During the 27-year gig we were
subjected regularly to "spear phishing" hack attempts. That's defined
by someone contacting internal people via email and soliciting or
evoking information that allows for greater intrusion. It's easy to
find someone's internal email address, that's often published or if not,
it probably follows a standard format. If you are any good at talking
to strangers you can probably write an email that an employee will
respond to. Generally you want to avoid the representation that you are
a Nigerian prince in exhile.
The
first was a situation in which a senior employee received an email that
appeared to be from USBank. The logo, font and contact information was
all correction. There was a reply link that took you to a web form,
also all correct looking. At that point it asked for verification of
account number, home address, you mother's maiden name, etc. Our senior
employee filled out the form and his Visa card was used about five
minutes later in Ireland.
A
very recent event, during my last 'transition' months involved a senior
accounting member. On a Friday afternoon they received an email
requesting a wire transfer of money for a legitimate project. The
message included the name of the company's CFO and mentioned that he was
unavailable according to his calendar but had approved the wire
transfer. The accounting person did several back and forth emails
getting further information and was ready to sent the money. That would
have been a significant amount into a black hole. These people are
good. I would have fired the accounting person for even getting that
far down the path.
So
what is the implication of the Sony hack? Anything you do on the
internet is more or less recorded. Some companies are good about
keeping private what more or less should be private. Unless you are a
terrorist, Google is not going to cough you up. The North Korean's were
able to solicit via spear phishing enough information to get to a
senior network administrators user ID and password. That is all it
takes. In the 27-year gig there were just four of us who had those
rights and we check on each other's integrity and practice standards all
the time.
You
should have complex passwords, something other than your childhood
dog's name. Don't right them down. Don't give them to you spouse.
Don't ask computer's to remember you.
The
Koreans had political intent. There are just as many security trolls
out and about doing this stuff for fun who may just like messing with
people and companies. There is also good money in this as evidenced by
the hacks of Target, Home Depot, etc. My USBank card had been lifted
three times and our three small business cards from Wells Fargo have
been lifted five times in total. Cash might be good...although 20% of
the $100 bills are fake.
Cloud
storage is pretty convenient. I used it all the time. Not everything
that I store on the cloud is encrypted. Some of the cloud storage
providers are a bit brazen about declaring the security of their systems
and the lack of intrusions. The Sony intrusion occurred through a
relatively simple approach and may have destroyed their reputation and
put a lot of movie goers under a threat of violence in theaters, and we
know there's some bad stuff that has happened there in the past. Are
there Korean sleeper cells her? That's my conspiracy comment of the
day.
The
really big hack, bigger than Sony, is that ICAAN was hacked recently.
This is the organization that provides all the addressing and domain
assignments for the internet. A good hack there would affect all
internet traffic.
I'm going to rethink my information stored in the cloud, probably ensuring that all of is is encrypted
on my side before being uploaded. I never had a dog as a child but I do
remember the name of dog that lived directly across the street.
Friday, December 19, 2014
Saturday, March 8, 2014
Target CIO ... Goodbye
Certainly everyone in a
lead IT position has been through the process of identifying the staff
and costs to keep the wheels turning, whether that be network
infrastructure, support services, application development and support,
etc., and without a doubt there has been consideration of security
enhancements that are logical...or those challenges where you thing
"when I have time and resources we need to address this...it might be a
problem." The "budget review" meetings invariably result in the
questions "where can you cut?", "has that been a problem?", "can't Joe
or Mary pick that up?" or "we need to hold firm on the budget." Despite
the fact that the Target CIO was very light on IT per se, we have to
assume that there were people aware of the exposure. Whether she was unable
to sell the costs or did not know the threat or whether other c-level
people were focused on their own areas (ignoring a notion of management
reciprocity) it's obviously a disaster for Target and certainly there
will be more casualties in the staff ranks.
On the upside this gives us all the opportunity to move security and governance of corporate electronic knowledge and resources higher up on the priority list. Other c-level stakeholders and the money gatekeepers will probably listen this year. Few projects are built with a credit card but clearly company interoperability of systems and the chaotic and uncontrolled consumerization of IT are creating many thin ice situations. It goes without saying that assuming ubiquitous cloud solutions and "there's an app for that" is naive; it's coming but we're going to have corporate hardware for a while.
One of my favorite quotes is from Andy Grove, the former CEO of Intel, who said "...every company is an IT company...they just don't know it yet..." If each and every functional manager outside of IT is not asking hard IT questions and supporting solutions and investment they are being remiss in their corporate responsibility.
The Target CIO position paid $3.5 million per year (unverified) if you want to apply. That's about $300,000/month which would be just fine.
On the upside this gives us all the opportunity to move security and governance of corporate electronic knowledge and resources higher up on the priority list. Other c-level stakeholders and the money gatekeepers will probably listen this year. Few projects are built with a credit card but clearly company interoperability of systems and the chaotic and uncontrolled consumerization of IT are creating many thin ice situations. It goes without saying that assuming ubiquitous cloud solutions and "there's an app for that" is naive; it's coming but we're going to have corporate hardware for a while.
One of my favorite quotes is from Andy Grove, the former CEO of Intel, who said "...every company is an IT company...they just don't know it yet..." If each and every functional manager outside of IT is not asking hard IT questions and supporting solutions and investment they are being remiss in their corporate responsibility.
The Target CIO position paid $3.5 million per year (unverified) if you want to apply. That's about $300,000/month which would be just fine.
Oracle can be a real challenge but it is an amazingly comprehensive collection of integrated solutions. I am immensely satisfied with my past commitment to their solutions.
OracleVoice: Larry Ellison Doesn't Get the Cloud: The Dumbest Idea of... forbes.com
Oracle CEO Larry Ellison
(Wikipedia) I don’t know if you’ve heard, but the talk among the
chattering classes at Oracle OpenWorld last week was that neither Oracle
nor company founder and CEO Larry Ellison gets the cloud. Yes, I know,
that seems...
Reflection at Day 102
It's now been about 100
days since I left my 27-year gig during which I took no extended time
off. The last 3+ months have been remarkably refreshing and reinforces
my position that sabbaticals are mission critical for key people
(especially IT). Removing oneself from the legacy systems, fiscal
constraints, fiscal versus operational decision-making, cubical/office
environment gives time to think about your craft and the value points
with that practice. IT is, of course, all about process improvement and
IT leadership is remarkably well-positioned to understand he breadth of
organizational opportunities for innovative IT application, much more
than the iFolks with the ever-hollow "there's an app for that." I
neglected to mention that the time away gives very clear insights into
the politics of IT in the AEC industry.
Inside Scoop on Target Data Fraud
http://krebsonsecurity.com/
Bottom line is that it was discovered by the banks and card companies whose fraud departments routinely buy hundreds of stolen credit cards ($20-100 each) and analyze the patterns to find the source of the problem.
This will have an interesting play as we move aggressively forward on software defined networks which will offer even more exposure than the cloud vendors.
Bottom line is that it was discovered by the banks and card companies whose fraud departments routinely buy hundreds of stolen credit cards ($20-100 each) and analyze the patterns to find the source of the problem.
This will have an interesting play as we move aggressively forward on software defined networks which will offer even more exposure than the cloud vendors.
Krebs on Security krebsonsecurity.com
Other — 68 comments 22 Dec 13
An underground service that is selling credit and debit card accounts
stolen in a recent data breach at retail giant Target has stocked its
virtual shelves with a new product: Hundreds of thousands of cards
issued by...
ROI: Return On Investment ...or...Restriction On Innovation?
‘Innovation’ is a big word this year for ‘business.’ The
bookstores and ‘e-book’ world is filled with publications describing the
process to start an innovation program. I like that. I like change
and I like innovation. Bring a structure together, prioritize
initiatives, allocate funds, reward idea-creation (‘ideation’ if you are
really innovation-hip) and make money from these new ideas. Harness
the creative staff, ‘capture’ their ideas, prioritize them and fund the
initiatives. The 2013 innovation goal appears to be a structured
program for innovation. The warning in that previous sentence is
‘structured.’ If there are enough checks and balances, committees,
prioritization meetings and limited funds we’ve done a good job of
creating an innovation bureaucracy. That’s to be avoided.
A few years ago I initiated a ‘lean process improvement’ program in a $1B company. We approached this pretty simply doing a five day Kaizen to create a framework of priorities within the overall business process of the organization. Following that we embarked on a a series of Kaizens at an ever more macro level. Each facilitated event was teamed with stakeholders, topical experts and disinterested parties who were just good at ‘doing Kaizens.’ The pre-work included goals, objectives, metrics and an event budget. It was important to leave management out of the events to the extent possible. Everyone in the event had an equal voice. At the end of each Kaizen there was a rollout of improvements and a system of measurement to ensure that the changes stayed in place and to monitor bottom line impact. It was simple, leveraged everyone’s skills and experience and it worked. Continuous improvement in the ‘lean’ context equates to ‘incremental’ innovation. ‘Breakthrough’ results from a Kaizen look a lot like ‘disruptive’ innovation.
The Kaizen events resulted in change because the teams were given the freedom to act, to change processes that week and they had money. It was not a scenario where team members finished an event and then had to get approval to spend; that was part of the pre-work. Lean deployments result in continuous incremental change. Every event, regardless of length results in rapid innovation deployment.
The forklift operator knows when it’s time to replace a forklift. They deal with performance, function, maintenance and safety every day. The cost accountant looks at acquisition cost, depreciated cost, maintenance cost, and operating cost. One of those people is going to focus on return on investment (ROI); the other knows how to get the job done. Put the operator in a Kaizen and make him/her aware of forklift options and you’ll get to a the better solution whether it be equipment performance, features or even racking system or loading dock modifications. Facilitate the innovation opportunities of people doing the real work. Focus on return on innovation (ROI).
Traditional ROI analysis is required to get past the bean counter numbers. A lot of innovation dies at the feet of those gatekeepers. Traditional ROI is rarely tracked after the purchase. Deployments and implementations start changing parameters on day 2. I’d suggest that innovators have a seat at the table. Ensure that return on investment (ROI) does not become a restriction of innovation (ROI).
A few years ago I initiated a ‘lean process improvement’ program in a $1B company. We approached this pretty simply doing a five day Kaizen to create a framework of priorities within the overall business process of the organization. Following that we embarked on a a series of Kaizens at an ever more macro level. Each facilitated event was teamed with stakeholders, topical experts and disinterested parties who were just good at ‘doing Kaizens.’ The pre-work included goals, objectives, metrics and an event budget. It was important to leave management out of the events to the extent possible. Everyone in the event had an equal voice. At the end of each Kaizen there was a rollout of improvements and a system of measurement to ensure that the changes stayed in place and to monitor bottom line impact. It was simple, leveraged everyone’s skills and experience and it worked. Continuous improvement in the ‘lean’ context equates to ‘incremental’ innovation. ‘Breakthrough’ results from a Kaizen look a lot like ‘disruptive’ innovation.
The Kaizen events resulted in change because the teams were given the freedom to act, to change processes that week and they had money. It was not a scenario where team members finished an event and then had to get approval to spend; that was part of the pre-work. Lean deployments result in continuous incremental change. Every event, regardless of length results in rapid innovation deployment.
The forklift operator knows when it’s time to replace a forklift. They deal with performance, function, maintenance and safety every day. The cost accountant looks at acquisition cost, depreciated cost, maintenance cost, and operating cost. One of those people is going to focus on return on investment (ROI); the other knows how to get the job done. Put the operator in a Kaizen and make him/her aware of forklift options and you’ll get to a the better solution whether it be equipment performance, features or even racking system or loading dock modifications. Facilitate the innovation opportunities of people doing the real work. Focus on return on innovation (ROI).
Traditional ROI analysis is required to get past the bean counter numbers. A lot of innovation dies at the feet of those gatekeepers. Traditional ROI is rarely tracked after the purchase. Deployments and implementations start changing parameters on day 2. I’d suggest that innovators have a seat at the table. Ensure that return on investment (ROI) does not become a restriction of innovation (ROI).
Looking Forward...Looking Back
Being in the middle of a life ‘re-set’ gives one the opportunity to
look forward, to attempt to look around the next corner before you get
there. That’s exciting. That’s the challenge.
To navigate the next corner you have to know where you’ve been, you have to know what you need to take with you, what you should leave behind and how aggressively to go into the corner. In a recent blog post, Seth Godin spoke of the value of being forward-looking but also the danger of being too far ahead of the curve. As I’ve been getting rid of baggage that I’m not taking forward, I came upon the following conceptual map I designed for my organization’s web presence, circa 1999. To put 1999 in a web perspective, that was the year I added DSL at my home, it was a time that few people were making purchases on the internet and organization email was the exception.
This was one of those personal archeological finds that reminded me of that danger. Leverage your perspectives on the future but work on the organizational context; if you cannot bring people along at your pace you may need a new venue, somewhere around the next corner, somewhere all the fast riders want to be.
To navigate the next corner you have to know where you’ve been, you have to know what you need to take with you, what you should leave behind and how aggressively to go into the corner. In a recent blog post, Seth Godin spoke of the value of being forward-looking but also the danger of being too far ahead of the curve. As I’ve been getting rid of baggage that I’m not taking forward, I came upon the following conceptual map I designed for my organization’s web presence, circa 1999. To put 1999 in a web perspective, that was the year I added DSL at my home, it was a time that few people were making purchases on the internet and organization email was the exception.
This was one of those personal archeological finds that reminded me of that danger. Leverage your perspectives on the future but work on the organizational context; if you cannot bring people along at your pace you may need a new venue, somewhere around the next corner, somewhere all the fast riders want to be.
Subscribe to:
Posts (Atom)