On the job their co-workers may call them IT geeks or propeller heads, but when they enter the Toronto Convention Centre next week, they become the IT version of the League of Justice, super heroes in the growing battle against computer crimes.
The Nov. 20-21 event is the first SecTor conference, organized by the 2,000-member strong Toronto Area Security Klatch. For computer security professionals, it's their version of Harry Potter's defence classes against the dark arts.
Brian Bourne, president of CMS Consulting Inc. and chief organizer of SecTor, expects 300 computer security professionals will gather to learn from experts what is new by way of threats and, equally important, what they can take back to their jobs to safeguard their employers.
The event is badly needed, says David Senf, director of security and software research at IDC Canada. "Our surveys of Canadian businesses show that their faith in the security of their IT systems is irrationally high," he says.
Mr. Bourne says he got the idea for SecTor from the annual BlackHat security conference in Las Vegas. "There is a growing and pressing need for professionals to get together, network and learn what is happening out there."
At the same time he does express a concern that SecTor, like BlackHat, might draw not only cyber-crime fighters but their criminal counterparts as well. "Computer crimes are growing at an explosive pace," Mr. Bourne says. "It often seems the bad guys are inevitably one jump ahead of us."
Too true, says Mr. Senf. "There are all sorts of really cool scams out there today. The thing that impresses is not just the numbers but how sophisticated today's bad guys are."
Making those "cool scams" easy to perpetrate is the fact that most Canadian businesses rate their security measures at a 3 or 4 on a scale of 5, he says.
"One major overlooked area is employee exit security," Mr. Senf says. "Only 30 per cent of mid-market companies and just 40 per cent of large companies have any sort of policies in place to ensure employees leaving the company no longer have access to its systems."
For the general public, especially young people, the biggest threat comes not from e-mail attachments - the source of 46 per cent of all viruses and dark-side threats in the rest of the world - but from music and video sharing, says Dean Turner, one of Symantec Corp.'s top security experts.
"Everywhere else in the world it is e-mails. In Canada because there are no laws against music downloading and sharing, peer-to-peer intrusions top the list," he notes.
"What we are seeing is criminals using extraordinarily innovative ways to rip people off and using modern management techniques that would make a Harvard MBA proud," Mr. Turner adds.
Experts say there are four major shifts in computer-related crimes and mischief:
Thanks to the Web, the bad guys no longer have to go to their victims by breaking into servers and laptops or getting in through e-mail; the victims now come to them simply by clicking on an infected website or a display ad, even on the most trusted websites.
Intrusions have shifted away from well-protected servers and databases to laptops and desktops. The reason is simple: Little security. The result is a dramatic growth in peer-to-peer intrusion networks. In the past, if law enforcement could track intrusions back to a single server, they could end a scam. With peer-to-peer networks, however, there are no underlying servers, just tens of thousands of connected desktops and laptops.
Attacks have moved from the underlying architecture, such as operating systems, to applications themselves. Again the reason is lack of adequate security. Criminals often reverse-engineer applications to find weak spots, then create threats that exploit them.
Virtualization, the ability of single servers to run multiple programs simultaneously, has created new vistas for talented bad guys. "The problem with virtualization is that people think there is as much security as there would be if applications were running on separate computers instead of virtually on a single server," says Richard Reiner, chief security and technology officer at Telus Security Solutions.
"The simple truth is that there is not."
The driving force behind the boom in IT black arts is money - loads and loads of money. Dr. Reiner says a single personal information file trades on the black market for about $7. Create a bogus e-mail that encourages people to provide financial information such as a credit card number, and the response could number in the tens of thousands globally.
He tells of a recent scam where an Eastern European ring targeted the websites of financial planners, scooped up thousands of clients' e-mail addresses and data, and used that information to run a stock market boiler room swindle.
In another, enterprising scalpers organized a peer-to-peer connection with more than 100,000 unsuspecting laptops and desktops, then used them to scoop 75,000 tickets to a pop concert within 90 seconds of their release for sale online.
"If we are ever going to effectively tackle this tremendous problem [of online crime], we need more public awareness and more IT security professionals," says Bruce Cowper, senior program manager, security intrusions, at Microsoft Canada Co. in Mississauga.
"When the problem with Internet and IT crime became so great in Nigeria, the government shut off Internet access ...," he notes. "All that happened was many of them moved to Canada."
