Careers in Information Security: Fighting the Insider Threat
In this exclusive interview, Matt Bishop, Professor of Computer Science at UC-Davis, discusses:
- His current projects, including vulnerability analysis and the insider threat;
- Opportunities for information security students;
- Advice for individuals looking to enter the field.
TOM FIELD: Hi, this is Tom Field, with Information Security Media Group. I'm talking today with Matt Bishop, Professor with the Department of Computer Science with the University of California, Davis, and we are going to be talking about his department, the work that he is doing and then some options for people that either are starting careers or looking to make a mid-career move. Matt, I want to thank you so much for joining me today.
MATT BISHOP: Thank you for inviting me.
FIELD: Matt, tell us a little bit about yourself and the work you have been doing at UC Davis.
BISHOP: I graduated from Purdue, and then I went to NASA Ames to the Research Institute for Advanced Computer Science for a couple of years. I then taught at Dartmouth for six years, and then came out to Davis. I am a Professor in the Computer Science Department and one of the co-directors of the security laboratory here, and I have been working in computer security since, I guess, since 1979 when I was a grad student.
What has always interested me is why we can't build computer systems that aren't vulnerable. Why are there problems? We've had computers now since the '40s or '50s, and yet we still can't build a good one or one that is secure. So I got interested in vulnerability analysis when I was a grad student, and I'm still continuing to do that, and it has taken me down some interesting paths. Perhaps the two that, at least to me, are most interesting are first of all, when you gather data to analyze vulnerability, sometimes you come across very sensitive data like names or passwords or things like that. So how would you eliminate the sensitive data and yet retain enough information to analyze the vulnerability, or figure out how the attack worked and so forth. That is called data sanitization, and that is an area that I have been doing quite a bit of work in.
Where you are trying to balance the needs of security, the need to do the analysis with the need to keep people's information private, because there are some things that simply should not be available to anyone other than the people who need to know them, It is a very, very difficult problem because there are two aspects to it.
The first is for example, eliminating SYNTAX, you know, if you see the word login followed by a colon, the next thing is probably a user name, so it is easy to remove that, but then there are issues of semantics. For example, in California if you know the zip code, the number of children and income to within some range, I don't remember the exact range, you can uniquely identify about 50% to 70% of the people in the state. So this is where information is contained in the content, and that is a lot harder to figure out. So, that is one area that I have been looking at.
The second one I got involved with when some friends of mine asked me to help them look at a voting machine and basically their job was to see how hard it would be to rig the voting machine to report the results that somebody wanted. This was done in a laboratory, and it was not done during an election of course. It took us about five minutes to rig the machine and then 30 minutes to change the results of what would have been the election ,and through that some other people pulled me into other adventures.
So I have been spending a lot of time doing work with electronic voting and the whole idea of voting machines and the like. And it turns out that there is an aspect that until recently most people haven't been looking at, which is not the reliability of the voting machine itself or the security of the voting machine itself, but instead the security of the voting machine within the context of the election.
In other words, an election is a process, and certain things you do during that process will reveal problems in accounting or problems in the machine. But if you just look at the machine itself, something may look fine when it's not, and something may look bad when it's really okay because of the surrounding procedures and so forth. So we have been trying to build a model and analyze that process so we can better understand what the requirements for voting machines are.
FIELD: Interesting stuff. Let me ask you a little bit about some of your students. Who do you find entering your program right now, and what do their career interests seem to be?
BISHOP: What's really neat is we find an incredible variety of people entering the program. One of my best grad students, for example, was a double major -- computer science and creative writing -- and that's great because people very often have the idea that if you want to do computer security, which is the main area I work in, you have to be highly technical. In fact, the opposite is true. You need to understand -- the technical stuff you can learn, but what is often much harder for people to learn is how a society functions, how systems functions, systems of people and policies and so forth function and how the machine fits into all of this, and that is a critical component to security.
The other thing I've found is that very often when you do things like creative writing or languages or the like, you come up with interesting but different ways to look at problems. And a lot of computer security is questioning the assumptions on which your systems are built. People who have done a lot of creative work are very good at finding these assumptions and saying, 'What happens if that is wrong?' and more often than not, what happens if that is wrong is someone is able to break in.
So we get a fairly broad spectrum of students, which is wonderful and their career interests, the ones that I have the most contact with, typically want to go either work for companies in industry or work in academia and teach and do research. But a few students have gone into government, and some of them have done incredibly good work there as well.
FIELD: Well, that was going to be my follow up question: Where are you placing some of these really bright, sort of diversely talented students?
BISHOP: A lot of them go to commercial firms. We are fairly near Silicon Valley, so a lot of people go there. For example, we have some people -- one of my students is working at Google. In fact a couple of them are working at Google. Some of them work for Sun Microsystems, all sorts of other companies. Some go to start-ups, and there have been a couple who have gone on to careers as professors, and some have in fact gone into government. For example, one of our outstanding graduates now works for the National Institute for Science and Technology, and another one, who graduated about the time I came in, now works at one of the national labs. Another one of my students is now working for Sandia, so people basically come out of here able to go pretty much wherever there is interest in security and that interest is growing.
FIELD: That's got to be really gratifying for you to see.
BISHOP: It's nice. What is really gratifying is that as far as I am aware, none of the students have taken the jobs because they desperately needed a job. All of the students who took the jobs basically said you know, this is a really good fit and I really want to do this. And I think that's what gives me the most satisfaction, knowing that the students are doing what they want to do rather than what someone else thinks they should do or what they have to do out of desperation.
FIELD: That's good to hear. Now you spoke about some of the initiatives you are working on, the vulnerability analysis, the electronic voting; what are some of the key initiatives that you are working on now that would be of particular interest to financial institutions?
BISHOP: I don't know whether or not electronic voting would be of interest because it can be used for corporations and stock holder meetings and things like that. Probably the one that is of the most interest to financial institutions is the insider problem. The normal view of this is well, somebody you trust does something nasty such as a bank president wiring $10 million dollars to an unnamed or a numbered Swiss account and then leaving, and the controls that are in place either malfunction or aren't appropriate to prevent someone that highly trusted from absconding.
This problem exists, not just computer threats, society, because when you put trust in something you are expecting the person to honor that trust. What happens when it is breached? Well, if you read the literature, it turns out this problem, at least in the computer science sense, is not well defined because each person, each paper uses its only slightly different definition, and in fact we were amused to find one paper in which there were two different definitions used in the paper.
So what we are trying to do is first develop a better understanding of how the insider comes about, what gives the person the ability to be an insider, not in a psychological sense but in a technical sense. And secondly, how can we look at a particular institution and give them a method for figuring out, okay, of all these people, who are the insiders, or rather who would have accessed not just them themselves, but through them, and I will explain that in a moment, and then what are the risks. So in other words we are trying to come up with some way to quantify the measure of the problem.
Now what do they mean by through them? Well, let's say for example you work in an institution, and only trusted people have access to the system. So you go home every night and the janitor comes in and it sweeps up, and the janitor is accessing that computer, unless it is very well protected. So the janitor now is a point of concern. Now let's say you are working at home and you are logging into your system, you are going in over a virtual private network, so it is very secure and the like, and the refrigerator repairman comes in and works on your refrigerator and notices you typing in your password. That refrigerator repairman may now have access to your system. Or if you have a teenage child who has not yet learned the meaning of the word no or limits, and they see you dong this, they may have now have access. So those are other things you have to factor into consideration.
Most of the work we see with the insider problem either deals with, well, you are already on the computer, so how do you protect against that, which is part of what we are interested in, or they say, here's this persons job, what can this person do as an insider based on the job?
FIELD: Okay. Now I know you have got a lot of business partnerships, and one of the key issues from academic institutions is what are businesses asking for from the academic institutions. What do you find the expectations are now for new security professionals entering the field?
BISHOP: For people who are graduating and going into careers in security it depends on exactly what they are doing. The thing that most companies seem to expect is a good understanding of how things work and what security is, and how to apply it to the company's particular problems. A very good example of this is programming. There is a serious problem with what it known as secure coding, which is a misnomer by the way. No program can ever be made secure because there are just too many things it relies on. But on the other hand, we se ethings like buffer overflows and race conditions, which are obvious problems. So companies are really concerned about people not being able to know what those things are and not write programs that have those vulnerabilities. So we are seeing a lot of interest in how do you teach this stuff and how do you graduate people who won't make these mistakes.
Most companies are more than willing to train people on their particular equipment or in their particular set up. I've seen a few that tell me your students should walk out and walk into a job, and we should not have to do any training, but my experience is that is number one, unrealistic; and number two, most companies realize their set up is unique enough that people will have to learn on the job. So basically what they want are people who lack professionally and who know security in general and who can very easily apply it to unique and novel situations.
FIELD: That makes sense ,Matt. One last question for you, in terms of somebody that would be getting into information security now, whether as a first career or as a mid-career move, what advice would you give to them?
BISHOP: Let me give you a multi-part answer. The first one, if you are coming into it or you are interested in it as a first career is: don't just become technical. Focus on the technical stuff, but also focus on its role in larger environment. For example, you learn technically here is a policy, how do you implement it? But what you don't learn is well, is that the right policy? And a lot of times companies have, for example, clamped down so tightly that the people who are doing the work simply can't do it. So what do they do? They start doing it on other systems or find other ways around your security and all of the sudden you've got a major security problem.
I've seen security groups within companies basically -- you might call them the abominable no-people, because they keep saying no, and that is very bad. What you say instead is well, if you do that here are the dangers that you are going to create, so we don't want to do that. Tell me what you are trying to do, and we will see if we can figure out some way to help you do it.
So in other words, security is not just technological; it is also very much a people-oriented thing. So if you are trying to get into it as a first career, do the technology, but also do humanities, do history, do sociology or whatever interests you about people because that will help build your understanding and ability to work with people.
As a mid-career move, one thing you might do is look at where your strengths are. And the neat thing about computer security is that it cuts across all boundaries of computer science. One of the thrills that I have had is that I've worked in very formal mathematics. I've also worked in very applied systems, as in how to display data and how do we figure out how to fix it, where you dive into the network traffic and look and see what is going on. So look to what your strengths are, and then see how you might apply them to security. And if you don't know about security at all, there are a lot of good books out there. I would recommend some of the introductory ones, and as you go one there are a lot of good textbooks. Look through them and see how that information applies to you or how you can apply that information to what you do.
FIELD: Very good, Matt. I appreciate your insight and your expertise today. You've offered us a lot, and we are very grateful for it.
BISHOP: Thank you.
FIELD: We've been talking with Matt Bishop, Professor in the Department of Computer Science with the University of California Davis. For Information Security Media Group, I'm Tom Field. Thank you very much.