Interview with Ken Cutler, Vice President, Information Security, MIS Training Institute
by Mirko Zorz - Wednesday, 12 January 2005.
What do you see as the biggest online security threats today?

Today’s biggest online threats come from malicious software (e.g., viruses, worms, and ad-bots), phishing scams, and direct attacks by hackers.

Malicious software typically exploit unpatched software bugs in widely used software such as operating systems, browsers, and office software. These malware agents are often propagated through email attachments, often associated with SPAM, or by leveraging unprotected file shares used like frogs jumping from one object to another. Spyware from freeware and software suppliers that plants unwanted “monitors” and system operation alterations (e.g., interfering with normal web browser operation and “homesite” selection on end-user systems is a constant headache for both end-users and desktop security software suppliers. Using built-in web browser safeguards and vigilantly keeping current anti-virus and anti-spyware software is a way of life to ensure secure web browsing and workstation software reliability.

Phishing is accomplished through the copying of prominent financial services sites (e.g., major banks, PayPal on E-Bay) to create bogus sites. The victims are lured to the bogus web sites by phony emails requesting that the customers need to update their accounts and then proceed to login to the bogus sites while their account numbers and passwords are being captured. User awareness is an important countermeasure against this sinister threat.

Direct hacking of website continues to be a problem associated with vulnerabilities created by a combination of unpatched software bugs and failure to use bundled security features in the software. Security and network software from prominent vendors, such as Cisco, Internet Security Systems (ISS), Symantec, and Zone Labs, have also come under attack during the past year. Attack objectives range from denial of service, web site defacement, and privilege escalation to direct theft of credit card information and other valuable electronic information. Being proactive with intensive web and database application coding guidelines and testing along with the use of up-to-date intrusion prevention systems is an absolute must in today’s Internet environment.

Direct attacks on recently implemented wireless LANs are also prevalent, but usually result in only the theft of high-speed Internet service or possible relaying to “interesting” targets. Use of strong authentication, encryption, firewalls, and ongoing audits, such as wired and wireless vulnerability testing, are critical safeguards to protect wireless network access points.

What are the people that come to the MIS Training Institute most worried about?

In recent years, the human resource and financial impact of trying to document internal controls and comply with regulatory security laws such as HIPAA, Graham-Leach-Bliley, and most recently Sarbanes Oxley are top priorities in most businesses. A major area of internal security controls associated with regulatory compliance issues is the “bread and butter” area of identity and access control management, in past years just simply referred to as “access control”. Accurately identifying users, their privileges or entitlements, and having an accurate record of what they did while using computerized resources is no longer just a “best practice” but a legal issue with serious non-compliance consequences to the senior management of all publicly owned businesses. All that, is in addition to dealing on a day-to-day basis with frequent software patches to address the major online threats we mentioned in response to the previous question.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th