With a background as a teacher at Columbia University and a sought-after security expert, Dr Hugh Thompson of Blue Coat Systems gained notoriety in 2006 when he hacked the electronic voting system in Florida for a PBS TV special. He has founded security companies and written several books on information security that have become required reading at many software companies.
Dr Thompson is particularly interested in how we assess the efficacy of the tools and techniques used in security management.
“One of the things that’s held us back the most is that we haven’t ever had good metrics in security. The result of that is that we’ve adopted practices, technology, training methods and all sorts of things that don’t have a basis in actual metrics. No one can tell you how much better off you are because you bought Thing A or used Policy B,” he says.
He contrasts this with insurance companies who have extensive data correlating personal information with driving risks. This comes from years of extensive data collection and analysis allowing insurers to correlate risks with real activities. We lack that degree of maturity when it comes to information security metrics.
“The biggest threat that we face, this is from some of the research from Columbia University, is the human element of security,” according to Dr Thompson. “If you really think about what the investments have been in security technology, if you really believed that this was the problem, then we wouldn't be investing the way we have historically.”
Because relatively little research has been done in this area, little has been done to address the education of users, even though users are more knowledgeable than in the past. A critical element of this is that personal information about individuals is more widely accessible than ever before.
“Just with LinkedIn and a couple of Google searches and maybe even Twitter, I can figure out who the IT administrators are, what they had for lunch, their favourite sports team, when they went on vacation and where they went. When you know so much about someone and you want to trick or convince them to bring a piece of malware inside, it’s a really serious challenge,” said Dr Thompson.
Many of the attacks we’re seeing are using individuals as the vector for malware. As Dr Thompson puts it, the ‘A’ in APT is about advances in social media as much as it is about advancement in technology.
This is coupled with the greatly improved tools people have access to, with business users taking advantage of personal tools and services such as tablets, smartphones and cloud services. This means that IT security people have to adapt to a changing threat profile in which they no longer have complete control of the end-to-end environment.
As a teacher of the next generation of info-sec professionals, it’s possible that Dr Thompson could be either equipping the next generation of IT protectors or arming the next wave of bad guys. How does he deal with this?
“There’s been a debate in security for a long time on whether teaching people how to exploit a buffer overflow or use SQL injection is a good or a bad thing. The interesting flipside is that anybody can access that kind of information. The scary part is that teaching people how to do this and how attackers work isn't typically a part of the computer science curriculum,” says Dr Thompson.
In his view, if you don't teach developers how their systems might be exploited then there’s little chance that they will learn how to develop more robust and secure systems. He also suggests that ethics needs to be taught as part of computer science education.
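The SQL injection case Dr Thompson mentions is the kind of lesson he argues developers need to see for themselves. The following is an added example, not code from the interview or from Blue Coat: a toy login check written the fragile way (untrusted input pasted into the query text) next to the parameterized version, run against a constructed in-memory SQLite table so the contrast is visible in the return values. The table, the user row and the function names are all assumptions made for this illustration; real systems would store password hashes, not plaintext.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory users table with one sample row (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed sample row
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The untrusted strings become part of the SQL text itself, so a quote in the
    # input changes the query's structure rather than just its data.
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders keep the SQL structure fixed; the driver sends the values
    # separately, so a quote in the input is only ever compared as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with a correct password and with a textbook tautology input."""
    conn = build_db()
    tautology = "' OR '1'='1"  # constructed classroom input: closes the literal, adds an always-true clause
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_parameterized(conn, "alice", "correct horse"),
        "tautology_vuln": login_vulnerable(conn, "alice", tautology),
        "tautology_safe": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions accept the genuine credentials, but only the string-built query also accepts the tautology input, because the `AND ... OR '1'='1'` it produces evaluates to true for every row. Seeing that difference in running code is the point of the argument above: a developer who has watched the structure of their own query change is far more likely to reach for placeholders by default than one who has only been told to.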