By Rich Loeber
I am amazed at how many companies and organizations I run into where computer security is lax and nobody seems to care very much. Recently I heard from a business associate who is just getting started in a new position. He told me that his company’s IBM i is connected directly to the Internet with no protection at all, not even a firewall or even a router. He demonstrated to his new boss how he could quickly hack into the system, track down the ID and password of a security officer and then sign on using that profile. I won’t tell you how he did this, but it was not rocket science. They are shopping for security protection for their IBM i now, but how did they get to this point to begin with?
What these organizations need is a Security Evangelist. Someone who knows what the problem is and really believes in the message. The dictionary contains several definitions of “evangelist” and the one I’m thinking of is “a person marked by evangelical enthusiasm for or support of any cause.”. If you don’t believe the message, then you can’t sell it to your organization’s decision makers.
I then thought back over my almost 50 year career to try and pinpoint those places where I bought into the computer security message. I can think of three events that really got me convinced that this is a legitimate issue.
When I started in the computing field in 1965, computers were new and companies that had them liked to show them off. It was not unusual to have a glass enclosed computer room with open access to the public to walk by and watch the computer in operation. Then, there was a Viet Nam war protest bombing of one of these computer centers and, overnight, they got boarded up and physically secured. Companies realized that they were dependent on the computers for many operations and the public display put them at risk.
At around this same time, in 1973, along came the Equity Funding fraud. This was a computerized fraud scheme where a financial conglomerate engaged in fraud on a huge scale to maintain a high stock price and fool Wall Street and investors. At its height, the scandal involved as many as 100 employees who used their computer system to create fictitious insurance policies. At one point during the fraud, someone estimated that if the insurance policies being written continued at the same growth rate, they would end up writing more policies than there were people in the US. It was dramatized in the made for TV movie, “The Billion Dollar Bubble” staring James Woods and Sam Wanamaker. I could not find the movie available on NetFlix or at Amazon, but if you can see this movie, it is very convincing.
These two events, which happened quite close to each other, got me thinking that the computer security issue was a real issue and not just something being touted by IBM to sell more of their services.
The last event that turned me into a security evangelist was reading the book “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll. This book, published in 1990, starts with a college IT guy from Berkeley trying to track down a 75 cent billing error. His search leads him into the then new world of computer hackers on a global basis. This book is still available from Amazon.com and if you’ve never read it, you should.
If you don’t believe in the computer security message, then you can’t convince others. I became convinced by just keeping my eyes and ears open to what was going on around me. If you’re working in the computer security field, you need to be an evangelist and get everyone at your organization on board. If you don’t believe the message, how can you expect the rest to? I think this is what’s needed today. There is still just too much laxness in the field.
If you have security was stories you’d like to share, you can reach me at rich at kisco.com. All email messages will be answered and I might even use some of your stories in future posts.