Core compentencies

This weekend provided a neatly packaged scenario of exactly why an organization must understand those things that are core competencies and control those capabilities. This is not a sly way to start talking about horribly bad officiating and how the refs completely blew the fumble call on Kurt Warner at the end of the Super Bowl. I digress…

The web site for the city of Cedar Rapids was hacked this weekend. In the process of working a comment on Steve Buttry’s blog, I wanted to pass along a link for contacting our local elected public servants. What I found was every non-document page below the main page had been replaced with a tagged page from a hack. I saved a screen capture of it on my Facebook wall. This kind of stuff happens at times, so I thought it would be good to extend a professional courtesy to the city’s IT staff and make sure they knew of the hack. After multiple numbers and repeatedly ending up talking to an out-sourced message taking service who was either unable of unwilling to put me in contact with an on-call member of the city IT staff, I decided it was Sunday, I had other things to do and they could discover their own problem. I did take time to fire off some ticklers to the Gazette and KCRG about the hack and went about my day. In the end, I have no idea when they were actually alerted to the problem or by whom, but the problem existed for at least 24 hours.
There are some lessons from this real-life scenario. Why invest in an after-hours/weekends/holidays message service that only takes messages for delivery to the person on the next business day? From the capabilities I saw demonstrated, an answering machine from WalMart would fully replace the message service. Please give that one a couple seconds to sink in: the message center folks told me all they could do is take the message and make sure it was waiting for the IT folks first thing on Monday. See, just like an answering machine. Let’s move on to a bit of forensics. I was curious as to the nature of the hack and did some quick research based on the tag page left behind by the hackers. 2006. That was the year this attack was first documented on the internet. Some of the reports even indicated the vulnerabilities exploited in the attacks were old operating systems (e.g. NT) and old versions of IIS. I sure hope our city IT infrastructure isn’t running anything on NT! NT is basically a free range chicken on the IT prairie. Microsoft doesn’t even support it anymore and it is not subject to patches or hot fixes. In short, NT is the figurative red badge of courage for those who like to gamble with their organizations network security.
Here’s the summary for those aren’t already bored of hearing something that is common-sense for 99% of IT professionals:
- If you consider customer service a core competency, don’t out-source it to a note taker. If all you need are phone messages on the next business day, buy an answering machine.
- If you consider network and data security a core competency, don’t rely on old, tired and unsupported technologies.

Reblog this post [with Zemanta]