Friday, December 19, 2014

Sony Hack

During the 27-year gig we were subjected regularly to "spear phishing" hack attempts.  That's defined as someone contacting internal people via email and soliciting or evoking information that allows for greater intrusion.  It's easy to find someone's internal email address; it's often published, and if not, it probably follows a standard format.  If you are any good at talking to strangers you can probably write an email that an employee will respond to.  Generally you want to avoid the representation that you are a Nigerian prince in exile.

The first was a situation in which a senior employee received an email that appeared to be from USBank.  The logo, font and contact information were all correct.  There was a reply link that took you to a web form, also all correct looking.  At that point it asked for verification of account number, home address, your mother's maiden name, etc.  Our senior employee filled out the form and his Visa card was used about five minutes later in Ireland.

A very recent event, during my last 'transition' months, involved a senior accounting member.  On a Friday afternoon they received an email requesting a wire transfer of money for a legitimate project.  The message included the name of the company's CFO and mentioned that he was unavailable according to his calendar but had approved the wire transfer.  The accounting person exchanged several back-and-forth emails getting further information and was ready to send the money.  That would have been a significant amount into a black hole. These people are good.  I would have fired the accounting person for even getting that far down the path.
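As an added example that is not from the original post, here is a small Python check written from the defender's side that flags the indicators behind the two stories above: a link whose visible text names a bank while its real target is another host, and an executive-impersonation wire request whose replies are redirected to a different domain.  The company domain, the executive roster and the sample messages are all assumed and constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-firm.com"   # assumed internal mail domain
EXECUTIVES = {"jane doe"}             # assumed roster of names worth impersonating (the CFO)
WIRE_WORDS = re.compile(r"\b(wire transfer|urgent|approved|unavailable)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def phish_indicators(raw):
    """Indicator names that fire for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    hits = []
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:  # exec name, outside sender
        hits.append("exec-name-external-domain")
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_dom:   # replies quietly redirected
        hits.append("reply-to-mismatch")
    body = msg.get_payload()
    if len(WIRE_WORDS.findall(body)) >= 2:   # the persuasive words from the CFO story
        hits.append("wire-request-language")
    for href, text in ANCHOR.findall(body):  # visible domain vs. the host actually linked
        shown = re.search(r"[\w.-]+\.\w+", text)
        host = urlparse(href).hostname or ""
        if shown and not host.endswith(shown.group(0).lower()):
            hits.append("link-text-domain-mismatch")
    return hits

# Constructed sample messages modelled on the two stories above (not real mail).
BANK_PHISH = """\
From: USBank Security <alerts@usbank-verify.example>
Subject: Verify your account

<p>Please verify at <a href="http://198.51.100.7/verify">www.usbank.com</a></p>
"""
CFO_WIRE = """\
From: Jane Doe <jane.doe@mail-relay.example>
Reply-To: jane.doe@different.example
Subject: Wire transfer for the project

Jane is unavailable per her calendar but has approved this urgent wire transfer.
"""
```

A message from the real executive at the company domain, with no redirected Reply-To and no wire language, produces an empty list.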

So what is the implication of the Sony hack?  Anything you do on the internet is more or less recorded.  Some companies are good about keeping private what more or less should be private.  Unless you are a terrorist, Google is not going to cough you up.  The North Koreans were able to solicit via spear phishing enough information to get to a senior network administrator's user ID and password.  That is all it takes.  In the 27-year gig there were just four of us who had those rights and we checked on each other's integrity and practice standards all the time.

You should have complex passwords, something other than your childhood dog's name.  Don't write them down.  Don't give them to your spouse.  Don't ask computers to remember you.

The Koreans had political intent.  There are just as many security trolls out and about doing this stuff for fun who may just like messing with people and companies.  There is also good money in this, as evidenced by the hacks of Target, Home Depot, etc.  My USBank card has been lifted three times and our three small business cards from Wells Fargo have been lifted five times in total.  Cash might be good...although 20% of the $100 bills are fake.

Cloud storage is pretty convenient.  I use it all the time.  Not everything that I store on the cloud is encrypted.  Some of the cloud storage providers are a bit brazen about declaring the security of their systems and the lack of intrusions.  The Sony intrusion occurred through a relatively simple approach and may have destroyed their reputation and put a lot of movie goers under a threat of violence in theaters, and we know there's some bad stuff that has happened there in the past.  Are there Korean sleeper cells here?  That's my conspiracy comment of the day.

The really big hack, bigger than Sony, is that ICANN was hacked recently.  This is the organization that provides all the addressing and domain assignments for the internet.  A good hack there would affect all internet traffic.

I'm going to rethink my information stored in the cloud, probably ensuring that all of it is encrypted on my side before being uploaded.  I never had a dog as a child but I do remember the name of the dog that lived directly across the street.

Saturday, March 8, 2014

Target CIO ... Goodbye


Certainly everyone in a lead IT position has been through the process of identifying the staff and costs to keep the wheels turning, whether that be network infrastructure, support services, application development and support, etc., and without a doubt there has been consideration of security enhancements that are logical...or those challenges where you think "when I have time and resources we need to address this...it might be a problem." The "budget review" meetings invariably result in the questions "where can you cut?", "has that been a problem?", "can't Joe or Mary pick that up?" or "we need to hold firm on the budget." Despite the fact that the Target CIO was very light on IT per se, we have to assume that there were people aware of the exposure. Whether she was unable to sell the costs, did not know the threat, or other c-level people were focused on their own areas (ignoring a notion of management reciprocity), it's obviously a disaster for Target and certainly there will be more casualties in the staff ranks.

On the upside this gives us all the opportunity to move security and governance of corporate electronic knowledge and resources higher up on the priority list. Other c-level stakeholders and the money gatekeepers will probably listen this year. Few projects are built with a credit card but clearly company interoperability of systems and the chaotic and uncontrolled consumerization of IT are creating many thin ice situations. It goes without saying that assuming ubiquitous cloud solutions and "there's an app for that" is naive; it's coming but we're going to have corporate hardware for a while.

One of my favorite quotes is from Andy Grove, the former CEO of Intel, who said "...every company is an IT company...they just don't know it yet..." If each and every functional manager outside of IT is not asking hard IT questions and supporting solutions and investment they are being remiss in their corporate responsibility.

The Target CIO position paid $3.5 million per year (unverified) if you want to apply. That's about $300,000/month which would be just fine.

Everyman at CIO-Innovation

Oracle can be a real challenge but it is an amazingly comprehensive collection of integrated solutions. I am immensely satisfied with my past commitment to their solutions.

OracleVoice: Larry Ellison Doesn't Get the Cloud: The Dumbest Idea of... forbes.com

I don't know if you've heard, but the talk among the chattering classes at Oracle OpenWorld last week was that neither Oracle nor company founder and CEO Larry Ellison gets the cloud. Yes, I know, that seems...

Reflection at Day 102

It's now been about 100 days since I left my 27-year gig, during which I took no extended time off. The last 3+ months have been remarkably refreshing and reinforce my position that sabbaticals are mission critical for key people (especially IT). Removing oneself from the legacy systems, fiscal constraints, fiscal versus operational decision-making, and cubicle/office environment gives time to think about your craft and the value points within that practice. IT is, of course, all about process improvement, and IT leadership is remarkably well-positioned to understand the breadth of organizational opportunities for innovative IT application, much more than the iFolks with the ever-hollow "there's an app for that." I neglected to mention that the time away gives very clear insights into the politics of IT in the AEC industry.

Inside Scoop on Target Data Fraud

http://krebsonsecurity.com/
Bottom line is that it was discovered by the banks and card companies whose fraud departments routinely buy hundreds of stolen credit cards ($20-100 each) and analyze the patterns to find the source of the problem.

This will have an interesting play as we move aggressively forward on software defined networks which will offer even more exposure than the cloud vendors.

Krebs on Security (krebsonsecurity.com, 22 Dec 2013): An underground service that is selling credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by...

ROI: Return On Investment ...or...Restriction On Innovation?

‘Innovation’ is a big word this year for ‘business.’     The bookstores and ‘e-book’ world is filled with publications describing the process to start  an innovation program.  I like that.   I like change and I like innovation.   Bring a structure together, prioritize initiatives, allocate funds, reward idea-creation (‘ideation’ if you are really innovation-hip) and make money from these new ideas.  Harness the creative staff, ‘capture’ their ideas, prioritize them and fund the initiatives.  The 2013 innovation goal appears to be  a structured program for innovation.  The warning in that previous sentence is ‘structured.’   If there are enough checks and balances, committees, prioritization meetings and limited funds we’ve done a good job of creating an innovation bureaucracy.  That’s to be avoided.
A few years ago I initiated a ‘lean process improvement’ program in a $1B company.  We approached this pretty simply, doing a five day Kaizen to create a framework of priorities within the overall business process of the organization.  Following that we embarked on a series of Kaizens at an ever more macro level.  Each facilitated event was teamed with stakeholders, topical experts and disinterested parties who were just good at ‘doing Kaizens.’  The pre-work included goals, objectives, metrics and an event budget.  It was important to leave management out of the events to the extent possible.  Everyone in the event had an equal voice.  At the end of each Kaizen there was a rollout of improvements and a system of measurement to ensure that the changes stayed in place and to monitor bottom line impact.  It was simple, leveraged everyone’s skills and experience and it worked.  Continuous improvement in the ‘lean’ context equates to ‘incremental’ innovation.   ‘Breakthrough’ results from a Kaizen look a lot like ‘disruptive’ innovation.
The Kaizen events resulted in change because the teams were given the freedom to act, to change processes that week, and they had money.  It was not a scenario where team members finished an event and then had to get approval to spend; that was part of the pre-work.  Lean deployments result in continuous incremental change.  Every event, regardless of length, results in rapid innovation deployment.
The forklift operator knows when it’s time to replace a forklift.  They deal with performance, function, maintenance and safety every day.  The cost accountant looks at acquisition cost, depreciated cost, maintenance cost, and operating cost.  One of those people is going to focus on return on investment (ROI); the other knows how to get the job done.  Put the operator in a Kaizen and make him/her aware of forklift options and you’ll get to the better solution, whether it be equipment performance, features or even racking system or loading dock modifications.  Facilitate the innovation opportunities of people doing the real work.  Focus on return on innovation (ROI).
Traditional ROI analysis is required to get past the bean counter numbers.  A lot of innovation dies at the feet of those gatekeepers.  Traditional ROI is rarely tracked after the purchase.  Deployments and implementations start changing parameters on day 2.  I’d suggest that innovators have a seat at the table.  Ensure that return on investment (ROI) does not become a restriction of innovation (ROI).

Looking Forward...Looking Back

Being in the middle of a life ‘re-set’ gives one the opportunity to look forward, to attempt to look around the next corner before you get there.  That’s exciting.  That’s the challenge.
To navigate the next corner you have to know where you’ve been, you have to know what you need to take with you, what you should leave behind and how aggressively to go into the corner.  In a recent blog post, Seth Godin spoke of the value of being forward-looking but also the danger of being too far ahead of the curve.  As I’ve been getting rid of baggage that I’m not taking forward, I came upon the following conceptual map I designed for my organization’s web presence, circa 1999.  To put 1999 in a web perspective, that was the year I added DSL at my home; it was a time when few people were making purchases on the internet and organization email was the exception.
This was one of those personal archeological finds that reminded me of that danger.  Leverage your perspectives on the future but work on the organizational context; if you cannot bring people along at your pace you may need a new venue, somewhere around the next corner, somewhere all the fast riders want to be.