SOURCE Spotlight: Lenny Zeltser
Today, SOURCE is talking with Lenny Zeltser. Lenny Zeltser leads a security consulting team at Savvis. He is also a Board of Directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and private summits, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
SOURCE: How did you get into the field of security?
Zeltser: After earning a computer science degree, I wasn’t sure which of my IT interests I should pursue professionally. So I did some system administration, some network management, some software development... These tasks intersected at information security. It was the focal point of what I found most engaging about my projects. I’ve been pursuing information security ever since, with a slight detour to study business administration.
SOURCE: What are your favorite security related information sources (blogs, websites, etc)?
Zeltser: I’m active in the SANS Institute community, and have found its Reading Room a useful and diverse source of security references: http://www.sans.org/reading_
I am a fan of the daily security diaries my fellow incident handlers publish on the Internet Storm Center site: http://isc.sans.org/
I also enjoy the security management coverage provided by CSO Online: http://www.csoonline.com/
I follow a lot of security blogs, too many to list here. My favorites include:
GnuCitizen for pushing people’s assumptions about Web security: http://www.gnucitizen.org/
TaoSecurity for providing thoughtful commentary and advice on managing secure infrastructure: http://taosecurity.blogspot.
Websense Security Labs for including lots of details about their malware research: http://websense.com/
RaDaJo for offering technical and relevant perspectives on many aspects of information security: http://radajo.blogspot.com/
When I get the chance, I tune into security podcasts, such as PaulDotCom: http://www.pauldotcom.com/ and AudioParasitics: http://podcasts.mcafee.com/
Lately, I’ve been increasingly using Twitter as a source of security information and discussions. (I’m there as “lennyzeltser”: http://twitter.com/
SOURCE: What security-related topics are you most interested in and why?
Zeltser: I’ve been exploring the world of malicious software for a while, and continue to be fascinated by malware inner-workings and by the role it plays in attacks. For instance, consider what we know about the recent credit card breaches. Malware was integral to the intruders’ ability to maintain presence on the compromised infrastructure and to funnel data out of it. I teach a malware analysis course to help IT and security professionals understand how malware works and how to defend against it: http://www.zeltser.com/
A more recent interest of mine is the organizational dynamics that prevent teams from being proactive about most decisions, including security. I’ve been thinking about what advice I can offer without expecting the listener to spend a lot of time preparing for a security incident or planning with a long-term perspective in mind. This led me to create several “cheat sheets” that offer tactical security tips: http://www.zeltser.com/cheat-
SOURCE: What are the biggest challenges facing the security industry?
Zeltser: The challenges I perceive echo the interests I mentioned in the previous answer.
I’m concerned about the complexities of modern malware, which are the result of its authors’ significant time and monetary investments. As data becomes more valuable, the return on such investment becomes clear. Of course, the defenders are not keeping still. We find ourselves in an arms race with attackers, which is a risky and stressful situation.
Secondly, I worry that the advice security professionals offer is often unrealistic, because it expects organizations to be proactive about security. For example, it’s easy to say “Keep your security patches up to date,” but how do you protect an environment that’s guaranteed to be behind on patches? I hope security professionals, including myself, can develop a more practical perspective on security controls.
SOURCE: What projects are you working on currently?
Zeltser: In addition to the efforts I mentioned earlier, I’m getting to know Web Application Firewall (WAF) technologies. It’s wonderful to see the new generation of tools for protecting web applications, because they are easier to deploy and are much faster than traditional reverse proxies. Many products in this space are designed to be deployed in a production environment with minimal impact, which is the kind of real-world, practical approach we need.
SOURCE: What do you hope the top lessons learned from your session at SOURCE Boston will be?
Zeltser: As much as I’d like all companies to put thought and effort into planning their incident response steps, I understand that few will do so. As a result, many are caught by surprise when they encounter a security incident. My talk focuses on gaining control over a situation, even if the incident was unexpected. In this light, I’ll discuss the questions an individual should ask when responding to a security incident.
Upcoming Events
SOURCE Barcelona 2010
September 21-22, 2010
Museu Nacional D’art de Catalunya, Barcelona, Spain
CFP Status: Closed
SOURCE Boston 2011
April 20-22, 2011
Seaport Hotel, Boston, MA
CFP Status: Opens Oct 15
SOURCE Seattle 2011
June 16-17, 2011
Maritime Event Center
CFP Status: Opens Dec 1
