Do what’s right – an interview with Dr Hugh Thompson

With a background as a teacher at Columbia University and a sought-after security expert, Dr Hugh Thompson of Blue Coat Systems gained notoriety in 2006 when he hacked the electronic voting system in Florida for a PBS TV special. He has founded security companies and written several books on information security that have become required reading at many software companies.

Dr Thompson is particularly interested in how we assess the efficacy of the tools and techniques used in security management.

“One of the things that’s held us back the most is that we haven’t ever had good metrics in security. The result of that is that we’ve adopted practices, technology, training methods and all sorts of things that don’t have a basis in actual metrics. No one can tell you how much better off you are because you bought Thing A or used Policy B,” he says.

He contrasts this with insurance companies who have extensive data correlating personal information with driving risks. This comes from years of extensive data collection and analysis allowing insurers to correlate risks with real activities. We lack that degree of maturity when it comes to information security metrics.

“The biggest threat that we face, this is from some of the research from Columbia University, is the human element of security,” according to Dr Thompson. “If you really think about what the investments have been in security technology, if you really believed that this was the problem, then we wouldn't be investing the way we have historically.”

With proportionately little research done in this area, little has been done to address the education of users, even though users are more knowledgeable than in the past. A critical element of this is that personal information about individuals is more widely accessible than ever before.

“Just with LinkedIn and a couple of Google searches and maybe even Twitter, I can figure out who the IT administrators are, what they had for lunch, their favourite sports team, when they went on vacation and where they went. When you know so much about someone and you want to trick or convince them to bring a piece of malware inside, it’s a really serious challenge,” said Dr Thompson.

Many of the attacks we’re seeing are using individuals as the vector for malware. As Dr Thompson puts it, the ‘A’ in APT is about advances in social media as much as it is about advancement in technology.

This is coupled with the greatly improved tools people have access to, with business users taking advantage of personal tools and services such as tablets, smartphones and cloud services. This means that IT security people have to adapt to a changing threat profile in which they no longer have complete control of the end-to-end environment.

As a teacher of the next generation of info-sec professionals, it’s possible that Dr Thompson could be either equipping the next generation of IT protectors or arming the next wave of bad guys. How does he deal with this?

“There’s been a debate in security for a long time on whether teaching people how to exploit a buffer overflow or use SQL injection is a good or a bad thing. The interesting flipside is that anybody can access that kind of information. The scary part is that teaching people how to do this and how attackers work isn't typically a part of the computer science curriculum,” says Dr Thompson.

In his view, if you don't teach developers how their systems might be exploited, there’s little chance that they will learn how to develop more robust and secure systems. He also suggests that ethics needs to be taught as part of computer science education.

Stories by Anthony Caruana