Tim Pierson is an industry leader in both IT security and virtualization. He has been a technical trainer for the past 27 years and is one of the world’s leading trainers in technology, networks, virtualization and application security, with credentials including ongoing selection to author training courses and manuals for global corporations.
He has authored books for CompTIA and VMware, among others. He has been a keynote speaker at many industry events such as Novell’s BrainShare, Innotech, InfoSec World, GISSA and Hacker Halted, and at many military venues including the Pentagon and numerous nuclear facilities, addressing security both in the US and Europe. He was recently in Nigeria and themaiguard caught up with him. In this interview, Tim bares his mind on IT security issues in Nigeria, cloud computing security, Nigerian Internet scams and much more.
themaiguard: Why are you in Nigeria?
Tim: I’m in Nigeria to teach the Ethical Hacking class and adopt the partnership with New Horizons Nigeria, and I am bringing various advanced training to the Nigerian people. My mission here is not only to train but also to consult. So it turns out that a lot of times in my classes I prove my capabilities, and oftentimes I am asked to go and do consulting for various companies.
themaiguard: How has the experience been for you in Nigeria?
Tim: I was actually very impressively surprised. Nigerian people are extremely warm, wonderful people, always trying to help. I tell the joke to my friends that whenever I’m going somewhere, people say “Oh, let me help carry your bag” when I’m here in Nigeria. I got so used to that that when I went back home, I asked my wife, “Could you get the bag out of my car?” and she said, “Get it yourself!” Hmmm, well, I guess I’m home. So it’s always really nice to come back to Nigeria because people are very helpful, they are always trying to help. So I really enjoy coming back.
themaiguard: Why are you teaching Nigerians how to hack computers; how do you ensure such knowledge is not abused?
Tim: That’s a very good question. In my class I oftentimes relate stories about my mum. My mum is 85 years old and she asked me what I teach; she wanted to know exactly what I deal with. I told her, “Mum, I teach people how to break into computers,” and I got the kind of response you should expect from an 85-year-old. She said, “Good God! What are you doing that for?” Well, I explained to her, “Mum, how can I possibly show you how to protect your home if I don’t first show you how the burglar breaks into it?” It’s absolutely impossible. If you do not arm the individual trying to protect their own computer systems with the same knowledge the hackers have to do you harm, you cannot possibly protect yourself.
Now the second part of your question is how do I ensure the knowledge is not abused? There’s a confidentiality agreement signed by all students who take this class that they won’t use this for harm, and if they do use it for harm, New Horizons Nigeria is not held responsible. Now this may sound like passing the buck, but there is no other way for us to educate the individuals who have to protect themselves. Has there ever been a time that the information I’ve taught has been used for harm? Not that I know of, but I can’t say that there has and I can’t say that there hasn’t.
themaiguard: Have your business systems ever been hacked? If yes what lessons did you learn?
Tim: Yes, actually it has. A lot of times, if you advertise yourself as one of the world’s best hackers, people are gonna come and say “let’s just see” and they are gonna attempt to do you harm. I had a good friend, Joe McCray, and I was in Baltimore with him teaching one time. I had to run his class for him for a couple of days, because somebody broke in and took his whole site down, and he depends on that for his livelihood. So yes, that has happened to me. I’m human like anyone else and I make mistakes, but I try not to. But of course things happen; that has happened to me before as well.
You always learn a lesson. Whenever something happens, that’s how we go through life learning a lesson. And that’s the reason that somebody with lots of experience is paid for, because they have those life lessons.
themaiguard: What is your assessment of the IT security market in Nigeria?
Tim: That’s kind of a loaded question because it just depends on the type of business. The banking industry is extremely secure, much more secure than I’ve seen anywhere else. Every business has problems, and the banking business in Nigeria, using that as an example, is no different. They have problems as well. But by and large, the ones that deal with money, especially in a country where there may be considered to be a lot of fraud, must have their guard up all the time. And so they are on a heightened sense of awareness. In other countries that may not be the norm, because punishments for those types of offense could be catastrophic. I can’t comment on what the punishment is here in Nigeria because I don’t know. But I do know that there’s a huge amount of money that is spent on the business, especially in the banking industry. Any business that deals with money, or the high-profile business, needs to be protected more than anything else.
themaiguard: How best do you think Nigeria can tackle the challenge of Internet scam?
Tim: I can say this literally in two words – extradition treaty. Nigeria currently has no extradition treaty with most countries, including the US. So if I am able to, without doubt, basically single out an individual in Nigeria that has defrauded an individual in the US, I can do nothing. I can basically say to the person “shame on you” and that’s about all I can do; I have no recourse whatsoever. So if a person knows they can’t get caught, the chances are that they are going to attempt that type of crime again. So I think that Nigeria will come a long way if they were holding people accountable, and it doesn’t just hurt the bad guys in Nigeria, and I understand they (the bad guys) are very few people, and it hurts the whole nation because my interpretation of the nation is that they are very warm and very wonderful people. Although there are a few (bad guys) that are hurting the very many. And if those individuals are held accountable, then we can send a message that will go a long way for Nigeria’s reputation in the world as a whole.
themaiguard: What is your assessment of security in the cloud especially in the light of the recent revelations by Edward Snowden?
Tim: First of all, you need to understand Edward Snowden didn’t steal things from the cloud; Snowden stole things from the U.S. government. The U.S. government, I doubt, will ever put things in the cloud because of security risk, and that’s not to say that the cloud is insecure. I always tell individuals that use the cloud to use an acronym called PIE, which stands for Pre-Internet Encryption. If I encrypt something using AES 256-bit encryption, store it in the cloud, and decrypt it on the way out, there is no way that my information will be insecure in the cloud. Well, that’s great if I’m using the cloud for storage, but if I need to process my information while it’s in the cloud, I’m going to have to give the cloud provider that key so he can decrypt it and neutralize it.
Therein lies the problem of cloud security. Cloud security is all about trust: who we decide to trust and who that person is going to trust. In addition to that, it’s also about jurisdiction, because if the information that’s stored in a server is on another country’s soil, then that other country has access to it. I guarantee you the US government will never ever knowingly store a copy of their secure or top-secret government document with another country’s cloud server. It will never happen, unless they are using this PIE, that is, Pre-Internet Encryption; that way they can guarantee it. And most cloud providers, the way that they provide fault tolerance is by replicating multiple images, so we store a copy of the image in one location, a copy of it in another location and a copy of it in a third location. It is said if you have at least three images, at least two of them be in a different location in your secure provided for yourself backup. The top cloud providers will provide you an SLA that says I am replicating your storage to XYZ. You as a company have to ensure that it is on your soil, if that is the jurisdiction that you want it to be veered to. So the cloud is only as secure as the person makes it and as the SLA agreed to.
themaiguard: What is your advice for young and aspiring IT security professionals in Nigeria?
Tim: It depends on where they want to go. If they want to become a professional pen tester like myself, it all boils down to education. Find a mentor, find somebody who is a professional, and ride their coattails, and when I say that I mean you have to almost become their right-hand person: “What can I do for you today?” If you make their life easier by helping them do things like documentation, helping them do things to simply lighten their loads, they will remember that, they will help you. That’s how I started out. I started out by helping high-profile individuals do their documentation and I worked my way into the industry that way.