How a security training company and a university aim to provide courses on IT security for security managers featured in our April issue.
Mark Rowe met the trainer and the IT man behind the move.
They are Raymond Clarke, Director of SAFE (Security and Facilities Education) and Parmjit Chima, Technology Innovation Centre (TIC, www.tic.ac.uk) centre manager. The TIC is a faculty of the University of Central England, covering engineering and computer technology, and based in the Millennium Point building, in Birmingham city centre. One of my abiding memories of the day is sitting around a table with the two, drinking Costa coffee, with the view behind me of a spotless breath-takingly enormous 21st century building. An IMAX cinema is the least of it. The four seminars planned are, in Ray Clarke’s words, ‘a toe in the water’, to see the demand: introducing non-IT security managers to the IT risks, and simple procedures to manage some of those risks; policy and strategy, how to get in involved in ethical hacking of computer systems; looking at the convergence of analogue and digital technologies, aimed more for those specifying security systems; and a look at the future for the next ten years. Most security managers, Ray suggested, because of their background, are not knowledgeable about technology, himself included, he admitted; and it struck me as Parmjit took us on a tour of the TIC part of Millennium Point, that besides Ray’s commercial sense as a trainer for an opportunity, he had besides a desire, as someone whose 20th century degree was in electronics, to learn more himself, catch up with his IT-aware children and that ‘internet generation’. As he put it: “I felt within the security industry there actually isn’t a point of reference for looking at things that are coming over the horizon, in terms of technology, and what we can do with it.” Thinking of how technology has come on in the last ten years, maybe all anyone can hope for is an approximation of what the world might be like in five years. And it’s not only how the technology advances, but appreciation by security people of what is out there, and what is possible. As Parmjit put it: “If you can get data in a digital medium, thre are so many ways of transmitting, storing and using that image.” Some security managers may be up to speed; one example being banking, because all in that sector are exposed to the technology. Or, a security manager may be in an organisation with a sophisticated IT department. But what of the rest? Is it, I wondered aloud, about security people knowing the detail of IT and network security, or merely being able to converse – being fluent in the language if you like, so the security manager can talk around the table with the IT guy? Ray said: “Are we looking at making them [security managers] experts overnight? No. Are we hoping that we raise the covers on a few areas they aren’t aware of? Yes. We hope it’s the start of a journey.” A journey, both men would agree, that does not stop, because the technology developments do not. And if the security person does not take that technological journey, be sure that IT people will. As Parmjit said, a web camera and image manipulation software are cheap, on sale in PC World, that you can set up, point the camera, so that anyone who walks into view is picked up. No security knowledge required. Rather than alarm engineers, we might see data engineers, Ray suggested. The average [security] installer, Parmjit added, is not a PC user, does not know how to set up a web server, an IP address, how to secure a network – the job of a data engineer, if you like. A wake-up call for the traditional alarm companies, Parmjit added. TIC has become the lead training centre for Cisco Systems in Europe, Middle East and Africa (EMEA) – in other words, the TIC trains the CIsco trainers. The centre is an approved academy for Microsoft. Besides, you can attend to gain a BSc in computer networks and security; or an MSc in data networks and security, to name two degrees.
Data devices
I take the chance to ask Parmjit: well, what can you foresee in ten years,bearing in mind the staggering changes in the last ten years? Smaller devices, more devices able to store more data. He offered the prospect of storing data on your iPod, or your mobile phone, “even your digital watch; and have connectivity. With mobile phone technology racing ahead the way it is, there is no reason why you cannot have devices internet-enabled; and more and more companies are going down that route.” He gave the example of a vending machine; he was looking towards a drinks machine, a floor below, across the expanse of the building foyer over my shoulder. A vending machine with processing power! The vending machine could tell the operator the number of items in stock, what the machine is running out of, and how much money is inside. That is, the prospect of connecting remote devices with remote sensing wireless technology. So how does the vending machine manager know whether Tom, John or Harry went to that machine, and took the money out? RFID technology and biometrics, Parmjit answered. A vending machine biometrically-enable is totally feasible now, he aded. The service engineer would put his thumb to the machine, the machine registers that it has given X money to John. And all this is in real time; the machine has sent the data to head office, so the manager can await the pounds and pence. In other words, information and how fast it can be sent, securely, can affect loss prevention, asset protection, whatever you want to call it. Ultimately, as parmjit summed up, business is all about information, and making sureno-one else accesses that information. Because keep in mind that universities are teaching the internet generation, young people who have grown up with the internet. Yes, the university is teaching computer students in ethical, ‘white hat’ hacking, whereby the student can be an IT security employee, testing for vulnerabilities on your computer network. But what’s to say by night the hacker is a ‘black hat’ hacker, challenging your network, maybe not even maliciously, but to test the boundaries? It struck me that here was a strictly IT side, but a security side too: the need for screening of staff. Parmjit agreed, adding for the need to keep unauthorised people out of computer labs. And sure enough on a tour of the TIC, besides the (out of sight) IT administrators keeping an eye on what the students are downloading and viewing, there’s a physical person at a desk, and a dome camera suspended from the ceiling. Various doors around the TIC are proximity card-controlled, and the photo-identity cards also work computer printers, for example.
Keyloggers
Outside, the trains are going in and out of New Street station; on the horizon is the Bull Ring shopping centre, and Birmingham City’s stadium. Inside, Parmjit is showing a key-logging device. You can buy one for maybe £50 and set it up in a few minutes on a machine, fitting between the computer keyboard and the PC. Thumb-sized, you can mistake it for some sort of adapter. But once attached to your PC, every key stroke is recorded; and in Parmjit’s case that could give away his computer password and let a hacker read, for instance, next year’s exam papers. Parmjit does not bank online. The makers of such devices do say that they are for legitimate purposes, for IT administrators to monitor PC users. But there is potential, there have been cases, of these key-loggers fitted to steal data, a week’s worth of your computer data, for frauds. And who knows how these key-loggers could develop; might they be embedded into a keyboard so you cannot even see one stuck into the back of your PC? As Parmjit says, it is frightening, how easily information can be stolen; a keylogging device attached to your PC one day, and taken away the next. And then there is the prospect of biodata – from your training shoes to your iPod, perhaps; telling you how many steps you have walked; or ‘smart’ fabrics, clothes that can store and transmit data. Back at the TIC reception, handing back our visitor badges, I noticed that the reception desk had colour CCTV monitors. It brought to mind a choice facing everyone in security management: they can choose to stay up to date with IT, the ever more bewildering ways of collecting and moving data, and seek to protect business information from harm, while letting the authorised access it in ever wider ways; or, security manager responsibilities can shrink to the gatehouse, and not a lot else.
