I grew up immersed in security. My father was a US Marine and going on and off base meant... security. My father worked avionics, which meant I was also exposed to flightline security. On a Marine Air base, you will definitely see a base within a base with respect to security. That's a good thing. I then went off to college at The Citadel and guess what? More security. Security like barracks and campus lockdown if a rifle count came up wrong. Then into the US Air Force and once again, more security. It was in the USAF that I saw the real need for IT security.
We had a vendor working on an application which had its data in a Sybase database. This was when Sybase was still a major player. My management wasn't so sure that the application was being developed securely and the servers were properly protected. That application was to process orders on computer equipment. Some of the information would be considered sensitive, but not Secret. So while it was in development but about to go live, I was called into my major's office along with a hotshot senior airman. Our orders: hack the servers if we could. They wanted us to start after lunch.
Ten minutes into the penetration attempt, we had the database server. We broke in via the administrator account because it had a weak password. What were we doing the first 9.5 minutes? Trying to find Mountain Dew. Our management was less than pleased, but at least we had caught the issue before the system went live. The vendor was brought in and read the riot act. Of course, they couldn't deny we had been in, because we left a text file on the desktop of the Administrator account. It simply read, "Hacked by Lt Kelley and SrA Silva," if I remember right.
That event happened in the 1990s. It's ancient history in terms of IT security. Today the world is a much more frightening place. Every day I see multiple reports of sensitive data being compromised. Hospitals. Financial institutions. Educational facilities. The information gathered is useful for identity theft. It can be sold. And as a result, IT security has evolved from the days when you had to worry about rambunctious teenagers with too much time on their hands to now, where we are facing the fact that organized crime groups are involved.
Even with this realization, security still takes a back seat in most circles. None of us want our personal data in the hands of folks who will sell it off. We expect that the organizations in question should do the right thing and lock things down. We know better. PlayStation Network, anyone? What about in our own organizations? How are we doing? Are we cooking security into our application design from the start? Are we actively working to build good security models for our databases? I think most of us would say, "Not like we should." And that's a shame.
I took a look at the PASS Summit offerings for this year and I think I found 3 security-focused talks. Other than mine, I recognize the other two: Denny Cherry and Don Kiely. No new names in that field. I've kept an eye on a lot of the SQL Saturday sessions, too. Same deal. Just not a lot on the security side. And this worries me, especially as attacks continue to evolve and technology continues to become more complex. It really feels like everyone is saying security is important, but that it isn't, until it's breached. Then it's too late. That's a shame.
I've thought about how to make security more appealing. Far smarter folks than I have considered this, too. No real success on that front, I'm afraid to report. We know this because we continue to have poor security awareness, not just among end users, but also among developers and IT pros. Quite often, we find that it is the developers and IT pros using their knowledge to bypass security controls rather than setting the example and sticking by them. If we, the pros, don't consider it worth our time, why should they? And that's a shame, too.