<< Back to article Print this page Loading page, please wait...

Security Blanket

Mark Hollands (CIO)
12 July, 2004 12:04

You're never too old - or too young - for a little security education

The bad guys are winning, and a crisis of trust faces this industry. I have no hard and fast data to back me up, it's just a gut feeling that I no longer feel "secure" on the Internet, no matter how many upgrades to my firewall and antivirus software I am packing. I would not access my bank account online if my credit rating depended on it because, frankly, I reckon it does. Spy software, key-logging programs could be sitting on my PC right now, and neither I, nor Windows and McAfee would know.

I count myself lucky because I know the dangers. I also get to see the data on the numbers of mugs on a home PC who have been duped by phishing scams, fallen foul of viruses or even had their PCs hijacked. The occasional conversation with Graham Ingram, the head of AusCERT, or Alistair MacGibbon, chief of the Australian High-Tech Crime Commission (AHTCC), are sufficient to scare the hell out of me, too. [MacGibbon recently traded in his badge at the AHTCC for an executive security position at eBay. - ED]

Others are not so fortunate. The commitment of society and industry to educate PC users on the bear-traps and raids of malicious code across the Internet is pathetic. We spend too much talking to ourselves - this column being a classic example of that - or engaging with bureaucracy such as federal government without pausing to gauge the degree of education in the wider community.

CIOs have a role to play. Too few organizations have even a security policy and education of the workforce is sporadic at best.

Some of the largest Australian organizations, especially banks, are taking the problem seriously and have appointed a chief security officer (CSO). An executive-level commitment to staff education on IT and data security does more than contribute corporate wellbeing. Such initiatives can also highlight the issues for an unprotected PC at home, which contributes significantly to the proliferation of viruses and spam.

Currently, industry, government and media make a lot of noise about the importance of security but rarely pause to check if anyone is listening. The growth of viruses and malicious attacks, as cited by AusCERT, suggests we're getting little cut-through.

This point struck home with me recently when I asked my 10-year-old son (the recipient of a far-too-expensive private education) what he did in the two hours a week dedicated to "computer class". "Nothing much," he mumbled, typical of a boy of his age. "We just play around with PowerPoint, go on Google and find out facts, or check out cool videos and Korean fighting games."

Do you learn anything about security or viruses? "No." Sure? "Yeah."

According to Peter Coroneos, the passionate chief of the Internet Industry Association (IIA), no state education authority insists on security education being part of a curriculum. We are happy to show students how to do dot-points on Bill's slideshow software, but we don't talk about identity theft, hacking or viruses.

"Large businesses are well served," Coroneos says, "but if you go down the food chain then the quality and quantity of education gets thinner. There is no simple, non-technical place to go to get this information."

The IIA has its own security portal, built on the back of a $200,000 federal government grant and promotional packages from vendors and ISPs valued at $1 million. Even so, Coroneos laments it is not a destination that a home PC user, or a child, would seek out.

Page Break

Something Smells Phishy

Phishing and identity theft appear to be the greatest long-term problems.

Banks have good reason to fear their strategy to shut branches and encourage online account management will crash on the rocks of fear. Mean-spirited script-kiddies, and the far more threatening force of criminals who seem to launch their codes from poorly policed states, such as those in Eastern Europe, are out to get our money.

Their phishing code is developing quickly. Scripts are now being written that can overwrite your own destination in the taskbar. If you typed in westpac.com.au, that's where you'd think you would go. But a compromised browser will go to a spoof site and you'll have no way of knowing what's going on.

Microsoft's security lead, Ben English, says you may even be a member of a "bot army" - that is, your own machine has had a virus that leaves undetectable code that can be activated to turn your PC into a "slave machine".

"We need to move fast before the confidence falls out of the bottom of the market," says Coroneos, a director of a company called Net Alert, which is drafting a suggested curriculum for state education departments. "I think the worst thing for a child is to have their identity stolen online. They might never know until they are older and begin life and try to get a credit rating. I have done a lot of work with developing guidelines for the OECD, and created the mission of creating a culture of security, which makes the problem everyone's responsibility to solve."

We are the proverbial bull's roar from that culture today. There are a number of local joint ventures going on, such as the Authentication Taskforce to help protect individuals' online identity. This group - consisting of the IIA, eBay, travel firm Zuji, nineMSN, Yahoo!, RSA Security and others - will conduct an independent stocktake of authentication technologies, using government funds to test their usability for the business and consumer markets. It will develop a push-marketing campaign to highlight the findings. Of course, the greatest challenge is to explain what authentication and identity theft actually means, and why anyone should care.

English, who stresses he is goaled on customer satisfaction rather than fiscal performance, says consumer security is the number one priority and fast becoming a preoccupation at Microsoft. Given the fact that it is his software that has been exploited so many times, one might be forgiven for not expecting anything less.

"We spend millions of dollars globally as part of the 'Protect Your PC campaign'," says English. Currently, there are some 50,000 CDs in the local market with security updates - a useful but not significant number given the fact that more than one in two Australian homes has a PC. However, English says activity will step up when Windows XP Service Pack 2 is released. We might even see some action in the shopping malls.

"What Microsoft and the industry must do is make security transparent so that the user doesn't even know they have it, or that it is being updated over their Internet connection," says English. Most people don't understand what a firewall can do, or nor do they care. Security must happen by default. That is where I want to get to."

He cites a series of surveys conducted by the UK technology site, The Register. Its staff offered 171 commuters a chocolate egg in exchange for their password and got a 70 percent hit rate. The previous year, nine out of 10 people handed over their details in exchange for an el-cheapo pen.

While any CIO might smile at the audacity of such a survey, those idiots at the train station could be your colleagues compromising your security for a piece of chocolate.

Which makes security everyone's issue. Including yours.

If you need assistance to take up the challenge, the leading security vendors and the IIA will surely give you assistance with established education programs and material.

Mark Hollands is principal of the new research and consultancy company, ITR. He is a former vice president of Gartner and IT editor of The Australian. He was hit by the Bugbear virus last November and it cost him $280 and two days productivity to save his data and fix up his PC