Interview hakin9 5/2008
Interview with Michael Scheidell
hakin9 team: Could you tell our readers a little bit about how you arrived at your present position?
Michael Scheidell: As long as I can remember, I’ve been gifted with the ability to visualize things that haven’t yet been created, and to figure out how to build them or make them better. My formal career in technology began in 1971, when I developed and sold my first computer software program to one of the original X.25 network providers. At the time I really had no inkling that this was the first of several entrepreneurial ventures that would ultimately define my career. In a few years I started up a company called Florida Datamation – a real-time network system integrator – where I wore all the executive hats and did everything from managing marketing and OEM sales to R&D and engineering. It was a very exciting time, and we grew Florida Datamation into the largest QNX distributor in the world. After selling that company, I formed SECNAP® Network Security Corporation in 2001, and spent the first few years developing the technology for our network security and email security products. I have three patents pending with the U.S. Patent and Trademark Office for some ground-breaking intrusion detection and prevention technology, and a revolutionary anti-spam product line that was named a Hot Product at the XChange Solution Provider 2008 conference and was also dubbed The King of Spam Filters by SC Magazine in May.
During my career I’ve discovered and resolved vulnerabilities that are currently represented on the Common Vulnerability and Exposures (CVE) list, and I've been a member of the FBI InfraGard program since 1996, working with other information technology experts to assist the FBI’s investigative efforts in the cyber arena.
h9: What’s the most difficult part of your job in security?
MS: I’d have to say that evangelizing is the toughest part – trying to convince businesspeople that an ounce of prevention really is worth a pound of cure. A lot of the IT professionals get it, because they live with the risk of security breaches every day and understand the importance of reducing that risk to the lowest possible degree. But too often C-level executives (and I am one, so I can talk) let budget, politics and religion drive security decisions, and those decisions end up being sub-optimal in most cases.
h9: That was the subject of your keynote at the HackerHalted Conference. Can you tell us more about those influences?
MS: The single most serious threat to the security of sensitive information today is not individual hackers or gangs of cyber criminals. It is not inadequate firewalls, lack of logging or missing patches. And it’s not found in OSI Layer 7, either – no amount of application filtering or testing can address it. In my experience, the single most serious threat to the security of sensitive information lies in the overlooked and undocumented layers of the OSI model, specifically Layers 8 (Politics), 9 (Religion) and 10 (Economics).
We’re all familiar with the impact that corporate politics can have on all kinds of decisions, including those involving the purchase of security products and services. Hidden agendas, special relationships, and other political machinery can cause poor decisions to be made. And everyone is aware of the huge impacts that budget, or the economic layer, can have on IT projects. The religious layer is a little less familiar but can be just as damaging. This occurs when executives have established preferences for certain brands or vendors, and impose those articles of faith on security and other IT endeavors regardless of whether it is the right decision, objectively, for the organization. If we had more time, I could cite dozens of real-life examples of the effects each of these layers has in generating sub-optimal decisions. It’s really amazing how widespread they are.
h9: Give us some examples of an effective strategy to improve security that you often suggest to IT Management.
MS: It’s always smart to know where you are before deciding where you need to go, so we believe a good first step is conducting external penetration testing, IT risk assessments, vulnerability evaluations, regulatory compliance audits – whatever applies to the situation. Once you review the reported results, you can identify the security gaps or risks. At that point, we recommend prioritizing the vulnerabilities by degree of risk so they can be addressed in phases. It is not realistic to expect an organization to tackle hundreds of security gaps as a single project – you need to address them in bits or bytes, not megabytes. And when you take your message to the C-team, avoid overkill. If you hit them over the head they’ll simply shut down and no part of your program will get approved. We also suggest considering outsourcing remediation in order to address the problems faster than you might be able to on your own.
h9: What is the average new client's "security state?" How bad/good is their security, generally speaking? What is the most common missing element?
MS: In our experience the average client ranks about five on a 10-scale. Generally, we find that the overall IT systems are good, with patches kept pretty current and servers maintained properly. The vulnerability really lies at the end-user or work-station level, especially when laptops are in use. Almost any employee can accidentally allow a virus into the system. Salespeople on the road using wireless sites unknowingly open the door to hackers, and businesspeople who plug into wireless networks at hotels can have the same inadvertent impact. So, security awareness is probably the #1 missing element. Another issue is what I call checklist security. That’s when a company feels protected because their checklist audit turned out well – but checklist audits are notoriously imperfect and fail to fully consider the human factor.
h9: What is the most unusual solution you have found in place at a client location?
MS: We have seen a lot of wild stuff out there. Maybe one of the oddest was a client who had absolutely no Windows assets at all. The fact that Windows OS is one of the most popular systems also makes it one of the most vulnerable. This one shop, a very high-tech firm, had banished Windows from the company and was using a mix of Linux, Sun and Macintosh instead, along with one-off software. They operated pretty effectively this way because most of their employees were geeks and could make it work. Interfacing with the outside world could be a little dicey, but you had to give them credit for creativity. Obviously, this type of left-field solution is not going to be practical for most organizations.
h9: What special technology underlies SpammerTrap to make it unique in the IT Security space?
MS: SpammerTrap® provides unrivaled accuracy and reliability in delivering legitimate email and filtering out spam, viruses and phishing emails – all at lightning speed, no waiting. Among its many technical features are more than 40 real-time blacklists, a revolutionary email sender reputation filter that uses four different sender reputation databases, a built-in enterprise-class anti-virus filter and a highly efficient email firewall. It also employs heuristics filtering and a self-training feature that leverages Bayesian logic. SpammerTrap receives software updates at least once every 24 hours (for non-critical updates) and hourly for critical and security updates (such as anti-virus signatures). It arrives preconfigured and ready for use, and is easy to customize and manage through a simple GUI.
Email passes through seven layers of SpammerTrap checks, consisting of more than 4,000 tests, before it is forwarded to the internal mail server to be delivered, quarantined, or deleted. The appliance-based solution blocks malicious email at the client’s network, while the hosted solution is for those who prefer to block unwanted email in the cloud.
h9: How do you relay security information like possible risks and threats to CISOs or CIOs?
MS: One way is through our reports, if we have just completed an audit or pen test. We provide an Executive Summary in addition to detailed, actionable reports for the at-a-glance snapshot most C-level executives need. We also offer a user subscription tool called First Alerts that provides real-time advisories about current hacking initiatives, worms, viruses and other threats. And if we are contracted to provide managed network security services, we monitor 24/7 and follow an escalation process in the event we witness attempted hacks. The process includes encrypted emails, cell phone contact and more, based on the severity of the attack. It is vital that the people responsible for information security be alerted instantly of events that could affect their operations or reputations.
h9: What’s one of your top open-source tools you use for pen-testing?
MS: We find the Nessus product to be very effective in generic vulnerability testing. It offers a large library of plug-ins to choose from to look for various vulnerabilities in applications and infrastructure, and its framework makes it easy to develop your own plug-ins for custom applications. There are any number of other fine open source products as well as commercial products on the market. Commercial products work well for novices because everything is done for you, although almost to the point of overkill since they tend to deliver huge lists of false alarms. Experts can get more out of open source tools like Nmap and Metasploit because they understand the underlying technology and vulnerabilities, and can isolate the serious gaps from the false alarms.
h9: What equipment do you use internally for defense, and do you have a preferred open source tool you’d recommend to our readers?
MS: In our case, we definitely eat our own dog food – and it is gourmet! We use our own proprietary managed IPS solution, powered by our ground-breaking HackerTrap™ technology. The HackerTrap system is unprecedented in its ability to (1) detect genuine attacks against a network, (2) automatically report minor incidents with a zero false positive rate, (3) monitor the possible leak of personal or private information, and (4) accurately identify a breached computer within a client company or an employee violating company policies. HackerTrap uses Snort, which is the de facto standard among open-source tools. SECNAP is a Certified Snort Integrator, and as such we are licensed to distribute Snort rules in our commercial offerings. This enables us to deploy a huge pool of signatures that the average organization doesn’t have access to. Combine this advantage with our rich embedded technology and expert 24/7 monitoring and tech support, and our Managed Network Security Service is the ideal outsource solution for companies looking to reduce internal costs and ratchet up their protection. I’m very proud of what we are doing to continually improve IT and data security for our clients.