Opinion - If you ask me
Robert Chapman, Firebrand Training and David Sandham, communications editor, offer their views on current issues.
Why we need to start thinking like hackers
The past few months have seen a plethora of security pundits predicting the biggest threats to corporate networks in 2008. Vista and voice-over IP vulnerabilities dominate the lists - however, hackers remain a virtual 'untouchable' element in corporate security policies. It feels as though we've given up the fight against hack attacks - people are warned when they first join a company not to give out their passwords for fear of someone unwanted gaining access to corporate information, but for most of us, that's where our security awareness ends. But in reality, installing an initial, robust defence against hackers isn't that difficult - so many breaches have been caused because someone has simply let a hacker in through the back door. This can be stopped quite simply by ensuring staff are already one step ahead.
The current lack of awareness of basic security principles has already been exploited by hackers in the practice of 'footprinting' corporate networks. Footprinting consists of researching network vulnerabilities and can account for up to 90 per cent of a hacking attack. The technique involves a range of active and passive information-gathering activities. Passive reconnaissance involves researching everything about an organisation. This activity has now stretched to the social networking sphere - an unintentional clue left on a blog or a Facebook profile could be the missing link a hacker needs to gain access to the network.
Active reconnaissance covers stages such as DNS lookups, ping sweeps and port scans. These may sound like purely technical processes to the majority of staff, but understanding how even something as innocuous as an email sent to a dummy or alias address can feed this research could help many employees to see how a huge catastrophe can be started by a seemingly harmless initial enquiry.
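The active stages listed above leave traces a defender can look for. The script below is an added illustration, not code from the column or from Firebrand Training: it reads constructed firewall-style log lines (the format, addresses and thresholds are assumptions) and flags a source that pings many different hosts (a ping sweep) or probes many ports on a single host (a port scan).

```python
import re
from collections import defaultdict

# Constructed sample log, one connection per line: "<time> <proto> <src> -> <dst>[:port]".
# Addresses are from the documentation ranges; nothing here is a real event.
SAMPLE_LOG = "\n".join(
    [f"2008-02-01T09:00:{i:02d} ICMP 203.0.113.5 -> 192.0.2.{i}" for i in range(1, 9)]
    + [f"2008-02-01T09:01:{i:02d} TCP 203.0.113.5 -> 192.0.2.3:{p}"
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + ["2008-02-01T09:02:00 TCP 198.51.100.7 -> 192.0.2.3:443",   # ordinary client traffic
       "2008-02-01T09:02:01 ICMP 198.51.100.7 -> 192.0.2.3"]
)

LINE_RE = re.compile(r"^\S+ (ICMP|TCP) (\S+) -> (\S+?)(?::(\d+))?$")


def parse(lines):
    """Turn log lines into (proto, src, dst, port) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, src, dst, port = m.groups()
        events.append((proto, src, dst, int(port) if port else None))
    return events


def detect_recon(log_text, sweep_hosts=5, scan_ports=10):
    """Return {src: [findings]} for sources whose behaviour looks like reconnaissance.

    A ping sweep is one source sending ICMP to at least `sweep_hosts` distinct hosts;
    a port scan is one source touching at least `scan_ports` distinct ports on one host.
    The thresholds are assumed values and should be tuned to the network's normal traffic.
    """
    icmp_targets = defaultdict(set)                      # src -> {dst}
    tcp_ports = defaultdict(lambda: defaultdict(set))    # src -> dst -> {port}
    for proto, src, dst, port in parse(log_text.splitlines()):
        if proto == "ICMP":
            icmp_targets[src].add(dst)
        elif proto == "TCP" and port is not None:
            tcp_ports[src][dst].add(port)

    findings = defaultdict(list)
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            findings[src].append(("ping_sweep", len(hosts)))
    for src, per_host in tcp_ports.items():
        for dst, ports in per_host.items():
            if len(ports) >= scan_ports:
                findings[src].append(("port_scan", dst, len(ports)))
    return dict(findings)
```

The single-client source 198.51.100.7 stays below both thresholds and is not reported, which is the point: the signal is breadth of targets, not any one packet.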
It's critical that employees start to think like hackers to put a stop to breaches before they happen. Understanding why policies are in place, what the consequences of slack security policies are, and regularly updating staff on the latest threats in the IT world will return the balance of knowledge to employers. By knowing more about the enemy up front, corporate networks can raise awareness of potential attacks.
Outside a legal framework, random network footprinting should be viewed as at least suspicious - at most destructive. Employees have to understand that this is where the biggest threat to the network lies, and their ignorance on security policy could be the catalyst to a nightmare chain of events.
Robert Chapman is the CEO of Accelerated Learning pioneer Firebrand Training, formerly The Training Camp
The software that cried wolf
Over the last two decades there has been a steady influx of mathematicians, physicists and engineers into investment banking, attracted by high salaries, or propelled by reduced opportunities in academia. Originally this new breed was jocularly called 'rocket scientists', not because they were aerospace engineers but because rocket science was the hardest-sounding science many bankers had heard of. Today, they are more commonly called 'quants'. The quants' mathematical and computing skills have been increasingly in demand as banks and their clients have become enamoured of ever-more elaborately sophisticated ways of grasping the apparently random motions of the capital markets.
Quantitative finance has become a hot subject. Teams of quants toil across Wall Street, the City of London and other financial centres, tinkering with computer models and inventing new ones. It's a kind of mathematical arms race. One of the main effects of this trend has been the boom in derivatives, a more complex form of security than the humdrum share or humble bond, and one which can be fine-tuned to the quants' models. Derivatives are also much riskier as well as much more difficult to understand.
Now, with the fiasco caused by French bank Société Générale's loss of an astonishing €5bn, blamed on derivatives trader Jerome Kerviel, one wonders whether the quants will have their wings clipped. We may see a new fashion for simpler, more user-friendly financial instruments which even the least mathematically inclined manager can easily track and control.
The exact cause of Soc Gen's woes will not be known for some time. When I called them to ask about the risk management software that should have alerted them to rogue trades, their response was a polite "no comment". But according to Avivah Litan, vice president and analyst at Gartner, the problem at Soc Gen may not have been that rogue trades did not set off alarms, but that these alarms were lost among the large number of alarms which are typical of banks' security software. Just like the boy who cried wolf, risk management software - which sends alerts too frequently - all too frequently gets ignored.
In a typical investment bank, "dozens of alarms go off per week. Certainly, well over 25 per month", Litan told me. According to Bruno Piers de Raveschoot, MD of Actimize Europe, a company which supplies software to financial institutions: "Less than 8 per cent of European financial institutions have a complete protection system." He believes that the problem at Soc Gen was caused by their not being able to combine all the warning signs together. Having nearly brought down France's second largest bank, it would be a shame if rogue derivatives trades also brought an end to a promisingly rational way of analysing the markets - the labours of the quants. We may hope that banks continue to develop quantitative finance, while also remembering what most engineers know, that technology is there to empower people, not overpower them.