
A Conversation with Shon Harris on IT Security

The threat landscape that companies face today is not the same that they had to deal with even five years ago. Today’s threats are not the lone hackers but organized, trained, and funded groups that are backed by organized crime rings or nation states. In this interview, Shon Harris further defines this threat and how corporate IT managers can mitigate against them.

Please provide us with some background information on your organization and your industry.

I work in the information security industry, which has critical impacts on businesses, organizations and nations. Our society only increases its dependence upon technology, and properly securing it can come down to the life or death of an organization.

The information security industry is relatively new compared to other industries as in financial, medical, and telecommunications. The industry is currently going through many different “growth pains” as it moves from a chaotic and infant entity to a more mature and disciplined space. I and my company have been seen as visionaries in helping some of the largest corporations and government agencies secure their most precious assets against the largest threats they face today.

Logical Security is going into its 8th year of existence, while I have been in the industry for 15 years. My company specializes in risk management consulting services and training. We build enterprise-wide risk management programs that not only allow our customers to identify their vulnerabilities and stop their adversaries, but correlate and integrate information security issues into their overall business decisions and vision.

What are some of the primary challenges your industry faces?

The threat landscape that companies face today is not the same that they had to deal with even five years ago. Today’s threats are not the lone hackers but organized, trained, and funded groups that are backed by organized crime rings or nation states.

Attackers are no longer interested in spreading benign viruses, but have very focused goals of obtaining an organization’s most sensitive data as in social security numbers, credit card information, medical data, and privacy and financial information. The attackers are using our technology against us and we are constantly being outsmarted.

Companies and government agencies are finding it difficult to keep up with a threat that can morph and adapt at the rate of speed that is currently taking place. Anti-virus products capture around 23% of the malware that is on our systems, meaning that most systems are infected and being used by an underground criminal without our knowledge.

Organizations have a false sense of security because they have anti-virus, firewalls, intrusion detection, intrusion prevention and other technologies in place. While these are necessary defenses, the enemy is circumventing them and covertly embedding themselves into the technology and devices we use day in and day out.

What solutions are you contributing to overcome these challenges?

I have several roles in the industry: author, consultant, instructor, and speaker. These are the different avenues I have to educate and help the industry identify its real risks and come up with real solutions that are efficient and effective.

I have written books that are used in the trade industry and text books that are used in some of the top information security graduate programs offered in universities today. I write magazine articles and online whitepapers that cover emerging technologies, security best practices, industry trends, information warfare, and more.

I consult with many of the top Fortune 100 companies on topics as in vulnerability and risk management, intellectual property protection, data leakage, secure e-commerce, identity management, cryptographic solutions, business continuity and more.

I have trained thousands of people in the last 10 years on material based on my bestselling book, and I talk at conferences around the United States on various information security topics.

I am currently working with the Department of Homeland Security (DHS), National Security Agency (NSA), National Institute of Standards and Technology (NIST), and MITRE on my new book that explores how the industry can enumerate, automate, and measure how we are carrying out security practices today.

So I write, teach, and consult on emerging threats that our companies, organizations, and nation face along with the necessary countermeasures.

What do you feel is the most important message to convey to individuals?

We are not as safe as we think we are. The amount of bank and credit card theft that takes place increases dramatically each year. Identity theft is the most prevalent white collar crime worldwide. Our technological defenses (antivirus, IDS, IPS, firewalls) are being either bypassed or circumvented.

The threat organizations face today is referred to as the Advanced Persistent Threat (APT). This means the attackers are skilled, patient and organized. Their goal is not to disable businesses’ functionality, but siphon off sensitive information covertly so that competitive espionage and fraud can be carried out in the background without anyone knowing about it.

Criminals can carry out their activities anonymously, which makes it hard to know who is attacking you; the criminals may be in countries such as China or Russia, which makes it hard for law enforcement to investigate, and their attacks are becoming more sophisticated, which makes it harder to defend against.

While education and awareness is not the sexiest part of security, it is the most critical. If company owners and individuals understood even the most common and basic ways that attackers enter their computers and networks, they could carry out more useful defenses. Education takes more than just 30 minutes of security awareness training annually; it needs to happen continuously. Company owners and officers should demand to be briefed about security issues that threaten their environments monthly if not weekly. Security risks should be integrated into the C-level business decisions. Security and how it affects the organization should be discussed at the board level. Organizations should invest in continuous training for their security IT personnel. The enemy is getting smarter, and so should we.

How has the information security landscape evolved over the last 10 years?

Our networks have moved from centralized homogenous closed environments to open distributed heterogeneous environments. We have not only connected our networks to the Internet, we connect smart phones, laptops, iPads, wireless devices, USB devices, and more to our precious networks, which expands each and every end point that is open for attack.

Over 70% of most companies’ financial transactions are happening over the Internet in some fashion of e-commerce. We move every type of sensitive data that is available over some type of digital communication link every second. Things as large as your power grid down to things as small as a pacemaker are dependent upon technology, which means they are open for attack.

Our life is continuously being enriched by technological advances, but these advances open us up to more types of threats on our way of life.

How have the threats that companies face today changed over the last five years?

Hackers used to be just annoying, and the cost of dealing with them was relatively low. They caused small problems, such as defacing websites—versus the competitive espionage, fraud, and organized crime that takes place today.

We refer to the new type of threat as the Advanced Persistent Threat (APT). APTs differ from the regular old vanilla attacker in that the threat commonly comes from a group of attackers, not just one hacker, who combines its knowledge and abilities to carry out whatever exploit will get them into the environment they are seeking. The APT is very focused and motivated to aggressively and successfully penetrate a network with variously different attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. The “advanced” aspect of this term pertains to the expansive knowledge, capabilities, and skill base of the APT. The “persistent” component has to do with the fact that the attacker is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than just a virus that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded—which makes it the biggest threat of all.

Why is it so easy for hackers to infiltrate our computers and networks?

While many organizations still do not practice some of the most basic security practices fully (password protection, encrypting sensitive data, etc.), it is getting harder to locate the entry points that attackers use and identify their malicious activities once they have gotten through those entry points.

Attackers change their MO as companies and users get wise to their tactics. For example, the phishing attacks that include fake emails from supposedly reputable entities that tricked people into clicking on dangerous links have decreased since more people have been learning about these types of attacks. As more people are learning about the dangers of opening email attachments, for example, attackers are moving onto attack types that people are not aware of. Just like any type of crime, it is a cat and mouse game. As the cat gets smarter, the mouse has to change its tactics.

What is the most common fallacy in the information security industry?

Just because you have anti-virus and other types of technology to scan and identify malware and attacks does not mean that you are fully protected. The attackers know exactly how different anti-virus and similar products work and they craft their malware and attacks to not be detected by them.

Attackers come up with new ways of attacking a system; then the anti-virus vendor comes up with new signatures to identify those attacks, so the attackers come up with newer attack methods and the cycle continues. It is hard to stay in front of attackers when they are driving the bus on innovation.

Millions of computers are infected with programs called bots, which is short for robot. Once a computer is infected the attacker can do anything that the software bot is programmed to do:

  • Capture keystrokes as the user is typing
  • Siphon money while a user is carrying out on-line banking activities
  • Attack other computers
  • Take screen shots of what the user is working on
  • Turn on the webcam and watch and record the user
  • Mine the computer for passwords or credit card numbers

Another fallacy is to think you are not important or big enough to be a target. The largest targets for attackers right now are midsized and small companies. These companies do not commonly have a security staff and security technology and practices that the larger companies have. This level of company is currently the most under siege.

Is it going to get worse before it gets better?

Probably. Hacking has been taking place for years, but it has recently evolved to being more criminal in nature. Since more and more attacks are financially driven, the attackers have become more determined and organized.

The most precious asset to companies is their data, which is always in some type of digital format. If it is in a digital format, it is vulnerable.

There are several types of data that an organization may or may not be aware need to be protected. This data includes intellectual property, social security numbers, medical information, merger and acquisition plans, financial projections, pre-launch product specifications, credit card numbers, source code, marketing material, and more. Losing this information, either through loss or theft, can cause a company to be faced with lawsuits, regulatory penalties, loss of their customer base, Federal Trade Commission investigations, loss of brand and reputation, and even bankruptcy.

Organizations are getting better at identifying and locating their sensitive data and implementing controls where it resides—but they have a hard time following this sensitive data as it traverses their networks and others. Let’s say that you have sensitive data that is centrally located in a database with layers of controls. The operating system and database application are controlled, and you even have a host-based IDS installed on this system. Now your employees need this data to carry out their daily tasks, so they collect pieces and parts of this data and store it in PDF files and spreadsheets, e-mail it out to business partners, save it on their laptops so they can work on it at home, or copy it to a USB drive. Now you have your data spread out in several different places that are not under your control. Since they are not under your control, they are probably not protected—which makes it a lot easier for the adversary.

What should individuals and companies be doing to reduce their information security risks?

Awareness is the number one step. You cannot protect yourself from a threat if you don’t realize what it is and that it can happen to you.

Business owners and C-level executives should require their security technical staff to provide them with weekly reports that illustrate the organization’s current security posture. This should include the system and network vulnerabilities and associated risk scores for these vulnerabilities.

IT and security personnel should attend more than just one training session a year on what they need to know to protect their infrastructure. Employees should go through quarterly awareness training, instead of just annual training.

From a more technical view, every organization should do the following:

  • Develop a robust enterprise security architecture including policies, procedures and standards.
  • Identify the company’s most valuable assets so they know what has to be protected first.
  • Practice defense-in-depth, which means deploying layers of countermeasures instead of just relying upon one type of technology to protect the network.
  • Identify all the entry points attackers can use to penetrate the environment so that these holes can be plugged.
  • Carry out quarterly vulnerability assessments, penetration tests, and audit procedures to identify vulnerabilities in a timely manner.
  • Identify how data is leaking from the environment and implement Data Leakage Protection technologies.
  • Properly control the external devices that can be plugged into the network (smart phones, laptops, USB drives, wireless devices).
  • Carry out proper credential creation and protection.

Where are we going in the information security world?

We are currently working to automate our security products and tools in a standardized manner. The more security practices we can automate, the more we take out the human element—which is slow and error-prone.

We are advancing our technologies so that they can directly communicate to each other and create what is called a self-defending network. The networks will be able to react to threats and attacks in real time, versus the manual way we deal with attacks today.

While it is still 10 years down the road, we will be eventually obtaining situational awareness (SA) of our environments. Once our security tools are standardized and automated, we will be able to use them all in an orchestrated manner to view and understand our networks in a holistic manner.

SA is the understanding of complex environmental elements and their meaning in specific contexts, which allows for successful decision-making and projections of what is around the corner.

What role do you see your company playing in the upcoming future in your industry?

Currently my company is working with MITRE, NIST, DHS and the NSA on developing a book series and educational track that focuses on how our security tools and practices can take place through standard automated methods to create self-defending networks. Since attacks on systems and networks happen in real time, our protection against these threats must also take place in real time. Standardized automation is the foundational component for situational awareness.

Logical Security consults with some of the largest corporations and government agencies on how they can move their risk management efforts to more streamlined, efficient and effective methods. Logical Security provides consulting and education to help these entities carry out vulnerability assessments, enterprise security architectures, and enterprise-wide security programs.

While our adversaries advance in their techniques, we work with companies on not only how to defend against them—but stay ahead of them so that the attacks will either not cause extensive damage or not take place at all.
