Why “old” skills still have practical value for cyber security -TEISS® : Cracking Cyber Security

Information security / Why “old” skills still have practical value for cyber security

Why “old” skills still have practical value for cyber security

It’s easy to feel overwhelmed by the madcap pace of change in technology. Sometimes it might feel like all our hard-earned technical knowledge was wasted on yesterday’s “top of the line” equipment. Considering how long tech stays embedded in our lives, though, that’s not necessarily the case. That “old” knowledge comes in handy more often than you might expect.

Hopefully, everyone’s come to an agreement on the topic of constant change. This is – as the new interns like to say – “a thing.” We’re living in an unprecedented period of rapid transformational changes in processes, systems, communications, and dependencies.

Think you’ve got a handle on “the cloud”? Bah! That’s so 2018; now the industry is all abuzz over “bottom-up artificial intelligence.” And you can forget all that rusty “client-server” and “Web 2.0” stuff that you crammed for early on in your career. It’s all dead and gone, buried in the environmentally-conscious electronics recycling landfill of history. Right, industry press?

Except … no. To be fair, it’s true that we’re living in a new age of constant change. We’re barely a dozen years into the era of the iPhone, for example, and we’re already gearing up for the thirteenth version of the iPhone operating system.

The tools and services that we depend on in daily life (both at home and in the office) are updated so swiftly that it’s taken for granted that everyone is constantly behind the times. This is a recognized phenomenon; Harvard University even has an elective course in their business school curriculum called Managing the Future of Work.

Along with that sense of constant change is the ever-growing suspicion that every device we use is spying on us, from our voice-activated speaker in the kitchen to our “smart” television sets on the wall to the baby monitor in the kids’ room, to – of all things! – the fish tank. Everything is a potential threat, and the sheer amount of security knowledge that we’re all expected to devour, retain, and apply can feel overwhelming.

As a security awareness person, I have a tremendous well of empathy for all my friends, family, and colleagues who rightfully feel intimidated by the challenge. They’re absolutely right. The volume of cyber security education that people need these days just to deal with common criminal threats is as great as it’s ever been, and it’s only going to increase as more parts of our lives get “upgraded.”

Still … what an astounding time to be alive.

That said, there’s an element to this challenge that isn’t entirely accurate. That’s the idea that all the spiffy cyber security knowledge we learned in past years is now obsolete and can be safely discarded. In truth, the world doesn’t quite work that way. To quote Justin Sullivan out of context, “History [is] just as close as a hand on your shoulder.” [1] Supposedly “obsolete” technologies rarely go away in a timely manner; they accrete like debris washing up on a beach.

Remember IBM’s “OS/2” operating system? It held some niche market share from 1987 through 2001 before getting trounced in the market by better known products. It worked, though. What it might have lacked in device drivers it more than made up for in robustness. That’s why OS/2 is still a crucial component running the New York City subway system today. Seriously. Millions of people rely on that long-obsolete OS every single day.

How about good old Microsoft Windows XP? Nine out of ten cash machines [2] still run on it. The desktop OS went end-of-life back in 2005. Even the embedded version of the OS ran out of “extended support” earlier this year. And yet hundreds of millions of people continue to use cash machines around the world every day.

These “legacy technologies” aren’t aberrations or relics from a bygone age; they’re essential components of everyday life. When something as complex as the NYC subway system or something as ubiquitous as a cash machine network gets tuned to a reliable state, it’s underlying technologies are often left alone to run until the physical components fall to pieces.

It’s neither cost-effective nor practical to upgrade such a massive solution every time the commercial operating system is updated … especially when the operator doesn’t dare take the entire solution down for extended upgrades.

Seasoned technologists know: there’s no such thing as an enterprise-wide technology refresh that ends on time, under budget, or without glitches. The universe simply won’t allow it.

This applies to businesses of all sizes: most every organisation large enough to require a dedicated IT department has at least one obsolete system quietly chugging away in a corner providing a necessary service.

Something that was engineered just enough to work, often with the intent of replacing it with a more sustainable version later one – once the initial deployment target was cleared. Seasoned IT pros will tell you that these “temporary” fixes are rarely ever temporary. More often than not, these kludged-together components will soldier on until they catastrophically fail.

As a highly personal example of this, I managed to secure my first full-time job in Dallas by recognizing an obsolete IT solution that had been left to run until it failed, and then fixed it once it did. I was temping at an aviation training company at the time.

One day, my supervisor and I were returning from lunch and happened to walk by a comms closet that had been left open for maintenance. I recognized an obscure whining noise coming from the bottom of a rack, stuck my head inside to confirm my suspicions, and warned my boss that the noisy device– a 90 MB Iomega Bernoulli drive atop a time-yellowed Macintosh SE – was about to crash.

My boss didn’t believe me … until the next day when it did, in fact, crash from overheating. He overheard the IT people talking about how the unit wouldn’t re-boot and how the contractor who had originally installed the unit as a departmental file server was long gone.

Taking a gamble, my boss volunteered me since I sounded like I knew what I was doing. As it happened, I did: I’d worked with both components in that stack back I was an undergrad. I knew from the sound the drive was making that the disk was failing.

Once it crashed, I figured out what had happened. The original installer had booted the computer from a floppy disk (since it lacked an internal hard drive), then mounted and shared the Bernoulli drive’s volume on the network, and somehow ejected the boot disk while the system was running. That normally wasn’t allowed on a Macintosh, but it could be done.

One bootable floppy disk for a drive scanning utility app later and our company had its peculiar file server back – and I had an offer letter to be converted from part-time to full-time.

Pro-tip: the “showing off your skills” gambit can backfire. If you’re going to gamble your professional reputation on a risky task, be reasonably sure that you can actually pull it off.

I’m not sharing this tale to make myself look good; I was darned lucky. I happened to have some fringe technical knowledge about some uncommon pieces of equipment and leveraged that obsolete systems knowledge to solve a problem.

Even then, none of that knowledge would have been useful if I hadn’t walked by just the right room at just the right time with just the right audience. Still, I did … and it turned out that all that “useless” knowledge concerning “obsolete” kit was still useful.

No, what matters is that we all depend on these sorts of obsolete, abandoned, forgotten, and otherwise archaic technologies every day. Something gets put into production and then is kept hands-off so that it doesn’t break for years afterwards. All those technical and operational skills that we accumulate can be leveraged for years after we thought they’d passed their best-by date.

In fact, I’d wager that the staggering rate of change that we’re experiencing now is only making those legacy skills even more valuable: as the upgrade cycle shrinks (that is, as the time between any two major versions of a product or an OS), the temptation to leave a working solution alone to run itself to death becomes increasingly attractive.

That’s why I counsel my students that the education requirements stemming from our unrelenting pace of change shouldn’t be viewed as a futile exercise. We’re not replacing old learning with new skills’ we’re adding additional speciality tools into an already-impressive mental toolbox. All the “old” skills still have practical value. Maybe not as often, but certainly for quite some time to come.

[1] Lyrics from the New Model Army song “Purity” circa 1990. Highly recommended.

[2] “Cash machine” = “ATM” in the USA.

The following two tabs change content below.

Keil Hubert

Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

Comments

Get the latest cyber news in your inbox

Join our community of cyber professionals today!