Why Computer Security Is Still a Top Issue
by Alex Cosper

The following is an interview I did with my brother John Cosper in July 2016 about his work as an IT consultant. Part of the reason for the interview was to review some of the important keys to internet security, since we keep hearing in the news how easy it has been for politicians to get hacked.

ALEX: John, tell us a little about your background that led to your IT career.

JOHN: In 1992 I was a courier delivering microfiche to large companies with Data Processing Departments (computer rooms). I tried to become friends with the customers hoping for a chance at an entry level job. It worked. Fleming Foods hired me as an Order Entry Clerk. Nine months later they had an opening for computer operator and I was promoted. I changed my education goals, originally accounting, to focus on IT and pursued IT Certifications. Education leads to more opportunities in IT.

ALEX: What is a typical day like for you on the job?

JOHN: As a consultant my work depends on the work needed by my client, but in general I must react to support issues for the software I support. Typically there isn't much, so I develop and administer the application. That may involve interface changes, code changes, workflow changes, and often report modifications. Documentation is critical to IT, so I track anything I do in the Change Management System.

ALEX: How common are security breaches that you have to deal with on a regular basis?

JOHN: I never have to deal with that because there are specialists who are paid to manage IT Security. The companies I work for have IT departments who may have hundreds of IT professionals all with different specialties. 95% of them may have nothing to do with IT Security and in fact, it's literally no more their responsibility to worry or troubleshoot IT security issues than it is. It's simply our responsibility to follow the same IT security policies and procedures expected of anyone using a company computer.

ALEX: What are some of the keys to establishing and maintaining a secure server?

JOHN: Microsoft Windows Servers all come with out-of-the-box default security set to High, which means a local firewall and only essential ports opened. The real security isn't on the Servers as much as the network devices between your Server and the outside world: Routers, Switches, and the software running on them. There are many layers. Even past the network devices and the servers, the software running on them needs security. For example, an Email Server like Exchange needs to have the ability to sift through emails because emails are a gateway into a network. You can have the best security in the world on your network devices, servers, and all computers, but if your Email Server is set to low security your entire network is at risk.

You're only as strong as your weakest link. It may be that your weakest link comes from a program on an unaware user's thumb drive. It's an IT perspective that the most dangerous attackers to a network are the employees who log into the network every day. I remember a server admin once telling me everyone logging into "his" servers is an enemy.

ALEX: You've worked in government and corporate workplaces. Who ultimately is responsible for ensuring computer system safety?

JOHN: The companies and agencies I've worked for are so huge it can't be answered simply. It depends on the size, how many sites, and maybe depends on what country they are in.

ALEX: Is it your opinion that any organization faces potential cyber attacks? How are some organizations more protected than others?

JOHN: Attacks are a fact of life. Network Security professionals are expected to be prepared for any breach of security regardless of the source. Yes, any organization no matter how small. It goes without saying that size matters: Walmart is attacked more than a local donut shop.

ALEX: Can any given email or other type of data be recovered in a disaster or can it get lost forever?

JOHN: Corporations can track incoming and outgoing traffic so they know when they've been breached. Network Security breaches and data recovery are completely different issues. Nothing gets lost when data is backed up. If the system is hacked and brought down it may be down for a while but the purpose of fault tolerance is to protect data so that under any disaster the system can be restored.

It's a common practice that after a server is backed up the media is taken offsite, whether that's across the street or flown to a different city. The question is how valuable is the data? Can you stay in business without it? Many organizations have Fail-over servers such that if a server goes down in California another server becomes active in Arizona. Losing data is a product of poor data recovery policies, not security. You should never not be able to restore your data for any reason. That falls on the Database Administrator, not security professionals.

ALEX: Please explain why a private server is not typical among corporate or government organizations.

JOHN: The answer is because companies/government consider the work you do their property. And the tools you use are their property.

People use their work email account for personal emails, or they use their work phone to make personal calls, or they use a company car to run personal errands. As a consultant I frequently must sign a contract agreeing that anything I do belongs to them - meaning, if I invent an application while I'm at work I cannot sell it for a profit - it belongs to them. These things the company doesn't want you to do because all these resources belong to them, not you, including your emails. Hence, you have no freedom of speech while you're using a company email account.

ALEX: How much background or level of expertise does an IT professional need to manage a big organization's computer systems?

JOHN: Many years of IT experience, a BS degree in a related field, and IT Certifications in that area are a must. That's if you expect journey level wages. By definition when you say computer systems I presume you mean servers and enterprise applications, not desktop computers? Because getting a Help Desk or Desktop Support job is considered entry level and it's possible to be a friend of an employee and get a job without much experience.

When I worked at Sacramento County many techs were hired without any IT experience who barely knew anything, but they were friends of friends and that IT Department had no standards. Also, that was in 1999 when PC networks were new to organizations. When I left Fleming in '96 they didn't have a client/server network; all they had was a mainframe with dumb terminals. The only PC in the building wasn't connected to anything, just stand-alone. It was the cutting edge of a new era. PC techs could make over $30 an hour. Nowadays they typically make more like $15 per hour.

There's too much competition to give IT jobs out to just anybody. A lot of not-real IT folks have been weeded out over the past 10 years. It's not the type of field to get into unless you plan on continuously learning new things. It makes no sense for people who "don't like change" to be an IT person, but I've met a few.

© Alex Cosper. All rights reserved.