Date: Mon, 3 Dec 2001 19:30:26 +0000 (GMT) From: Alex Butcher > I'm writing a story about a new technology course on offer at Cranfield > University, which focuses on cyber crime prevention and detection. It is > aimed at showing police and IT security professionals how to extract > evidence from digital communications. Their "Forensic Computing" MSc/PgDip ? > I wonder if you think this kind of course is valuable/necessary in the > fight against cyber crime? The devil's in the details, but potentially, yes, it is of value. We have laws regarding criminal offences perpetrated using computers, but suspects are rarely prosecuted due to the issues involved in collecting and presenting high-quality forensic evidence. Laws that aren't seen to be enforced are frequently disregarded as there is little or no deterrent effect. The reasons that I say the details make-or-break this course are firstly because if forensic investigations are conducted without proper technical awareness then there is a risk of unsafe convictions. Some of the technical evidence I have heard presented in prosecutions has been of a very flimsy nature. With this in mind, defending counsels should also make themselves of the technical issues involved in computing forensics in order to properly defend their clients. Secondly, and Cranfield to appear to address this, the skills required in performing computer forensics can be abused, so an ethical approach is essential to prevent breaching the privacy of parties unrelated to to case in hand. > Is it important for students in general doing technology-related degrees, > and hoping to work in IT departments, to be taught about security > techniques and computer crime? Absolutely. Many of the problems we're encountering are due to limited coverage of security issues in degree courses and a high intake of inexperienced personnel that have been employed to satisfy sustained IT infrastructure demand. Systems are being deployed and programmed by people with little awareness of the security ramifications. It's sometimes difficult enough to write and configure software securely when you *are* aware of the issues involved! In the past, deploying insecure systems was less of a problem in all but the most sensitive organisations because they frequently weren't accessible to outsiders across a network and so were arguably subject to fewer attacks. These days, systems are more complex, they're being combined with other systems in diverse ways and they're commonly accessible (directly or indirectly) across the Internet. Recently, we've seen a Denial of Service (DoS) attack targeted at Nokia mobile phones via the SMS protocol . This case illustrates that secure design and implementation has become a requirement in all sorts of systems that weren't previously thought to need it. The academic community undoubtedly has a part to play in educating their current and future students (and therefore tomorrow's personnel), but organisations should take steps to make sure that *all* existing staff (i.e. not just "IT people and programmers") have received training appropriate to their role and, just as importantly, practise what they've been taught in a culture of security awareness. Alex Butcher Independent InfoSec Analyst.