ideas

Ransomware is coming to get us. Prepare. Beware.

by Kate Carruthers2 Comments on Ransomware is coming to get us. Prepare. Beware.
Ransomware is coming to get us. Prepare. Beware.

There are increasing numbers of ransomware attacks on municipalities and governmental organisations in the US, with headlines like this. And Australia will not be immune to these attacks.

Towns Across Texas Hit in Coordinated Ransomware Attack

The state government and cybersecurity groups have mobilized to respond to a mass ransomware attack that simultaneously hit 23 different towns statewide. 

https://www.darkreading.com/attacks-breaches/towns-across-texas-hit-in-coordinated-ransomware-attack/d/d-id/1335567

As Lawrence Abrams noted in Bleeping Computer: “Now that ransomware developers know that they can earn monstrous payouts from local cities and insurance policies, we see a new government agency, school district, or large company getting hit with a ransomware attack every day. For example, this week the Governor of Louisiana declared a state of emergency for the wave of attacks targeting school districts in the state.”

The insurance companies are paying out on these ransomware attacks. But in the very near future insurance companies are going to demand to see evidence of measures taken by the organisation to prevent such ransomware attacks. Based on the ease with which so many cities in the US were penetrated by advanced persistent threats (APTs) they will be entirely right to do so. A good example is the recent Baltimore ransomware attack which will cost the city over $18 million.

However, many organisations are not ready to operate in this kind of world. In the olden days criminals robbed banks because that was where the money was kept. Nowadays the criminals have turned to ransomware because enterprises are the soft target.

Insurers will be under pressure as payouts increase. As was recently noted in the following article payouts are increasing – Ransomware attackers set sights on middle market firms:

“A year and a half ago, the maximum amount we paid was about $7,500, but in many cases, we weren’t paying the ransom because we had the back-ups available to restore the data,” commented Horn. “Now we’re seeing ransomware demands regularly in the seven figures, more like $1 million, $2 million, and a few weeks ago we saw one for almost $4 million.

Do not expect the insurers to continue to take all of the risk. Get organised otherwise organisations will see premiums rocket. This means that every organisation will need to be able to substantiate their preparations to prevent or address ransomware attacks.

The US government has issued guidance on Steps to Safeguard Against Ransomware Attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware.

The steps that they include are simple:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

 

Featured image: Motormille2 [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

ideas

Cloud is the future, serverless is the way to go

by Kate Carruthers
Cloud is the future, serverless is the way to go

I’ve been hosting production workloads on Amazon Web Services for over 5 years now, and am also hosting production workloads on Azure and Google Cloud as well.

There seems to be a lot of enthusiasm for containerisation, and many are loving on kubernetes and docker. But this seems to merely be a cul de sac on the road to a serverless future.

There is a real opportunity to leap frog a generation of data centre and container technologies and deliver real value to the business. Many cite vendor lock in refutation of serverless. However, I have found the switching costs between cloud vendors to be minimal (but perhaps that depends upon the quality of one’s team?)

Of course, there are servers somewhere, but I no longer need to be concerned with them, they are always patched and available across multiple high availability zones. This means that I get to spend more of my budget on delivering value for the business rather than on ensuring we won’t get hacked because someone didn’t patch a server.

This serverless future must seem quite terrifying to the folks who have tended to the blinky lights on the machines all of their life. But if they do not embrace this future they will be displaced, because cloud is the future (unless, of course, there is some kind of global catastrophe – in which case we all have bigger problems).

 

ideas

Thoughts on digital forensics

by Kate Carruthers

I’m studying cyber security and investigations at the moment and the current course is digital forensics. It is fascinating learning about how folks try to hide their digital tracks, and it is also mildly terrifying to realise how much data can be recovered. I’m deep in hex viewers, write blockers, and various tools for analysing data.

It is quite a shock to find that the tools for digital forensics that we are using in class are  mostly trial versions of expensive proprietary tools. Also it appears that there are very few UX people involved in the development of most tools, as they are mostly rather utilitarian.

There are very few open standards and not many open source tools. Among the tools that I have found to be useful are Autopsy and ExifTool.

UPDATE: via some nice folks on Twitter (hi  and ) I’ve discovered some interesting new tools and also Eric’s blog binary foray.

There is a good list here: The Best Open Source Digital Forensic Tools

GhidraInterestingly the the US National Security Agency (NSA) has recently released their GHIDRA tool. This nifty tool is a reverse engineering tool, and its capabilities include disassembly, assembly, decompilation, graphing and scripting. The open sourcing of this tool is a major disruptor of the incumbent’s proprietary and rather expensive toolset. Good idea NSA!

ideas

IWD 2019: the possibility of balance

by Kate Carruthers

meowrow-catFor 2019 the International Women’s Day theme is “Balance for Better” and with Ribit’s focus on ESTEAM students and accelerating innovation in industry, I am sharing my “own personal story and experience as an employee and employer, how you jumped started your career, leapfrogged your competition into great jobs to advance your career, along with what you look for in a student to hire”

How I got started in tech

I had no plans for a career in technology, I studied arts at university and originally wanted to be an historian. Then, many years ago, I was standing in the kitchen at work chatting with the CEO and happened to mention that there was a problem with the computer system in the office.

[Pro-tip: never casually mention problems to a CEO unless you are prepared to help fix them]

She mentioned that we needed an IT manager and, since I sounded like I knew about that ‘stuff’, asked if I wanted the job.  My ‘prudent’ response (having no experience at all for this job) was “yes”. And that is the true story of how my career in IT started.

Since then I have studied various technical subjects and have done many different jobs in tech and have enjoyed a fascinating career.

How I progressed my career

In the early days I did not even realise that I had a career until a mentor asked what I was doing about my career. At once I realised that it was up to me, I was going to have to drive my career because nobody else was going to do it for me. I started to think about myself as a product, started to look at the skills and qualifications required to progress my career. I started to seek out new opportunities and to learn new technologies.  Knowing stuff is important, and knowing how to apply it is even more important.

Ability to execute is critical

Many people have great ideas, but few have the ability to execute on them. This, together with enthusiasm, is probably the key thing I look for in a new team member. The ability to execute is all about delivery, it means not taking things at their face value, following through and delivering without excuses. It also means closing the loop on things, and ensuring that the item is delivered with the best possible result. 

Decisions are made by those who turn up

This is one of the most important lessons to learn. If you are not at the table then you will not be participating in the decision making. Participation is important, especially when it is accompanied by enthusiasm and an ability to execute. 

This is the second thing I look for in new team members – folks who turn up and are reliable.

Balance?

I must confess that I am very unbalanced by some people’s standards. I work a lot, study, have startup interests, and have family and friends. That is balanced for me. You need to find what is balanced for you. Don’t let anyone else decide for you.

Sometimes you will want to focus on an opportunity and that is okay. Other times you will want to make space in your life for other things. The important thing is doing what is right for you at the time.

An important factor in maintaining balance is being yourself. This means being vulnerable, but I think that it is worth it in the long run.

Another important part of balance is being thoughtful and reflective about how you are feeling, how you are performing and how your relationships are going. This kind of regular temperature check means that you can rectify things if you are starting to get off track – because balance is not just about work.

Perhaps the most important thing in maintaining balance is ensuring that you keep up significant relationships – family, friends, partners. This will ensure that you have other parties who can also reflect on your journey together with you.

 

ideas, management

Critical conversations at work

by Kate Carruthers
Critical conversations at work

Managing people is a skill

I’ve been a manager for over twenty years now, managing teams ranging in size from 2 to 263. One thing that I have learned is that if you want to do anything big then you need to work through other people to achieve at scale. And managing through other people to achieve goals is one of the biggest challenges when one shifts from being an individual performer to being a team leader or manager.

The skills of team leadership are not often taught formally to new managers, and they are often learned on the job. One of the scariest things that one is called upon to do as a new manager is to provide negative feedback to a team member. But it is important to know how to build the context around it so that it becomes part of the working relationship and not a surprise to anyone.

Critical conversations

Many problems in workplaces are caused by hesitation in initiating critical conversations. And this does not necessarily mean conversations that are focused on criticism of an individual or their work. It also means conversations that clarify the work to be done, issues and risks relating to the work, and any barriers to getting the work done.

“Know what you want. Clarity is power. And vague goals promote vague results.”
– Robin Sharma.

If teams are not having meaningful conversations with each other on an ongoing basis then, instead of small adjustments in course, it can evolve into enormous delivery and execution issues, and even escalate into an official performance management issue that can result in a job loss. Many times I have seen the performance management issue come as a complete surprise to the individual staff member involved, yet it is rarely a surprise to their team members. This is typically the result of the team leader being afraid to have a critical conversation, and the result of poor ongoing communication between the team leader and the team member.

“Often we go through an entire conversation – or indeed an entire relationship – without ever realizing that each of us is paying attention to different things, that our views are based on different information.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

This means that, as leaders, we need to create an environment where team members (including the team leader) communicate effectively about the work to be done, who needs to do what tasks, when they are needed by, and to what quality standards they need to be done in an objective manner.

Some techniques that I have used to create this kind of environment include the use of specific language. For instance, a team member will often give updates in terms of “I hope to deliver it by Tuesday”.  I make it very clear that hope is not a delivery strategy, and often reply that:

“We don’t hope. We provide a percentage confidence level it will done on time and budget, so what is your confidence level for this task?”

By shifting the language used by the team to talk about delivery and relating it to the reality of getting things done this creates an opportunity to discuss issues and barriers to getting the task done.

Performance management

Once this kind of environment is in place, in the normal course of things, there is little reason for the manager to intervene. However, when it becomes evident that a team member is unable to deliver assigned tasks at the required quality standard and to the relevant timeframe, the manager needs to intervene.

As a manager it is important to have ongoing conversations with team members. Performance issues rarely pop up overnight. They develop over longer periods and there are usually warning signs. If critical conversations happen early and often enough then the issues can be addressed and performance can be  improved. However, it is necessary to understand why people sometimes do not do what they are supposed to do.

Reasons why employees don’t do what they are supposed to do

The starting point for this is to work out why the person is not performing as required. Former Columbia Graduate School professor, Ferdinand Fournies,  interviewed nearly 25,000 managers asking them why, in their experience, direct reports did not accomplish their work as assigned. Here are the top reasons Fournies reported :

  1. They don’t know why they should do it.
  2. They don’t know how to do it.
  3. They don’t know what they are supposed to do.
  4. They think your way will never work.
  5. They think their way is better.
  6. They think something else is more important.
  7. There is no positive consequence to them for doing it.
  8. They think they are doing it.
  9. They are rewarded for not doing it.
  10. They are punished for doing what they are supposed to do.
  11. They anticipate a negative consequence for doing it.
  12. There is no negative consequence to them for poor performance.
  13. Obstacles beyond their control.
  14. Their personal limits prevent them from performing.
  15. Personal problems.
  16. No one could do it

Why Employees Don’t Do What They’re Supposed To and What You Can Do About It

It is always one of these types of issues that is at the root of poor performance. But lack of clarity around tasks and acceptable quality standards has been the most common reasons in my experience, and this is the most easy to remedy.

Healthy workplace conversations

This list above is a good starting point for conversations about performance. But performance is also a result of the team culture, high performing teams tend to experience a lot less poor performance.

Most of the issues listed by Fournies can be discovered by having meaningful conversations among the team about goals and objectives, and open discussions about roadblocks.

“difficult conversations are almost never about getting the facts right. They are about conflicting perceptions, interpretations, and values.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

Don’t wait until someone is performing poorly, look out for the early indicators of problems and initiate conversations about the issues early. Provide relevant feedback, both positive and negative in timely manner – it is much better when the feedback is delivered close to the action.

It is important that it is a conversation too, that is, a dialogue between two human beings – with give and take. So listening as well as speaking is critical. Building a relationship with your team member is important too. If you have taken the time to build a relationship with your team member then the difficult conversation becomes somewhat less difficult.

Some good questions to ask at regular catchups

Here are some questions to prompt the types of conversations we need to have to build healthy and productive workplaces:

  • How are you going?
  • Are there any road blocks you need help with?
  • Is there anything you need me to do?
  • Who are your key stakeholders? What are their issues? How are your relationships with them going?
  • Does that align with the culture we’re building here?
  • Does that align with team/individual KPIs or should you be doing something different?
  • How do you plan to achieve that objective?
  • Are you on track with that?

Resources about difficult conversations

Carmichael, S. G. (2017, May 02). Difficult Conversations: 9 Common Mistakes. Retrieved from https://hbr.org/2010/10/difficult-conversations-9-common-mistakes

Dowling, W. (2014, July 23). 7 Tips for Difficult Conversations. Retrieved from https://hbr.org/2009/03/7-tips-for-difficult-conversat

Fournies, F. F. (2007). Why employees dont do what theyre supposed to do – and what to do about it. New York: McGraw-Hill.

Patton, B., Stone, D., & Heen, S. (2011). Difficult conversations: How to discuss what matters most. London: Portfolio/Penguin.

Riegel, D. G., Healey, T., Roberts, J., Knight, R., & Whitehurst, J. (2016, June 30). When to Skip a Difficult Conversation. Retrieved from https://hbr.org/2016/03/when-to-skip-a-difficult-conversation

Rowland, D. (2016, April 14). What’s Worse than a Difficult Conversation? Avoiding One. Retrieved from https://hbr.org/2016/04/whats-worse-than-a-difficult-conversation-avoiding-one

Sharma, R. (undated). The Giant Achievement Method [and free worksheet]. Retrieved from https://www.robinsharma.com/article/the-giant-achievement-method-and-free-worksheet

ideas

Published: Visual Tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity

by Kate Carruthers

For the last couple of years I have been working on a book with Selena Griffith, Martin Bliemel and a long list of wonderfully creative and innovative authors from across the globe. Today it has been released for sale in digital and hard copy.

Visual Tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity identifies and documents pedagogical and practice-based visual approaches to scaffolding and developing these capacities in your classes, with your clients or in your teams. The editors have selected a diverse range of best practice case studies and theoretical frameworks from leading international educators and practitioners across a broad range of disciplines to illustrate how visual tools can be used to greatest effect.
P-B3-Postcard_Visual Tools
Divided into four logically sequenced sections, the book will progressively build upon the array of visual tools you can employ in your practice. Initially starting with tools for collaboration it expands to include ways to overcome the challenges of cross-disciplinary collaboration. Building on this foundation you will then explore visual tools for stimulating and supporting Innovation in classrooms, with clients and customers, or your team. The third section introduces strategies for selecting visual tools to aid in Entrepreneurship and entrepreneurial activities. The final section provides you with case studies of fully integrated practice where teams have collaborated to innovate and bring the resultant outputs to market. Visual tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity is the perfect companion for an educator, facilitator or practitioner to help students, clients or teams maximize their potential through the use of visual tools. Read cover to cover or dip in as you need to.

You can order the book at this link.

Huge thanks to Vaughan Rees and Arianne Rourke for their series curation. And to all our Authors