EDGE: Security has been a No. 1 IT issue for quite some time now. Why does it continue to be top of mind?
McClure: First, it’s nothing that you can actually achieve and determine that you are successful. Because security is evolving and changes all the time, and it is a process, and it’s not something that you can buy or make, I just don’t see it ever going away.
EDGE: Do you see the threat escalating?
McClure: It depends on how you look at security. If you look at it from the perspective that vendors are better at making their products more secure, the answer is yes. If you look at it from what it means to me, and how it will affect me on a day-to-day basis, you have to be more worried.
EDGE: Identity theft, spyware and phishing are the security threats du jour, but how real are they?
McClure: Spyware is one of the biggest plagues of this decade. It’s a big threat because there is money to be made. You have businesses that make a lot of money from understanding and tracking people that buy and sell, and that use the Internet. And they are getting more and more sophisticated with technology so low-level that it makes it difficult to remove. It will only go away if we are regulated at some point and say, “You cannot do this.”
Phishing is something that will hit any company with an online presence of some sort where they have user names and passwords into these systems. This is money-driven as well. I got one this week (that appeared to be from) Citibank. People will send out blanket e-mails that spoof a bank, for example: “We are having problems with your account and log into this server and make sure it works.” What do nine out of 10 people do? They’ll click in. It looks incredibly legitimate.
EDGE: Most of these scams, though — can’t you spot them from a mile away?
McClure: They’ve gotten very sophisticated. If you weren’t savvy, it would be very hard to tell. The one from Citibank, which I checked out, is from a server in China, and there is a lot of speculation whether this is a government-sponsored effort or a commercial effort. It’s a big problem. They want to get your password so they can take over your identity. It’s so simple to do this.
EDGE: Your book, Hacking Exposed, is now in its fourth edition. Is it your feeling we should be more worried than ever?
McClure: I do think we need to be more aware than ever, but not because there are more vulnerabilities. It’s pretty static now, or we are actually seeing a dip. The bigger concern is that a lot of companies are trying to consolidate and reduce expenses. So they standardize. When you have a homogenous environment, it’s much easier for a worm to get around.
EDGE: Meanwhile, the act of hacking itself has gone from more of a sporting exercise to an act of corporate espionage.
McClure: In the last five years, there has definitely been an increase in organized government hacks and international hacker groups. Often, you wouldn’t even know it. The hacker has been sitting there for months or it’s from the inside. We still get tons of calls. We come in and clean up a mess, and try to help prevent it happening again in the future.
EDGE: There’s a trendiness to computer security violations, isn’t there? A year or two ago, it seems all we heard about were denial of service attacks.
McClure: Or maybe you are hearing less about it (now). I have a friend at an Internet service provider, and he says they are still getting quite a lot of these. In its simplest form, it is a cat-and-mouse game, and it’s trying to be smarter than the hacker. The old adage, “You don’t need to be the most secure house on the block, you just need to be more secure than your next-door neighbour,” really holds true here. You don’t have to be perfect. There is no such thing anyway. You need to be the company that says, “We may have hackers that hang around a door for an hour or two, but then they give up.”
EDGE: So does this also mean that if a hacker wants to go after a bank, they’ll go out and find the easiest bank to hack?
McClure: There are two types of attacks: direct and random. Random will self-propagate, while directed attacks are very difficult, slow and could take a long time to produce. They are often money- or politically motivated. But again, because hackers get more sophisticated, it is a cat-and-mouse game.
EDGE: What should we be thinking about let’s say a year out or so?
McClure: In terms of future threats, I believe 100 per cent that we are going to have a zero-day incident probably in months, which means that a worm will hit the Internet or your business where you will not be able to fix the worm. It will continue to take out more and more systems. The reason I say that is I looked at all the research I got from 1999 to 2004, and all the worms, and all the core vulnerabilities and how quickly the worm came out. It went from vulnerability-to-worm in 280 days in 1999, to 10 days in 2004, and one of those worms was in 48 hours.
EDGE: So, they are being developed a lot faster. Could this mean that some corporations will be ground to a standstill?
McClure: I’m seriously worried about this. And it will happen, probably this year. It will probably target Windows or Cisco, and it will exploit something that will keep it spreading. Even if you have redundant systems, it’s not going to matter because if you bring up the new system, it will just get re-infected.
EDGE: So how do you prevent this, beyond education?
McClure: There is only one thing to do, and that is to try to mitigate the threat as much as possible before it comes out. The problem, though, is you don’t know all the mitigating factors. You can’t get 100 per cent. You can say, “I’m going to make sure all my firewalls are blocking a certain port and all my antivirus is up to date,” but the bottom line is it will happen.
BIO: Stuart McClure
Senior vice-president of risk management, McAfee Inc.
The author of the best-selling Hacking Exposed explains why organizations should be more worried about security than ever.