The defenders: Inside an online siege

In a quiet, windowless auditorium in Bristol, in the west of England, Lucy Robson and her team hunch over their laptops as the seconds on a giant clock above begin to count down. In a few moments, the enemy will begin the attack – but these villains won't be coming in through the doors.
Robson is competing in the finals of the UK Cyber Security Challenge, held at Hewlett-Packard Labs in Bristol. The participants, largely teenagers and amateur programmers, have been plucked from outside the cybersecurity industry. The hunt is on to find a new generation of people with the skills to battle the darkest elements of the online realm – the hackers who seize government secrets, anonymous activists bent on causing mayhem, and criminals stealing credit cards.
The industry needs fresh blood because the nature of the threat has changed. "Five to ten years ago, you'd be protecting against a clever kid who wants to deface a website," says Martin Sadler of HP Labs. That kind of unsophisticated attack was once relatively easy to thwart. But those days are over. Take the hackers who broke into the Sony PlayStation Network earlier this year. They breezed past the security measures of one of the world's biggest electronics companies to steal the names, addresses and possibly credit card numbers of over 100 million people. Sony had barely recovered when a different part of the company came under attack last week.
Hackers are no longer motivated by mischief alone but by big money. Cybercrime alone – including stolen credit card numbers and industrial espionage – now costs the UK £27 billion a year, according to the government's Office of Cyber Security and Information Assurance. The story is no different in other parts of the world.
At the same time, new forms of illegal online activism have grown up, with a collective called Anonymous at the vanguard, crippling websites and gleefully exposing secrets. "Anonymous is not a specific group that you can go and arrest," one of the competition judges explains. The label masks an ever-shifting informal membership who might be active for a year, or for 3 hours. "It's a bank manager who wants to be a bad guy for the day," he says. "You can't punch someone in the face on the street, but you can on the web."
While the diversity, motivation and acumen of the bad guys may have grown exponentially, the defenders are struggling to keep up. Pure technical acumen doesn't cut it any more. The current crop of cybersecurity professionals badly need to up their game. The Cyber Security Challenge, if not an act of desperation, is certainly one of necessity.
Last year about 4000 people entered the competition hoping to be crowned ultimate cybersecurity champion. Today, after a series of gruelling heats, only 30 remain. To the winners will go expensive training courses and internships. But the real beneficiaries might be the sponsors. They include security firm Sophos, defence contractor Qinetiq, and the UK government's Defence Science and Technology Laboratory, and they are treating this contest as a scouting operation.
Earlier, the contenders got their orders from the fake CEO and board members of a fake manufacturing firm called the Metal Box Company. Today's task, they were told, was to secure the firm's website and network. Then the finalists were split into teams with names like Enigma, Turing and Bombe.
They are about to start the first of the day's trials that will test their technical abilities, interpersonal skills and teamwork. Later on, judges will award two prizes: one to the winning team, the other to the best individual player. Entrants vying for the title include a professional actor, a geeky kid with hair down to his shoulders, a postman from northern England and, competing in Team Enigma, 17-year-old Robson, the contest's only girl.
Robson taught herself network security by reading Wikipedia and textbooks she bought with money she earned from a part-time supermarket job. "If it affects me, I want to know how it works," she says. She lives in Cromer, a small town on the east coast of England, with her dad, a carpet fitter, and her mum, a certified chartered accountant. "Make sure you get the 'certified chartered' bit, it's important," Robson instructs. She speaks as if she's processing every word before it emerges. Her cropped dark hair rests on the collar of a grey suit and a fashionable scarf. The other entrants wear T-shirts and jeans.
Robson entered the competition with two friends she met at a computer summer school. In the run-up to the finals, their team shone, sussing out well-disguised flaws in a home computer. "We got here because of Lucy," says her friend Stuart Rennie. "She was amazing." But today, Rennie has been placed on Team Bombe, competing against Robson.
It's 11 am, and the attack is about to start. The task is to identify and fend off waves of invaders who want to break into the Metal Box Company's computer network. The teams are clustered in one corner of the auditorium, isolated from each other by barriers. The wires trailing from their laptops disappear into a tangled clump under a nearby table, where the action is coordinated by the games masters, led by Andrew Laird of Bristol-based security firm Cassidian. The exercise is being staged on a Cassidian-built software simulator called Hotsim (for "Hands on Training Simulator"), which is robust enough to manage the cybersecurity training of the Brazilian and Finnish militaries. Hotsim reproduces all the day-to-day traffic you'd expect in a big company network, such as employees browsing the internet, instant messaging and exchanging emails, so the teams' laptop screens mirror what an IT security team in a real company would be looking at.
The competing teams monitor this virtual traffic for signs of intrusion, using standard programs that display employee activity, a breach detection system and a firewall to keep out threats. A skilful cyberdefender knows how to program these tools to spot and block threats. If the contenders can successfully juggle all three, they can prevent the invasion.
Team Enigma, though, start badly. It's only a few minutes before the first sign of trouble: a "port scan" conducted by the enemy. Ports are the way into the network. Think of an arterial road system into a city that provides hundreds or thousands of routes for different types of vehicles and destinations. Similarly, a network has many thousands of specific routes along which traffic travels, called ports. By convention, internet browser traffic on a server comes in through port 80. Email tends to go out of port 25. Potential intruders will scan thousands of these ports in an attempt to discover weaknesses in the network's security. That's what is happening now, but in their initial scramble to secure the perimeter neither Robson nor the rest of Team Enigma have noticed.
The person in charge of monitoring the traffic zipping around on the network router is Tony Shannon, a stocky, confident 28-year-old with a pierced eyebrow. After a few years in the IT industry, he's back studying computer security at Nottingham Trent University, UK. Shannon's style is nothing like Robson's. He has decided that the way to impress the judges is to mount ostentatious vocal displays. "Oh yeah, we're FUBAR," he declares, as things start to come unstuck. "We're folding like a cheap deckchair." And the team really is folding in the face of the attacks. For all his earlier bravado, Shannon hasn't found much to contribute so far. There's anxiety in his voice.


