Thompson’s students sign agreements not to use their “bad guy” skills anywhere other than a disconnected lab where they practice creating threats and solutions. In the real world, however, these skills are all too easy to acquire.
“Everything’s out there on the Internet on how to do it,” he explained. “Hackers think nothing of walking into someone else’s [digital] house—they look at it differently.”
Protect, Detect, React
Brajendra Panda, professor of computer science and computer engineering, focuses on software security, which he describes as a repeating cycle. First, programmers must install security measures, with the knowledge that no security system is perfect. When criminals do find a way in, the system must be able to detect them, and then adjust to prevent future breaches, starting the cycle over again.
Panda’s most recent research focuses on insider threats to database security, which pose complicated challenges. “Every organization, small or big, uses a database these days, so all the information is kept in a database,” he explained. “They want to protect that as much as they can, and at the same time they want to share the information with others. That makes it difficult. Once you open it up to the rest of the world, you never know who can do what.”
Insider Threats
While keeping unauthorized people away from sensitive information is a straightforward goal, threats to database security can also come from employees who need this information as part of their jobs. Panda is looking for ways to balance security with employee access.
“In the case of an outsider threat, if you have a tiny suspicion that someone is doing something malicious, you can make the decision to stop it. But in the case of insiders, just a tiny suspicion is not enough, because if you stop it, your own work gets hampered,” he explained. “So maintaining the balance for insiders is very hard.”
Panda’s approach involves first classifying data according to how critical it is to the organization, and putting the most security resources toward the most critical data. The second step is to create a profile of each user, which includes a record of their activity on the database. Using this profile, an algorithm can compare past activity to current activity and see if a user is suddenly accessing information that has never before been part of his job. This change in activity could indicate suspicious behavior, and the algorithm can determine whether this anomalous behavior is acceptable, or if it is risky enough to take action.
It is also important to know all of the direct and indirect ways that database users can compromise security. For example, imagine that an organization wants to give a user access to employees’ personal information while preventing that user from knowing whose information she is looking at. The company could deny access to the names of individuals in a database, but the user might still be able to guess the identity of some employees from other details, such as salary amounts.
Users who are able to update databases pose different threats, and security programmers must be aware of the indirect ways they can affect data, as well. To illustrate this, Panda gives the example of employee classifications. While a user may not be able to change salary amounts, he may be able to change an employees’ classification or rank, and affect their salaries that way.
Panda pointed out that there are other issues associated with this kind of employee monitoring. When an organization has access to all the employees’ activities, that company must decide what kind of behavior is considered acceptable.
“If somebody goes to CNN’s website to view the news, do we stop them?” he asks. “Certain things, even though they go beyond the job description, we don’t necessarily stop them. Those are the ones that are hard to enforce.” Panda explained that each company has to decide what kind of internet activity, such as checking the news or using social media sites, is acceptable in the workplace, and include that in the algorithm.
Social media also presents a different kind of security threat. “If employees go to facebook, are they posting something that may be a company secret?” he asks. Employers have to determine how much risk social media use presents to their information, and balance that with employee privacy concerns.
Network Security
Dale Thompson also looks at the security of data, focusing on the threats to personal information that travels across the internet. In the class he teaches about network security, he explains to students the different ways that their information can be captured. For example, a criminal could send an email that looks like it came from your bank, prompting you to log into what looks like your normal bank account. However, malicious software in the email can capture your password as you log in and transmit it to the hacker.
Thompson explained that many things people post on the internet can transmit information that they weren’t intending to make public. For example, photos posted on facebook can sometimes contain metadata embedded in the file, and accessing this data could give hackers information about where the photo was taken.
This worries some people more than others. Privacy on social media sites like facebook has always been a complicated and controversial issue. While some people enjoy broadcasting every place they go and every article they read, others want more assurance that strangers will not be able to see this information.
Thompson conducts an informal poll among his students every semester, asking them if it’s important to them to keep their information private on the internet, and every semester, more students report that they aren’t concerned about privacy. “It used to be 10 percent didn’t care,” said Thompson, “and now it’s 40 percent.”
The Problem of Privacy
Thompson is fascinated by the discussions and debates around internet privacy, and one of his research goals is to help create clear definitions for internet privacy, which is currently too vague a concept to be useful to engineers.
“Different cultures and different generations define privacy differently,” said Thompson, and he explained that this lack of agreement means that different systems address privacy very differently, sometimes with an all-or-nothing approach. “A lot of them are extremely private and usable, or privacy is an afterthought.” He explained that this lack of agreement has kept engineers from focusing on privacy issues, leaving that up to social scientists.
Even though engineers don’t usually study privacy, it can still affect them. Thompson explained that privacy issues had an impact on the field of radio frequency identification, or RFID, which allows computers to gather information from small tags attached to objects. “RFID was called Orwellian when it first came out,” Thompson explained. “It’s slowed them down because they did not adequately address those issues. They didn’t see it coming.”
Biggest Issues
Panda and Thompson agree that what makes the internet so useful—easy access to information and communication tools—is what makes it so insecure. “Almost everyone has access to some computer or digital gadget connected to the internet,” said Panda. “Now that we’ve opened it up to the whole world, we do not know who’s getting into the system. Is it my next door neighbor or someone in another country? We want to share information, but we have no control over who gets it.”
Thompson hopes that as the internet becomes more integral to our lives, people will grow up understanding more about digital ethics and security. “These days, they’re teaching kids how to be safe on the internet in kindergarten,” he pointed out.
Unfortunately, the bad guys will always be out there, and the internet is the perfect place for them to organize. “The good thing about the internet is communication,” said Thompson. “The bad thing is that if you have people with out-of-the-ordinary norms, they tend to group together.”
Luckily for the rest of us, these and other U of A researchers are busy designing methods to protect our systems, detect security breaches and react to them. As the threats evolve, so does the research.