
Winning the cyber arms race in the classroom

In the struggle for cybersecurity, Lenny Zeltser's most important weapons are the classroom and the pen.

For the past few years he has taught part-time at the SANS Institute, where he created a course on how to analyze malicious software. He has also directed security efforts for several organizations as a consultant and employee. As a writer, he co-authored Inside Network Perimeter Security and contributed several chapters to the book Malware: Fighting Malicious Code.

In this Q&A, Zeltser outlines his latest course offerings and book projects, and what he sees as today's greatest threats.

Describe the perfect IT security professional
The strength of an information security professional lies not only in his technical skills, but also in his understanding of how data protection efforts contribute to the organization's larger goals. A company is rarely concerned with confidentiality, integrity and availability of its information assets per se. Its focus is succeeding as a business entity. That's why we see security professionals becoming more interested in business-related disciplines that have traditionally been associated with "pointy-headed" managers. If we are to protect information in a world where perfect security is not achievable, we must understand how our efforts tie into sales, marketing, product management and other business aspects of our companies.


What is the main focus of your courses?
One of the responsibilities I've had involved protecting information systems from malicious code. When doing this, I periodically encountered malware specimens -- worms, viruses, and Trojans -- that I could not identify using mainstream antivirus tools. In other cases, I was able to identify the specimen, but I could not find much information about it from publicly available sources. As a result, I had to figure out how to analyze malicious code to learn about its threats. Going through this process has led me to create a course that teaches security professionals to reverse-engineer malware.

What are your latest offerings?
I teach a course at SANS Institute titled Reverse-Engineering Malware. It discusses tools and techniques for analyzing malicious software, so that security professionals are more effective at defending systems against malware. Knowing how to reverse-engineer malicious code is useful when students have to respond to an incident that involves an unknown specimen. Moreover, examining malicious software helps students understand how malware works, so they become better at building infrastructure resilient to malware-based attacks and at recovering from incidents that involve malware. The course includes hands-on exercises that allow students to experiment with real-world malicious code under carefully controlled conditions. For this purpose, the course explains how to set up an isolated laboratory environment, and how to use behavior monitoring and code analysis tools to learn about a specimen. The course is not offered at all SANS conferences; I'm scheduled to teach it next in April in San Diego and Boston. (More information is available here.)
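The "behavior monitoring" step Zeltser mentions boils down to a simple idea: take a baseline of the isolated lab system, run the specimen, take another snapshot, and report what changed. The script below is an added illustration of that idea and is not code from the interview, from Lenny Zeltser, or from the SANS course. It monitors only the file system (no registry or network), works on a throwaway temporary directory, and the "specimen activity" is a constructed, benign stand-in that drops one file, edits one and deletes one so the differ has something to report.

```python
"""Minimal baseline/after snapshot differ for an isolated malware lab.
Added example; not part of the original article or the SANS course."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256 digest. Symlinks are skipped so a planted link cannot pull
    files from outside the monitored tree into the snapshot."""
    root = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snap[path.relative_to(root).as_posix()] = digest
    return snap


def diff_snapshots(before, after):
    """Report which files appeared, vanished, or changed content between two
    snapshots (files only, in the style of a Regshot-type comparison)."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def constructed_specimen_activity(root):
    """Stand-in for executing a specimen inside the lab VM. The activity is
    constructed and benign: one dropped file, one edited file, one removed
    file. File names and the 203.0.113.5 address are made up for the demo."""
    root = Path(root)
    (root / "system32").mkdir(exist_ok=True)
    (root / "system32" / "svch0st.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "hosts").write_text("127.0.0.1 localhost\n203.0.113.5 example.invalid\n")
    (root / "config.ini").unlink()


def run_lab_session():
    """Baseline -> run specimen -> snapshot again -> return the delta."""
    with tempfile.TemporaryDirectory() as lab:
        lab_path = Path(lab)
        # Constructed baseline contents of the throwaway lab directory.
        (lab_path / "config.ini").write_text("[app]\nlevel=1\n")
        (lab_path / "hosts").write_text("127.0.0.1 localhost\n")
        (lab_path / "readme.txt").write_text("unchanged\n")
        before = snapshot(lab_path)
        constructed_specimen_activity(lab_path)
        after = snapshot(lab_path)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    report = run_lab_session()
    for kind in ("created", "modified", "deleted"):
        for path in report[kind]:
            print(f"{kind:<9} {path}")
```

Hashing content rather than comparing timestamps is deliberate: a specimen that rewrites a file and restores its modification time still shows up as modified. In a real lab the same before/after pattern is applied to registry hives, running processes and network listeners, and the snapshots are taken from outside the guest wherever possible so the specimen cannot tamper with them.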

Is reverse engineering the right way to teach?
Zeltser teaches IT professionals how to analyze malicious code by taking it apart, not unlike malcode writers who reverse engineer patches to create exploits. Use SoundOff to let us know whether this is the proper approach. What's the best way you've learned to counter an Internet-borne security threat?

Which security threats worry you the most?
My biggest concern at the moment is the change in financial incentives behind attacks. As the Internet matures, it becomes a more attractive platform for conducting legitimate business, and therefore it becomes a more profitable target for intrusions. As a result, we are beginning to see a greater occurrence of organized and carefully orchestrated attacks that target personal financial data, conduct corporate espionage, or lead to extortion. It will take companies some time to adjust their threat models to account for the greater likelihood that an attacker will have the necessary funding, time and desire to compromise their defenses. For example, attractive financial incentives make it more feasible that a sophisticated attacker will bother developing a custom Trojan or a zero-day exploit when targeting a particular organization. Malicious software is often at the heart of such attacks, whether it acts as a spyware agent on a compromised system, or whether it assists in locating and exploiting a targeted vulnerability.

Are you working on any new book projects?
I am working with a great team of co-authors to release the second edition of Inside Network Perimeter Security. The book covers such essential aspects of network security as firewalls, routers, VPNs, host hardening and intrusion detection and prevention systems. Given the porous nature of a modern defense perimeter, we spend quite a bit of time explaining how to tie these components together to achieve defense-in-depth. The newly updated and expanded edition of the book is almost done. It should be available in stores in mid-March.
