Thursday 16 November 2017

The Human Element


I did have a photo for today's post, but the person I met requested they be kept anonymous, so this will be today's photo instead. Today's post will probably be quite short, as I'm trying to keep things vague in order to avoid accidentally giving away their identity.

One of the frustrating things about being a software engineer is that software isn't tangible. When you look at a building being built, you can roughly guess how much progress has been made by how much of the building looks finished. Most people have seen buildings of various types before, and have a pretty good idea what a finished building should look like. It's also possible for you to take a walk through a building and see whether it has the things you would expect it to have, like stairs, doors, windows, walls.

Not so easy with software. There's a lot of stuff you can see, like the UI, but there's also a lot of stuff that goes on behind the scenes that's not nearly as visible, and you only see the effect it has on the UI. (Though I guess that's kinda true of buildings as well, because they will often have wiring and pipes going through the walls, and you can't tell whether they're working or not until you try to turn a light on or flush the toilet.)

A similar thing applies to cybersecurity. If someone breaks into your house and steals stuff, you're pretty likely to notice: the window might be smashed in, your electronics are missing, and if you catch them in the act, they'll be right there in front of you. If someone breaks into your software system, they might be there for years before anybody even notices, and even if their presence is detected, they're likely halfway across the world, and all they need to do to get away is to disconnect from your server. Who knows how much stuff they stole in the meantime? As far as you can tell, your data is still there. Or even worse, what else have they left behind that shouldn't be there?

The person I met works in cybersecurity (that explains the paranoia, right?), and we talked about the industry as a whole. They said that one of the challenges in the field is to stop people from being reactive. Most companies will have a team that deals with the fallout of a breach, but will often neglect to have a team that tries to look for the early warning signs that a breach is about to take place. Part of the reason is that it's really hard to quantify the monetary benefit of prevention, and part of the reason is that the whole industry is still new, and finding the people with these skills is hard.

Something they said that really hit me is that cybersecurity isn't just about keeping up-to-date with patches and making sure you have strong network protections; it's also about understanding people. How do they behave? What kinds of people are likely to attack you? Why are they attacking you? Sure, there are people who attack with the thought of profit in mind, but hacktivism (a portmanteau of hack and activism) is becoming a larger field. Are they angry that you released a AAA game and then made it pay-to-win? Do they disagree with the idea that you are against BDSM? The kind of resources available to state-sponsored hackers is going to be wildly different to the kind of resources available to the average script-kiddie, so having an idea of who your attackers might be will also help you work out what your vulnerability is, and how far you need to go in order to protect yourself.

Depending on who you are, it's not unlike having an intelligence agency put out feelers and try to work out where an attack might be coming from. Obviously, the person I met is speaking from the point of view of a large organisation, and many people are unlikely to need this kind of service in their day-to-day life. But I've always loved spy movies / books, and hearing about this stuff is as close as I'll ever get in real life.

It's funny, I thought my psychology degree was going to be completely wasted in the software field, but it seems to be becoming more and more relevant as time goes by.

And that's about all I can report that doesn't give away their identity. I felt like I learned a lot, and I'm sorry that I can't share that with you, but I want to respect their desire for privacy.
