Stuart McClure has already put hackers in the spotlight. Now he’s ready to shine it on himself.
As the former president and chief executive of security software firm Foundstone, McClure’s profile rose even higher earlier this year when the company was acquired by McAfee, Inc. McClure, author of the book Hacking Exposed, has chosen to stay on with McAfee as a vice-president of risk management and product development.
McClure was in Toronto this week to discuss his transition to the larger firm and the evolution of IT security in the enterprise.
ITBusiness.ca: Security has been a No. 1 IT issue for quite some time now. Why does it continue to be top of mind?
Stuart McClure: First, it’s nothing that you can actually achieve and determine that you are successful. Because security is evolving and changes all the time, and the fact that it is a process, and it’s not something that you can buy or make — I just don’t see it ever going away.
ITB: Do you then see the threat escalatings and should we be more worried than ever?
SM: It depends on how you look at security. If you look at it from the perspective that vendors are better at making their products more secure, the answer is yes. If you look at it from what it means to me, and how it will affect me on a day-to-day basis, you have to be more worried.
ITB: Identity theft, spyware and phishing are the security threats de jour, but how real are they?
SM: Spyware is one of the biggest plagues of this decade. It’s a big threat because there is money to be made. You have businesses that make a lot of money from understanding and tracking people that buy and sell, and that use the Internet. And they are getting more and more sophisticated with technology so low-level that it makes it difficult to remove. It will only go away if we are regulated at some point and say,””You cannot do this.””
Phishing is something that will hit any company with an online presence of some sort where they have user names and passwords into these systems. This is money-driven as well. I got one this week (that appeared to be from) Citibank. People will send out blanket e-mails that spoof a bank, for exampe — “”We are having problems with your account and log into this server and make sure it works.””
What do nine out of 10 people do? They’ll click it. It looks incredibly legitimate.
ITB: Most of these scams, though, can’t you spot them from a mile away?
SM: They’ve gotten very sophisticated. If you weren’t savvy, it would by very hard to tell. The one from Citibank, which I checked out, is from a server in China, and there is a lot of speculation whether this is a government-sponsored effort or a commercial effort. It’s a big problem, they want to get your password so they can take over your identity. I myself have been a victim of identity theft. I know it’s real.
ITB: How long did it take for you to realize this?
SM: It was a matter of weeks. It came out of an (industry) event. I moved from San Francisco to Los Angeles, and during the move, I lost everything in the truck. As soon as that happened, I panicked. I’m at the new house with no truck. I go through the inventory of everything in the truck — passport, social security card and backup driver license — you name it. I think to myself I could get hit with identity theft. I figure out a week later this is a big problem, I notify all the credit card companies, everything you are supposed to do. Multiple attempts were made about two weeks after that event. A number of our employees were hit as well. The speculation was that it had to be a targeted effort because there were five or six of our employees that had that problem. It’s very real, it happens a lot. It’s so simple to do this.
ITB: Your book, Hacking Exposed, is now in its fourth edition. Is the feeling also here that we should be more concerned than ever?
SM: I do think we need to be more aware than ever, but not because there are more vulnerabilities. It’s pretty static now. We are actually seeing a dip. The bigger concern is that a lot of companies are trying to consolidate and reduce expenses. So they standardize. When you have a homogenous environment, it’s much easier for a worm to get around.
ITB: Meanwhile, the act of hacking itself has gone from more of a sporting exercise to an act of corporate espionage.
SM: In the last five years, there has definitely been an increase in organized government hacks and international hacker groups. Oftentimes you wouldn’t even know it. The hacker has been sitting there for months or it’s from the inside. We still get tons of calls, we come in and clean up a mess, and try to help prevent it happening again in the future.
ITB: There’s a trendiness to computer security violations, isn’t there? A year or two ago, it seems all we heard about were denial of service attacks.
SM: Or maybe you are hearing less about it. I have a friend at an Internet Service Provider and he says they are still getting quite a lot of these. In it’s simplest form, it is a cat and mouse game, and it’s trying to be smarter than the hacker. The old adage, “”You don’t need to be the most secure house on the block, you just need to be more secure than your next door neighbour,”” really holds true here. You don’t have to be perfect — there is no such thing anyway. You need to be the company that says, “”We may have hackers that hang around a door for an hour or two, but then they give up.””
ITB: So does this also mean that if a hacker wants to go after a bank, they’ll go out and find the easiest bank to hack.
SM: There are two types of attacks — direct and random. Random will self-propagate while directed attacks are very difficult, slow and could take a long time to produce. They are often monetarily or politically motivated. But again, because hackers get more sophisticated, it is a cat and mouse game.
ITB: Does Windows continue to be the most vulnerable platform?
SM: That’s actually a bit of a presumption. Earlier this year, I did a study. I put together a spreadsheet with all vulnerabilities since 1999. You always get the question that Microsoft Windows must be the least secure because there so many vulnerabilities. I don’t know if that is true. I looked at Linux, Novell and Windows, and once I normalized the data — which means if there is an Internet Explorer vulnerability in Windows, there could be a Mozilla vulnerability in Linux — once we normalized that out, Linux had more.
ITB: What should CIOs be thinking about a year out or so?
SM: In terms of future threats, I believe one hundred per cent that we are going to have a zero-day incident, probably in months, which means that a worm will hit the Internet or your business where you will not be able to fix the worm. It will continue to take out more and more systems. The reason I say that is I looked at all the research I got from 1999 to 2004, and all the worms, and all the core vulnerabilities and how quickly the worm came out. It went from vulnerability-to-worm in 280 days in 1999, to 10 days in 2004, and one of those worms was in 48 hours.
ITB: So they are being developed a lot faster. Could this mean that some corporations will be ground to a halt?
SM: I’m seriously worried about this. And it will happen, probably next year.
ITB: But corporations have huge networks with thousands of people and thousands of access points. Are you saying it could all shut down?
SM: It will probably target Windows or it could target Cisco and it will exploit something that will keep it spreading. Even if you have redundant systems, it’s not going to matter because if you bring up the new system, it will just get re-infected.
ITB: So how do you prevent this, besides awareness?
SM: There is only one thing to do, and this is to try to mitigate the threat as much as possible before it comes out. The problem, though, is you don’t know all the mitigating factors, you can’t get 100 per cent. You can say, ‘I’m going to make sure all my firewalls are blocking a certain port and all my anti-virus is up to date, but the bottom line is that it will happen.
ITB: What else should we worry about?
SM: On the worm side, you also need to worry about the multi-platform variety of some of the worms that are coming out. Some of these worms are going to very virulent, and they will be known by how well they change or morph and still survive. We are seeing viruses and worms getting more sophisticated and more cross-platform. This is not rocket science, they are not very hard to do.
ITB: They used to be considered nuisance threats, now they seem to be potentially global enterprise destroying threats.
SM: They certainly have that potential. And if the overstatement gets the attention to fix it, then it’s okay to overstate it. The absolute reality is that it could happen. I could write it myself. Will somebody else write it? Yes, Eventually.