While the information technology wave put India on the global map after 'Y2K,' there were professionals finding their way into this nascent field, which was about to explode, well before that. Mrs. Bharani Rangabashyam describes her experiences and insights into one of the most important aspects of this sector – security.
Bharani Rangabashyam (1986, ECE)
Introduction
When we were in college, Information Technology or Computer Engineering was not offered as a separate Undergraduate Engineering major at PSG College of Technology. I distinctly remember that the institution had just begun the Masters in Computer Applications program at that time, which had a good reception with applicants from around the country. In the undergraduate program, we had a few electives related to Information Technology, which students majoring in other areas could opt to take.
In the early nineties, Information Technology began evolving in many sectors in India, prompting many of us to switch over to it as a career. Of course, post the so-called Y2K, the participation of Indians in this sector was a tsunami. I was part of the early wave of engineering graduates who began migrating to this field.
Many companies set up a separate Management Information Systems (MIS) Department. Software training centers mushroomed all over the country. The trend was to aggressively learn as many Application Software offerings as one could in a short time, and apply for jobs requiring those skills, preferably overseas.
The gold rush begins
Cramming resumes with a long list of Application Software names supposedly increased the confidence level of many candidates. Even the so-called software body shops encouraged candidates to match their resumes skill-by-skill to what was in the job requirement. "So what if you don't know that exact skill? You know something similar, right? Just put it down in the resume and you can learn the exact matching skill while on the job" was their rhetoric.
What many did not realize then was that it was not the number of Application Software types listed on the resume that would give candidates the strength needed to secure the job or, more importantly, to do well once they started.
True value lies in understanding the fundamentals of the 3S's of IT, namely:
• Software Development Methodology (SDM)
• Source control
• Security
These 3S's are platform- and domain-agnostic, and are continually evolving.
An Information Technology company whose primary business is software development may include the 3S's as part of its training. But if we were to join the Information Technology division of a company whose main business is in some other domain, then the onus is on the applicant to know the significance of these fundamentals.
Hack attack
In 2001, I joined the Corporate Information Technology division of a USA-based off-price retail chain. It was an $18 billion company then, with growing operations in the US, Canada, and Europe.
But on the Information Technology side, it left a lot to be desired. It took over 8 years and a major hacking to put controls in place. It is still a work-in-progress as the company heads towards $40 billion in revenues.
Senior Management's attitude before the hacking was: "We are not an Information Technology company, so it is not mandatory for us to achieve any high SEI CMM/ISO standards. We would invest just enough in Information Technology to support our main focus, which is our retail business."
The hacking was a painful lesson for the senior management in the company. After that episode, there was a radical change in the company's Information Technology policies.
A comparison of the before and after scenarios would bring out the significance of each of the 3S's, and how these add value to the overall performance of the company.
Impact of Software Development Methodology (SDM)
SDM is a framework for building and managing information systems from inception to installation. Common methodologies include:
- Waterfall
- Iterative/Incremental
- Spiral
- Rapid Application Development
- Agile
Traditionally, many Information Technology companies used Waterfall to progress the software sequentially through its life cycle, namely: Initiation, Requirements, Plan/Analyze, Design, Build/Test, Quality Testing, UAT, Implementation and Post-Implementation support.
More recently, the Iterative and Agile methodologies have been gaining prominence.
Our company had used the Waterfall methodology before the hacking, but not in its entirety. There were no well-defined teams and roles. Users would provide just the bare-bone requirements, which were often ambiguous. They would keep changing them numerous times, even in the later stages of the project, leading to cost and time overruns.
Change Requests were not formalized. As a result, there were disconnects between the requirements and the end product. Information Technology managers would give in to pressures from the business and try to cut corners. Code would go live without thorough testing, causing fatal defects and failures in the Production environment.
Managing Source Code Control
Version control of software is vital. There was no designated Release Management team before the hacking. Some developers made their code changes on a shared drive. They even managed to go live with their code, bypassing source control.
Some used source control, but would keep the code checked out on their machines for a prolonged period of time. Some left the company while code was still checked out on their machines. This resulted in code overlays, or situations where only the executable existed but the source code could not be found or had to be re-engineered.
Importance of protecting Security
Although our company managed key Financial Applications in a more secure environment, still, as the importance of security was not stressed long and hard enough, it left the company exposed to vulnerabilities.
And we were not alone in being so exposed. Below is a list of major hacking episodes worldwide in recent times:
- Heartland Payment Systems, 2008: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.
- TJX Companies Inc., 2006: 94 million credit cards were exposed.
- Google and other Silicon Valley companies, 2009: stolen intellectual property.
- ESTSoft, 2011: the personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider.
- Target, Home Depot, Sony, 2014.
And the list goes on.
Cost of a data breach
- Studies have shown that the average cost of a data breach is around $7 million, with an average cost per compromised record of more than $200.
The remedy
The after-scenarios in our company show improvements in all the 3S's I described earlier.
• Firewalls have been strengthened.
• People who exchanged credentials met with severe penalties.
• Credentials were reset when job roles changed, and removed when people left the company.
• Mandatory security training for all Information Technology associates is conducted periodically.
• Bit9 Parity checks stop anyone from installing unauthorized software on their machines.
• All across IT, well-defined teams were formed with clear roles and responsibilities.
• A RACI matrix is consulted to see who is Responsible, Accountable, Consulted or Informed for a specific task.
• The Release Management team put in place checks and balances for any software that is released to the live environment.
• Release Management published the guidelines for parallel development, and for branching and merging code in central repositories.
• Estimation is done at various stages of the project, and budget increases are strictly scrutinized.
• Any lapses in the process are escalated to senior management, and also publicized widely to name and shame individuals who are repeat offenders.
• Projects for total encryption/masking of cardholder data were undertaken.
For individuals, the future is... a tad scary!
It is important to emphasize that these sorts of vulnerabilities affect not just companies but individuals as well.
Marc Goodman is the founder of the Future Crimes Institute and a former INTERPOL and FBI agent. He lists a litany of threats facing us. Here are some examples he shares of crimes that have already happened:
Automated Teller Machine (ATM) thieves: Fake ATMs were installed at a shopping mall. When shoppers used these ATMs, their card numbers and PINs were recorded, and they got an 'out of order' message on the ATM. The thieves then used these numbers to withdraw cash elsewhere.
App thieves: Recently there was a fake HSBC Bank app on Android. Similar to the above example, people entered their data into it and were subsequently robbed.
Telephone network: The Mexican drug cartel has its own installed telephone network and uses auto-piloted vessels to transport drugs into the US.
It is worth noting that while individuals may not be able to take measures as stringent as companies can, it is imperative that we take a commonsense set of precautions as well, such as being careful with passwords, protecting private information carefully and not leaving private information lying around.
Summary
I have pursued a career in Information Technology and through its course recognized the importance of sound security measures. In today's global economy, individuals are interconnected, companies are interconnected and economies too are interconnected. This is bringing enormous innovation, scale and access across the globe.
However, these very same advantages are revealing some vulnerabilities as well. As I have explained in my own company's example above, businesses that do not have proper security measures that evolve with the times leave themselves vulnerable to attacks. Not only are companies vulnerable, so are individuals.
Within the secure domain of companies, having a holistic perspective of the 3S's (Software Development Methodology, Source control and Security) along with strong technical and domain knowledge is paramount. Such a focus for those interested in Information Technology will pave the way for a sound career in a vital and growing area for enterprises.
About the author:
Bharani Rangabashyam lives with her husband and son in Leominster, Central Mass, USA. She works in Corporate IT for a multinational retail chain. At PSG College of Technology, she was a day-scholar graduating in Electronics and Communication Engineering.