Computer Crime Research Center


Viruses, hackers and other cybersecurity dangers

Date: November 23, 2005
By: Chuck McCutcheon

Viruses, hackers and other cybersecurity dangers are a growing headache for millions of people -- but too few are learning how to fight the problem.

That's the view of computer experts, who say it's high time the public -- from corporate chiefs to at-home Web surfers -- joined information technology workers in being trained to protect themselves online.

Some states have set up Web sites offering cybersecurity tutoring, while colleges are exploring ways to teach the subject to a broader audience. Experts say there's lots of catching up to do.

"We're losing the footrace on computer security, and I just haven't seen any kind of educational groundswell that can answer this challenge," said Dave McIntyre, director of Texas A&M University's Integrative Center for Homeland Security.

A survey by the National Cyber Security Alliance, a Washington-based nonprofit group sponsored by both government agencies and private companies, found that 62 percent of homes with broadband access to the Internet did not regularly update anti-virus software. Nevertheless, it said, 86 percent kept sensitive information on home computers.

"There is an enormous need to educate non-computer professionals on computer security -- there are a lot of naive users out there," said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc. in Mountain View, Calif.

Anti-virus software and other technologies only go so far in protecting a network, given how fast threats are proliferating, Schneier says.

During the first six months of this year, the security software firm Symantec documented nearly 11,000 new viruses and computer worms attacking the Windows operating system -- a 48 percent increase over the previous six months.

"People need training, and it has to be more than just saying, 'Install a firewall,'" said Judith Collins, director of Michigan State University's identity theft crime and research laboratory. "It has to be not only on how to secure their hardware but on how to secure information while you're on the Internet, on what type of information to refrain from putting on the Internet."

But such training is not widely done. The consulting firm Ernst & Young, in a survey of 55 countries released this month, found that just one in three executives and two of five general users had received any instruction on how to respond to computer security incidents.

"Users of sensitive systems, like financial institutions, get a lot of training, but in other industries it varies greatly," said Amit Yoran, the Homeland Security Department's former cybersecurity chief. "If you go down to students and home users and consumers, it's just up to them to find material on their own to learn about security issues."

To give people a place to turn, the state of Michigan in May unveiled a Web site. It features details on viruses and other risks and offers online quizzes for ordinary users to test themselves.

"There is a growing recognition that we have to do more educational awareness," said Dan Lohrmann, the state's chief information security officer. "It's a challenge."

The National Cyber Security Alliance has been seeking to draw attention to its Web site. Executive Director Ron Teixeira said an upcoming campaign will provide holiday consumers tips on online shopping.

The alliance maintains that educational efforts should begin as early as kindergarten. "The main way kids now get technology skills is peer-to-peer, the equivalent of learning about sex from the street," it said in a report last year.

At the college level, Texas A&M's McIntyre said he is developing an information security curriculum aimed at regular users, business executives and managers. He hopes to start programs offering two or three days of instruction as well as longer continuing-education classes that could be offered online.

One predicament, said Julie Ryan, an engineering management professor at George Washington University, involves the ethics of computer security.

"By definition, we can't teach students how to protect and defend information assets and systems without teaching them how to attack" those systems, she said. "We go out of our way to caution students on law, regulations and morality, but there is always a possibility that a student will abuse the knowledge provided, either on purpose or by accident."

That, Ryan said, opens the door to liability concerns.

She recommends more faculty training. "The people who are qualified to teach and understand computer security are, by and large, computer scientists -- you don't find a lot of MBAs or lawyers," she said.


-- Denial-of-service attack: a data attack that causes victims to lose service by consuming the bandwidth of their network or overloading the computational resources of their systems.

-- Phishing: attempts to acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an official-looking but fraudulent e-mail or instant message.

-- Virus: a self-replicating program that spreads by inserting copies of itself into other executable code or documents.

-- Worm: similar to a computer virus, but self-contained; it does not need to be part of another program to spread.