I've been in MIS since 1968, when I learned to program in Fortran at Ohio State University. Over the years I've been a programmer, systems analyst, systems programmer (IBM Mainframes), database administrator, project leader and Data Processing Department manager. In 1982 I started my own consulting practice and in 1990 I added technical training to the mix. I wrote my first article in 1985, I was a contributing editor to Network Var magazine in the mid '90s and I've been technical editor for several Cisco Press books. Currently, I consult, write and teach technical training courses in security and routing. I hold current CISSP, CCNA and CCDA certifications (and a list of expired ones, too).
How did you gain interest in computer security?
When I was working for a major New York City hospital (in 1977) I helped track down an employee who was selling confidential medical records information to tabloid newspapers. That opened my eyes to the need for built-in security and audit trails, neither of which was common in those everyone-trusts-everyone days.
What operating system(s) do you use and why?
I'm a Windows user because of its overwhelming market share. As a consultant, I go where the business is. End users and their managers run Windows and as a group they're not at all security conscious. I make my living showing them how to protect themselves.
How long did it take you to write "Web Security Field Guide"? Any major difficulties?
I spent about 100 days, spread over a twelve months. It was a smooth process, in large part due to the high caliber people working at Cisco Press.
If you could start working on the book all over again, would you make any major changes?
I'd enhance the section on remote access by making it into its own chapter and expanding the discussion on VPN strategies.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
Once you've done the basics such as hardening the operating system, installed the firewall and so on then the main task is to keep training the users on the need for security. They're the weak link. Miscreants depend on and take advantage of users' desire to be helpful. They trick them into running unsigned applets, unwittingly installing Trojans, and falling victim to social engineering ploys. We have to make computer security as second nature to users as locking the doors on their homes and cars is.
What's your take on the full disclosure of vulnerabilities?
The current environment is an unfortunate one. Researchers report security holes and the vendors either claim that the lapse is only theoretical or don't respond at all. The result is that those researchers write and circulate proof of concept code in order to force vendors to respond. In the time between release of concept code and installation of the patch everyone has a higher degree of exposure than they would have had in the absence of the disclosure. As an example, the Klez virus topped the charts in 2002, yet the fix was released a year before a virus based on the concept code began circulating.
However, this is an area where the ones complaining the loudest have the power to make it stop. If the vendors acknowledged the vulnerabilities, kept the researcher involved in the solution, and released a fix (not just a patch) in a timely manner then the problem would go away. There'd be no need to force the vendors' hand and we'd all be better off.
What are your future plans? Any exciting new projects?