Sunday, December 21, 2014

Is corporate security, faced with determined hackers, just a matter of workplace discipline?


Was the Sony Hack by “agents” of a foreign power (that is, the DPRK) really the result of poor IT workplace discipline and procedures?
  
I think that’s possible. A lot of the security lapse seems to have occurred because an administrator’s logon was not encrypted and not properly secured, and probably not changed frequently enough.
I was involved in a few controversial “scares” during my mostly mainframe career, and the technology involved in each incident would seem simple compared to the complicated scripting explained in US-CERT’s recent bulletin on the brute force authentication hack and SMB Worm.
  
I won’t go into details tonight, but in every case (going back to the middle 1970s) there were simple procedures that could guarantee that production files could not get corrupted accidentally during testing, or that the source module and load modules being executed in production (after elevation) were consistent. But one had to remain alert to use the procedures properly. When updates to elevation procedures were announced, the programmer-analyst needed to pay attention, and realize that the procedure steps, when followed properly, guaranteed integrity. There were a few occasions where neither I nor several levels of management fully understood these things at first. There is a degree of “maturity” required by everyone on staff to grasp the importance of following procedures. The most serious breach might have occurred in the summer of 1991, when a member of the elevation team (a young male) discovered a serious error in the way some moves had been done for some time. I remember the employee; he was attentive, and he brought to the workplace the diligence that companies need all the time.

I do think that major Silicon Valley companies and telecommunications companies have given more attention to goof-proofing their security than most entertainment companies would have done. So I’m counting on the security procedures of the companies that provide the platforms upon which I do a lot of my self-expression (Google, Facebook, Twitter, Bluehost, Verio, etc.). The same should be true of banks and financial institutions, and of utilities and power companies. Still, so much depends upon the attentiveness of every employee.
  
In 2002, I did spend a lot of time looking at jobs at Warner Brothers, and it looked like a good shop, one that had a lot of both mainframe (DB2) and Internet.  It’s generally true that IBM mainframes are more difficult to compromise than Unix or Linux, and that the Unix-Linux-Mac world seems a bit more solid than Windows, which still has some real problems with very determined attacks.  Also, routers have vulnerabilities that need more attention. 
  
Picture: the Management and Administrative Subsystem of Medicaid MMIS used to be called “MARS”.  
