Sunday, February 14, 2010

The joys of being hacked

I'll admit it. I've been hacked. Well, not me personally, I'm not yet Borg, but a server that I used to administrate. Here is the surprising part: it ended up being a really good thing.

When I started working my current job, back in the dark ages of pre-1.0 web, my job title was "Web Administrator." These days a Web Admin tends to be nearer to the bottom of the food chain, but back in the mid to late 90s, we were hot stuff. I was working for an office that the campus IS team viewed as having gone rogue. When we launched our first website, we had beaten nearly every other department on campus to the punch, and we were doing it via our own server outside the IS cluster. Records had hired two webmasters before me, but they each left after one or two years as the web industry was quickly ramping up salaries more than the College could pay.

I inherited an old Sun SPARCstation that was used as the primary server. At the time I was a Mac guy - primarily a graphic artist with an interest in learning new stuff, so Solaris was a fun and interesting challenge. Turns out, though, that keeping an old SPARC secure took more than making sure it was patched and Solaris kept up to date. We got hacked, root was compromised, and my little old SPARC was used as a relay to get into NASA. NASA was none too pleased, and threatened the College with legal action. It was not a fun week. The server (excepting the web ports) was locked down from outside the Loyola IP range, and the hacker had used an open machine on campus to get into ours and used ours to get out to NASA.

There was a big silver lining though. This forced the Loyola IS crew to rethink their stance on "rogue" offices using technology. We were the first, but by the time we got hacked, there were several other departments that had been forced to get their own servers in order to have a web presence. Not only web servers, either. Several departments (including mine) had application servers running apps that IS had refused to take on. It was a less than ideal situation all around, and had left the campus very open to attack. None of my application servers ever got hacked, but others on campus did. The campus's very conservative IT policies began to shift to encompass the rapidly evolving reality that the College would advance IT, whether or not the IT department was on board.

It has been almost a decade since I got hacked, and policies have changed considerably, if slowly. Some individual offices still have their own web and application servers, but they are all now housed within the IT server room, and given the same security policies and maintenance structure as IT servers. Flexibility and security have both been enhanced, and the College is a much more secure environment because of it.

1 comment:

  1. I heard once about companies that would hire hackers specifically in order to find the company's security holes. It seems like this would be a great strategy, as it is very hard for someone who has set up or designed a system to see their own system's weak points, but much easier for someone who is used to spotting weak points in systems to do so.

    The alternative seems to be what happened in your situation... waiting for the holes to be exposed by someone NOT on your payroll and all of the negative consequences that may follow.
