Computer hacking has been around for as long as computers communicated with each other. Some would argue it has been around as long as computers have existed. For a long while hacking was simply a challenge. The competitors ranging from thrill seeking high school kids to academics trying to prove a point. In those days, security was an issue, however, computer systems could be kept safe as long as the IT staff knew their job and were allowed to do their job.
The world came to use computers everywhere under the impression that they were relatively safe. Fast forward to today, and things have changed drastically. Cyber crime is professional and no system is safe. Some are safer than others but everything is vulnerable to some extent. For the first time in the history of humanity, the tools required to drastically impact a large commercial organisation or a Government, are freely available.
In the past, cutting edge technology has been the privilege of Governments and possibly very large companies due to the tremendous cost and restrictions in availability. For example, weapons grade uranium is thankfully unattainable to the average person. However, the tools for causing harm via cyber crime are, quite literally, freely and easily available. If a person does not know how to effectively use these tools then they can contract others to do the job for them at a relatively low cost. The greatest irony is that intrusion costs less than prevention! Espionage, both industrial and Government, is now almost exclusively done via cyber crime. Companies can now go to war with each other wielding weapons such as denial of service attacks as a means of disrupting their competition’s business. What started as identity and credit card theft aimed at individuals, has mushroomed into full scale war between companies and Governments. An entire black industry has silently grown into existence world-wide.
Internet based technology has exploded. No organisation, be it Government or commercial, can operate without being plugged into the internet. The reality is that today, almost all infrastructure, whether civilian or military, is connected to the Internet and this unfortunately leaves it open to attack.
The need to have effective cyber security was highlighted in a quote by US Admiral Jonathan Greenert, the Chief of Naval Operations. “The level of investment that we put into cyber in the department is as protected or as focused as it would be in strategic nuclear,” Greenert says in an interview in Singapore, just before the start of the three-day Reuters Cybersecurity Summit in Washington (link.reuters.com/dam97t). “It’s right up there, in the one-two area, above all other programmes.” But it is not just the military that understands the need for cyber security.
The corporate world is heavily dependent on Smartphones and other wireless technology. At the same time, the level of sophistication employed by cyber criminals is rising dramatically. Firmware based malware that is operating system independent, is on the rise. Fragmented attacks where malware is progressively downloaded over a period of weeks to avoid detection, is another example. The tools for detection are also improving but they lag behind the attack mechanisms. There is an emerging need for skilled people to man the defences of every Government and company on the planet. These people have to have deep knowledge of computer communication, operating systems and computer languages in order to know what to look for and how to stop it.
In the early days the game was about preventing attacks. Today, it’s still about prevention but it’s also about managing and minimising the impact of an attack. It’s about the knowledge that an attack has occurred, what happened and how to prevent it happening again. There is also the problem of persuading companies and Governments that the costs involved in protecting themselves is money well spent.
IT generally, and IT security especially are looked on as a burden. Money is spent reluctantly because the perception is that it isn’t contributing to a company’s bottom line. This problem is compounded when the money is spent inappropriately. For example, companies often spend large amounts of money on intrusion detection/protection software, but then fail to support that with the trained staff required to properly configure and monitor the software.
The biggest problem is that if the money is well spent, there is no obvious indication to management that it’s working. Hackers intrude silently and discretely, companies tend to conceal the knowledge that they have been attacked. A good analogy is spending money to ensure the electrical wiring in a building is safe and secure. If the money is well spent then nothing happens.
On the other hand, if corners are cut, people could be electrocuted or the entire building could burn to the ground. Where the analogy breaks down is that the owner of the building could not conceal the tragedy, however, companies often do conceal the fact that they have been successfully attacked. This leads the corporate world to feel that the issue of computer security is a non-event that isn’t really a significant problem.
Finally, there is a skills issue across the whole of ICT. Traditionally, computer security was the domain of the IT support people. Software developers didn’t need to know, neither did the company policy makers. Today, everyone needs an awareness. Software developers need to ensure their applications are as safe as possible. They need to be aware of their legal responsibilities in this regard and they need to be up-to-date with whatever software development infrastructure they are employing.
An organisation’s computer security is too significant to simply be something the IT guys do as an extra part of their duties. It requires a dedicated team of people supported by management. They need to have input on business processes, physical plant and office spaces for the organisation. Policy people need to talk to them to understand the policies required to prevent or minimise the impact of an attack. The selection of software (either off the shelf or custom built) must now consider security issues, in addition to whatever functionality is required.
Overall, we are in a world where every organisation, both corporate and Government, needs to be plugged into the internet; is totally dependant upon ICT for their daily operations; does not appreciate the significance of the problem; and is reluctant to spend serious money on computer security. Ultimately, there will be no choice and so the demand for skilled computer security professionals will increase. At the same time, any improvements in the tools used by these people will decrease the costs involved by preventing more sophisticated attacks and also easing the workload of the security people involved.
The Department of Computing at Curtin University is addressing the problem on two fronts. Firstly, they have introduced a Graduate Diploma in Computer Security. This is a one-year, full-time course aimed at taking in students, who already have a computing degree and some experience under their belts, and skilling them in a variety of issues ranging from assessing the needs of an organisation to detecting and managing an attack. Related issues such as the impact of cloud technology are also taught. From a research perspective, the department has a long history in the area of pattern recognition and is developing better techniques aimed at providing security professionals with a higher level of assistance in recognising suspicious activity. For more information click here.
