The Internet is a fragile ecosystem. There is no guarantee the good guys will win. As an executive at a global security firm, I have seen Nimda, Blaster, and Fun Love wash over organizations like a blitzkrieg. The first critical hours of those attacks are a chaotic swirl, as security experts struggle to crack the code. When the attack begins, corporate security and vendor research teams scramble. Every conceivable communications channel crackles with news from those who are safe and colleagues whose networks have been hit.
For those of us at the center of the storm, the process is simultaneously exciting and a bit frightening. In the first critical minutes, everyone wonders if this will be the one that we couldn't stop. Yet in all the attacks so far, the tide has turned in a few hours, and the attention shifts to cleaning up the mess and thwarting the inevitable copycat variants. Within a week, the security team does a final debrief, goes out for a beer, and finally gets some well-earned sleep.
So far, the good guys have won every contest, and the war seems to be going in our direction. The nontechnical business executives I work with are becoming used to winning these cyber-skirmishes. They have faith in their security teams and are spending basketfuls of money on them. Extrapolating the past success seems natural: why shouldn't we keep "winning"? Occasionally, however, one of the more thoughtful executives will ask, "What should I tell our board's audit committee about the risks in the future? Can we continue to keep the damage to a minimum?"
I sometimes refer these execs to the analytical paper "How to Own the Internet in Your Spare Time," by Weaver, Paxson, and Staniford. That paper concludes: "Better engineered worms could spread in minutes or even tens of seconds rather than hours, and could be controlled, modified, and maintained indefinitely, posing an ongoing threat of use in attack on a variety of sites and infrastructures." The candid answer to the board's audit committee is, "We don't really know. The skill and organization of the bad guys is increasing at an alarming rate. The best we can do is understand the risk in detail and make sure the investment we make really reduces the risk."
Confronted with this sobering reality, the next question is typically, "So what are the most important things I can do to keep winning?" As a vendor exec, I clamp down on my parochial desire to peddle the latest technology gizmo and give them the only proven answer: Invest in your technical staff and understand what it is really worth to you to keep the various parts of your business functioning.
This book addresses the first need and prepares for the second. Understanding the potential mechanisms of attack is critical, and Hacking Exposed, Fifth Edition is the authoritative reference. The range of potential vulnerabilities and attacks is humbling. Even students of earlier editions will find critical new insight on the more modern attacks. I suggest to technical managers that a disciplined skills development program with this type of content, reinforced by group discussion and application to your environment, is important to do at least yearly.
For the business managers paying for the books and the students' time, my recommendation is that they challenge the technical teams to stretch incredibly. The technical teams need to understand the full spectrum, from vulnerabilities to attack mechanism, to the vulnerability "map" of the organizations they protect, to the specific business value of the assets protected. When all of these factors are brought together, an organization can start to manage its risks in a way that can be explained in the boardroom and actually withstand daily pounding from competent attackers. I know of no other IT technical specialty that requires such a broad range of technical knowledge and range of knowledge of value and structure of a business.
Modern security technology, especially intrusion prevention, can help immensely in defense. Without a disciplined and well-supported set of policies and processes, it's impossible to respond as needed in the "moment of truth." But megabucks of technology and volumes of policy and procedure are worthless without a solid foundation in people, and trained security experts are clearly the cornerstone of that foundation.
To my knowledge, there has been no loss of life or damage to health from cyberattacks to date. But the ecosystem grows every day. In a few years, voice conversations will be VoIP based and will travel over the Internet. As core infrastructure systems in power generation and transportation modernize, they ironically face increasing risk through planned or inadvertent connection to the 'Net. Soon, the call you place to 911 for help or the heat on a cold winter's night could depend on Internet availability.
Clearly, the stakes are rising. If you want to ensure you have the technical skills and the business vision to keep your organization safe, keep reading Hacking Exposed, Fifth Edition. It's the first and most necessary step to ensuring that every day, as a global security team, we keep winning.
President, McAfee Inc.