Random thoughts and ideas…
Archive for July, 2010
The information security brick wall
Jul 27th
The UK Government launched the Cyber Security Challenge yesterday, which offers various prizes including SANS training, places at the Detica Academy, Masters-level university scholarships and more. Their opening gambit is a rather fun cipher challenge which should exercise your brain cells for a few hours!
The dearth of information security professionals is becoming an acute issue. Part of the problem is that IT has become so approachable and so powerful — the amount of knowledge required to “get stuff done” has dropped dramatically.
When I was at university 10 years ago, studying computer science, the top third or so of the class were serious Linux/Unix command line junkies. They knew the power of a shell pipeline, their xargs from their elbow, and their TCP three-way handshake from their ICMP Network Unreachable. We produced some serious coders and network gurus, and a large proportion of that particular cohort went on to work for Google, IBM, Symbian and the serious tech companies — because they had the in-depth knowledge of how the belly of the beast worked and weren’t afraid to dive in.
Nowadays, the same university churns out very able students, who are able to program. That’s about it… primarily because now, to get stuff done in Unix, you just have to do the pointy-clicky thing in KDE, Gnome, or whatever cute and friendly desktop environment you want to use today. The understanding of what goes on “under the hood” isn’t achieved, because it’s no longer necessary to get the job done — welcome to the double-edged sword of UX improvements. One of my colleagues, working at the university as a research associate and sometime lab assistant, bemoaned the fact that several students did not even know how to produce the ‘|’ symbol, let alone how it could be used in a Unix shell!
As electronic devices reach the stage of pervasive technology — everywhere, all the time — the risk factor of exploitation increases exponentially. You’d think that we as an industry would have learned our lesson with the legacy our forebears are already leaving us — rapidly obsolescent embedded, SCADA and safety-critical platforms which are having to be retrofitted with security now that everything is online. Sadly, this doesn’t seem to be the case.
In five years or so, information security is going to hit a fairly large and solid brick wall, simply because there are fewer and fewer new people entering the sector… because the universities aren’t producing them. With very few exceptions (I think particularly of Royal Holloway’s various courses on the subject here), academics in computer science departments don’t get practical information security. The importance of being able to code securely (i.e. don’t write commonly exploitable code), detect intrusions, deal with them, and handle the aftermath, is something that universities don’t touch.
It is incumbent on the universities today to not only teach coding, but to teach secure coding practices and nurture the next generation of information security experts. Whether they are willing — or able — to fulfill that task is another question.
The UK Cyber Security Challenge and its various worldwide counterparts are laudable, and play an important role in increasing the public awareness of the importance of information security. However, they are not going to bring nearly enough people into the infosec sector to fill the needs of the coming years.
For now, all we can do is watch and wait — and fix the vulnerabilities when they come along, and hope we don’t make too many mistakes.
Welcome!
Jul 26th
This blog will be the home of my (probably infrequent!) musings and thoughts. The range of topics will be fairly broad.
The shortest available description of who I am is: London-based geek, primarily of IT but also of music, winterguard, and slowly filtering into the world of games — three-space, not necessarily computer-based.