Bulletproof IT Security

Gary Miliefsky

Tue, 15th January 2013


Speaker Bio 1:
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next-generation information security products. Gary is also the founder of NetClarity, Inc., which describes itself as the world's first vendor of next-generation agentless, non-inline network access control (NAC) and bring-your-own-device (BYOD) management appliances, based on a patented technology he invented.

As a member of ISC2 and a CISSP, Gary sits on the Advisory Board of the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. A dynamic speaker, he has presented at two White House Summits on cyber security, the RSA Conference, CSI, and many others. He served as an informal advisor to President Clinton and helped the President's Critical Infrastructure Protection Board under the Bush Administration (now known as the National Infrastructure Advisory Council (NIAC) and operating within the U.S. Department of Homeland Security) in its development of The National Strategy to Secure Cyberspace. Miliefsky is a Founding Member of the US Department of Homeland Security, serves on the advisory board of MITRE on the CVE Program, and is a founding Board member of the National Information Security Group.

Questions and answers

Max, Concise Courses:
We had a show last week about starting your own information security consultancy, and from a marketing perspective, what are you finding is working in regards to actually promoting the urgency of having bulletproof IT security? Typically I find that people are more reactionary rather than proactively taking BYOD seriously, for example. So I am curious, from your perspective, what's working from a marketing perspective for consultants to really emphasize how important these issues are?

Gary Miliefsky:
Well, I think there are two things that consultants should do, and Max, that's a great question. First, get these tools that you can bring to a customer. You may already have a tool set of things that you have paid for, or you may use free tools; there are even VoIP auditing tools that you can use for free. How do you know that your VoIP networking for your client is secure? What if hackers are eavesdropping on VoIP? Can you go to the customer's site and offer them a free security assessment and show them some holes for free? Then, when you have shown them the holes, if they really care they are not going to let you leave without paying you your hourly rate to fix it.

That's one. Number two is Fear, Uncertainty and Doubt (FUD): what's the FUD factor here? A lot of people react, as you say, because, 'hey, I just heard my neighbor bank was hacked, and I am a bank and I don't want that to happen to me.' So if you follow local news or a site like privacyrights.org, you can show recent events in your industry, breaches in your specific industry, and bring those to your customer's attention, as frequently as you can without annoying them, and say, 'listen, it's going to happen to you one day, and I'd rather it not.'

A lot of IT people get fired after a breach; they get blamed and fired, 'why didn't you do more?' And yet the CEO runs around with an iPad that he brings back home and lets the kids play with, and then gets on a wireless network at work, so whose fault is it, right? Well, it's really the IT person's fault for not being more proactive and fighting for the right thing in their organization and showing the CEO, 'hey, we don't want unencrypted devices coming and going.' So educate your customer about what's going to happen to them and train them to be more proactive; you have to train them to be more proactive. I know that someone called this an alien concept and it shouldn't be. It's like Will Smith said, "the aliens are out there," Men In Black, but come on, this shouldn't be an alien concept!


Max, Concise Courses:
That's funny! OK, let's touch upon training. What are the key training topics that you feel (it's a pretty generic question and obviously it depends on the vertical) are the key training topics that you would suggest companies deploy?

Gary Miliefsky:
For this year I'd say the top two or three are, number one: phishing training. Train your people not to open emails that look so good; you've got to get more intelligent about being phished. A lot of people have been phished lately with well-spelled, intelligent phishing emails where they are asking for security violations to take place, and the person trusts them enough, because it appears to be a valid source, that they give away a password or a spreadsheet or some data. Data leakage from phishing is a big problem right now. The second one I'd say is passwords. Let's take a simple password, let's take the word 'password'. How quickly can we crack the word 'password' in all lower case? A password cracking tool can do that in nine seconds. If we put a dollar sign in there, or changed the letter 'a' to the number '3', and we put in several other strange characters in uppercase and lowercase, it could take thousands of days to crack that word 'password' because you've mangled it. So if users start to mangle passwords intelligently in their own private way that they will understand: let's train employees to use passwords they will remember and learn how to mangle passwords so that they can't be cracked. These are two important things.

The third is, of course, don't trust anyone! We are all too friendly and too trusting. It's just human nature, when you answer the phone, to give away information, or to open the door for the person who walks in behind you, i.e. tailgating; you come in through the back door because 'you forgot your ID.' So don't let that kind of stuff happen. So there are three levels of education. Number one, let's train them about phishing issues; number two, let's fix our password problem; number three, let's teach them [employees] to be less trusting when it comes to protecting the corporate assets.


Max, Concise Courses:
What do you think about bug hunters? Should more be done to encourage ethical hackers to penetrate systems in a gray hat sense as long as they audit their findings? That kind of circles back to what we were saying before; what are your feelings on that?

Gary Miliefsky:
That's great; that's a whole new industry. Google pays money for that. Microsoft pays for that. So if there are hackers watching this presentation and they are ethical and they want to make a little extra money on the white side of hacking rather than the black hat side, then the white hat hacker can make a lot of money. It's not even gray: if you break a system and you tell the vendor under confidentiality, then they can fix it. This makes life better for all of us because we don't get our identity stolen. So I think it's a great way of getting things done. You can't rely only on Microsoft's security team to fix Microsoft; it takes people out in the wild who think creatively and 'out of the box', who don't work for Microsoft, to find the vulnerabilities and weaknesses and zero-day holes that can be fixed.


Max, Concise Courses:
Do you have any comments on the Red October malware which was discovered recently? Was that really undetected for so long?

Gary Miliefsky:
I don't know much about Red October. I am still dealing with Stuxnet version 2 and why the second version of it didn't expire like the first was supposed to, which has surprised folks at the DHS, and who knows what is going on in Israel today! So I don't have an answer on that, but I'd be happy to look into it; maybe get an email exchange going.


Max, Concise Courses:
Sounds good, Gary. That was truly brilliant. I appreciate your time and sharing all of that fabulous content, and it was great to see Will Smith and the Chihuahuas as well. I didn't realize they were going to be dropping in on the Hangout today, so it's always great to have some more celebrities with us.

Gary Miliefsky:
Have a great rest of your day, and I hope we can get you back on really soon. Appreciate it, thanks.