September 08, 2006, 11:29 AM — David Geer recently spoke with Fred Cohen, an early and principal inventor of computer virus defense techniques, a widely sought information protection consultant, and author of the popular Chief Information Security Officer's Toolkit series of books. Following is an edited transcript of that conversation. You may also listen to the original interview here, or visit our Podcast Center for more audio interviews.
David Geer: We're going to start off with a basic question and see where we go. In your view, what are the primary information protection policies and practices?
Fred Cohen: That's a big, complicated area to cover. Information protection covers a very broad range of factors from HR, people-related issues through legal issues. It deals with risk management. It has to deal with testing and change control and technical safeguards, both physical and logical, has incident management aspects. It has auditing aspects. It has to do with awareness and such things and documentation. So it's really a very broad subject area. So typically, the number of policies involved for a large enterprise is on the order of 40.
Geer: And I assume then, that just protecting information is far from plugging the holes?
Cohen: Well, we do a lot of what some people call red teaming, or penetration testing, to look at companies to assess their protection posture. It involves a broad range of things, typically starting with external intelligence to try to find out information. People very often use telephone elicitation techniques. They might try to get a job. They might visit physical facilities. We have one thing that we've been doing lately with Apple-based wireless access points -- they have [something called] Wireless Extreme. It's about two inches in one direction, three inches in the other direction, and one inch in the other direction. It has a plug built into it and an Ethernet cable, so as part of our test, we've been walking into facilities, plugging one of these things into the network and into a wall plug and leaving. That takes about 30 seconds to 60 seconds end-to-end. You walk outside the building and you can have remote access to their network. So if you don't have physical security, you're not going to have effective protection.
Personnel is another major area. So your people are the key to your effective protection. If they can't follow the processes and the procedures you have, they can't do their jobs right. So a lot of companies, for example, make password requirements that say you have to have an eight-character password that has upper and lower case and special characters and isn't like anything you know and you have to change it every 30 days. That means people can't remember it, so they write it down, so you can find the next guy's password by looking at their desk where they wrote it down. So there's a lot of complexity in getting a large-scale system to work right and there's also globalization problems. The things that will work in the US, because our culture, if you want to call it that, is one way, just won't work in China or India.
Geer: What are some of the latest examples that some of our listeners may not have heard of, of really massive holes in some of the policies and practices at places where you've done some of this testing?
