The Secret IT Manager – Under Attack!

The Secret IT Manager

Wednesday 25 March 2015

Cyber-attacks have been back on the front page of late. But does that, albeit briefly, transform the IT professional into the 001 secret agent of corporate counter-espionage, or is the reality rather more mundane?

The IT world is a dangerous one, if the mainstream media is to be believed. High-profile incidents against our largest institutions, daily death threats on social media, personal data going missing, and so on. Barely a week goes by now without some large website being hacked or taken offline.

The cast of perpetrators has grown too. In the past, the typical hacker was a bored school kid with social issues, but now the internet is so pervasive in our society that battle lines are being drawn. Governments and terror organisations wage proxy war, while the militant arms of advocacy groups see websites as a legitimate target for protest and disruption. The difficulty of tracing those responsible adds an air of mystery and intrigue, and as an IT professional I’m often asked for my opinion on it all.

Ignorance is bliss

When working for large financial institutions you often wonder whether there is ever likely to be an attack on your systems. The reality is that even if it does happen there is not much you are going to be able to do about it. In the event of a denial of service attack the response will be coordinated by the ISP, and the full extent of your involvement is going to be an hourly email update. Similarly, if anyone breaks into your systems then chances are you may never know, and even if you do, the security team dealing with it will be having discussions so arcane that you may as well accept that ignorance is bliss and leave it there. After all, many IT security specialists started out as teenage hackers themselves.

During the development cycle security issues are often overlooked. Time and budgetary pressures mean security considerations are seen as burdensome, and individual developers are left to raise concerns. Some developers even take matters into their own hands and spend time covertly hardening their code against intrusion. Teams in charge of infrastructure will also sometimes roll out security changes without warning, usually causing some previously reliable system to fail spontaneously and leaving system admins scratching their heads and wondering what on earth has just happened.

Virus headaches

A larger headache in the day-to-day running of the IT department is the computer virus. These malign bits of code come in many flavours, from the simply irritating to the catastrophic. I had a catastrophic experience with one many years ago, as an undergraduate – it wiped out most of my nearly completed final year thesis. I learned a couple of vital life lessons that day about the value of backing up your work and running up-to-date virus protection. Needless to say, many system admins haven’t learned them: all too often I’m greeted with the message “Your virus definitions are out of date” when logging into one of our servers.

When viruses do get through the corporate firewall they’re often of the “email your entire address book” type. They are irritating but usually easy to get rid of, and occasionally amusing. One once managed to send itself to the company-wide email distribution list. To seasoned professionals it was an obvious virus, but evidently not to the numerous staff whose replies to the original message were then read by the entire firm.

Data protection

A much bigger potential problem is data protection. Although we are all mandated by law to treat real personal data with the utmost care, this is very rarely the case: whole production databases are cloned “as is” into testing and development for performance purposes, as the overhead of anonymising the data is apparently too high. Even cut-down environments are usually subsets of real data. It always astonishes me that this happens time and again, and that vendors often don’t even supply any means of scrambling the data. No matter, though, because management can always invoke the time-honoured solution of “sign off the risk and hope the auditors don’t notice”.
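The kind of scramble step the paragraph above says vendors rarely supply, as an added example (not code from the original column or from any vendor): keyed pseudonymisation of a production extract before it is cloned into dev or test. It keeps row counts, balances and the customer-to-account join intact, so the copy still behaves like production for performance work, but replaces direct identifiers with HMAC-derived tokens, shifts dates of birth, and masks card numbers down to the last four digits. The sample rows, the field names and the secret are constructed for this example; in practice the secret would be held per environment and never travel with the copy. A final check lists any real value that survived the scramble, which is the assertion to run before the copy leaves the production boundary.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed sample of what a "cloned as is" production extract looks like.
# Every name, address and number here is made up for this example.
PROD_CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1980-04-12", "card_number": "4111111111111111"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "dob": "1975-11-30", "card_number": "5500000000000004"},
]
PROD_ACCOUNTS = [
    {"account_id": 501, "customer_id": 1001, "balance": 1532.40},
    {"account_id": 502, "customer_id": 1001, "balance": 20.00},
    {"account_id": 503, "customer_id": 1002, "balance": 987654.32},
]


def token(secret: bytes, field: str, value: str, length: int = 16) -> str:
    """Keyed, deterministic pseudonym: same input gives the same token under one
    secret, and a different secret gives unrelated tokens. An unkeyed hash would
    let anyone holding a list of real emails confirm which rows are whose."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def pseudo_id(secret: bytes, field: str, value: int) -> int:
    """Synthetic 9-digit key derived from the real one so joins still line up."""
    return int(token(secret, field, str(value), 12), 16) % 1_000_000_000


def shift_date(secret: bytes, iso: str, max_days: int = 365) -> str:
    """Deterministic per-value shift of up to +/- max_days keeps the age
    distribution roughly realistic without keeping real birth dates."""
    offset = int(token(secret, "dob", iso, 8), 16) % (2 * max_days) - max_days
    return (date.fromisoformat(iso) + timedelta(days=offset)).isoformat()


def mask_card(pan: str) -> str:
    """Keep only the last four digits, which is all a support screen shows."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def pseudonymise(secret: bytes, customers: list, accounts: list):
    """Return scrambled copies of both tables. Balances, row counts and the
    customer_id join are preserved; direct identifiers are replaced."""
    id_map = {c["customer_id"]: pseudo_id(secret, "customer_id", c["customer_id"])
              for c in customers}
    safe_customers = [{
        "customer_id": id_map[c["customer_id"]],
        "name": "Customer " + token(secret, "name", c["name"], 8),
        # .invalid is a reserved TLD, so nothing can ever deliver mail there
        "email": token(secret, "email", c["email"]) + "@test.invalid",
        "dob": shift_date(secret, c["dob"]),
        "card_number": mask_card(c["card_number"]),
    } for c in customers]
    safe_accounts = [dict(a, customer_id=id_map[a["customer_id"]]) for a in accounts]
    return safe_customers, safe_accounts


def leaked_values(original_rows, cloned_rows, fields=("name", "email", "card_number")):
    """Pre-release check: every real identifier that survived the scramble."""
    real = {r[f] for r in original_rows for f in fields}
    return sorted(v for r in cloned_rows for v in r.values()
                  if isinstance(v, str) and v in real)


if __name__ == "__main__":
    # Constructed secret for the demo; a real one lives in the environment's vault.
    secret = b"dev-environment-scramble-key"
    customers, accounts = pseudonymise(secret, PROD_CUSTOMERS, PROD_ACCOUNTS)
    for row in customers + accounts:
        print(row)
    print("leaked:", leaked_values(PROD_CUSTOMERS, customers))
```

The tokens are keyed rather than plain hashes because an attacker, or a curious developer, who already knows a customer's email address can otherwise hash it and pick that customer's rows out of the test database; the HMAC also means a single rotated secret is all that has to change between environments.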

The risk, however, is very real and ever present. Development environments are, in theory, firewalled off from the real world, but this is never entirely the case. There is also always the danger of a mole within the organisation who chooses to steal data for whatever nefarious end they have in mind. Companies have recognised this problem, and the solution is usually to disable all USB ports and optical drives on our workstations. An annoying but understandable precaution, right up until the policy changes are somehow left out of the new builds and un-locked-down workstations start reappearing in the office as the upgrade cycle continues. We can then all get back to speculating who is most likely to have a one-way ticket to Rio in their pocket.
