The cyber attack on Sony Pictures late last year revealed not only the lengths that determined hackers will go to in targeting a company, but also the devastating impact they can have.
The aggressive attack, by the hacker group Guardians of the Peace, was intended to damage and publicly shame the company. It resulted in the publication of millions of private emails, as well as personal information about the company’s executives, and stars such as Ben Affleck.
Such attacks also reveal weaknesses in corporate cyber security, and the way in which companies and governments respond to the threat presented by today’s sophisticated breed of hackers.
Engineers working in the cyber security field are at the front line of efforts to protect countries and private companies from attacks by hackers and digital criminals.
“Elements of cyber-security divisions are beginning to become the norm in the areas where world-class R&D is being carried out
Jim Wheeler, Protection Group International
Cyber-security engineers can be involved in anything including managing networks to keep hackers out, testing networks to assess their vulnerabilities and forensic analysis of attacks and new malware to understand the nature of a threat. They can also be involved in advising companies and government departments on the latest threats, as well has how to better protect themselves.
Unfortunately, every organisation has something worth stealing, particularly if it has great ideas, according to Jim Wheeler, director of cyber operations for Protection Group International (PGI), a UK-based risk management specialist.
“Elements of cyber-security divisions are beginning to become the norm in the areas where world-class R&D [research and development] is being carried out,” he said. “The most efficient deep-sea drill bit, the strongest engine, the lightest battery, the best compression algorithm: they all need their future revenue streams protecting.”
Countries can be attacked via their financial systems, utilities or ability to process and deliver information, including through both governmental and commercial organisations, according to Elaine Baker, engineering director at BAE Systems Applied Intelligence.
“We protect a lot of companies across a variety of industries, starting with what might be termed ‘critical national infrastructure’,” she said.
“We protect against all kinds of threats, including insider trading at banks and financial institutions, fraud, money laundering, hacking, phishing and the like – what might generally be termed old-fashioned cyber crime or cyber terrorism.”
Increasingly, cyber-security firms such as BAE Systems are also looking at digital criminality, or the perpetration of major crimes using modern tools, said Baker. “It’s easier and far safer for career criminals to commission malware writers and hackers to build a tool that lets them skim a tiny amount from hundreds of thousands of bank accounts than it is to run, armed, through the door of a bank branch – but the end results are often the same,” she said.
The company’s cyber-security team helps its customers guard against advanced cyber attacks. These are often extremely targeted hacks specifically tailored to that organisation – as was the case in the Guardians of the Peace attack on Sony.
“It’s easier and far safer for career criminals to commission malware writers and hackers to build a tool that lets them skim a tiny amount from hundreds of thousands of bank accounts than it is to run, armed, through the door of a bank branch – but the end results are often the same
Elaine Baker, BAE Systems Applied Intelligence
However, unlike the Sony attack, in many cases the intent is not to humiliate the targeted organisation, but to steal valuable intellectual property or other information, or to disrupt their operations.
Engineers working at BAE Systems Applied Intelligence develop advanced technology- led security systems, according to Baker. This includes protecting an organisation’s email systems.
Email is one of the most widely targeted systems, and 70–90 per cent of malware is designed specifically to attack a given organisation, Baker added.
“That means so-called ‘Zero Day Attacks’ – attacks that are entirely new and that haven’t been seen before – are being made against a much wider variety of organisations,” she explained.
On an average day, engineers working in cyber security could be designing and building sensors to identify malware signatures, or handling and analysing data. In particular, cyber-security engineers need to be able to understand the movement of data and the mechanisms used to move and act on it, and then understand and analyse its impact, according to Baker. “In essence, the skills needed are core engineering skills,” she said.
Engineers working in the sector need detailed information and analysis skills, with experience in understanding data and spotting patterns within that data.
“Another important skillset is the ability to predict outcomes based on information we review and enhance,” Baker added.
More and more graduates are finding the idea of working in cyber security appealing, and as a result BAE Systems has seen a high level of interest in roles at its Applied Intelligence arm, she said.
The company recruits professionals at all levels, including software engineers and design specialists, who work with client organisations and within the Applied Intelligence research laboratories, she explained.
Across the industry as a whole, however, there is a significant shortfall in the number of properly qualified cyber-security professionals both in the UK and globally, and many top companies are struggling to recruit the staff they need, according to Stephanie Daman, the chief executive officer of the Cyber Security Challenge – a programme of national competitions and education and networking initiatives designed to encourage people to enter the profession.
That is not because the UK does not have talented individuals who could do these jobs, but rather because many of those with the right skills are self-taught and do not therefore have formal qualifications, she said.
“As cyber security is now fundamental in ensuring that we trust the online services that have become so much part of our lives, the disconnect between the talent we know is out there and the right number of properly qualified individuals in cyber security roles is hugely worrying,” added Daman.
Academia is helping to address this need, with graduates in ethical hacking, information security and cyber security beginning to enter the workplace, according to PGI’s Wheeler.
But specialists are also moving across from IT roles, network engineering and software design into the cyber-security field, he said.
In 2014, PGI also launched its own Cyber Academy, in a bid to help bridge the skills gap. Good cyber-security engineers need knowledge, attention to detail and integrity, according to Wheeler.
Ultimately, though, all engineers will need to be aware of the dangers of cyber crime, he said.
“Both cyber crime – crime committed purely on computers – and cyber-enabled crime – crime that is helped by the use of computers, such as illegal-substance logistics, fraudulent purchases and credit-card detail theft – have grown exponentially,” he explained. “So much so that we all need to become more aware of the risks and have an embedded cyber-security strategy.”
Five ways to prepare for your first day
If I may add my own personal Tip No. 6 it goes something like this: From time to time a more senior member of staff will start explaining something...