Posts for Tag: blastfromthepast

"People don’t value what they get for free", including Security Consulting

Anyone who has either studied or works with technology knows the drill, "hey, can you fix my computer/phone/tablet/alien healing machine?" I once had a t-shirt from a Microsoft conference that said, "No, I will not fix your computer". That wasn't entirely true because goodness knows I've fixed a number of computers/phones/tablets/alien healing machines in my day. I've fixed systems for the young and the not-so-young. I had to chuckle when I was helping an older man (over 75) whose "neighbor" had used his computer and ended up getting adult content on the system, along with some annoying spyware. I told him to not let his "neighbor" browse for that sort of content on his laptop because malicious stuff hangs out on those sites. I felt bad because the man's daughter was non-technical and his granddaughter wasn't old enough to be of use yet. I have even helped out office workers at medical facilities figure out what was wrong with their computer¹ (maybe I need to obfuscate my profession when filling out documentation). Twitter abounds with tales of woe of computer science students who are called upon to fix computers.

Of course, I am tech support for my mother, and was even tech support when my father was alive, as well. Back in 2003 I remember him calling me up to ask what this "wiffy" thing was that he kept seeing everywhere. I told him I needed more context. "It's on the door at Panera and Starbucks." Ah, I thought. "Wi-Fi. It's free Internet service." Since they didn't have laptops, and phones didn't use Wi-Fi back then, it didn't come up again, but "wiffy" stuck as a term and it's what my family uses to discuss Wi-Fi. If someone doesn't know the story they think I'm an idiot, of course, the way we snicker when we hear someone call an older operating system Dee-Ohh-Ess (DOS) or refer to a server-side web programming platform as though it were a snake (ASP). To be fair, initialisms are difficult and those examples are opposites.

(I wonder if other families have an insider language, such as when my husband and I use "defiantly" to mean "definitely" - we got tired of seeing "definitely" spelled as "defiantly" in numerous social media comments. Instead of "possibly" we say "possumably" and I put paramecium cheese on my pasta. If folks don't know that's on porpoise... ;-)

So, anyhow, our parents brought us into the world, did not kill us during our teen years, and may have assisted in educational expenses, so I figure we do owe them free tech support. With parents there is a quid-pro-quo that goes on and I don't feel an imbalance. One gets compensated in some fashion.

80% of all troubleshooting is cable-related.

Things change when it's not parents. I'm sure you all have heard the stories of people who are starting any sort of business and are asked by friends or more distant family members to do something for free. My husband was telling me about a photographer in his cycling group who was asked to shoot a wedding for free. An acquaintance who runs a service to coach event planning was asked to provide the service free to a friend and her entire bridal party (hmmm...there is a trend developing there....) I know of graphic designers who are asked to design logos for free, in order to get a job or project. They have a name for that in their profession: spec work, short for speculative work. The client asks for a sample or runs a contest, but the presumption is the sample is a complete design. The designer submits the work to the client who takes it, doesn't offer the job, and runs off with a free design. There is a No Spec movement among designers, in fact.

Here is a parody video that highlights how clients can de-value consultants:  

(My advice when dealing with friends or family who are artisans: ask them how much their rate is. If they wish to offer a friends and family discount that is their cue to do so but do not expect one.)

Cybersecurity professionals are not immune from this scourge. I wish I had captured the tweet when I saw it, but a young cybersecurity professional was asking for advice on how to tell her uncle that she wasn't going to set up security for his small business for free. It was that tweet that inspired this blog post. What we do has value and if we give it away for free others will not value it.

Another way of looking at free work is to call it unpaid work. Traditional examples of unpaid work include domestic labor (cooking, cleaning, laundry, childcare, elder care, etc.) but also tidying up at the office, taking notes, and planning parties. These services have a cost to them and it can be figured out by calculating how much someone would have to be paid to do them if there weren't a volunteer around doing them. Free or unpaid work is often viewed as low status and the people performing the work are viewed as low status, as well. This is particularly the case with women.

From a purely practical standpoint, if one gives away one's services for free one has no money to live on and can end up living in a van, down by the river, or worse.

Despite knowing that free/unpaid work is not in your best interest, if an uncle or a cousin or a parent's old college friend needs cybersecurity consulting and asks or hints that you should do that for free that is going to be an uncomfortable situation. Fortunately, other professionals have been through this and have advice:


Some of you might be wondering at this point, "what about pro bono work?" That is an excellent point! There is, in fact, a difference between giving your labor away for free, which could be called volunteering, and pro bono work. Pro bono - "for the public good" - work is often associated with attorneys, as the American Bar Association encourages attorneys to do 50 hours of pro bono work a year and some states require evidence of pro bono work to maintain licenses. One does not need to be a lawyer to offer pro bono services, but the person must be offering professional services for which they would otherwise be paid. Pro bono services can be offered without charge or at a reduced charge, but documentation must be kept under generally accepted accounting principles (GAAP) to be considered as a business tax deduction. The language used with the recipient is important; emphasize you are doing pro bono work and provide an invoice showing the cost of your services. There is a formal pro bono program set up for providing cybersecurity to nonprofit organizations through the CrowdStrike Foundation.

Helping others is an important part of being a human. We want to make the world a better place. We need to make sure, though, that we don't kill the goose that lays the golden eggs. If we give cybersecurity services away without emphasizing their value - their economic value - society will not respect those cybersecurity services properly. 


¹ I told her to watch this video when she had time.

The Child Becomes the Parent

Nearly everyone who is in a technical field provides technical support for their relatives, and perhaps even their friends. I got a t-shirt at a conference once that says, "No, I will not fix your computer." I don't actually wear it, because, truth be told, I will fix your computer. I might (okay, will) whine about how messed up it was afterward, and how can anyone possibly be productive with a computer set up that way, and why aren't you on Windows 10 yet? but I will fix your computer.

Especially, I will fix my mom's computer. 

I don't mind - she gave birth to me and refrained from killing me when I was a teen - that has to count for something!

I've got a list started of all the things I will be taking care of, technology-wise when I next visit her. Recently, though, it occurred to me to add one more thing to the list: her router. I have to confess I've never looked at her router before. Bad security person! Bad!

Here are three articles that list and reinforce the dangers lurking in home routers: 

I'm really hoping Mom doesn't have an ISP-provided router: apparently those are one big security hazard waiting to happen, mostly because they have credentials that cannot be changed, but are well-known by bad folks. Also, I don't ever recall Mom saying something about "firmware". Yikes. I think the router is older than 2012. My mom isn't eating cat food but she can't really go throwing money around so I have to come up with a good business case for getting a new one. Oh, I know I could use scare tactics - or, heck, Merry Christmas! Here's your new router you didn't know you needed! but my mom is an intelligent woman and needs to be treated like one...

Which brings me to a larger point about parents and technology and support: there is so much snark going on out there about how clueless folks over a certain age are. I've even seen my own age group included in the clueless group (yes, the older members of GenX are apparently speeding toward senility %-/) Moving forward, I call upon all geeks, regardless of age, to not treat folks who are older as clueless by default. Becoming older might mean they say "huh?" more often but it doesn't mean they've lost the ability to understand how things work. If we treat them like children (which is funny, because if you've ever seen a kid have their first go at technology they are fearless, persistent, and ultimately successful) they might start thinking this current tech stuff is too hard for them to learn. It's not. It's not brain surgery, nor is it rocket science:

What if we, the kids, are abducted by space aliens? Do we really want to set up our older relatives for failure by teaching and then reinforcing helplessness? What if we did treat them like actual children behave? Encourage them to play around with the technology and figure it out. As long as stuff is backed up, does it matter if everything needs re-configuring? Do you make that sighing noise (you know the noise) and get impatient when you're teaching little kids how to do something? Okay, after you've had coffee? I read a book once that said you should treat people like you'd treat the Pope, for instance. If you had Pope Francis over for dinner and he accidentally knocked his glass over, would you yell at him and tell him he was a clumsy oaf? (if so, hope you can dodge lightning quickly ;-) No, you would clean it up and try to make sure you didn't put the next glass by his elbow or something. If your parents or other older relatives do something with their computers - and I do include getting ransomware in this - don't yell at them and treat them like they are awful stupid people. Help them fix it and then help them understand how to help themselves. Help them get a backup system in place so if ransomware happens they don't have to figure out Bitcoin to give in to the demands. Help them set up a router firewall (and it doesn't hurt to have a software firewall system, too) properly so that countermeasures are in place to catch malware before it catches them.

Be the sort of tech support parent you wish you could have, because one day the younger cohort will want to help us out with those fancy brain implants ;-)

"You must lose a fly to catch a trout"

Security has to belong to the business folks in the organization. The technology/IT people need to support it, and the CISO might very well hail from that territory originally, but the business folks need to "own" it. That's the only way security will ever be given money before the organization shows up as a trending Twitter hashtag.

In the words of Frederick Avolio: "Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business's viability."

I was talking to a business friend about how data had to go through this (and one could argue it still is) process of being adopted by the business side of the organization in order to be taken seriously. Of course, that means there is a tension between the technology folks and the business folks about who controls the data, but data governance is beyond the scope of this blog entry.

Security governance, though!...

But, seriously, until the business side of the organization - those who hold the purse strings - realize that security is an investment and not merely a cost center, and that promoting security helps the business meet its business goals, modern businesses will not run as well as they could. Security is not an after-thought, begrudgingly assigned leftover scraps from the head table. Just because we don't put security in the mission statement doesn't mean it doesn't matter.

Risky Business

I live about an hour's drive away from work so I rely on podcasts to make productive use of the time. One of my favorite podcasts is Note to Self, about society and technology. (I used to even donate money to them until they had an episode on going vegan, after which I pulled my support and gave it to a local no-kill cat shelter, but I digress...) The latest episode featured an AI tool called Replika (https://replika.ai/): https://www.wnyc.org/story/replika-artificial-intelligence/. It seeks to create a virtual AI-based representation of oneself - the creator built it from texts and email messages from a dead friend. It was almost along the lines of the movie Transcendence. The idea, I have to admit, sounded a bit intriguing (yes, even though Transcendence was a creepy concept): I'm a very curious person and I figured, hey, what could it hurt to try this thing out? I'm also extremely cautious, though (in Emergenetics terms my Yellow and my Blue are constantly at war).

I decided to do some searching about Replika. It's free, which really made me wonder how it made money. Oh, I know how most "free" things make money: ads (every app that isn't paid for) or selling data (every social media platform). Replika's FAQ seemed to indicate it wasn't selling data and its origin story sounds like an altruistic endeavor. But, still....more looking.

I happened upon Reddit. One of the things mentioned in the podcast was that it was a sort of therapy to have a conversation with a bot version of oneself. I know a young man who has high-functioning autism and one of the aspects of that is that communication is something he's not as experienced with as a typical kid his age. I wondered whether folks with autism were using Replika. I found a post written by another young man with autism who was enjoying having conversations with his AI replica. Hmmmm. Well, that's a good use case, but I'm still wanting more information. I went to the main subreddit for Replika: https://www.reddit.com/r/replika/ and browsed the posts. I found a disturbing post, based on an Imgur capture (strong language warning):

WHAT THE FUCK REPLIKA
 

Oh, wow. Okay, this is the Internet and it's easy to make things up, Photoshop and all....but, those other negative and scary posts... 

I've decided against Replika. There was a big part of me that wanted to try it out, but I've got the willies from what I've read on Reddit.

It's not worth the risk.

But, what risk?

If I had to explain in logical terms to someone why I wouldn't recommend using the tool I'm guessing "gave me the willies" is not going to cut it. There are many things in our information lives that make us go "I've got a bad feeling about this", but if we want others to take our concerns seriously - or put money toward alleviating those concerns - we need a structured framework for identifying risk and a plan to deal with the risk once identified. There may be times when we have to proceed down a path we have a bad feeling about, but we can make ourselves feel better by putting security controls into use and monitoring the situation.

I can't think of any security controls that are going to prevent Skynet, though, so no Replika for me ;-)

Skynet xkcd

Issue Specific Security Policies and the Home User

I once took a class where I had to create an Issue Specific Security Policy (ISSP) for home use. Since I'm the fun sort of person who brings up Multi-factor Authentication at football tailgate parties this was right up my alley!

I've always thought it is useful to think of one's household as a business - whether that is one person, or one person and a pet, or two people who are roommates, or a romantic couple, or a romantic couple with children, or even a romantic couple with or without children who are also taking care of an elderly adult and a pet - I think I've listed a few sitcom plots right there...actually, my friends and family at this point think my idea of having an authentication credential policy for a household is a sitcom waiting to happen - and that's after I deleted all the items about picking usernames and just left in the password details.

Hey, at least I didn't bring up death! :-D

(to be fair, I wanted to, but thought that would have to be its own issue specific security policy and while SANS has a great pandemic template, I didn't see one for death - maybe the disaster recovery one could work...)

The way that technology is ubiquitous in our lives means that homes have to think of information security the same way any business would and at least consider having plans for their technology and its uses. (Homes also need to think of fiscal issues like any business would, starting with "what business problem are we trying to solve?" whenever a new purchase is being decided on, and identify all stakeholders, but that's another post for another time.) I read recently from a security awareness expert, Lance Spitzner, of SANS' Securing the Human organization, that if you can convince people of the utility of information security for their own personal lives they're more likely to understand why it matters at work. An organization could kill two birds with one stone by encouraging employees to think about their at-home security.

My ISSP was predicated on there being at least one Technical Adult in the house, who was then part of the Lead Technical Adult (LTA) team. (I specifically mentioned "adult" because studies have shown the good-decision-making parts of the brain are not fully formed until after age 25; a teen may understand the technology, but is a teen consistently capable of making good decisions?) There might not be such a technical adult in the household. The nearest technical adult might be a grown child or grandchild, or perhaps someone from the community who does nice things out of the kindness of their heart. Or, it might be someone from down the street who seems nice and is really just playing the non-technical adults in order to win their trust so they can get scamm...oops, sorry, my white-ish cat just jumped into my lap and I went all evil for a moment. She's jumped down now :-) 

I suppose I open an entire can of worms by pointing out (which I have done in other venues) that technology products are not necessarily non-technical-user friendly. Imagine for a moment someone who cares nothing about the ins and outs of technology and security, because they're busy doing other things like operating on people in an emergency room, or building houses, or teaching kindergartners. Imagine them setting up a new router to provide wireless service to the plethora of mobile devices they and their family members and any guests might have. (Okay, stop shouting at the monitor - you know the people in the movies can't hear you and they are going to open the closet door, anyhow.) Router setups have come a long way since 2003, when I set up my first wireless access point, but there are things that people who have nightmares about security failures - it's no coincidence that IT and that evil clown have the same characters in their name, is it? - know about securing home networks that non-technical people don't even know that they don't know. I can't suggest that vendors supply a complimentary technical adult with every purchase (well, I could, but that wouldn't be practical), but how are we going to solve the problem of people bringing home a shiny new baby technology toy and being left at home with it when they haven't the first idea what to do with it? If we don't start thinking of household technology, and the security that implies, in a structured way, that will lead to chaos.

(Yes, I just argued for structure. Shhhh, don't tell anyone 😏)

Security policies aren't only for businesses, and they aren't only for the super-geeky. It's possible to help non-technical users get a handle on managing their technology even when they don't have ready access to a technical adult. Issue-specific security policies can help.



Fully Operational Contingency Plans

"Because I could not stop for Death – He kindly stopped for me..."  - Emily Dickinson

Small talk is not a skill I possess. I prefer big talk...important things, like, say, death. Death is a favorite topic of mine. Not that I want to die anytime soon, nor because I take pleasure in others' deaths (well, generally :-), but because everyone seems so unwilling to talk about it and they really need to. Death, you see, in the realm of contingency planning is an adverse event - it has the potential to really mess things up. When someone dies death goes from being an incident candidate to a full-blown incident. Death, being inevitable, needs an incident response (IR) plan to go along with it. 

Okay, how is death relevant to an infosec blog?

It's an attack against information assets - what you know, including how what you know gets you into more information assets, is gone after death happens. Death is pretty efficient when it does its thing so its chance of success is high. Death definitely threatens the availability of your information assets, although one could make an argument for enhancing the confidentiality of them. 

It's important for an organization to plan for deaths of its employees, from the C-suite to the cleaning crew. No, not plan to kill them (although one wonders sometimes...), but a plan for how to react and recover after death occurs. From an obvious perspective, at the very least whatever tasks the person was assigned to do will not be getting done and someone else will have to do them. It's easier to respond when a plan is in place than make things up on the fly - and if the death is of someone close to the people making the decisions their thinking will be affected, even if the death is expected. The story of how a small organization handled the death of one of their founders provides a good foundation for planning on that level: http://www.smallbusinesscomputing.com/tipsforsmallbusiness/business-survival-after-death.html

On a personal level, contingency planning for death is even more vital. This summer I had a long-distance friend die unexpectedly. No one can get into her digital assets, so her Facebook page and LinkedIn account remain open as though she is still alive. Her non-technical family doesn't even know where to begin - and no one wants to bring up the specifics of how those accounts can be closed by the vendors. (Someone did inform her employer.) Not talking about death doesn't make it go away. In the past couple of months I have learned of more people who died unexpectedly, leaving their families to deal with digital legacies on top of the grief and expenses. No one wants to go up to the widow and say, "hey, I know you're in shock and numb with grief right now, but have you thought about how to get into your partner's digital accounts?" Not even I am that goth. (Yes, I'm thinking it, but my mother raised me better than to say it out loud :-)

The recent Equifax breach gives criminals a chance to capitalize on their theft by making it easier to purloin the identities of the deceased: unless the deceased was receiving Social Security payments there is no automatic notification to the credit bureaus that someone has died and that their accounts should be marked that way (see http://www.bankrate.com/finance/credit/happens-dead-persons-credit.aspx for more details). My friend's credit report looks like she's alive. She's not there to notice anything sketchy coming up. Of course, she's dead, and had no dependents, so no one is being directly hurt if someone absconds with her identity, but, still.

Everyone dies at some point. This incident will occur. There are many logistical aspects of death that don't necessarily involve digital assets that need to be secured, but in our modern times nearly everyone has digital assets. We all have some sort of device, either a computer or a mobile device. We probably have email assets and social media assets. While financial service relationships typically have a physical aspect, many people access their financial service accounts digitally, with authentication credentials. How about e-commerce? Kindles? What about Alexa (who might be able to help solve the case) or Siri (who is more helpful to the perpetrator)?

I'll pause. I admit this has to be overwhelming to anyone who hasn't thought about it before. 

Because death is such a scary concept, let's talk instead about space alien abduction. There is a chance that if someone is abducted by space aliens they could return. But, while they are being entertained by the space aliens one would not have access to their digital assets unless one had a contingency plan in place. So, it's like death, but not exactly death. 

Think about how people back home would carry on with your digital activities if you were abducted by space aliens. How should they react? How would they recover? If you've planned now, before the abduction, they have a list of what to do after they have detected that the aliens have zoomed away with you. They can then focus on acquiring, preserving, and securing the assets you have left behind, for instance, your mobile device (presuming it wasn't destroyed in the abduction process).

More organizations are offering practical advice for digital contingency planning. https://www.funeralwise.com/learn/digitallegacy/ is an example. It's important to note that legislation has not caught up to digital realities. It's unclear in many jurisdictions how digital legacies are to be handled, and the most obvious option, impersonation, might not be exactly legal (even if it's not exactly illegal), even when an executor is given specific authorization by the deceased space alien abductee.

Whether you plan for this adverse event, or not, it will happen. Think of setting up a contingency plan for securing digital assets in the event of death as a kindness to those left behind - a final gift.

I'm A Frayed Knot - How Projects Unravel and Fail

Project failure is seriously much more interesting to discuss than project success. I think people remember bad things more than good things: a kid is more likely to remember the time they put their hand on a hot stove than the hundreds of times they saw their parents not touch a hot stove. (Some people need to touch hot stoves more than others to get the message, but that's another topic for another time.)

Real-life project failures abound, and some of them can be interesting, depending on how they're written up. Fictional project failures, though, because they can be over-the-top, are inherently more interesting, involving, say, dinosaurs, or, another of my favorites, Star Wars. I've used scenes from the Star Wars movies to discuss social engineering:

Star Wars in general is full of information security metaphors. Kellman Meghu, a Canadian security professional, did a SecTor 2012 talk, "How NOT to do Security: Lessons Learned from the Galactic Empire" (http://2012.video.sector.ca/video/51119497). It's nearly an hour long, but worth every moment. Darth Vader is cast as the CISO at one point, if you need further incentive to watch.

Another entertaining (and shorter) video presentation is from Darin on YouTube, who uses Star Wars to explain industrial control system security to people who know nothing about security: "Securing your ICS with Lessons Learned from the Death Star".

I literally guffawed when this slide came up:

Daniel Solove, a privacy scholar, penned "If the Empire in Star Wars Had Big Data..." (https://www.linkedin.com/pulse/empire-star-wars-had-big-data-daniel-solove) as a privacy parable, but goes into data security, as well. Perhaps Equifax could learn from his tip on good data breach response.

Even the latest Star Wars movie, Rogue One, gets the information security treatment: Carol Pinchefsky's "5 lessons IT can learn from 'Rogue One: A Star Wars Story'" (https://insights.hpe.com/articles/5-lessons-it-can-learn-from-rogue-one-a-star-wars-story-1702.html) details some very relevant information security parallels, including the importance of authentication and encryption. Not to mention, was everyone else as horrified as I when they realized that there was no offsite backup of the data center on Scarif?

To tie this all back to project management specifically, Emily Bonnie did a hilarious infographic: "10 Reasons the Death Star Project Failed" at https://www.wrike.com/blog/10-reasons-the-death-star-failed/. She includes the usual project management failure suspects such as incomplete project requirements, bad risk handling, poor leadership, failure to look at alternatives, and bad resource handling, among others:

10 Reasons the Death Star Failed infographic (Wrike Project Management Software)

Fictional comparisons can help non-technical stakeholders, particularly the ones in decision-making capacities, understand project management and security management by presenting the concepts in a non-threatening and diverting manner. It's easier to understand a nebulous idea when one can point to a concrete big-screen example. Humor helps, too - people retain information presented with humor more than information presented without.