Interview with Eric Greenberg, author of “Mission-Critical Security Planner: When Hackers Won’t Take No for an Answer”
Who is Eric Greenberg?
I’ve been kicking around the Internet for quite a while. Around 1981, while in college, I worked at the National Institutes of Health as a “computer specialist”. At the time, I was amazed at how careless system designers, users, and so forth were with regard to security. I used to demonstrate to my managers how easy it was for me to get access to information I shouldn’t. It was there that I became interested in security, networking, and distributed computing in general. Remember at that time, the IBM PC didn’t exist (it would soon come into existence). We used IBM Mainframes, Commodore computers, and 8 bit CPM machines. Through my career I became heavily involved with the Internet and distributed computing in general and, in the early 1990’s, led the deployment of Global SprintLink, a large international Internet backbone. Hackers made themselves known then, some in good ways and some in challenging ways ;-). At that time, groups of hackers were particularly bothered by the fact that the Internet was being commercialized, so they attacked our network backbone regularly. Remember all of those statements coming from various Internet providers that claimed their 24 or 48 hour outage was for an equipment upgrade failure? Think *** not ***. Often the outage was the result of hackers at-work. In building-out the Internet, I became convinced that it wouldn’t go anywhere without a very heavy focus on security. This was around 1995, that’s the time that I decided to join Netscape where I led the security product group. There we were able to endlessly innovate in security and put that work to action, it was a great time. I was group product manager for the Secure Sockets Layer (SSL) protocol and other Netscape security products and features including smart cards, replaceable crypto, digital certificates, code signing, and PKCS #11. Around this time I finished my first book, Network Application Frameworks. That book was my statement that networks, applications, and security are one problem set, not two or three. It has always struck me as odd that network people and application development people (and now security people) put such walls up between their work and areas of study within an organization– it’s all one problem. After taking some time off and helping another company prepare to go public, I co-founded NetFrameworks, Inc. with Tom McKnight in 1998.
How did you gain interest in computer security?
Since the time I first started working in a shared computing environment, in my case an IBM mainframe, I became very interested in security. It was completing the initial build-out of Global SprintLink and staring back over the expanse of the Internet and pondering its potential that fueled what would be come my obsession with the importance of security in distributed computing.
What are your favorite security tools?
I have a number and I’ll list them. But as I often note when I speak and in my book, security is not strictly about the best tools. Being proficient in security tools is just one part of being good at security– in fact, while it’s a fascinating and important part, it’s a smaller part. Understanding security is about understanding distributed computing technologies in breadth and, where necessary, great depth and how those technologies relate to security. It’s an art form, a process, and a mind set. It’s about understanding precisely how networks, applications, people, business, information, and infrastructure come together, along with the life cycle management of those things. By analogy, someone can have all the tools of a great car mechanic and know how to use each tool, but can’t do much with them if they don’t understand the car. So security knowledge of security tools by themselves is not enough. With that said, some of my favorite tools include Snort, NetCat, NMAP, Sam Spade, Protocol Analyzers in general (Ethereal, others), Nessus, dsniff, Tripwire, OpenSSL, PGP, Chkrootkit, and about 1000 other tools!
What operating system(s) do you use and why?
For servers exposed to the Internet, my personal choice is Linux. However, for the NetFrameworks consulting practice, Microsoft Windows server products are of course a marketplace reality and we work to secure that technology, and implement with it, if a client’s business needs dictate such a requirement. We work with all of them (Solaris, mainframe operating systems, etc). On the desktop, I run Linux and also Windows. It’s difficult to survive today without using Windows on the desktop since it’s everywhere. I admit I’m a big Linux fan, but I understand the marketplace role of Microsoft and, on the desktop, their role in the marketplace leaves me with few choices. I do remember the day when I could go to the store and actually choose from several different word processors and operating systems. I miss those days. I wrote Mission Critical Security Planner using a wonderful product, Adobe Framemaker. I then converted at the end to Microsoft Word, as required by the publisher’s post-processing tools. Fortunately Wiley accomodated me through that entire process, they allowed me to do that.
How long did it take you to write “Mission-Critical Security Planner: When Hackers Won’t Take No for an Answer” and what was it like?
The book took a little over two years to write. Writing a book is a very exciting and somewhat spiritual process for me– I feel as though writing is something I’m “supposed” to do in this life. At the same time, it’s incredibly exhausting. This particular book required a great amount of up-front conceptual forethought. From the beginning, the goal of Mission Critical Security Planner was to make the life of the reader easier. Myself, and Carol Long (the fantastic Wiley executive editor I worked with), kept the pressure on ourselves throughout the writing/editing process, making sure we never forgot that goal. Whenever I wrote anything, we asked ourselves 1) will this make a security person’s life easier and how and 2) is this an actionable/workable/usable approach because if it isn’t, go back to the drawing board. We set-out to provide a workable, actionable security planning approach. Since no such approach existed (my reason for writing the book), I needed to find answers to problems that didn’t exist. I would spend endless hours going over and over various approaches to modelling secure distributed computing and, very importantly, ways of synthesizing that model into something the reader can immediately use. As we applied the principles of Mission Critical Security Planning in our NetFrameworks security consulting work, we went back and refined the book’s content to reflect our experiences. We didn’t just write about mission critical security planning, we lived it.
If you could start working on the book all over again, what changes would you make?
There are no changes, this book was a great journey from start-to-finish and a very enjoyable process working with Carol Long and Wiley, the publisher.
In your opinion, what are the most important things an administrator has to do in order to keep a network secure?
Boy, that’s a tough question. As folks working in security, we keep seeing so many areas for improvement, not just one thing. At the same time, I can say one thing comes to mind, right at the top– disablement. Administrators don’t disable enough. Software developers don’t disable enough. Security is disablement. Disable network protocols, applications, and features of all kinds that you don’t need. Software comes shipped by vendors today with too much enabled, that’s one of our biggest problems in security. There’s too much focus on getting things working (maximum enablement) and not enough on security, wherein security, by my definition, implies maximum disablement.
What is, in your opinion, the biggest challenge in protecting information at the enterprise level?
Folks in the enterprise still have a difficult time understanding what the statement “security is a business problem” really means and what to do with it. One of the things we tried to do with Mission Critical Security Planner was to provide a quantifiable and actionable way to communicate that. From the topic of selling security, to impact (risk) management, and security quality management, these are all areas that the enterprise struggles with. Security professionals need help pulling together a comprehensive security plan that is both actionable (sufficiently technical) yet fully understandable from a business standpoint by the rest of the organization (up to the CEO). This is the challenge of the enterprise and we worked to address that with the book. The other common problem in the enterprise is the belief that a firewall really provides full protection, so they believe that behind a tight firewall (even one only allowing one port through, say http), they are secure. This is absolutely not true. It’s this mind set that is making so much of today’s networked-world vulnerable. Security is a systemic challenge, you need to go deep into the organization and apply security. Security practitioners should always remind folks in the organization that security is value, not overhead– in the book, the “Selling Security” worksheets show specific examples of how to do that.
What are your future plans? Any exciting new projects?
On a personal level, I hope to find some time this year to take a breather and visit more of the world. I’ve been around Europe and Asia but there are still a number of places to see. The book consumed a great deal of my free time over the past two years, but I’m happy to have written it, it was a great journey. From a technical standpoint, we (NeFrameworks) continue to develop our own suite of products that our security consulting clients can choose to use (or not) as part of the security planning and implementation process. It’s exciting to develop useful security products, it’s something I enjoy. For example, we are working on an innovative secure content management platform called PortalLock that seamlessly integrates with our other service offerings around identity management (IDValidate) and privacy management.