March 04, 2005
Chris Goggans: One-Question Interview
Chris Goggans is an internationally recognized expert on information security with over a dozen years' experience in network and information security. He has performed network security assessments for some of the world's largest corporations, including all facets of critical infrastructure, with work spanning 22 countries across four continents. Mr. Goggans has worked with US Federal law enforcement agencies on some of America's most notorious computer crime cases. His work has been referenced in publications such as Time, Newsweek and Computerworld, and televised on networks such as CNN and CNBC.
Mr. Goggans is a frequent lecturer on computer security and has held training seminars in nine countries for clients such as NATO, the United States Department of Defense, Federal Law Enforcement agencies, as well as numerous corporate entities. He has been asked to present at major conferences such as COMDEX, CSI, ISACA, INFOWARCON, and The Black Hat Briefings. Mr. Goggans has also co-authored numerous books including "Implementing Internet Security," "Internet Security Professional Reference," and "The Complete Internet Business Toolkit."
During the Summer of 2003, Mr. Goggans was invited to become an Associate Professor at the University of Tokyo's Center for Collaborative Research.
Currently, Chris is President of SDI, Inc., a Virginia-based corporation providing information security consulting.
Q: We have seen many urban myths of the internet, such as the email that infects your computer with a virus just by opening it, that have stopped being a myth and been implemented by the collaboration of lazy and careless system architects and curious and malicious crackers. The same happened with the "technologically gifted criminal", another myth that has now become true in the figure of spammer-zombie coders and security experts for illegal casinos. Do you think this other urban myth, the "evil terrorist hacker", is now becoming a real threat? To what point is that presumed threat just a figurehead to use in the war for control over our civil liberties in cyberspace?
A: In my opinion, neither of these were "myths," nor did they "become true." They have been true all along; only people's perceptions of the reality of existing threats have changed. For example: It has been possible to automatically execute code by viewing mail in Lotus Notes by design using LotusScript from its inception. Similarly, buffer overflows and/or embedded scripting in mail clients such as Outlook and Eudora have made it possible to likewise execute code under similar circumstances.
Regarding the "evil hacker terrorist," this term is not really something I would use...I'd stick with the simple "computer criminal" since I like the word hacker, and one person's "evil terrorist" is another's "holy freedom fighter." Regardless, as long as there have been computers there have been people who would use them to further their own goals. This could mean the Russian Mafia using Denial of Service attacks against on-line banks to extort money, the Zapatistas and Tamil Tigers hacking web-pages of their opposing political parties, or simply a lone man stealing intellectual property from his employer to resell. None of this is new... people always use the tools at their disposal to commit crimes. The computer is just another tool.
The biggest issue we should concern ourselves with is the total reliance on computer technology in today's world. It is very easy now to cause major havoc across critical infrastructure from across the world with a few skilled amateur attackers. A concerted effort by a nation-state could have even more dire consequences. I feel that there should be more government involvement (particularly financial) in assisting critical infrastructures with the security of their computer networks. I've seen far too many banks, phone companies, power companies, etc., with horrendous security ultimately blamed on "lack of budget." This can and should be corrected.

