Is Ignorance Better?

I recently took part in a conference on information handling organised for the Chartered Institute of Public Finance and Accountancy in Birmingham. On the first afternoon we had a super workshop presentation by Peter Wood (First Base Technologies) on the various ways a computer network system, and even an individual computer, can be ‘persuaded’ to give access to information.
There was a big range of approaches, from the technical to the human, and the room was, at times, stunned by the extent to which sensitive information could be obtained with little skill. When a key logger – a small device about the size of a cigarette butt end that records every key typed while it is in place – was shown, the sense of shock was palpable.
Incidentally, this was a device that took me back to the time when fictional detectives could uncover the truth by being able to read the typewriter ribbon and thereby see the accusing note from the victim which had been destroyed by the villain in an attempt to cover their tracks. There is indeed nothing new under the sun.
Anyway, back to my point. While Peter was going through all his revelations it struck me that any one of the delegates could decide that they were unhappy in their lot, or that their job was under threat, and decide to use the information they had learnt. For those who had ears to hear, it could be said to be a masterclass in basic-level hacking. However, how can you give people the information they need to defend their systems against intrusion if they don’t know the form and method of the likely attack?
It is no different to training a soldier or a surgeon. Both gain mastery over tools that could kill, and understand the nature of a likely threat, and both could ‘Go Rogue’ and cause death and destruction. However, they need this knowledge to do their job, and we have to trust them to use the skills in the way expected. Of course society enforces this trust with the severest penalties, both professional and criminal, for the wrong-doers.
Can we avoid this education risk? No. Education has long been seen as the bringer of power which is why, in most cultures at one time or another, it was restricted from, or to, certain groups. It was, for example, strongly frowned upon in both colonial America and Britain in the 18th century, for you to allow your slave to learn to read as this would make them restless and harder to control. Despite this some slave owners decided that they wanted their slaves, or at least some of them, to have a basic level of education. They assessed utility, in some cases their personal morality, against the risk.
The organisers of the conference (Sapphire Technologies), and Peter, with his long experience, had to assume that the delegates were trusted by their employers to attend such an event. However, Peter walked a fine line and managed, I felt at least, not to make something sound so easy, interesting and invisible that people were fired up to go back to the office and try it out. At least there was no rush to the door at the end of the workshop.
Is ignorance better? It has to be a risk assessment issue; there cannot be an absolute answer because all situations vary. However, it has to be said that this sort of presentation is not one to be given by amateurs, excited by the shiny new kit on the market. It needs to be given by experienced and skilled presenters who are constantly monitoring the reaction and steering the workshop to keep the risk to a reasonable level.
This entry is filed under Wendy's Thoughts and tagged with CIPFA, education, hacking, hacking workshop, ignorance, Peter Wood, security awareness training.
