Canadian Information Processing Society (CIPS)
 
 

CIPS CONNECTIONS

INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., MVP, DF/NPA, CNP

David Woods, Accomplished Security Authority, Microsoft Developer Security MVP

This week, Stephen Ibaraki has an exclusive interview with David Woods.

David Woods, President and Founder of Solidhouse (www.solidhouse.com), is an accomplished independent contractor and .NET developer specializing in security and enterprise applications aimed at meeting the unique needs and business requirements of a broad spectrum of clients.

He is an advocate of good OO skills and patterns, and is particularly passionate about security solutions and best practices. Dave holds the designation of Microsoft Developer Security MVP. He has been developing and working on computers since he was a kid and still has his Apple II to prove it.

In addition to his corporate projects, Dave enjoys sharing his knowledge and understanding of some of the industry's most innovative and forward-thinking arenas with other professionals and up-and-coming developers. He is an active speaker at a variety of user groups, code camps and conferences throughout Canada and the United States, and via his informative blog: www.haveyougotwoods.com.

To listen to the interview, click on this MP3 file link

Go to www.microsoft.com/youshapeit/technet for a look at this interview and much more.

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.
http://blogs.technet.com/cdnitmanagers/

DISCUSSION:

Interview Time Index (MM:SS) and Topic

:00:30: Can you provide a profile of your roles and challenges?
"....We write software for clients and provide website hosting for our clients. Our challenges are to keep our software and our servers secure and to educate our clients and our staff about security...."

:01:00: What are your recommendations for security governance and defense in depth?
"....Governance can bring about some good security changes through policy and even through law....The biggest thing that has impacted a change has been some of the security breach notification laws that they have in California. If your systems get compromised and there is information about your customers on it then you have to notify all your customers. Now there's a motivation for businesses to provide security because having to notify all their customers is bad publicity....As far as defense in depth goes, the biggest thing we're missing is educating the people. It seems to be the weakest link and always has been the weakest link in our system...."

:05:06: What are your best practices regarding virus protection?
"....Don't trust anything....Layering your protection is an important thing (defense in depth)....Another thing that I am noticing in the attack sector are Instant Messenger worms....An easy way to defeat that is if someone just sends you a link, ask what it is. If they answer, then it is probably legitimate. If there's no answer, it is probably an automated worm that has taken over that computer...."

:06:34: How about malware removal and your recommendations in that area?
"....Malware seems to be dropping off more as the security of the operating system and the browser improves. But running a fully patched system as a non-administrator really reduces your risk....Windows Defender....The Malicious Software Removal Tool from Microsoft....Ad-Aware....Spybot...."

:07:34: What can you say about corporate espionage?
"....Fewer and fewer companies are reporting it to prevent bad press which makes it difficult to gauge how big it really is....One of the ways to protect against it is to use document rights management services...."

:09:45: David overviews Forefront security.
"....It's a nice unified virus and spyware protection system for the client and the server....You have a central management server that you can administer all the clients in your organization from a central spot....and it's all done through group policy objects....They've got some customized versions of Forefront that integrate the whole suite of Forefront products....There's the Exchange one which does virus scanning, malware, content, band filtering....it ships with a bunch of anti-virus engines in it....There's a few other server Forefront products for it....Sharepoint, Office Communications Server...."

:11:38: Can you provide your recommendations for Security Solution Accelerators?
"....Security Solution Accelerators are a pretty neat set of tools and documentations. The one I really like is the Windows Server 2008 Hardening Guide that has a huge amount of information on how to harden out Windows 2008 Server....Also there is the GPO Accelerator which is a nice little wizard which allows you to define group policies....On the TechNet site you can find a massive amount of these Accelerators....There's a lot of information on that site...."

:13:03: Can you see a shift in attack vectors?
"....One thing it is moving into is the application layer. We've secured a lot of the browser stuff....The new attack vectors seem to be things like Flash, PDFs and all sorts of common applications that you've got that run in your browser or in documents you download...."

:14:09: What are your insights on passwords and alternatives?
"....we really need to look at incorporating more things into identification. I like smart cards in combination with a PIN or password...."

:15:39: What are the problems with security?
"....The big problems I've found with security are education, spending and a desire to secure systems...."

:16:51: What are the security challenges and solutions with web hosting?
"....With web hosting we have shared space that anyone can upload any code to, so we have no control over what these users are uploading to our servers. The issue there is how to isolate them so that if they write bad code or insecure code that it limits the damage to the system. The way this is accomplished is through your file system ACLs that are locked down, an FTP system that is locked down so that they can only access their home directory, having partial-trust for .NET applications (a phenomenal tool)...."

:18:57: Provide your predictions of future IT/Business security trends and their implications/opportunities?
"....Organized crime is going high tech in a huge way (phishing etc)....Auction sites are auctioning off security exploits....There's a huge rise in botnets....We are going to see a lot more of 'a patch is out now there's an exploit' instead of the other way around...."

:21:03: Which are your top recommended specific resources and why?
"....http://www.securityfocus.com/....security mailing lists that I'm on....The Register (UK based)...."

:22:48: If you were doing this interview, what question would you ask and then what would be your answer?
"....What are the issues having an organization where you have programmers and you have IT pro personnel?...."

:24:06: David shares some stories from his work.

:26:30: Do you have additional comments you want to make?
"....Communication and education are two areas we are lacking in...."