Inside the hacker's mind

Crime prevention requires a non-academic approach, says Ian Johnstone-Bryden



Much of my working life has involved support for the development of standards and criteria. Unfortunately, the way that these important tools are used is not always constructive. Much the same applies to dependence on qualifications.

Qualifications appeal most to big enterprises (government or commercial) where there is an established bureaucracy that tends to follow "railway tracks". To the smallest enterprises, voluntary and mandatory regulation is a difficult overhead in terms of both funding and staffing.

In a general sense, qualifications depend on a static knowledge base.

Any mature, conservative environment allows training courses to be created, examination papers to be drafted and certification processes to be implemented. However, in any rapidly developing industry, academia does not do a very effective job of keeping up with developments.

That then creates opportunities for suppliers to establish their own certification systems. This provides a method of applying a buying lock on users. Through the history of the IT industry, supplier training and certification has proved to be the only way to keep up with the latest releases of products.

Falling into a pattern

With risk management and security, which tend to be mixed together even though they are two very different concepts, we are now falling into a similar training and certification environment. In the process we are promoting IT personnel as the natural managers and claiming that security has to be technology driven, repeating mistakes made by previous generations of security managers.

It is interesting that most hackers are not qualified IT professionals, even today. Most could be described as drop-outs who have been failed by various national education systems.

This mirrors offender profiles across a range of criminal activity. The result is that security and risk management contain vulnerabilities when developed by someone who comes from a traditional academic and commercial background, for the simple reason that stock answers are applied fairly crudely, based on obsolescent knowledge.

Effective crime prevention requires skills that are usually the antithesis of bureaucracy and academia. Acquiring those skills can be difficult, and at some point it requires a measure of contact with people who are the potential threat.

I learned my skills working for governments where the line between legality and illegality could be hard to find on occasion. And over the years I have worked with colleagues who at least started their careers on the wrong side of the line. However the skill set started off, it has been developed by long hours of research and experimentation, and it requires a different mindset from that required in traditional corporate employment.

The internal threat

The most common threat is still from within the organisation, and information threats usually involve someone from inside the IT department. Very often, the threat is triggered not from greed but from anger, frustration or boredom.

As technology has expanded, it has become a driver, with the result that IT is applied without necessarily working out whether it is going to offer value. That is extremely good news for suppliers because they can concentrate sales on desire rather than need.

The containment of threats should be a need-based process that is a continuing task. The only way to decide what needs to exist is to produce functional plans and identify clearly the risks that apply to those plans.

It is easy to get it wrong. Take, for example, the case of a co-location outfit in the US which selected a huge volume of security products from leading IT suppliers. It introduced all sorts of biometrics systems, put up Kevlar panels inside all walls to a height of 8ft and replaced all glass at the front of the building with ballistic glazing.

Within six weeks of starting operations, two individuals arrived with a van and some poorly forged identification and were helped to remove a number of servers belonging to three different clients.

Ian Johnstone-Bryden is a consultant with the Firetrench Consortium, an international co-operative of specialists working on aerospace and defence projects
