Stan Stahl is an information security expert in Los Angeles with more than 30 years of experience . He is president of both the security consulting company Citadel Information Group, and the L.A. chapter of Information Systems Security Association. Stahl's career included work with the White House as well as government agencies, including the Department of Defense and NASA.

What stage is the cybersecurity industry in?

I would say adolescence. Up until a couple of years ago, most of the attacks were by kids who cared if they could break in; they weren't in it for financial gain. Then the trend became identity theft; now it's online bank theft. If you're a company with intellectual property, you also have this to worry about.

How serious have attacks become?

We have unsecured companies that are the equivalent of 14-year-olds driving cars. We've seen much more corporate espionage in the last couple of years and this is not just companies we've dealt with. Attacks have gotten more sophisticated and what criminals are looking to steal has gotten more and more valuable.

What are your cybersecurity tips to businesses ?

Basically pay attention to three things.

1. Get the right technology: Make sure your architecture―how your networks are connected―is done in a standard, secure way. If you want to strive for the best cybersecurity, you strive to be certified ISO/IEC 27001.
2. Manage the technology carefully: You want the computer to make a record every time a sensitive file is touched, and every time somebody tries to log on and is unsuccessful. If there is an attack on the firewall and subsequent to that there is an attack on a server, you could reasonably assume the attack on the firewall was successful and now a criminal is on your server. If you're not paying attention, the cybercriminal would be able to live there forever.
3. Increase senior management involvement and leadership: We came up with the concept that it takes the village to secure the village. Top executives need to be more aware about the dangers and train their people, including subcontractors and trading partners, to be more vigilant.  

Which step do companies apparently lack most?

Senior management and leadership. It's the most important. That's the biggest reason most businesses are sitting ducks.

What is the main difference between information technology (IT) professionals and cybersecurity professionals?

In hockey there are six people on a team, five of whom are in front of the goalie. The goalie is a totally different animal because there's nobody else to block the shots from the net. The security professionals-- us guys--we're like the goalies in the field: Our sole, single focus is catching bad guys.

How are the physical and cybersecurity worlds merging?

Let's take a building for example. There is a back door that has a camera on it 24/7. The day before, I found a vulnerable wireless port and hacked the network so I would not have to go inside the building. That's one way there is convergence and where convergence actually weakens physical security. Once you take cameras and monitors, and connect them to the corporate network instead of their own wires, then anybody who hacks the corporate network can do whatever he wants with the footage.

What's a positive example of convergence?

One of the things happening is if you want to log into your computer network at work, you would also need a little card called a badge reader. You would use your badge reader to enter the building and this is one layer of defense to identify you. So if you are not in the building, someone else who made it inside the building  with your user ID and password still would not be able to sign into the network as you.  It's the connect-the-dots kind of thing.  You see it in places like the NSA and CIA. Even if it's affordable, it's not yet well known down layers of the economy's smaller businesses.

Is it easier to hack a smaller company than a larger company, or does size not matter much?

All other things being equal, it is easier to hack into a smaller company than a medium-size company. If you're small, you probably won't have the technology and  management resources; if you're really big, you just get all the problems of managing a big company.

Steve West has worked as an information security professional for seven years at various companies. In October, West decided to start his own consultant business Wombat Labs in San Diego. He is a self-described “white hat,” the industry term for hackers who ethically perform penetration testing to ensure a company's system is secure.

What are the other "colors" of hackers?

“Gray hats” are essentially mercenaries: They will defend systems for money and hack systems for money. “Black hats” will break things, steal data and resell them on the black market.  

What is a popular place to find hackers?

I enjoy going to hacker war game websites. You can practice breaking into things in a secure and legal environment. Ones I go to are enigmagroup.org and hackthissite.org. I am fairly certain a lot of black hats and gray hats go there. You can tell by the way they act: the kind of things they choose as their avatar, like lots of skulls; names they choose for themselves. A few clicks on the websites' links can get you to real hacker websites.

On average, how much is someone's credit information worth on the black market?

Somebody's identity---which includes credit card number, social security number, mother's maiden name-- that has not been used fraudulently goes for about $50.

What is an example of a common vulnerability?

There is a growing threat on the Internet called botnets. A botnet is several million compromised computers that can be controlled and utilized by black hats to nefarious ends. Random people have all these unprotected computers with various viruses and Trojan horses. The malware don't do anything to announce their presence but just slip in and leave back doors for black hats. The low-level black hats do rent botnets.

What red flags indicate your computer may be used for botnet activity?

One way is to look on your network and see if you're sending out a huge amount of stuff that you shouldn't be over the wire, but a person would need some degree of technical skill. I don't want to be an alarmist, but this is the reality we live in unfortunately.

How much cybersecurity should an individual need?

There are different levels of hackers. At the lowest level is the “script kiddie”: They are loud,  ego-driven and smart enough to do damage, but they can only use preexisting tools downloaded from the Web. And then you have groups like the NSA, the Chinese intelligence agency, Mossad [Israel's spy agency]; they can walk through anything you put up. But seriously, 'Is the NSA going to want my data?' You need to figure out who you are trying to be secure against and then build it so that you are secure to that level.

What can someone do to reduce chances of cyber-attacks?

Keep your operating system and applications you commonly use up-to-date because they will have the latest patches. Also minimize the amount of things running on your computer so you have a minimal surface area for people to attack and exploit.

What's the worst hacking case you've seen?

TJX, operator of discount chains including T.J. Maxx and Marshalls, is a major textbook case of how bad it can be. For a number of years, its stores were processing customer transaction data over wireless unencrypted. This became known in the black hat circle. Black hats with laptops would go into the parking lot of stores, would “listen” and credit card numbers would just come in over the air. Eventually TJX discovered this in 2006 and took a huge beating.

Is it easier to detect a threat or fix one?

It's a lot easier to detect a problem than fix it because you have to fix the problem and make sure you haven't introduced other problems. Often time it is easy to fix something, but there also needs to be the political will to fix it.

What's the future of cybersecurity?

More and more people are saying the future of cybersecurity in the next decades is going to be as much a battlefield as anything else. When you start a war with a country, the first thing you do is knock out its communication. Real world events between nations can also cause little invisible cyberwars to start. So far nothing too terrible has happened in terms of like completely shutting down a country's infrastructure. That's why I think cybersecurity is a wonderful field to get into at this time. Now is the blossoming of the industry.