'll be changing jobs in about a month to become a research engineer for Sourcefire. I've been involved with computer security for about eight years and it's been the most rewarding time in my career. I've worked with computers my entire career as a programmer, systems programmer, administrator, etc. and always enjoyed the work, but I've found security, particularly intrusion detection, fascinating.

I've been teaching and writing courseware for SysAdmin, Audit, Networking and Security (SANS) for over three years. That has kept me pretty busy and left little spare time, but I still manage to do some cycling in the more clement months. In years past when I was more active and fit, I biked in Colorado, Montana, Arizona, New Mexico, and Vermont in pursuit of finding mountains. I enjoy the challenge of a good climb and the thrill of getting to the top. It's about the only time my mind isn't preoccupied with 50 million other annoying thoughts since you pretty much have to concentrate all your effort on being in the correct gear, keeping hydrated, not falling over and taking in the awesome scenery.

How did you gain interest in computer security?

Actually, it was a rather fortunate accident. I've been doing computer-related work since graduating from Jurassic Park University years ago. I was doing UNIX system administration about eight years ago at a site that had over forty computers compromised due to lack of security awareness and protection. Computer security wasn't really an issue back then and the site had a packet-filtering router that was more a sieve and less a barrier to traffic for their perimeter defense. The site only learned of the compromises from a more security-aware site that discovered our compromised computers attacking theirs - how embarrassing. As an aftermath to the whole horrible incident, I was asked to join a computer security team that they formed. We were pretty naive and ignorant at the time, but you can't stay that way for long and defend your site!

Which are your favourite security tools and why?

We'll I'm going to show my roots by declaring the Naval Surface Warfare Center (NSWC) Shadow as one of the first and favorite intrusion detection systems I used. I'd installed this at the urging of Stephen Northcutt and discovered a great tool in Shadow and a great friend in Stephen. It is based on tcpdump; and using tcpdump and Shadow required that I become very familiar with TCP/IP otherwise I would be totally clueless. To this day, even though IDS' have made phenomenal advances, I still like using Shadow along with the more modern IDS' to collect background traffic.

Snort is another favorite tool since it rivals a lot of commercial IDS' and is easy to install and configure. It's pretty easy to write simple or complex rules and I like that you see the offending packet when it alerts. If you don't have access to the guts of the rule that triggered the alert and the dump of offending packet, you don't know if an alert is real or a false positive. Too many commercial IDS' don't let you see the signatures, rules, etc. and don't dump the packet. You are at the mercy of the IDS with no way of validating the accuracy of the alert. You can end up crying wolf if you believe the IDS all of the time or you end up simply ignoring it if you don't.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th