Grimes: Please give an example.
Cole: We educate about phishing emails containing [malformed] PDF files. But if you tell an end-user not to open any PDF file, you're creating a barrier in their legitimate work. Instead, let them open PDFs, but put mechanisms in place that strip the executable content out of the messages. We go further and recommend that the most dangerous applications, like browsers and email programs, be separated from the company's data, usually by virtual machines.
Grimes: How do you normally do that?
Cole: With Macs, I do it with VMware's Fusion. Windows 7 is a little tougher to do right, but with Windows 8 and its built-in hypervisor capability, it's a lot easier to do. Essentially, we want to run high-risk programs in their own virtual machines and not even let the end-user be aware that it's doing so.
Grimes: I understand what you're doing here. But I've written many times over the years about the long-term viability of security sandboxes and what is known as the red/green computing paradigm, where the trusted stuff runs in the "green" part of the computer and the untrusted and high-risk stuff runs in the "red" part of the computer. I haven't seen any evidence that red/green computing works, especially if you look at history. If it became popular it would be hacked.
Cole: I agree. Whatever becomes popular is always hacked. But by separating not just the programs, but the data, we gain additional security protections. We want to use virtual machines and network segmentation so that even if the client computer is compromised, there is very little to compromise on the computer. The data is located somewhere else. And even if the hacker tries, they'll have a hard time getting to that data.
Right now the world's companies are full of flat networks, where if one computer is compromised then the hacker can easily move throughout the company. That sort of planning and thinking isn't working.
Grimes: You've been a longtime instructor. What general recommendation would you give to a budding security professional?
Cole: Get a good foundational knowledge of the core components of computer security. You don't have to be a Cisco expert, but you have to have a base knowledge of routers, switches, and networks. You have to know how operating systems work.
This is how doctors are trained. You may eventually be a cardiologist, but all doctors start out with general knowledge from their first years of med school. After you have the foundations, then decide on an area of specialty, with the two main categories being offense and defense.
Grimes: Sounds like great advice from someone who has been working in the trenches and educating students for over a decade. Thanks for sharing your time with me and with my readers today. And continue to fight the good fight.
This story, "Eric Cole: Interview with a remarkable security guru," was originally published at InfoWorld.com.