The battle between IT professionals and those who use the Internet for destructive purposes is raging - and there's no end in sight. Reports of computer crime and incidents from the CERT Coordination Center at Carnegie Mellon University more than double each year and are expected to rise. Meanwhile, viruses and worms continue to take down organizations for days. In the following interview, I had the opportunity to talk with cyber security experts Ajay Gupta and Scott Laliberte about their latest book, Defend I.T.: Security by Example (Addison-Wesley, 0-321-19767-4). We discussed who is winning the cyber-security war and what some of the most overlooked security measures are. Read on for the rest of the story.

Tell me about your book.
Defend I.T. is a collection of case studies from our experiences in the field. These case studies are representative of the vast array of security consulting engagements we see in the computer security, forensics, and data privacy arena.

How is this book different from the vast majority of security books that are currently on the market?
It consists entirely of case studies, which is different. Topics range from war dialing, wireless security, computer viruses, computer forensics, HIPAA assessment, and social engineering. People tend to relate better and comprehend more when issues are presented as real-life examples.

Why did you write this book?
When writing Hack I.T., the single most consistent recommendation from our reviewers was for more case studies. We thought of writing a book strictly on case studies, and providing the entire view: what was in place before, the issue at hand, what was done in response, and what may have been done differently to avoid the situation.

Information security is a challenging area. Organizations face security issues every day, but due to the need for confidentiality around these issues they're reluctant to share lessons learned with their peers and other organizations. This book fills a need. We are providing the lessons learned in an anonymous fashion so readerscan benefit from our experience as well as the experience of other organizations.

How is it most relevant to the security community and/or Linux community?
Defend I.T. attempts to illustrate the breadth and scope of knowledge a security consultant should have - covering both the technical and soft skills necessary to be successful in the field.

As we stated earlier the book provides perspective and advice on real-life security issues many organizations are struggling with. Whether the OS is Linux or Windows-based, the issues are similar. The cases cover many OSs and issues your readers would be dealing with.

How can this book help my business/why should I buy it?
It allows businesses to learn from the mistakes - and successes - of other organizations' responses to (commonly occurring) security incidents.

It's apparent that security "incidents" are occurring all the time. Each day you can see a new headline highlighting the latest incident that has occurred. The CERT Coordination Center reported that for the year 2003 there were 138,000 incidents, a 68% increase in the number of incidents reported in 2002 (82,000 incidents) and over six times the 21,000 incidents reported in 2000.

Who has the upper hand these days, hackers or IT professionals? Who is winning the war?
That's a difficult question to answer. Awareness is going up and more organizations are starting to spend money to improve security. Often we're seeing organizations throwing money and software products at security problems without having the strategy, procedures, or expertise to properly and effectively use them. The security community has come a long way, but so have the attackers. The attacks are constantly evolving and respond to each improvement in security. It's too early to tell who's winning.

What are some of the most overlooked security measures?
Strategy and procedures - organizations throw money and security products at security problems without the proper planning or the expertise to best leverage their investment. Also, password strength (or the lack of strength in their passwords) continues to be overlooked.

Companies are getting better at updating their antivirus software and running virus scans on a daily basis; however, given the increasing frequency and severity of viruses, worms, Trojans, spyware, and malicious code, this is an area that demands constant vigilance. Related to this point, most companies allow HMTL-enabled e-mails onto their e-mail servers. Malicious code is often coded right into the HTML and simply opening the e-mail can execute and launch a virus. Firms may want to look at going to text-only e-mails for added security.

About Ajay Gupta and Scott Laliberte
Ajay Gupta, CISSP, founder, and president of Gsecurity, is an expert on cyber security, secure architecture, and information privacy. Gsecurity provides cyber security and data privacy services to federal, state, and local governments, as well as commercial clients in the educational, financial, and health-care sectors.

Scott Laliberte is one of the leaders of Protiviti's Global Information Security Practice. He has extensive experience in the areas of information systems security, network operations, incident response, and eCommerce.

Ajay and Scott are also coauthors of Hack I.T. - Security Through Penetration Testing (Addison-Wesley, 0-201-71956-8)