not be the same as the time it's announced publicly--to when the exploit is available. And this is the one that is shrinking. A zero-day exploit is when the exploit arrives before the vulnerability is even announced.
It used to be that the patch beat the exploit. The time difference between the two has shrunk substantially. And now in many cases, you're lucky if the patch actually beats the exploit, let alone the time it takes to apply the patch which, in an enterprise, can be considerable.
Personally, what are you most worried about? Not knowing what all the vulnerabilities are, or not being able to come up with a patch before the exploit is available?
Mather: No, my worry is actually something different. My worry is there'll be a sophisticated attack that combines different attack methods. Keep in mind that we, the security professionals, have for years preached defense in depth. And the whole idea of that is to buy time so that if something gets through one layer of defense, you're not completely wide open at that point. Something else will slow it or stop it, to buy you time until you can maybe apply a patch, for instance.
But if you get a combination attack, a one-two punch, that effectively gets through your defense, then your enterprise just got KOed (knocked out). That's my worry. It takes some sophistication to do, some coordination to actually pull something like that off. But that's coming.
Take worms, for example, which are no longer being used simply as worms. They're now used to spread into SMTP engines, which are then used to send spam. Think about this for a moment. Worms being
In a perverse way, it actually shows some kind of business sense from the hackers. If I'm a spammer, I no longer have to worry about opening a Hotmail account and trying to jam 10 million e-mail messages through that account before Microsoft shuts me down. Now, I can walk over to a hacker, get him to write a virus that compromises 15,000 systems worldwide and use each of these compromised systems to send 1,000 e-mail messages an hour a day. Not only that, because it's compromised and I now own it or rent it from the virus writer, I can use it again and again. That's a perfect example of increasing sophistication in attacks.
Are you worried because there isn't a solution to this yet, or that it might just get too good or sophisticated?
Mather: I'm worried because I don't know what I don't know. I'm also worried because, due to the chair that I sit in, we're quite the target. We get huge amounts of electronic trash thrown at us just because of who we are.
Just how much trash would that be exactly?
Mather: The last time I checked, we stopped counting at 2,001 (attacks a day). Today, not all of those are highly sophisticated. A lot of those, quite honestly, are pretty unsophisticated, probably from some so-called script kiddies firing off a script at us. But it's enough for the logs and sensors to record it, and enough for there to be an alert on it. It's not so much that I'm going to act on, but it's more than just an event.
But some of them, we looked at and thought: 'Wow, that's interesting. This guy got pretty close. Think about what would have happened if this was changed to that--that probably would have worked.' That gets scary.
And sometimes you don't see it again, because they don't realize how close they are. Other times, it shows up again. We can see this happening, and it's not just us, various other sensing networks out there also see that. Virus writers will try a version of a virus and put it out there. At first try, it might not go anywhere nor spread very rapidly. Three weeks later, it's back as a new and improved version and one that spreads. They've corrected a problem, and they're getting better. That's not an unusual scenario at all.
What do you have in mind that could possibly fend off these so-called combination attacks? Is awareness the best defense?
Mather: Awareness is one, but defense in depth is what you have to do.
So really, how do you sleep at night?
Mather: Well, there's only so much you can do.
Will you hire hackers to join your team? You know, so you can get them off the streets?
Mather: No, absolutely not, absolutely not. Wouldn't even touch them with a 10-foot pole.
You don't think you can change them?
Mather: No, not even going there. Couldn't care less. Just get out of here. Not even the smart ones...not even going to talk to them. That's not the type of people we want. And this idea that they've reformed themselves--I don't buy it, not in the least.
Hackers will be hackers?
Mather: Yes, I think so, yes. There's not a whole lot of good talent out there, but honestly, I find no reason to hire those people. There's talent if you look for it, even though it may be expensive sometimes because, to be honest, there's not enough to go around.
Eileen Yu of CNETAsia reported from Singapore.