By Richard Parcia
?Well, I suppose I see a different world than you do, and the truth is that what I see frightens me. I’m frightened because our enemies are no longer known to us. They do not exist on a map. They’re not nations, they’re individuals. And look around you. Who do you fear? Can you see a face, a uniform, a flag? No! Our world is not more transparent now, it’s more opaque! It’s in the shadows. That’s where we must do battle.? — M, in the movie Skyfall
When I was still heading an IT group in a digital health services company, I always had conversations with the site information security officer. It was inevitable because Joyce (that?s her real name) inherited the position that I pioneered in the site.
Our conversations ranged from being subtle as she was my former student, to the more passionate that often drove either one crazy. And quite honestly, I was the one who often goes bonkers because, inasmuch as I hate to admit it that time, her points on security are right on and we just didn’t reconcile with our respective approaches.
Since we came from different backgrounds (she came from an auditing background and I came from IT), it was also inevitable that we are going to clash. She?s used to do things by the book and I am more inclined to balance things, being ?paranoid? and an advocate of the value of having a ?great place to work? (blame my Intel roots).
However, we both agreed that more than the technical deterrents, it is culture that serves as the companies first and last line of defense against information security violations or attacks. The root of any attack or violation is not an IP address. It?s the people.
I was reminded of those conversations on the topic by a recent international incident that is being touted as a geopolitical joust with dire repercussions. I am referring to the recent Sony hacking incident that is so serious that got Hollywood scared.
With all its advocacies, pretentious or otherwise, Hollywood hardly fought back outside of the jokes from Tina Fey and Amy Poehler. If it weren’t for curiosity, and the money that can be made because of that curiosity, no theater would have shown Franco and Rogen?s folly because there were bomb threats. It was that serious.
The US government has already declared that it was an attack coming from North Korea; an accusation that the latter vehemently denies. However, a recent article from CNN voiced out a possible angle that reflected the sentiments of not too few security authorities. The sentiment was that the attack was due to a massive internal leak that allowed outside forces to see the weak points of the Sony security programs.
Why give credence to an angle that the US government has denied albeit unofficially? It?s like this: Hacking is a practice not only done by a few people. It?s so widespread that the tools to do it are readily available on the Web.
We are not even talking of private boards and networks wherein the more technically competent and brazen lurk. We are talking of typical message boards and even blogs that have detailed ?how-to-dos?. If there are even sites that even detail how to make bombs out of household chemicals, hacking into someone?s social media account is not that hard to do.
But while hacking is prevalent, not a lot of enterprises are victims of this. This is due to the fact that most companies worth their salt do have standard security policies and technical deterrents deployed in their environments that make it harder for first time hackers to break.
This is true even for small companies that are being hosted by reputable data centers that guarantee to prevent or repel attacks.
Besides, hackers do it to prove a point (often done by experienced hackers and their targets are specific) or to just have fun (the most common and quite random). The latter is something that I am familiar because a long time ago, I, together with a bunch of alcohol-driven instructors of a computer college used to do it a lot.
We scanned ports and IPs, ?nuked? online chat users, and randomly checked website vulnerabilities. We also guessed passwords which was quite easy in the ?90s.
Nowadays, you cannot guess passwords because of complexity requirements. But why guess it when somebody can give it?
Sony?s hacking woes might have been done by people from the outside but the keys to their building might have been given away by the people from the inside. The ?disgruntled employee? is a bigger threat than a random hacker.
Inside information, epitomized by the ?password?, is still the most vulnerable point of failure. Security auditors will tell you that companies with the stature of Sony might have sophisticated technical deterrents deployed but might also have personnel that didn’t pay much attention to basic privileged access management schemes or were just plain careless.
What about disgruntled employees who held inside information? Now this is harder to detect. It can be anybody who was given a low rating by the boss, or somebody who was harassed by a colleague, or somebody who was promised a raise and didn’t get it, or worse, the person who found out that he is about to get the boot because his or her job had just been outsourced.
Disgruntled employees who hold critical information do not need to be part of IT. It could be anybody. It could be the payroll person who holds the password for the online bank accounts. It could be the logistics guy who holds the password of the shipping system of a logistics company. It could be the HR officer who holds the key to the employee database. It could be the claims processor of an insurance firm who has access to all of patient databases.
This is where culture comes in. It?s not just about a culture that makes the employees protect the information of the companies that they work for. It should also be a culture that makes companies take care and trust their people. It should be reciprocal.
The grind can make people snap. A company that does not care about their people will not get love either. Was this the case for Sony? I don?t know. Maybe yes or maybe not.
However, CEOs or leaders of any organization should be reminded that the biggest hacking incident or the highest security threat is closer to home. The threat may not be a looney leader of a dangerous state. It could be the lowly but genius accountant whose psychotic tendencies were triggered by a hostile environment.
This leads me to another anecdote. When I was first invited to teach in a graduate school many years ago, I was asked to do a teaching demo by the dean so that she can assess my capabilities. I taught an actual class and their professor sat with them to be my ?demo students?.
The professor, who was proud of his technical know-how, asked me how to stop all of these hackings. Expecting a technical answer, he was dumbfounded when I replied that its important to see hacking as an ethical issue first and a technical one, second.
The author is an associate professor of information systems at the Graduate School of the University of Santo Tomas. He has held various technology positions at Intel, TriQuint Semiconductor, and Unitedhealth Group. Currently, he is the head of IT Infrastructure and Operations for Holcim East Asia
