How to delve into the hacker’s mind

In the late eighties, Cliff Stoll wrote The Cuckoo's Egg. Immensely popular, the book glued itself to the top of the New York Times bestseller list for more than four months. People, it seemed, were attracted to the story of a hacker who managed to successfully embed himself inside a university system and, from there, gain access to other, more valuable, targets.

Thankfully, that was 20 years ago. Now, with intrusion prevention, computer forensics and event management, we're all safe.

Except, of course, we're not.

If a hacker was on your system, how would you know? In fact, are you sure there isn't one there right now?

Emlyn Everitt, senior security consultant at Logicalis, and holder of the UK's first PhD in intrusion prevention and detection, suggests that companies are ignoring a risk that is as old as computing itself.

"This is not about spreading fear, uncertainty and doubt," says Everitt, sitting in a fashionable-looking office in that wholly unfashionable part of London's outer sprawl known as Slough. "It's a matter of balancing risks against investment and cost. The elite guys are very good at covering their tracks. There are circumstances where hackers are so truly embedded in the infrastructure that the required expertise isn't there to discover them."

Everitt should know. Having begun his career in systems development and communication with consulting firm Hyder, he moved on to a security role at BT where he simultaneously undertook a PhD at the University of Glamorgan entitled Inferential Analysis of Incomplete Audit Data Sets. Having recently received his doctorate, Everitt believes the experience he gained through study has been invaluable.

"A PhD teaches you to think outside the box," he says. "There are very few people who can do it naturally, but this sort of thinking is indelibly linked with network security. I developed new mental and cognitive abilities as a result of study. It's like an upgrade to my CPU."

For Everitt, a PhD pushes the boundaries of information security qualifications. If today's challenges are to be met, he argues, then information security professionals have to push themselves further.

"Companies are struggling to detect the best of the hacking fraternity," he says. "Getting under the skin of hackers is a difficult matter for most organisations. Qualifications can help – for example CISSP suggests a certain amount of competency. But a lot of modern commercial qualifications can be circumvented: multiple choice questions alone aren't enough."

For Everitt's thesis he designed a system that employed two intelligent search strategies that were capable of re-sequencing and regenerating audit logs compromised by either system failure, an inadequate system setup or by an intruder.

"Incomplete data sets hinder the detection process," he explains. "I therefore looked to address that problem through my PhD."

Automated intrusion detection systems have traditionally been hindered by their inability to cope with incomplete information. Everitt had to dream up a way to get around this.

"You begin to look at things from different angles. The hacker is using his imagination, so I had to use mine," he recalls.

To circumvent the problem, Everitt suggested the creation of an intelligent system, one that could deal with incomplete or "noisy" data sets. The suggested system apparently used genetic and simulated annealing in a "de-coupled object-based framework". This might go some way to explaining why a recent news article described Everitt as the "world's brainiest security expert".

With his CPU upgraded, Everitt now seems ready and able to hunt down today's hacker. But what is today's hacker like? And what motivates (almost invariably) him?

"Script kiddies are the noisy ones, the hackers that everyone knows about," he says. "They go for website defacement and reach for the low-hanging fruit, the sort of things the CEO takes notice of. Because of better protection this low-hanging fruit is disappearing, but the stuff higher up is still there."

This necessitates a change in tactics. "Elite hackers can sit on your network for six months and not get the attention of anyone, let alone the CEO. These people are getting under the radar because they are compromising the systems that are there to detect them. It's our job to produce mechanisms to capture them."

Everitt suggests that the increased professionalism of hackers has also been underestimated.

"There is a clear trend of criminal groups gathering information and becoming increasingly professional about the means they're using to gather it," he claims. "Most criminal organisations easily circumvent perimeter security by sending a minimum-wage individual into the company. Background checks and controls to weed these individuals out don't exist, so it's relatively easy."

Scariest of all, some of this is organised at government level. "The French secret service openly states on its website that it is involved in industrial espionage on behalf of French companies," says Everitt. "Other information bodies claim the same. It's not something out of science fiction or thriller novels, it's something that goes on every day."

Criminals are after information. Everitt suggests that, in some cases, they have a better handle on the value of information than the companies from which they are taking it.

"Companies are invariably behind on the learning curve," he says. "What they have to do is get a handle on the value of information. A company may think that it is too small, that it won't happen, but assets come in many forms. Companies that are below the radar in terms of tangible assets may find themselves used as a stepping-stone towards bigger things." Just as in The Cuckoo's Egg 20 years ago, often the easiest way to access information is through an indirect route.

To combat the continued threat, governments and legislative bodies bring in reforms that heap compliance worries on IT professionals. Increasingly, the onus is put on them to protect company assets. Although it places a tremendous strain on the profession, Everitt argues that it's all in a good cause.

"It's good that there is more effort being made in this area, and perhaps we need still more," he says. "Information risk needs to be dealt with in the same way we deal with health and safety. With the increasing dependence on information assets and increased likelihood of compromise and brand depreciation, companies will be forced to look at it."

Everitt believes that, in the not-too-distant future, information security will become an integral part of any staff learning program. This is because, despite what many vendors say, most security breaches could be prevented through education.

"There are numerous companies offering solutions at the moment," he says. "It's a bit like a Wild West scenario, where everyone claims to have a magic remedy that turns out to be snake oil. If everyone within the company were to understand basic IT security, you wouldn't need half this stuff."

Everitt suggests that firms lack an adequate grip on information security, particularly in the area of education, but they will eventually be made to catch up.

"But the cynic in me says it will take the Equitable Life of the information security world to force this through," he admits. "The UK Government is still behind in applying raw and hard legislation. It's happening piecemeal, but it will come. When bridges and buildings collapse, new standards are driven for civil engineering. The criminals are there to make use of information assets, they will drive the maturing of legislation."

With the light fading, we take a break for the camera. After a spell in front of the lens we return, and Everitt begins to push home what seems to be a particular passion of his – the value of BS7799.

British Standard 7799 is one of the most widely recognised security standards in the world. Originally published in the mid-90s it was revised in 1999 and acts as a blueprint for security within any given organisation.

"As a framework for best practice, it can provide a guide to solving information security risk and also compliance," he says. "Not only will companies meet compliance requirements if they invest in BS7799, but they will also have an internationally recognised example of best practice to prove themselves if anything goes wrong."

Mistakes happen, argues Everitt. But at least with BS7799 in place when these mistakes do occur, companies will be protected. If you've done all you can, how can you be held liable?

"I'm not a lawyer, but it makes sense to me," says Everitt. "It puts information within a non-technical framework, so in turn it can help the education of the board. If there ever was a free lunch, this is it. It's information for free and standards for free."

Greater education at board level is where it all ends up, suggests Everitt. But it is also where true information security should begin.

"Separation of management has long been a problem," he says. "But responsibility has to evolve away from the IT department. In fact, IT governance has to move completely into the corporate governance portfolio. There is a growing adoption of roles – such as information governance officers as opposed to IT or chief information officers. This helps, but what you really need is a whole board that understands and knows how to mitigate IT risk."

Getting a long-established board of directors to properly understand this problem, and accept its implications, will not be easy, despite the increasingly high profile given to it by the media. But it will certainly be easier the next time that a high-profile company is compromised. Just pray that it is not yours.