The Friday Interview: Andy Harbison, Ernst & Young

13 Feb 2004

Digital meltdown, viral Armageddon, internet apocalypse. Perhaps these are not the words that Andy Harbison (pictured) would use to describe today’s internet security quagmire, yet the Ernst & Young security expert pulls no punches about what he sees as the rapidly escalating threat faced by the net.

For example, of the recent MyDoom virus he says: “If instead of targeting and taking down the SCO website, the virus had randomised its attack, it would have had a fighting chance of taking down the TLDs – the top level domain name servers. If they had been overwhelmed, there would have been no more domain name resolution and that would have knocked out the internet. How long for is another issue…”

In making such comments, Harbison could be accused of further hyping an issue for which there is already no shortage of doomsayers – many of whom working in an industry that will directly benefit if we all buy more security products and services. It’s a classic Catch 22 situation: speak out and be damned, shut up and be accused of irresponsibility. Harbison is one of those who prefers to speak out and if what he says ends up sounding like hype and hyperbole, then so be it. He makes no apologies for his viewpoint, which he points out is informed by 20 years’ experience in the IT industry.

Harbison is a manager within E&Y’s Technology Security Risk Services, one of the largest security consultancies in the country employing 30 consultants and technical staff. Penetration or ‘pen’ testing is one of the principal services it offers. This involves trying to break into corporate networks in order to gauge how secure they are. Whereas many pen tests consultants use automated scanners to probe for weaknesses, Harbison feels there is no substitute for human ingenuity and openly admits that the group uses “real hackers” to perform the tests. He quickly adds that they are ‘white hat’ hackers – the good guys – and not ‘black hats’, the miserable so-and-sos that set out to do damage, steal corporate secrets and so on.

Why hackers and not scanners? Because, he says, real hackers themselves tend not to use scanners, which they see as blunt instruments to probe for weaknesses. Moreover they create a lot of ‘noise’ on the internet, alerting corporate security personnel that their networks could be under attack – very uncool.

While all organisations are vulnerable to hackers, some do a better job at protecting themselves than others. Harbison notes that Ireland seems to be ahead of most other European countries in this regard. He’s not too sure why, but Irish businesses “do seem to be clued into the internet hacking business”. We do less well, however, on two other security fronts: web applications and internal security policy. In these areas – particularly web applications – our performance is “utterly miserable” he reckons.

Web applications refer to the clutter of programmes sitting on top of Windows or other operating systems that enhance the user experience of the internet. Hackers have discovered that the build quality of some of these applications is less than perfect, making them vulnerable to manipulation. Hackers have found they can insert their own commands that would allow them to, for example, harvest credit card numbers unbeknownst to the victim.

From talking to Harbison, you quickly realise just how fluid and dynamic the whole hacking ‘industry’ is. The rule seems to be that as organisations bolster defences in one area, the hackers move on to the next area of weakness. A current favourite of hackers is the old practice of ‘dial-up’ hacking, whereby they attempt to gain access to corporate networks not through the company’s internet connection but through their PBX or internal switchboard. If successful, the hacker can essentially take over the PBX and run up huge phone bills on the company’s account. This happened in the UK on St Patrick’s Day 2002 when a company found itself facing a £100,000 phone bill following a successful dial up attack.

Moreover, businesses that feel that they are minimising the threat may actually be opening a back door to hackers, notes Harbison. For example, in firms that have banned internet access for employees, the staff can get around this by buying their own modem and hooking it up to their PC through the Comms port. These often unprotected modems become soft targets for ‘war dialling’ attacks, which involve scanning telephone lines to find unsecured modems and create backdoors into corporate networks.

Harbison’s job also encompasses computer forensics. This involves searching computers for a trail of evidence that would incriminate a user of fraud or other illegal activity. Until now, computer forensics has largely been limited to computer networks and PCs but as the recent case of the schoolgirl and the camera phone illustrated, the mobile arena is a growing market for this type of service. In both computer and mobile networks, the key consideration is preserving evidence, says Harbison. “I heard a so-called expert talking on the radio recently saying that anyone who receives an offensive image on their phone should automatically delete it. Wrong. You don’t delete it; go to the Gardai.”

Harbison believes the problem, which can only get worse, is “extremely difficult” to counter and he has some sympathy for the mobile operators. “There are software filters out there but if the operators start using it, the trouble is that for every child porn image they block, they’ll be blocking a thousand conventional images. Don’t forget: one person’s baby photo is another’s child porn image.”

Since the problem is one of human behaviour, the solution, he argues, needs a human rather than a technical solution. The same could be said of the internet itself, which he believes could soon become a victim of “too many people taking and not enough putting back in” – a reworking of the classic ‘Tragedy of the Commons’ scenario. Until investment is made in maintaining and protecting this valuable shared resource, he argues, virus problems and hacking attacks are likely to get even worse.

By Brian Skelly