Linux support on-site, on-line and in the cloud.

Why IT security can’t be trusted.
Security in transmission.
An example from the Public Sector.

---

Why IT security can’t be trusted.

The IT industry, unsurprisingly, is at pains to reassure the public that IT systems are safe and secure. The government takes the same line. It is thought to be vital to the growth of the economy and perhaps more importantly to profits, to convince the population that someone is taking care of us.

Ok, you’ve already worked out that I take a rather more jaundiced view, but this isn’t I assure you paranoia or political posturing. It is a view developed and hardened through 35 years experience in both public and private sector, in the City, in Europe, the States and North Africa.

The vulgar reality is, that if your data is on-line, it is not confidential, and it is not safe.

There are a number of reasons why this is case but this is most important. the holders of the information have priorities other than data security.

It may be the pursuit of profit in the case of private companies or large corporates, or it may be service delivery, getting the job done, as in large sections of the public sector, but, approve of the motivation or not, the reality is that security gets only as much attention as is absolutely necessary to comply with the law and then, only when it is actively enforced. Privacy, the punters privacy, gets almost no attention at all.

There are always other more peripheral issues as well, like lack of resources, ignorance and plain stupidity but in the end it comes back to the same thing, security is not the main priority.

I’m not going to convince you by reasoned argument any more than I was ever able to convince senior managers that their systems are vulnerable. (The priority of a successful "go getting", "customer focused" "high flying" manager is always, first and foremost to keep their jobs and secondly to move on to a higher salary. Nothing wrong with that, but its not IT. If you’ve ever wondered why such fortunes are spent on consultants to install, develop and run corporate and public sector systems, it is quite simply this. If a manager is seen to be engaging large well known companies to select, install, develop or support their systems, then they are likely seen to be blameless when things go wrong. If a manager attempts to understand the problems themselves or uses in house staff with genuine expertise on the systems in use, and even more importantly, with expertise on the way those systems are used and relate to other systems in the organisation then, if an error is made, it may not be possible to restrict the flack to the foot soldiers, some of it may come in the direction of the managers. Questions may be raised about "failing to provide adequate resources", "insufficient training", "lack of supervision", "taking their eye off the ball" or "not keeping a finger on the pulse".

So in the meanderings that follow let me give you some examples of the kind of thing that happens quite routinely, day in and day out, throughout the worlds of commerce and public service.

Security in transmission.

Well many of us now know about or have at least heard of things, like data encryption, public key exchange and all the other security jargon which is rolled out to reassure us all. Well the good news is that where it is in place and is used, it’s pretty good. Yes I know there are all sorts of issues and vulnerabilities not least of which is password selection but in many practical situations, in combination with other things, encryption is pretty good. The bad news is that much of the time, at critical moments, it’s not used at all.

An example from the Public Sector.

I was administering a data base system for a city authority which maintained data on public health, trading standards, environmental health, noise pollution health and safety, that kind of thing.

Under central government aegis a new system was being developed that would integrate data from multiple authorities to a much "bigger" and "better" centralised management system. You’ve heard of this kind of caper many times before I think.

I suspect in this instance few, other than a small group of enthusiasts who saw and were excited by the potential, gave more than fig for the development but hey there was central government funding involved, it cost the authority nothing to do it, there were expenses available for the participants, a profit to made, regardless of outcome, by the developers and the authority got it’s data cleansed by a major corporate for nothing (something of which I did approve).

There came a point in the system development cycle when the developers needed a substantial quantity of real data with which to test, and subsequently demonstrate the new system. I was instructed to provide this data on magnetic media to the development company which was about 100 miles away (bear with me that fact is important for the story as you will perceive shortly).

Now there was no reason on earth, that I could see, why we could not use secure electronic transmission systems to move the data but no, it needed to be archived on to CDs and sent to the developers.

I explained the risks to the Senior Service Manager and the Assistant Director and invited them to consider what might happen if

a) personal details, witness statements, complaints and prosecution evidence got into the wrong hands and

b) what repercussions there might be if knowledge of a) got into the hands of the press, a far more worrying prospect from any local authority’s perspective.

If the data was not to be sent electronically we needed, I insisted, to use a secure data courier system.

But, you know, the council had a policy. And as part of that policy the council had a contract and the council had confidence in the terms of that contract, and a courier services had succeeded in the competitive tender process for that contract and the long and the short was that we had to use that service. That, you see, was the priority.

I was aghast when the package was picked up by a hippy on on a bicycle. Now I have nothing against hippies. I was one myself back in the late 60s and early 70’s, long before becoming involved in computing, but there was no formal handover, no documentation, no locked case chained the cyclists wrist, just a hippy on a bicycle. He threw the package into a loose shoulder bag with lots of other packages and peddled off down the road.

Well the package did arrive you’ll be glad to here and as far as we know, and the reality is we don’t know at all, without being copied while in transit. I called the software company to ask if they had seen its arrival at their premises as I was curious as to how this pedal power crew were getting packages cross country. Well surprise surprise, it was delivered by the post office parcel service along with a lot of other packages, and no, it wasn’t registered, recorded or special D.

Security. My eye.

Clifford W Fulford

---