This is a great opportunity for awareness. Every time a systems administrator gets a Wells Fargo email when they don't have a Wells Fargo account, they should copy a screenshot and send it out to the entire organization and warn people that this is the latest phishing scam. Show people what the threat looks like. Once a month, you can send these out and make people aware. And tell your mother.

A new item on this year's list is the VoIP threat. What is the SANS Institute doing to bolster awareness in this area?
This is my single greatest failure. We don't have the kind of intensive "here's what the packets look like" training that's needed. The problem is just massive. A technology like this never should have been rolled out without more thought to security. If I had my way, I would have the creators of VoIP stop everything and redesign this with security in mind from the get-go.

What could the institute do in the short term to improve the VoIP security training?
We teach the importance of having a VoIP firewall. You want a barrier between the Internet and your phone system. You should also use hardware encryption between your building in the U.S. and your building in France. The benefit is that the VoIP data is encrypted in a tunnel and the bad guy can't intercept your voice sessions. It gives you a little more protection. And if you're going to do VoIP, do it as much as possible out of band from the rest of the network. Run VoIP on a separate cable, where you'd have one cable for data and another for voice. That way, if someone hits you with a denial of service (DoS), you still have voice and the ability to keep functioning. Or, if VoIP is hit, you still have the rest of the network. VoIP is very susceptible to DoS, so you need to make sure that if one goes down you have the rest.
Some people think the idea is economically stupid. The advocates of VoIP always say the beauty is that you can run your phone with everything else. I say yeah, but you can also kill everything together.

The increase in zero-day threats made the list as well. Do you think IT professionals are adequately keeping up? If not, what could they be doing better?
This is one of those unhappy examples of progress. Two years ago we were talking theoretically about zero-day threats. The only thing you can do is isolate and minimize your footprint. IT professionals have to get really serious about the software they allow on their systems. System lockdowns are unpopular, but it's important to only allow the 10 business functions users need to do their jobs and nothing more. Smart users know to use an alternative browser like Firefox.

Talk about some of the key skills IT pros need to keep up with today's threats. In a previous interview, you mentioned the need for them to be better report writers.
Communication is definitely an overlooked skill. As a manager, I need to be able to give the board the information they need, packaged in a way that helps them understand the needs. I also need management skills so people underneath know what to expect from me. Those are some important aspects of the training.

It's been said that IT people don't always have the best management or people skills. Is that something you try to address?
That's actually a politically incorrect part of my course. I talk about how you can stereotype technical people. Your Cisco router jocks tend to be a certain sex, age and disposition. They never do well in management because they can't write. They're great at the tech stuff but they talk funny. We talk about these stereotypes and how those who do end up in management must be able to communicate to the people above and below them.