Cyber security tips for working from home #COVID19

Kate CarruthersLeave a comment

C.I.A. is even more important now with #COVID19 – C.I.A. or confidentiality, integrity, and availability of data is even more important now that we are in the era of the novel coronavirus pandemic (known as #COVID19). As companies send their workers home to work during the pandemic for undetermined amounts of time the issue of data security becomes even more critical.

Both organisations and individuals will need to be vigilant. Since the workers are dispersed far and wide and not ensconced safely in the office and directly connecting to the corporate networks so everyone will need to step up their security consciousness and their security operations.

Organisations are about to run a real life test of their business continuity plans. Many will fail. Here are some things to watch out for.

For organisations

Here are a few tips, this is not an exhaustive list:

  • Ensure all machines have properly configured firewalls as well as anti-malware and intrusion prevention.
  • Check your Virtual Private Network and other remote access channels, ensure that they are up-to-date and access systems are fully patched (there have been a number of recent VPN exploits).
  • Test remote access solutions capacity. I suspect that many will need to increase capacity because most organisations did not plan on every single person in the company working offsite.
  • Review business continuity plans and ensure that the cyber security team is in the room.
  • Review your incident response plans and update them to accommodate the dispersed workforce and the increased risk.
  • Ensure that staff know where to find help if they need it, and have multiple channels in case of an incident.
  • Ensure that system monitoring is ready for detection and alerts of abnormal activity.
  • Implement multi-factor authentication for staff (this should ideally be done during normal business and not during a crisis).
  • Ensure that your cyber security posture is maintained. The temptation is to relax controls in response to a crisis, but make sure that any relaxation of controls is risk assessed and mitigating controls are applied.
  • Ensure that staff know how to connect with the cyber security team via different channels.

For individuals

  • Individuals will need to take care and ensure that they do not disclose any personal or corporate financial information in response to emails and text messages – even ones seeming to come from colleagues. Phishing attacks are already happening in respect of COVID19.
  • It is also important to use trusted sources, such as government or medical websites, for current and fact-based information about COVID19. I often recommend the ABC podcast called Coronacast, hosted by Dr Norman Swan, for calm fact-based information about COVID19.
  • Further, it is critical to use trusted wifi or home broadband connections with a VPN (if their company provides one, if their company does not provide one then it would be prudent to buy one yourself). DO NOT USE PUBLIC WIFI unless you have no other choice and then only with the protection of a VPN.
  • Be ready to report any concerns about cyber security or suspicious emails and text messages to their cyber team.
  • Individuals should also ensure that their anti-virus and anti-malware solutions are up to date, and turn on the firewall software on their devices.

 

Image: JohnManuel / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0)

Ransomware is coming to get us. Prepare. Beware.

Kate Carruthers2 Comments

There are increasing numbers of ransomware attacks on municipalities and governmental organisations in the US, with headlines like this. And Australia will not be immune to these attacks.

Towns Across Texas Hit in Coordinated Ransomware Attack

The state government and cybersecurity groups have mobilized to respond to a mass ransomware attack that simultaneously hit 23 different towns statewide. 

https://www.darkreading.com/attacks-breaches/towns-across-texas-hit-in-coordinated-ransomware-attack/d/d-id/1335567

As Lawrence Abrams noted in Bleeping Computer: “Now that ransomware developers know that they can earn monstrous payouts from local cities and insurance policies, we see a new government agency, school district, or large company getting hit with a ransomware attack every day. For example, this week the Governor of Louisiana declared a state of emergency for the wave of attacks targeting school districts in the state.”

The insurance companies are paying out on these ransomware attacks. But in the very near future insurance companies are going to demand to see evidence of measures taken by the organisation to prevent such ransomware attacks. Based on the ease with which so many cities in the US were penetrated by advanced persistent threats (APTs) they will be entirely right to do so. A good example is the recent Baltimore ransomware attack which will cost the city over $18 million.

However, many organisations are not ready to operate in this kind of world. In the olden days criminals robbed banks because that was where the money was kept. Nowadays the criminals have turned to ransomware because enterprises are the soft target.

Insurers will be under pressure as payouts increase. As was recently noted in the following article payouts are increasing – Ransomware attackers set sights on middle market firms:

“A year and a half ago, the maximum amount we paid was about $7,500, but in many cases, we weren’t paying the ransom because we had the back-ups available to restore the data,” commented Horn. “Now we’re seeing ransomware demands regularly in the seven figures, more like $1 million, $2 million, and a few weeks ago we saw one for almost $4 million.

Do not expect the insurers to continue to take all of the risk. Get organised otherwise organisations will see premiums rocket. This means that every organisation will need to be able to substantiate their preparations to prevent or address ransomware attacks.

The US government has issued guidance on Steps to Safeguard Against Ransomware Attacks.

The Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have released a Joint Ransomware Statement with recommendations for state and local governments to build resilience against ransomware.

The steps that they include are simple:

  1. Back up systems—now (and daily). Immediately and regularly back up all critical agency and system configuration information on a separate device and store the backups offline, verifying their integrity and restoration process. If recovering after an attack, restore a stronger system than the one lost, fully patched and updated to the latest version.
  2. Reinforce basic cybersecurity awareness and education. Ransomware attacks often require the human element to succeed. Refresh employee training on recognizing cyber threats, phishing, and suspicious links—the most common vectors for ransomware attacks. Remind employees of how to report incidents to appropriate IT staff in a timely manner, which should include out-of-band communication paths.
  3. Revisit and refine cyber incident response plans. Have a clear plan to address attacks when they occur, including when internal capabilities are overwhelmed. Make sure response plans include how to request assistance from external cyber first responders, such as state agencies, CISA, and MS-ISAC, in the event of an attack.

 

Featured image: Motormille2 [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

Cloud is the future, serverless is the way to go

Kate Carruthers

I’ve been hosting production workloads on Amazon Web Services for over 5 years now, and am also hosting production workloads on Azure and Google Cloud as well.

There seems to be a lot of enthusiasm for containerisation, and many are loving on kubernetes and docker. But this seems to merely be a cul de sac on the road to a serverless future.

There is a real opportunity to leap frog a generation of data centre and container technologies and deliver real value to the business. Many cite vendor lock in refutation of serverless. However, I have found the switching costs between cloud vendors to be minimal (but perhaps that depends upon the quality of one’s team?)

Of course, there are servers somewhere, but I no longer need to be concerned with them, they are always patched and available across multiple high availability zones. This means that I get to spend more of my budget on delivering value for the business rather than on ensuring we won’t get hacked because someone didn’t patch a server.

This serverless future must seem quite terrifying to the folks who have tended to the blinky lights on the machines all of their life. But if they do not embrace this future they will be displaced, because cloud is the future (unless, of course, there is some kind of global catastrophe – in which case we all have bigger problems).

 

Thoughts on digital forensics

Kate Carruthers

I’m studying cyber security and investigations at the moment and the current course is digital forensics. It is fascinating learning about how folks try to hide their digital tracks, and it is also mildly terrifying to realise how much data can be recovered. I’m deep in hex viewers, write blockers, and various tools for analysing data.

It is quite a shock to find that the tools for digital forensics that we are using in class are  mostly trial versions of expensive proprietary tools. Also it appears that there are very few UX people involved in the development of most tools, as they are mostly rather utilitarian.

There are very few open standards and not many open source tools. Among the tools that I have found to be useful are Autopsy and ExifTool.

UPDATE: via some nice folks on Twitter (hi  and ) I’ve discovered some interesting new tools and also Eric’s blog binary foray.

There is a good list here: The Best Open Source Digital Forensic Tools

GhidraInterestingly the the US National Security Agency (NSA) has recently released their GHIDRA tool. This nifty tool is a reverse engineering tool, and its capabilities include disassembly, assembly, decompilation, graphing and scripting. The open sourcing of this tool is a major disruptor of the incumbent’s proprietary and rather expensive toolset. Good idea NSA!

IWD 2019: the possibility of balance

Kate Carruthers

meowrow-catFor 2019 the International Women’s Day theme is “Balance for Better” and with Ribit’s focus on ESTEAM students and accelerating innovation in industry, I am sharing my “own personal story and experience as an employee and employer, how you jumped started your career, leapfrogged your competition into great jobs to advance your career, along with what you look for in a student to hire”

How I got started in tech

I had no plans for a career in technology, I studied arts at university and originally wanted to be an historian. Then, many years ago, I was standing in the kitchen at work chatting with the CEO and happened to mention that there was a problem with the computer system in the office.

[Pro-tip: never casually mention problems to a CEO unless you are prepared to help fix them]

She mentioned that we needed an IT manager and, since I sounded like I knew about that ‘stuff’, asked if I wanted the job.  My ‘prudent’ response (having no experience at all for this job) was “yes”. And that is the true story of how my career in IT started.

Since then I have studied various technical subjects and have done many different jobs in tech and have enjoyed a fascinating career.

How I progressed my career

In the early days I did not even realise that I had a career until a mentor asked what I was doing about my career. At once I realised that it was up to me, I was going to have to drive my career because nobody else was going to do it for me. I started to think about myself as a product, started to look at the skills and qualifications required to progress my career. I started to seek out new opportunities and to learn new technologies.  Knowing stuff is important, and knowing how to apply it is even more important.

Ability to execute is critical

Many people have great ideas, but few have the ability to execute on them. This, together with enthusiasm, is probably the key thing I look for in a new team member. The ability to execute is all about delivery, it means not taking things at their face value, following through and delivering without excuses. It also means closing the loop on things, and ensuring that the item is delivered with the best possible result. 

Decisions are made by those who turn up

This is one of the most important lessons to learn. If you are not at the table then you will not be participating in the decision making. Participation is important, especially when it is accompanied by enthusiasm and an ability to execute. 

This is the second thing I look for in new team members – folks who turn up and are reliable.

Balance?

I must confess that I am very unbalanced by some people’s standards. I work a lot, study, have startup interests, and have family and friends. That is balanced for me. You need to find what is balanced for you. Don’t let anyone else decide for you.

Sometimes you will want to focus on an opportunity and that is okay. Other times you will want to make space in your life for other things. The important thing is doing what is right for you at the time.

An important factor in maintaining balance is being yourself. This means being vulnerable, but I think that it is worth it in the long run.

Another important part of balance is being thoughtful and reflective about how you are feeling, how you are performing and how your relationships are going. This kind of regular temperature check means that you can rectify things if you are starting to get off track – because balance is not just about work.

Perhaps the most important thing in maintaining balance is ensuring that you keep up significant relationships – family, friends, partners. This will ensure that you have other parties who can also reflect on your journey together with you.

 

Critical conversations at work

Kate Carruthers

Managing people is a skill

I’ve been a manager for over twenty years now, managing teams ranging in size from 2 to 263. One thing that I have learned is that if you want to do anything big then you need to work through other people to achieve at scale. And managing through other people to achieve goals is one of the biggest challenges when one shifts from being an individual performer to being a team leader or manager.

The skills of team leadership are not often taught formally to new managers, and they are often learned on the job. One of the scariest things that one is called upon to do as a new manager is to provide negative feedback to a team member. But it is important to know how to build the context around it so that it becomes part of the working relationship and not a surprise to anyone.

Critical conversations

Many problems in workplaces are caused by hesitation in initiating critical conversations. And this does not necessarily mean conversations that are focused on criticism of an individual or their work. It also means conversations that clarify the work to be done, issues and risks relating to the work, and any barriers to getting the work done.

“Know what you want. Clarity is power. And vague goals promote vague results.”
– Robin Sharma.

If teams are not having meaningful conversations with each other on an ongoing basis then, instead of small adjustments in course, it can evolve into enormous delivery and execution issues, and even escalate into an official performance management issue that can result in a job loss. Many times I have seen the performance management issue come as a complete surprise to the individual staff member involved, yet it is rarely a surprise to their team members. This is typically the result of the team leader being afraid to have a critical conversation, and the result of poor ongoing communication between the team leader and the team member.

“Often we go through an entire conversation – or indeed an entire relationship – without ever realizing that each of us is paying attention to different things, that our views are based on different information.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

This means that, as leaders, we need to create an environment where team members (including the team leader) communicate effectively about the work to be done, who needs to do what tasks, when they are needed by, and to what quality standards they need to be done in an objective manner.

Some techniques that I have used to create this kind of environment include the use of specific language. For instance, a team member will often give updates in terms of “I hope to deliver it by Tuesday”.  I make it very clear that hope is not a delivery strategy, and often reply that:

“We don’t hope. We provide a percentage confidence level it will done on time and budget, so what is your confidence level for this task?”

By shifting the language used by the team to talk about delivery and relating it to the reality of getting things done this creates an opportunity to discuss issues and barriers to getting the task done.

Performance management

Once this kind of environment is in place, in the normal course of things, there is little reason for the manager to intervene. However, when it becomes evident that a team member is unable to deliver assigned tasks at the required quality standard and to the relevant timeframe, the manager needs to intervene.

As a manager it is important to have ongoing conversations with team members. Performance issues rarely pop up overnight. They develop over longer periods and there are usually warning signs. If critical conversations happen early and often enough then the issues can be addressed and performance can be  improved. However, it is necessary to understand why people sometimes do not do what they are supposed to do.

Reasons why employees don’t do what they are supposed to do

The starting point for this is to work out why the person is not performing as required. Former Columbia Graduate School professor, Ferdinand Fournies,  interviewed nearly 25,000 managers asking them why, in their experience, direct reports did not accomplish their work as assigned. Here are the top reasons Fournies reported :

  1. They don’t know why they should do it.
  2. They don’t know how to do it.
  3. They don’t know what they are supposed to do.
  4. They think your way will never work.
  5. They think their way is better.
  6. They think something else is more important.
  7. There is no positive consequence to them for doing it.
  8. They think they are doing it.
  9. They are rewarded for not doing it.
  10. They are punished for doing what they are supposed to do.
  11. They anticipate a negative consequence for doing it.
  12. There is no negative consequence to them for poor performance.
  13. Obstacles beyond their control.
  14. Their personal limits prevent them from performing.
  15. Personal problems.
  16. No one could do it

Why Employees Don’t Do What They’re Supposed To and What You Can Do About It

It is always one of these types of issues that is at the root of poor performance. But lack of clarity around tasks and acceptable quality standards has been the most common reasons in my experience, and this is the most easy to remedy.

Healthy workplace conversations

This list above is a good starting point for conversations about performance. But performance is also a result of the team culture, high performing teams tend to experience a lot less poor performance.

Most of the issues listed by Fournies can be discovered by having meaningful conversations among the team about goals and objectives, and open discussions about roadblocks.

“difficult conversations are almost never about getting the facts right. They are about conflicting perceptions, interpretations, and values.”
Douglas Stone, Difficult Conversations: How to Discuss What Matters Most

Don’t wait until someone is performing poorly, look out for the early indicators of problems and initiate conversations about the issues early. Provide relevant feedback, both positive and negative in timely manner – it is much better when the feedback is delivered close to the action.

It is important that it is a conversation too, that is, a dialogue between two human beings – with give and take. So listening as well as speaking is critical. Building a relationship with your team member is important too. If you have taken the time to build a relationship with your team member then the difficult conversation becomes somewhat less difficult.

Some good questions to ask at regular catchups

Here are some questions to prompt the types of conversations we need to have to build healthy and productive workplaces:

  • How are you going?
  • Are there any road blocks you need help with?
  • Is there anything you need me to do?
  • Who are your key stakeholders? What are their issues? How are your relationships with them going?
  • Does that align with the culture we’re building here?
  • Does that align with team/individual KPIs or should you be doing something different?
  • How do you plan to achieve that objective?
  • Are you on track with that?

Resources about difficult conversations

Carmichael, S. G. (2017, May 02). Difficult Conversations: 9 Common Mistakes. Retrieved from https://hbr.org/2010/10/difficult-conversations-9-common-mistakes

Dowling, W. (2014, July 23). 7 Tips for Difficult Conversations. Retrieved from https://hbr.org/2009/03/7-tips-for-difficult-conversat

Fournies, F. F. (2007). Why employees dont do what theyre supposed to do – and what to do about it. New York: McGraw-Hill.

Patton, B., Stone, D., & Heen, S. (2011). Difficult conversations: How to discuss what matters most. London: Portfolio/Penguin.

Riegel, D. G., Healey, T., Roberts, J., Knight, R., & Whitehurst, J. (2016, June 30). When to Skip a Difficult Conversation. Retrieved from https://hbr.org/2016/03/when-to-skip-a-difficult-conversation

Rowland, D. (2016, April 14). What’s Worse than a Difficult Conversation? Avoiding One. Retrieved from https://hbr.org/2016/04/whats-worse-than-a-difficult-conversation-avoiding-one

Sharma, R. (undated). The Giant Achievement Method [and free worksheet]. Retrieved from https://www.robinsharma.com/article/the-giant-achievement-method-and-free-worksheet

Published: Visual Tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity

Kate Carruthers

For the last couple of years I have been working on a book with Selena Griffith, Martin Bliemel and a long list of wonderfully creative and innovative authors from across the globe. Today it has been released for sale in digital and hard copy.

Visual Tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity identifies and documents pedagogical and practice-based visual approaches to scaffolding and developing these capacities in your classes, with your clients or in your teams. The editors have selected a diverse range of best practice case studies and theoretical frameworks from leading international educators and practitioners across a broad range of disciplines to illustrate how visual tools can be used to greatest effect.
P-B3-Postcard_Visual Tools
Divided into four logically sequenced sections, the book will progressively build upon the array of visual tools you can employ in your practice. Initially starting with tools for collaboration it expands to include ways to overcome the challenges of cross-disciplinary collaboration. Building on this foundation you will then explore visual tools for stimulating and supporting Innovation in classrooms, with clients and customers, or your team. The third section introduces strategies for selecting visual tools to aid in Entrepreneurship and entrepreneurial activities. The final section provides you with case studies of fully integrated practice where teams have collaborated to innovate and bring the resultant outputs to market. Visual tools for Developing Cross-Disciplinary Collaboration, Innovation and Entrepreneurship Capacity is the perfect companion for an educator, facilitator or practitioner to help students, clients or teams maximize their potential through the use of visual tools. Read cover to cover or dip in as you need to.

You can order the book at this link.

Huge thanks to Vaughan Rees and Arianne Rourke for their series curation. And to all our Authors

Visual tools for developing student capacity for cross-disciplinary collaboration, innovation and entrepreneurship

Kate Carruthers

Very happy that our book is finally being published – huge thanks to my wonderful co-conspirators, co-editors and co-authors – Selena Griffith and Martin Bliemelbook 2018

Visual tools for developing student capacity for cross-disciplinary collaboration, innovation and entrepreneurship

Common Ground Research Networks, Champaign, IL 2018

“Visual tools for developing cross-disciplinary collaboration, innovation and entrepreneurship capacity identifies and documents pedagogical and practice-based visual approaches to scaffolding and developing these capacities in your classes, with your clients or in your teams.

Divided into four logically sequenced sections, it will progressively build upon an array of visual tools to aid your practice. Initially starting with collaboration it expands to include cross-disciplinary collaboration.

Building on this foundation you will then explore visual methods for Innovation, followed by Entrepreneurship. The final section provides case studies of fully integrated practice.

The perfect companion for an educator, facilitator or practitioner to help students, clients or teams maximize their potential through the use of visual tools.

Contributing authors include in international array of leading educators and practitioners from a diverse range of disciplines.”

Info sec, AI and ethics – some thoughts #codemesh

Kate Carruthers

I’m heading off to speak at the CodeMesh Conference in London shortly and I’ve been thinking about the emerging boundaries between information security, AI and ethics. I will post some thoughts as they evolve.

Developers (and others) and ethical approaches

We need to help everyone, from coders through info sec professionals to senior organisational leaders, to understand that information security, AI and ethics are part of the everyday landscape for everyone now. It is no longer something that someone else does and it needs to become embedded into our everyday practices.

Nobody has all of the answers, and nobody even has all of the questions. But this intersection between information security, privacy, AI and ethics is becoming increasingly important as we start to think about the kind of future we are building. We need to think about to create the kind of future we want and not merely wander blindly into some kind of dystopian future.

In particular, ethics is an area that we do fairly well in academic research. Universities have well-established ethics processes and there is a high level of consciousness among researchers of its importance. But in business this is not even a secondary consideration. There is general theoretical agreement that everyone ought to take an ethical approach to their work, but it is not always welcome in practice. And yet business folks have a part to play in creating ethical workplaces. We all do.

In software development some of the practices that have been proposed – things like Privacy by Design or Security by Design – are interesting,  yet I’ve not seen either in the wild. These are sensible approaches, and Privacy by Design is even part of GDPR so it might even work (eventually). Yet neither of these explicitly focuses on ethics.

And all of this is not much help when a developer is approached by a business person and is asked to develop something that might be ethically a bit shady. Look at the example of the developer for Volkswagen who went to prison for his role in creating software to deceive regulators around the world. There can be real world consequences for poor ethical decision making in the workplace.

VW engineer sentenced to 40-month prison term in diesel case: [he] was a “pivotal figure” in designing the systems used to make Volkswagen diesels appear to comply with U.S. pollution standards, when instead they could emit up to 40 times the allowed levels of smog-forming compounds in normal driving. – Reuters 26 Aug 2017

It all seems to point to a need to develop ways for business people to run an ethical lens over their ideas way earlier than when they approach a developer.

One approach that has merit is something like the Ethics Canvas, which is inspired by notions like the Lean Canvas or the Business Model Canvas. A simple and easy to use tool such as this could provide business folks with a way to consider the ethical implications of things that they ask developers to do. I’ve started to use the Ethics Canvas at work in some projects, it will be interesting to see how it goes.

Header image: By Martin420 [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)%5D, from Wikimedia Commons