Who is Steve Kalman?

I've been in MIS since 1968, when I learned to program in Fortran at Ohio State University. Over the years I've been a programmer, systems analyst, systems programmer (IBM Mainframes), database administrator, project leader and Data Processing Department manager. In 1982 I started my own consulting practice and in 1990 I added technical training to the mix. I wrote my first article in 1985, I was a contributing editor to Network Var magazine in the mid '90s and I've been technical editor for several Cisco Press books. Currently, I consult, write and teach technical training courses in security and routing. I hold current CISSP, CCNA and CCDA certifications (and a list of expired ones, too).

How did you gain interest in computer security?

When I was working for a major New York City hospital (in 1977) I helped track down an employee who was selling confidential medical records information to tabloid newspapers. That opened my eyes to the need for built-in security and audit trails, neither of which was common in those everyone-trusts-everyone days.

What operating system(s) do you use and why?

I'm a Windows user because of its overwhelming market share. As a consultant, I go where the business is. End users and their managers run Windows and as a group they're not at all security conscious. I make my living showing them how to protect themselves.

How long did it take you to write "Web Security Field Guide"? Any major difficulties?


I spent about 100 days, spread over a twelve months. It was a smooth process, in large part due to the high caliber people working at Cisco Press.

If you could start working on the book all over again, would you make any major changes?

I'd enhance the section on remote access by making it into its own chapter and expanding the discussion on VPN strategies.

In your opinion, what are the most important things an administrator has to do in order to keep a network secure?

Once you've done the basics such as hardening the operating system, installed the firewall and so on then the main task is to keep training the users on the need for security. They're the weak link. Miscreants depend on and take advantage of users' desire to be helpful. They trick them into running unsigned applets, unwittingly installing Trojans, and falling victim to social engineering ploys. We have to make computer security as second nature to users as locking the doors on their homes and cars is.

What's your take on the full disclosure of vulnerabilities?