The unruly frontier of cyberspace

Jan 1, 1997 12:00 PM, By JOHN MCCUMBER



John McCumber is a computer security consultant with Trident Data Systems, Fairfax, Va. Previously he was a principal analyst-section manager with Litton/PRC Inc., where he provided services to numerous Department of Defense organizations. McCumber retired from a career in the U.S. Air Force in 1994. He holds adjunct faculty status at the Defense Intelligence College, Eastern Michigan University, James Madison University and the DOD Security Institute.

I have been in the computer systems field for two decades now, with more than half that time devoted strictly to the study and practice of computer and telecommunications security. State-of-the-art systems are now being used for purposes no one could have foreseen even five or six years ago. The Web, tele-medicine, and computers that support the physically disabled are nothing short of miraculous.

Unfortunately, the practice of computer security usually requires that I concentrate on the potential abuse and exploitation of these technologies instead of their more grand applications. There seems to be no end to the crooks, spies, perverts and thieves developing digital savvy and finding new ways to employ computing technology. Add to this rogues' gallery the curious, inept and irresponsible, and our national information infrastructure begins to seem an unruly frontier.

Security professionals have always lived on a similar frontier. They must always prepare for the adverse results of natural disasters, perfidy, violence and accidents. They don't exist to eliminate these threats, nor do they define the policies, rules and regulations that prescribe human behavior. Ultimately, the security professional's job is risk management: He or she must recognize threats to assets and minimize the potential for harm.

I have found my job is more akin to the security discipline than to the computer vocation for which I was educated. Computer security engineering is merely an extension of an organization's overall risk management process. I identify assets, profile potential threats, look for vulnerabilities and develop safeguards and recommendations - the same stuff security professionals do. The only difference is the cyber frontier I inhabit. This parallel may not seem profound, but its impact is.

A most recent case in point occurred a couple of weeks ago. I received a call from a security manager at a hospital where I had performed a vulnerability assessment a few months back. He called to share a story and tell me I had been right.

When we began that job, we had easily gained access to most of the hospital's main computer file servers using fairly simple techniques. Within a half hour working from our lab across the Internet, we could easily have disabled their entire telecommunications infrastructure. Within two hours, we had control of their e-mail system. Not long after that, we had gained root access on servers that provided us with a treasure trove of sensitive information.

When I presented my findings to the hospital administrators, I found myself in the middle of an ugly scene. One of the computer managers jumped up and accused me and my staff of using dirty tricks and insider information. Another claimed we had fabricated our findings to scare senior managers into paying for overpriced, worthless security products like firewalls. Even with tangible proof, many of my computer colleagues did not want to listen.

This was not the first fiasco to result from my team's efforts. We have come under fire for our services on many occasions. What intrigues me is that the flaming inevitably comes from our computer colleagues. Sometimes it is hard to believe the vitriolic nature of the comments and accusations.

The security manager had called to say that the previous week, two of their servers had been crashed by an unknown attacker coming in through an Internet connection. The culprit pasted digital graffiti around their internal network as well - a real comedian. I just wondered whether the incident affected some poor soul waiting for medical treatment. My caller expressed his appreciation for our group's efforts. They had dug out our report of findings and were preparing to implement many of our recommendations. The security manager said he wanted to call since he suspected no one from the computer shop would. It seems a couple of people had recently been relieved of their positions for not taking appropriate precautions.

He and I shared a nervous laugh born of shared experience. He said he had advocated the need for immediate safeguards on several occasions, only to be accused of a "Chicken Little" mentality. When the threat was manifested, saying "I told you so" just was not appropriate. So it was with me. I thanked him for the call and asked him to keep in touch. He still does.

The unexpected phone call drove home the point that the security manager and I share a common purpose and a common profession - the management of risk. We must ponder the possibilities, profile the threats and recommend safeguards to minimize risk. Ultimately, someone else usually makes the decision. Sometimes it is based on statistical analysis, sometimes on finances and sometimes on hope alone. Whatever the result, we continue to do our jobs and bite our tongues when we want to say, "I told you so."

© 2012 Penton Media Inc.