After Justin Funke had performed his first security audit, he knew how
much money the president of an online service provider made one year.
As a computer systems security analyst, he had to test the network for
any holes and blind spots. And it did not take him long to find some.
"Within 30 minutes, I had the full run of the network and I just can't
put into words the look on the president's face when I recited back to him
his client list and told him that...I thought he wasn't paying himself enough."
It turned out that this company ran a cable connection directly to its
network without a firewall (a system that protects computers and networks
from unauthorized use). That is like putting up a large, pulsating neon sign
that reads Crackers Welcome.
Thankfully, Funke turned it off before it attracted any unwanted visitors.
It certainly appears there are more of those these days. And there is no question
that they are causing more damage than ever before.
Cyber crime cost the U.S economy more than $265 million in 1999. That's
what Louis Freeh, director of the Federal Bureau of Investigation, said in
a presentation to Congress. Some suspect that number is too low. And if it
is accurate, it is pocket change compared to the damage hackers caused in
2000.
A teenage cracker shut down major sites like CNN and eBay. His attack caused
millions of dollars in damages. The cyber cops eventually tracked him down
through chat rooms, and he soon found himself in a courtroom. And that was
not even the worst of it.
Some say the global economy lost billions of dollars in foregone sales
and extra costs when the I Love You virus wormed its way through cyberspace,
affecting more than 45 million computers users across all time zones.
Yiman Jiang certainly remembers that day. She is the principal partner
of a computer consulting firm. She is also an expert in computer security
issues.
It took her and her staff more than 10 hours to access a site from which
she could download the necessary protocol to fight the virus. In the meantime,
there was not a whole lot she could do except for sending a mass e-mail that
warned her staff not to open any incoming messages that professed amorous
affection in its subject line.
"The best one can do is to take all precautions," she says.
That means running tests and more tests to make sure the system you are
protecting is ready to handle any denial-of-service attacks or viruses.
It also means keeping up to date with new software developments. And that
is the most difficult aspect of working in the field of computer security
because it is changing so rapidly, says Jiang.
New bugs are coming up constantly, and so are new counterattack programs,
she says. And once you are up to speed, you have to implement them because
the other side may already be working on a way to get around them.
"Once a system is in place, most people tend to think [they] are safe and
OK," she says. "But that's not the case at all."
Indeed, computer systems security analysts and crackers are locked in a
virtual arms race.
"We will build better defenses, and they will try to find ways to get around
those defenses," says Dave Kennedy. He is the director of research services
for an Internet security company. "That is just the tension that has always
existed between defense and offense."
None of the people interviewed in this story would name the clients for
whom they worked.
"We sacrifice a lot of media for our clients' security," says Dean Pothorin.
He heads a company that sells firewalls for small and medium businesses.
Both sides would like to know what the other side is doing. "It's a battle
of intelligence," says Pothorin. So spies abound, only this time you will
not find them lurking around in shadowy corners. Espionage now happens online.
"Members of our staff are very much in tune with what's going on in the
hacker community," says Pothorin. "It is one of those communities where you
have to be trusted to get into. You can't just show up and say, 'I am here,
let's talk.' It takes years and years to get into the underground and understand
and realize what's happening. So we got people who are very deep into this
stuff, and that's where we get our intelligence from."
Note that there is a difference between "hackers" and "crackers."
Hackers are ethical professionals who try to break into their clients' sites
to find the security holes. Crackers are just out to break into systems to
cause havoc. People often use the term "hacker" when they really mean "cracker."
Demand for computer security analysts is incredibly high. It far outstrips
supply, and companies are scrambling for security analysts with experience.
"Generally, I get two or three probes a week from people who want to know
whether or not I'm interested in another job," says Kennedy. "And everybody
who is an established security information person gets those."
And since they are in such high demand, security analysts can command high
salaries.
"There are a lot of information security people who are making well over
$100,000 a year," says Kennedy. "I can say that there are maybe a hundred
people in my field who are making a quarter-million dollars a year."
But along with high salaries come long working hours. "Programmers are
infamous for working 40 to 50 hours straight before taking a break in order
to finish their current assignment," says Funke.
But it all depends on your perspective, he says. "Anyone who finds information
security as fascinating and exciting as the majority of us in the field soon
realizes that time is relative," he says. "If you do not enjoy this work,
you won't make it longer than a couple of weeks, guaranteed. The long hours
are by choice, not by [necessity]."