Interview. Rebecca Herold, internationally recognized specialist

Written by  Monday, 09 June 2014 21:07

She was selected as one of the most influential security experts of 2007 and among the Top 25 privacy advisors.


Her knowledge of risk assessment, gap analysis, policy content development, awareness, and development and implementation strategies, among the most outstanding aspects of her professional experience, makes her one of the most specialized voices to consult on the different matters inherent to security and privacy.

A list of her publications and her complete career history are available at: http://www.rebeccaherold.com/


Revista Sistemas: In your opinion, what changes have occurred in the past with regard to hacking? What is the profile of the hacker today? What are the motives that motivate their actions in today's society?

REBECCA HEROLD: Hacking has changed dramatically over the years.  It started out basically as an activity for someone who was intellectually curious, just trying to figure out how a software program or hardware system works. Today there are many different types of hackers, with many different types of motives. Here are just a few:

1. Malicious hackers who want to generally cause harm and destruction.

2. Those who want to hack other systems secretly, just to see if they can, as a personal challenge.

3. Hacking to notify as many people as possible of their thoughts, such as against a business or product, and/or to show their expertise and get attention.

4. Hacking to steal information, which they can then sell, use for extortion, etc.

5. Hacking to discredit a business or other type of organization, and to damage public trust in a business or organization.

6. Hacking to impersonate others, to make posts that look like they were done by others, such as politicians, celebrities, classmates, etc.

7. Hacking to make a political or activist statement, such as Anonymous and LulzSec have done.

8. Ethical hacking to find vulnerabilities and then fix them.

9. Hacking to destroy or bring down an enemy's computer network and/or systems as part of warfare.

There are more, but these are arguably the most common.


RS: Many enterprises have worked and are working in pursuit of an organizational information security culture, according to the environment surrounding the individual in today's society. In this sense, could you specify actions to serve as references in this direction?

RH: Regular training and ongoing awareness communications are needed. So are formally assigned responsibilities for information security and privacy. I’ve also seen organizations include consideration of how well personnel address security and privacy protections within their annual appraisals; this has been particularly effective.

And, of course, having documented policies, procedures and standards that are consistently enforced throughout the organization.


RS: Which strategies do you suggest so that managers and organizations will be aware of the risks of hacking and act accordingly?

RH: Strategies for managers and organizations to be aware of hacking risk?

Here are some that have proven effective for organizations:

1. Use intrusion detection and prevention systems.

2. Stay aware of the hacking activities going on elsewhere.

3. Implement a process to regularly test and deploy system, application and hardware updates, especially security updates.

4. Ensure the software used on all endpoints (e.g., laptops, smartphones, tablets, wearables, desktops, etc.) and servers is updated.

5. Use security software throughout the entire organization. It should also be configured to detect and prevent phases of an attack, as well as observe indicators over the network, on disk, and in memory.

6. Processes and standard operating procedures (SOPs) should be built with security in mind. This applies not just to employees, but to business partners, contractors and customers as well. These should include methods of hacking detection.

7. Investigate any anomalous network and system behavior. Attacks are known to begin with reconnaissance, and such suspicious activities may be the first sign of an attack.

8. Continuously plan or review your incident response procedures with all necessary parties, not just IT, but also all other key stakeholders, such as business unit contacts, physical security areas, HR, etc.


RS: Are the messages of those responsible for information security in organizations more focused on security than on business needs?

RH: I’ve found that emphasizing how information security practices can support business, keep it going, and protect the business’s reputation and maintain customer trust accomplishes more widely accepted and adopted security practices by all personnel throughout an organization. This results in more effective information security.


RS: There is an absence of innovation in managing unknown risks in the organizational context. Do you agree? Why? What suggestions can you make about it?

RH: I agree we need to evolve our risk management methods to keep up with new technologies as they evolve. Too many organizations insist upon continuing to use the same risk management in general, and risk assessment/analysis methods in particular, that they’ve been using for the past 5, 10, and more years. However, technologies are evolving by leaps and bounds. This requires risk management to also evolve in a similarly exponential manner.


RS: Which are the modern trends to face new hacking techniques?

RH: The devices, new, emerging and future, that are involved in the “Internet of Things”. Wearables are of particular concern, as well as smart appliances. But we also need to continue to address the tried and true hacking techniques; criminals and malicious folks will also continue to use what is working. Social engineering will always be a problem that continues to work for hacking.


RS: The rise of the Internet of Things: as calculated by the IEEE, in 2020 there will be 50 billion devices connected to the web, along with the presence of IP sensors that will monitor cities and handle the automation of countries' technological infrastructure. How will this jeopardize the functioning of businesses, communities, regions and countries, and even more our lives? Can you give some insights about the risks that these new technologies could bring against information security and privacy?

RH: This creates a very real concern. I’ve been leading the U.S. National Institute of Standards and Technology (NIST) Smart Grid Privacy group since 2009, and the smart appliances, smart meters, and all other smart devices that will be connected with each other bring with them more additional security and privacy risks than we’ve ever seen before. I will be covering a wide range of these issues at the June event, along with ways in which security and privacy controls and protections can be built into these new types of IoT devices.


RS: The defense sector of the countries stated that the battlefield is no longer just land, sea and air and space but that cyberspace will be, or already is, a field in which future wars will develop. Do you have any reviews with respect to the subjects of Cyber security and Cyber defense in the nations of the world?

RH: Indeed, there will be some significant use of cyber during warfare, in ways far beyond what is current, and in ways that have not even been imagined yet.


There have been several reports released in recent months on various cybersecurity topics and how they relate to national defense. Here are some you may find of interest:

· DARPA Innovations Advance National Security

· Britain, Israel Agree to Finance Joint Cyber Defense Research

· U.S. Must Crack Down on China's Cyber Threats

· Colombia developing new national cyber security, cyber defense policy

· Hacks on Gas (and the Grid): Cybersecurity, Energy and National Defense


You can also see the latest draft NISTIR 7628 Rev. 1 reports on smart grid cybersecurity and privacy at: http://csrc.nist.gov/publications/PubsNISTIRs.html

While there are no specific links described to warfare, the discussion should reveal the warfare implications to readers.


RS: Social engineering is one of the most used "hacking techniques" in which people are involved; this suggests that, before the moral laws and regulatory affairs, ethics is behind all this. What is your opinion on the influence of ethics in information security processes? Is there any way to make it a matter of citizen behavior?

RH: Ethics plays a huge factor in information security, especially considering the insider threat. When you provide individuals with authorization to access sensitive, and quite valuable, data which they could possibly sell to others for huge profits, ethics must be present to help them make the right decisions.


Organizations need to cover ethics within their training and awareness content. Schools need to teach ethics as part of their curriculum.  My sons have gone to Montessori style schools since they’ve been going to school, and respect and ethics have been a major aspect of that curriculum. Even though we need to include more high-tech and information security content in our curriculum, we cannot remove those ethics lessons in the process of doing so.


FYI, here is an article I wrote on computer ethics you may find useful: http://www.infosectoday.com/Articles/Intro_Computer_Ethics.htm


RS: With cloud applications there is a danger that, once the IT security perimeter is breached, the software could be affected because of absent secure coding practices. This can occur because information security experts are not always experts in software. What is your opinion about this situation?

RH: Coding mistakes and oversights have been a problem ever since there has been programming. And it can occur to the most brilliant of programmers. Just look at the OpenSSL programming error from the beginning of this year (http://privacyguidance.com/blog/would-a-proprietary-openssl-have-been-more-secure-than-open-source/) that continues to cause problems and concerns. So certainly having folks coding who are not security experts, and security experts who are not software programmers, leaves gaps in knowledge and understanding, which leads to unsecure software code. This is a problem with any type of software, not just cloud-based.


Because of the importance, information security and privacy controls must be engineered into all types of software applications; cloud-based, but also those that are back-office, used on mobile devices, within social media sites, etc. Otherwise information security controls will be ineffective or lacking, and personal information will not be protected in ways that protect privacy. It is important for those who are going into software engineering and coding to have more than just a high-level information and security class. Such controls are so important that programmers should have an in-depth knowledge of how to build security controls as a part of their core competencies. Any programming curriculum needs to include at least three (introduction, basics, advanced concepts) or more (additional specialties, such as cloud, mobile, wearables, IoT, etc.) classes that focus on information security and privacy.

Read 8426 times. Last modified Sunday, 15 June 2014 20:50
