JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.
Article originally posted on the Infoworld website. 
Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!
 
Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?

Finding bugs in products doesn't work that way. Every product that Microsoft codes goes under dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything. New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detecting.
 
 
Here's a good example. Years ago someone discovered they could buffer-overflow the HTML color attribute field located on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.
 
Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?

The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. Because as long as their digital-code signing cert wasn't compromised or the machine the code was signed on wasn't compromised, at least you can say that the code the developer signed was what they signed when they signed it. But the truth is you really don't know.
 
It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.
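Added example, not from the article or its author: a PowerShell check that applies the point made in the answer to Question 2, namely that a valid code signature proves only that a file is unchanged since the holder of that certificate signed it, and that trust in the publisher is a separate decision. The function name, the placeholder file path and the publisher allow-list are assumptions.

```powershell
# Added example, not from the article: report what a downloaded file's
# Authenticode signature does and does not tell you. "Valid" means the file
# is unchanged since the holder of that certificate signed it, nothing more.
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional allow-list of signer subjects you have already decided to
        # trust (publisher trust is your decision, not the signature's).
        [string[]]$ExpectedSubjects = @()
    )
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate          # $null when the file is unsigned
    $subject = if ($cert) { $cert.Subject } else { $null }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($ExpectedSubjects.Count -eq 0 -or $ExpectedSubjects -contains $subject) {
                'intact and signed; trust now depends on whether you trust this publisher'
            } else { 'valid signature, but not the publisher you expected' }
        }
        'NotSigned'    { 'unsigned: nothing to verify, trust rests on the download channel alone' }
        'HashMismatch' { 'content changed after signing: do not run' }
        'NotTrusted'   { 'signed, but the certificate chain is not trusted on this machine' }
        default        { "signature problem ($($sig.Status)): treat as unverified" }
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        # SHA-256 lets you compare against a hash the vendor publishes out of band
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Verdict    = $verdict
    }
}

# Placeholder path and subject (hypothetical); replace with the file you downloaded.
Test-DownloadSignature -Path 'C:\Users\Me\Downloads\setup.exe' `
    -ExpectedSubjects 'CN=Example Vendor, O=Example Vendor Inc'
```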
 
Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points of "security through obscurity." If these things work, then why would the IT Industry be so quick to discount them?
 
People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."
 
The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself. Stay skeptical.

Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.
 
Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?

Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.
 
Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?

Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.
 
The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.
 
You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.
 
Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.
 
Question 7: I read that no matter how long or complex your password is, it can be broken by a pass-the-hash attack. True?

In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?
 
That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.
 
PtH attacks are a valid concern, but if they went away completely (Windows Server 2012 R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because the sky is the limit and there is no defense.
Question 8: Is the NSA leaker a hero or a traitor?

He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.
 
Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, are names of programs and perhaps some individual exploits.
 
That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.
 
Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?

Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.
 
Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.
 
Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?

I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.
 
Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of as "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.
 
Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.
 
I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.
  
Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?

I never recommend a particular product. They are all fairly accurate, and they all fail miserably on a daily basis. Don't believe any of the "accuracy tests" you read. It's not that the tests are inaccurate, it's that they often set specific parameters that (accidentally or otherwise) benefit particular products.
 
I've been in the AV field since 1987. Accuracy goes up and down on every product over time. Just pick one that is reasonably accurate and one that doesn't kill your system's performance. You should run AV, but remember that 99 percent of all successful exploits are caused by unpatched software.
 
Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?

It can be hard, especially if your computer has been hit with a rootkit. AV is supposed to detect that sort of stuff, but it often misses it. I love to do two things to look for bot programs myself. First, I use the free utility Autoruns. It will show you everything that is running when your PC starts. It will be a hundred things. Research anything you don't recognize. When in doubt, uncheck the program and reboot. If it breaks something, run Autoruns again and recheck.
 
Second, download TCPView from Sysinternals. Close every program you think could possibly be communicating with the Internet. Then run TCPView. Research any programs or processes that are communicating with the Internet. Most of the time you'll see one or more things connecting to the Internet that you didn't know about. This is normal. Usually they are just legitimate programs connecting back to the vendor doing something the vendor programmed them to do. Research the destination connection points. If you can't figure out what the program is connecting to and whether it is legitimate, consider using Autoruns to disable it.
 
But the truth is that malware programs can be very difficult to discover and remove. When in doubt, back up all your data, reformat (or reset), and reinstall everything again. This is the only way to truly know that you are starting with a clean state.
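Added example, not from the article or Sysinternals: a PowerShell script that automates the two checks described in the answer to Question 12. It lists established connections with their owning process (the TCPView step) and the Run/RunOnce registry entries (a subset of what Autoruns enumerates), and flags image paths outside the Windows and Program Files directories as items to research. The function names and the trusted-root list are assumptions.

```powershell
# Added example, not from the article: mirrors the manual TCPView / Autoruns
# checks above. Needs Windows 8 / Server 2012 or later (Get-NetTCPConnection)
# and an elevated prompt so other users' process image paths are readable.

# Binaries outside these roots are worth researching, not automatically bad.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})

function Test-NeedsReview {
    param([string]$Path)
    $p = $Path.Trim('"')                  # Run-key values are often quoted
    if ($p -eq '') { return $true }       # unreadable path: flag it
    foreach ($root in $TrustedRoots) {
        if ($root -and $p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

# 1) What is talking to the Internet now (TCPView step); loopback and RFC 1918 ranges skipped.
function Get-ExternalConnections {
    Get-NetTCPConnection -State Established |
      Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
      ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
            Review  = Test-NeedsReview $proc.Path
        }
      }
}

# 2) What starts with Windows (a subset of what Autoruns enumerates).
function Get-RunKeyEntries {
    foreach ($hive in 'HKLM:', 'HKCU:') {
      foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value; Review = Test-NeedsReview $_.Value }
        }
      }
    }
}

Get-ExternalConnections | Sort-Object Review -Descending | Format-Table -AutoSize
Get-RunKeyEntries       | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries marked Review = True are the ones to look up before deciding, as the answer says, whether to disable them; a flagged path is a prompt for research, not proof of infection.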
 
Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?

Yes and no. No, in that OS X has far more vulnerabilities than Windows -- and I don't mean a little. Windows gets about 120 to 200 bugs a year. OS X gets two to three times as many, if not more.
 
With that said, because OS X runs on only 5 to 10 percent of the world's computers, it still isn't a very big target. Bad guys target popular things because they are more likely to get something of value. Running OS X will probably incur less risk compared to a Windows computer -- probably significantly less risk.
 
Note that computer viruses aren't nearly as common as worms, Trojans, and other sorts of malware. Use the term "malware" or "malicious program" instead of "virus." Virus indicates only one type of malware.