Eric Cole, who has worked with the SANS Institute for 13 years, offers his unique perspective on computer security -- with an emphasis on common-sense segmentation

Years ago I enrolled in one of the best classes on computer security I’ve ever taken. It was given by the SANS Institute and taught by Eric Cole. What made the class so good was that it covered data and program segmentation, a topic he continues to evangelize to this day.

That class applied the segmentation idea to Microsoft’s Internet Information Services and discussed how data of different types and risk categories should be stored in separate folders with separate security permissions. Most Web programmers put all the files for a particular website under one main folder. Cole taught that it makes more security sense to create folders based on security classifications and to place each piece of content into the folder that matches its classification.

It made so much sense that it was earth-shaking. I’ve never encountered those recommendations in any other Web programming class, even though they are a common-sense application of the principle of least privilege. I took a few more classes from Cole over the years, bought his books, and followed his career as he earned a Ph.D. and became founder and chief scientist at Secure Anchor Consulting.

It’s taken me a while, but I felt it was finally time to interview Cole, who has been with SANS for 13 years and still serves as an instructor. He also consults for clients, focusing on improving network architectures so they can defend against advanced threats. We began by talking about his work with clients to turn products into solutions that focus on the right areas to stop attackers.

Roger A. Grimes: Where are you focusing in your work with clients?

Eric Cole: Better segmentation. End-user systems are segmented from the critical data. Most networks are fairly flat, so when a computer gets compromised the threat can easily spread. The external threat is the source of a lot of problems, but the cause of the compromise is the incidental/accidental insider.

The client systems are the new DMZ. We need to separate the client systems from the data. That way the amount of damage they can do is minimized. The key goal is inbound prevention and outbound detection.

Grimes: How much of a role does end-user education play?

Cole: End-user education is a good thing. End-user awareness is necessary. But awareness is only part of the solution.

You need to set up your users for success because some of the phishing emails are so good that it’s hard for anyone to figure out if it’s real or not. At the same time, you want to educate — you don’t want to inhibit an employee from doing their legitimate job. If you tell them not to click on entire classes of content, you’ll block too much good stuff as well.

Grimes: Please give an example.

Cole: We educate about phishing emails containing [malformed] PDF files. But if you tell an end-user not to open any PDF file, you’re creating a barrier in their legitimate work. Instead, let them open PDFs, but put mechanisms in place that strip the executable content out of the messages. We go further and recommend that the most dangerous applications, like browsers and email programs, be separated from the company’s data, usually by virtual machines.

Grimes: How do you normally do that?

Cole: With Macs, I do it with VMware’s Fusion. Windows 7 is a little tougher to do right, but with Windows 8 and its built-in hypervisor capability, it’s a lot easier to do. Essentially, we want to run high-risk programs in their own virtual machines and not even let the end-user be aware that it’s doing so.

Grimes: I understand what you’re doing here. But I’ve written many times over the years about the long-term viability of security sandboxes and what is known as the red/green computing paradigm, where the trusted stuff runs in the “green” part of the computer and the untrusted and high-risk stuff runs in the “red” part of the computer. I haven’t seen any evidence that red/green computing works, especially if you look at history. If it became popular it would be hacked.

Cole: I agree. Whatever becomes popular is always hacked. But by separating not just the programs but the data, we gain additional security protections. We want to use virtual machines and network segmentation so that even if the client computer is compromised, there is very little to compromise on the computer. The data is located somewhere else. And even if the hacker tries, they’ll have a hard time getting to that data.

Right now the world’s companies are full of flat networks, where if one computer is compromised then the hacker can easily move throughout the company. That sort of planning and thinking isn’t working.

Grimes: You’ve been a longtime instructor. What general recommendation would you give to a budding security professional?

Cole: Get a good foundational knowledge of the core components of computer security. You don’t have to be a Cisco expert, but you have to have a base knowledge of routers, switches, and networks. You have to know how operating systems work.

This is how doctors are trained. You may eventually be a cardiologist, but all doctors start out with general knowledge from their first years of med school. After you have the foundations, then decide on an area of specialty, with the two main categories being offense and defense.

Grimes: Sounds like great advice from someone who has been working in the trenches and educating students for over a decade. Thanks for sharing your time with me and with my readers today. And continue to fight the good fight.

This story, “Eric Cole: Interview with a remarkable security guru,” was originally published at InfoWorld.com.
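Cole’s answer about PDF phishing calls for a gateway that lets users open PDFs while stripping the executable content out. The scanner below is an added example, not code from the article, from Cole or from SANS: it flags the PDF name objects that introduce active content so a mail gateway can quarantine or sanitize the attachment, and it normalizes the #xx hex escapes the PDF format allows in names so an escaped name does not slip past a plain string match. It assumes the objects are uncompressed; names inside compressed object streams would need the streams inflated first, which is left out here.

```python
import re

# PDF name objects that introduce active content (list chosen for this example):
# /JavaScript and /JS carry script, /OpenAction and /AA fire actions
# automatically, /Launch starts an external program, /EmbeddedFile carries a file.
ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}

# A PDF name token: a slash followed by regular characters, possibly with #xx escapes.
_NAME_RE = re.compile(rb"/[A-Za-z0-9#._-]+")


def _decode_name(raw: bytes) -> str:
    # PDF names may encode any character as #xx (so /Java#53cript is /JavaScript);
    # decode the escapes so the comparison sees the real name.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_active_content(pdf: bytes) -> dict:
    """Return {name: count} for every active-content name in the PDF bytes.
    Only plain (uncompressed) objects are inspected."""
    hits = {}
    for match in _NAME_RE.finditer(pdf):
        name = _decode_name(match.group(0))
        if name in ACTIVE_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


def is_safe_to_open(pdf: bytes) -> bool:
    """True when no active-content name was found; otherwise the gateway should quarantine."""
    return not find_active_content(pdf)


# Constructed sample (not a real attachment): a minimal PDF whose catalog runs a
# harmless alert on open, with the /JavaScript name partly hex-escaped.
SAMPLE_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed sample: the same skeleton with no actions at all.
SAMPLE_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    print(find_active_content(SAMPLE_MALICIOUS))  # {'/OpenAction': 1, '/JavaScript': 1, '/JS': 1}
    print(is_safe_to_open(SAMPLE_CLEAN))          # True
```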