A lot has changed in the information security landscape in the years since that interview. Skoudis addressed some of those changes and more when he recently teamed up with Tom Liston, a Senior Analyst with Intelguardians, to write Counter Hack Reloaded, a 2nd edition of Skoudis' 2001 book Counter Hack. I managed to steal some of Skoudis' time to get his input on how things have changed and his insight on where information security is heading.
TB: What made you decide to write this updated version of Counter Hack?
ES: The world of computer security has changed an incredible amount since the original Counter Hack was published, way back in mid-2001. We've seen an avalanche of new tools and techniques released since then that have really revolutionized the attackers' abilities. For just a handful of new topics that have emerged into the attack mainstream since the original Counter Hack, consider Google hacking, the Metasploit Exploitation Framework, extremely covert channels, and the rise of spyware. Each of these new topics and more are included in Counter Hack Reloaded. The threat has also expanded, going beyond script kiddies to organized crime and terrorist groups. Attackers have ramped up their game in amazing ways. If we don't ramp up our game as defenders, we will surely lose.
TB: Two years ago you named patch management and deployment as a key area that companies needed to improve on. Have they succeeded?
ES: While the battle to keep our systems patched is hardly over, we have seen huge improvements in the speed of patch deployment in the last two years. It's been wonderful, and we need to pat ourselves on the back as an industry for this major accomplishment. Back then, it wasn't unusual to see a company that would take a month or more to get critical patches on very important machines. Today, most organizations can push a critical patch in days or even hours.
But, we're not out of the woods yet. While organizational patching has improved, the free-range consumer users are still not getting patched quickly enough, which leads to these massive bot-nets we see growing daily around us.
TB: What is the key area you feel companies need to improve on in terms of their Information Security in the next couple of years?
ES: Given that many organizations have dramatically improved the patching process, we now face an even more difficult problem: user awareness. With targeted phishing and Trojan horse attacks, an unwitting user can be duped into running an attachment, surfing to a happy-looking-but-evil website, or entering information into a form that pops up on the screen. Such attacks represent a real threat to most organizations. And the real problem here is summarized well in that wonderful T-shirt: "Because there is no patch for human stupidity." Our entire culture needs to come to terms with the risk of computer crime and how to identify and avoid its common forms. Pretty much everyone that uses computers has to learn about e-mail and website con jobs, phishing, Trojans, viruses, and other scams.


