Interview with Billy Barron, co-author of “Maximum Security 4/e”
Who is Billy Barron? Introduce yourself to our readers.
I am a 15-year veteran of the computer industry. What’s unique about my background is that I’ve spent about half of my time as a system/network administrator and the other half as a developer. A good part of that development time has been working on security-related products for the system administration market. I feel that my system administration experience gives me a unique view into how to secure the products I develop.
I am currently an architect and developer at Avatier Corporation for cross-platform products. The special challenge of my work here is that we use .NET in the Windows world and Java elsewhere and must make them work in a compatible and secure manner.
On the side, I’ve been co-authoring and editing books for Sams Publishing for about the past 10 years. You’ll find my fingerprints on books on the Internet, Security, and Software Development.
How did you gain interest in computer security?
Back in the late 1980s, I was a system administrator in a University environment. I dealt with stopping student crackers on a regular basis while at the same time having friends who would break into computers but not do any damage. I had an early exposure to both sides of the security world. I remember having to disconnect our University from the Internet due to the Internet Worm back in 1988. All of these experiences got me interested in security.
What are your favorite security tools?
My favorite single tool is nmap. It is the ultimate tool in figuring out what types of machines are on a network and what services are enabled. On every single network I’ve audited with it, machines and/or services showed up that were not supposed to be there.
What operating system(s) do you use and why?
I use just about everything imaginable as I do cross-platform development. In the past month, I’ve worked on security software for seven different operating systems from Mainframes all the way down to Windows.
As far as my personal preferences go, Solaris is my first choice. It has the best balance between features, stability, performance and security of all Operating Systems.
How long did it take you to complete your work on “Maximum Security 4/e” and what was it like?
From start to finish, it took about 6 months. I’ve worked on every edition of this book as either a technical editor or co-author. What was challenging about this edition was that I was revising material on many different topics to stay up with the latest trends. I spent quite a bit of time thinking about terrorism and its impact on computer security. You’ll find that discussion in this new edition.
What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?
The biggest challenge in my mind is one that is almost never discussed. Often the easiest way for crackers to gain access to sensitive information is to call up the help desk and convince the staff that they are a valid user. Then the cracker gets the help desk to either reset the password or give out other sensitive information that they shouldn’t have.
I’ve been working on a product called Password Station.NET, which is designed to address this challenge. It takes password reset out of the hands of the help desk and requires the end user to answer some personal questions.
However, a product cannot solve 100% of the problems. All help desks need to have carefully thought out procedures for correctly identifying their users to avoid this problem.
What’s your take on the full disclosure of vulnerabilities?
Unlike most security people, this is an issue that I really don’t get worked up about. I see both sides of the argument and think that people who think they are going to get everybody handling disclosure the way that they want are kidding themselves. My view is that vendors should do what they feel is right while being prepared for somebody to air their dirt on the Internet without warning. If customers do not like a vendor’s disclosure policy, they should spend their money with someone else.
What are your future plans? Any exciting new projects?
My plans right now are to continue expanding the Password Station.NET product to more and more systems. My newest project is a suite of new products called 1Touch Admin that will be released by Avatier Corporation. The purpose of the new products is to securely create, modify, enable, disable and remove computer accounts on a cross-platform basis. HIPAA has made the ability to do this quickly critical in the health-care industry.
The existing user provisioning products on the market each have their problems. Many of them take weeks to install, do some operations in an insecure manner (such as not encrypting network traffic), or do not allow the delegation of provisioning authority. 1Touch Admin will take minutes to install, will encrypt all traffic across the network, and will allow the delegation of authority while having an easy-to-use web front-end.