STEM Education – Gotta be in it to win it

As a mainframe programmer and business executive, I’ve learned all about the necessity of educating the next generation of systems programmers and application developers. But how soon is soon enough to influence these people?

My dad was one of the first programmers at his insurance company. He took me under his wing as a 12-year-old and kept me excited about programming. My junior high school had teletype HP 2000 computers, punch card machines and a variety of wire on board IBM systems. I took typing in 9th grade to reduce my punch card error decks. Nerd, yes, but thinking of a career already.

National Engineer’s Week beginnings

Years later, attending a seminar hosted by the National Reconnaissance Office, I heard an elderly (70-ish) engineer explain how he and his peers had formed the basis of National Engineers Week to attract the next generation. Based on national pride and a common goal set by President Kennedy to get a man on the moon, he and his peers had gone into engineering to meet those goals. He questioned where today’s call to arms was. Where was the national pride to make a difference? A good question, that I don’t know the answer to either. His goal was to continue to make a difference in his own way.

Business Internships

Likewise, I’ve attempted to make that one of my career goals. No, make it a life goal: mentoring a new generation. When my son graduated high school, I offered internships at IBM to anyone that desired them. One student took me up on the offer after a year of college. Five the next year and a couple more after that. But the result was that one high school class of 90 students produced five students with full-time jobs at IBM. This is the same school that has the only Future Farmers of America chapter in the county. My job was to open doors and pave a path. The students had to convince hiring managers (internship and full-time) of their value and did.

Elementary School After School Programs

I’m beginning a four-week after school program for grades 3 to 5 in my school district. It started by trying to recruit people at IBM to come to the district for National Engineer’s Week. It didn’t take long for me to decide to do it myself. With the assistance of a local teacher and the school principal, we decided to make this an after school club, once a week, for the month of February. It’s “math” centric, but the reality is, it’s about patterns. Patterns are everywhere in math, science, art, music, programming and business solutions. I had the pleasure to go into the school and give each class a tutorial on patterns in business and the evolution of programming. That was the teaser to getting them to attend the after school program. I don’t know how many will attend the program, but there was a tremendous amount of interest shown in the class. Some immediately grasped the discussion and could predict what I would say next. Several told me that they already wanted to become engineers. This was great news.

Become a coach. Pay it Forward.

We’ve developed a syllabus based on six topic areas and then gathered a large number of websites to aid the kids on their own. There are some terrific resources out there available to anyone that wants to do this themselves. Kids need a challenge, but they could also use a coach. I encourage anyone reading this to volunteer to make a difference in someone else’s career. Pay it forward and you, as well as your students, will reap the benefits in the future.


Mainframe Security – How good is it?

Two things about security that have been true for a long time:

  1. The Mainframe is the most secure platform in the industry
  2. Security is about People, Process and Technology

These are not mutually exclusive concepts. What’s important to realize, though, is the mainframe shouldn’t get a “Pass” on security processes because of its reputation. Unfortunately, I have encountered some really poor security management practices associated with mainframes at a wide variety of customers. These poor practices have put those businesses at risk. Mainframe technology and architecture can inhibit a number of security issues that other platforms regularly encounter, such as buffer overflows that enable viruses and Trojan Horses. However, poor management of data access, protection and audit can lead to data loss, theft and network attacks.

The Mainframe is NOT Hacker proof

There, I’ve said it and I’ve said it before. Mainframe systems have been hacked. There is one obscure case where some very old open source code was running on a mainframe. That open source code had been successfully hacked on other platforms. The attackers used a similar technique to get “inside” a business. Network attacks that drive a denial of service have also been successfully initiated. Both of these types of attacks were clearly avoidable. The worst attacks have come from insiders. Sometimes by accident, but unfortunately, sometimes on purpose. Not unlike Edward Snowden and Wikileaks, insiders have released confidential information stored on mainframes. In each of these cases, better security practices and the use of additional products and monitoring could have inhibited these data thefts.

Who is responsible for Mainframe Security?

Another problem that I’ve seen is lack of diligence by a business over the people managing the mainframe. The worst case scenario dealt with an outsourcer. The outsourcer mistakenly assumed that the mainframe was “hacker proof”. The owning business assumed the outsourcer knew what they were doing and didn’t audit the security of the systems or the outsourcers running the systems. It turns out, the outsourcer wasn’t auditing the security either. In this instance, network ports were left open that gave attackers a way into the system. Data sent over the network wasn’t encrypted, allowing attackers to sniff for critical data. Perhaps worst of all, many of the systems programmers had operational access to modify all system datasets without going through change management.

It doesn’t mean that anything negative happened at this customer. But it certainly could have happened. And even within that particular outsourcer’s business, they had other customers that were properly protected. This seemed to be a local anomaly. The lesson learned, however, is that the owning business should own audit responsibilities and the analytics associated with their security operations and data protection. Simple tools could be deployed and routinely run to “health check” their operation. Either the outsourcer or the business can run those tools, but the business should check the results as a normal part of grading their outsourcer.

“Knowledgeable” People may be your worst enemy and largest risk

Social engineering is a terrific mechanism to get access to restricted data. I’m not going to give examples, other than to say that asking the right questions of the right people can result in acquiring data or privileges that someone isn’t supposed to have. Again, the human element at work in circumventing security. One of my favorite “social engineering” episodes was visiting the security director at a large bank. Physical security was tight. The team there asked if I could break into the building. My normal response is never on the first time, but usually on a second pass, it is possible. As I left the cold building in December, I realized I left my jacket in the Director’s office. The security guard told me to go back up to the third floor unescorted. I was in the Director’s desk chair when he returned from the rest room. Isolated incident? Unfortunately not. That’s just my favorite example, without the details.

Replicated data doesn’t mean that security control is replicated

It doesn’t matter what platform or server you are using for a database. Far too many businesses make a copy of production data so that the Quality Assurance team can do system modifications and stress test before making updates to a production system. Application developers might also have access to this production data to test the next iteration of a business application. QA and development may be outsourced to another business. That business could be in another country. Without audit or security management of the test and development copies of the data, there is the very large possibility of data theft or leakage.

The weakest link is the End user interface – PC’s, Smartphones, Tablets

Plenty is known about the security problems associated with end-user devices. Management of those devices falls on the owner of the device. Where Bring Your Own Device (BYOD) is allowed, the management practices for the devices will differ by the number of devices. Unfortunately, users save the user IDs and passwords of back-end servers on these devices. As a result, any server that these devices access is at risk of mismanagement or spoofing of the end user’s credentials if that device is stolen or hacked.

There is hope. Collaborative security should be the norm.

Earlier posts of mine discuss collaborative and hybrid computing. This is as important with security as it is for business resilience, storage management and application development. By looking across the IT infrastructure, a business can identify risk more clearly than a business that has fiefdoms protecting their smaller domains. Analytics, audits, identity management and data protection done across the IT infrastructure will help a business reduce risk and save on overall costs.

Don’t let security by obscurity result in the unintended consequence of data loss. Stay vigilant. Keep an eye on your systems, your system administrators and your users.