CEO Interview: O-ISC Keynote Speaker, Intrepidus Group

February 2010

What is your experience in security?

I am CEO and co-founder of the Intrepidus Group, and Adjunct Professor at Carnegie Mellon University. Prior to starting the Intrepidus Group, I held the positions of Managing Director at Mandiant, Principal Consultant at Foundstone, and Researcher at US-CERT.

I am a regular speaker at various industry conferences including Black Hat, OWASP, ASIS, SecTOR, Hack in the Box, Infosec World, TechnoSecurity, CPM, ISSA meetings, and several forums catering to the FBI, US Secret Service, and US Military.

I have written technical articles and columns for publications like Securityfocus and SC magazine, and have been interviewed for mainstream and technical audiences.

I hold a Bachelor of Engineering in Computer Engineering from Bombay University and a Master of Science in Information Networking from Carnegie Mellon University. I currently lead the OWASP Java Project, a worldwide consortium of Java security experts, and am also on the board of the Government Technology Research Alliance.

What is the most common security problem that you see in companies?
The lack of employee awareness of common security threats is probably the number one issue, as was learned from the "Aurora" attacks against organizations like Google, Adobe, Juniper, etc. Most security organizations treat employee awareness as a burden and often under-budget the activity. As a result, employees are forced into boring, mandatory computer-based or in-person security awareness training that has little to no impact on their mindset. The result is that employees are put off by security and view it as "the security guy's job." This lowering of the guard allows attackers to focus their attacks on end-users through targeted phishing emails and easily compromise their systems to gain a foothold in corporate and government networks.

Will we ever be rid of IT security problems?
The short answer is no. As technology evolves and gets more complex, security problems will only increase.

How secure are app phones? Should we expect security suites on our phones soon?
Mobile security is a big issue. With new mobile platforms, devices and applications mushrooming, the focus is on being first-to-market, and not on security. As these devices continue to add computing power and capabilities, I only expect the attackers to focus more on attacking them. These devices have more sensitive data today than our computers: SMS/MMS history, photographs, call history, web browsing history, documents... everything that an attacker, as well as a forensics investigator, wants access to.

What will be the big security issue in 2010?
We will continue to see a rise in mobile security attacks and attacks focused on the end-user via targeted phishing attacks. I see these trends on the rise at least for another 3-5 years while we, the white hats, play catch up with the attackers.

Mr. Belami will be the luncheon keynote speaker at O-ISC '10.
