Security centres of excellence
- Article 2 of 3
- Global IT Delivery, October 2006
Now top universities are taking on the toughest security challenges.
One of the most frightening statistics about security isn’t the number of different attacks now possible. Nor is it the number of attempted or successful hacks against corporations: 87% of large businesses in the UK suffered security incidents in the last year, with a median of 19 incidents per company, according to a PwC report for the DTI. It’s how few successful breaches in security are actually reported or investigated – just 15%.
There are many reasons for this. But often the problem is one of trust: can the security company doing the investigation do what they say they can? How much will they overcharge while they’re getting up to speed? Will they tell the truth about what they find?
It’s no surprise that some organisations, at least, are looking for alternative investigators who are more interested in finding out what’s happened than in the bottom line and who have the skills necessary to solve the crime. What is a surprise is where they’re finding them: universities.
“The key to our success is that we’re flexible in terms of people’s needs. As long as it’s interesting, we’re interested,” says Andrew Blyth, principal lecturer at the University of Glamorgan’s school of computing. In common with universities such as Cardiff, which recently hit the headlines for exposing flaws in HSBC’s online banking system, and Royal Holloway, whose Information Security Group is famous enough to get mentioned in ‘The Da Vinci Code’, Glamorgan has been showing that academia is more than capable of helping public and private sector organisations with computer security. Its work ranges from reverse engineering viruses to exposing paedophile rings in Australia.
Blyth says there are many reasons why his group has been sought after to help the police, the security services and other organisations. As well as rigorous scientific and classical training in computer science, the group is “an independent academic organisation: we’re not interested in repeat business, where you always have one eye to the next job – I have no salaries to pay since research is what we do. We’re more worried about how this job is going. If someone wants to know if there’s a Trojan on a machine, we’ll tell them. We won’t say there’s a reasonable doubt and we’ll have to do another report.”
Blyth’s forensics lab originally grew out of his own interest in conducting forensic research. He approached companies whose needs coincided with his interest and before long he had built up a security group and a reputation for “the weird, whacky and wonderful”. The group consists of five members of staff, three PhDs and three students with security MSc awards. As well as helping with the school’s research, the work done by the group helps security in general, since the techniques developed get passed back to the security community, rather than kept as commercial secrets.
It also helps with the university’s finances since, in common with Royal Holloway’s ISG, the university negotiates a payment for the group’s work through its commercial line. Nevertheless, Blyth holds off from spinning off the lab as a commercial entity. “It was created to do research and creative things and that’s what I enjoy: solving things and being taken into areas where I wouldn’t have thought of going.”
