J Wolfgang Goerlich's thoughts on Information Security
Friday Books and Talks 06/06/2014

By wolfgang. 6 June 2014 21:53

How the Best Leaders Lead
by Brian Tracy

In How the Best Leaders Lead, Brian Tracy reveals the strategies he teaches top executives to achieve astounding results in difficult markets against determined competition. You will learn how to set clear goals and objectives for yourself and others, set priorities and focus on key tasks, solve problems faster and make better decisions, determine the ideal leadership style for any situation, motivate your people, and develop an exciting future vision for your business.

The Coaching Manager
by Joseph R. Weintraub, James M. Hunt

When managers communicate a genuine interest in helping rather than evaluating their employees, they create opportunities for everyone to learn. Managers who try to help employees learn become more productive in the process. In The Coaching Manager, James Hunt and Joseph Weintraub introduce an easy-to-implement developmental coaching model based on their extensive work with thousands of managers, executives and MBA students. The goal is for managers to help employees learn to be more productive on a day-to-day basis. This model encourages employees to take greater responsibility for their learning and development while forging a healthy relationship between manager and employee.

 

How sampling transformed music
By Mark Ronson

Sampling isn't about "hijacking nostalgia wholesale," says Mark Ronson. It's about inserting yourself into the narrative of a song while also pushing that story forward. In this mind-blowingly original talk, watch the DJ scramble 15 TED Talks into an audio-visual omelette, and trace the evolution of "La Di Da Di," Doug E. Fresh and Slick Rick's 1984 hit that has been reimagined for every generation since.

Comics that ask "what if?"
By Randall Munroe

Web cartoonist Randall Munroe answers simple what-if questions ("what if you hit a baseball moving at the speed of light?") using math, physics, logic and deadpan humor. In this charming talk, a reader’s question about Google's data warehouse leads Munroe down a circuitous path to a hilariously over-detailed answer — in which, shhh, you might actually learn something. "And I love calculating these kinds of things, and it's not that I love doing the math. I do a lot of math, but I don't really like math for its own sake. What I love is that it lets you take some things that you know, and just by moving symbols around on a piece of paper, find out something that you didn't know that's very surprising. And I have a lot of stupid questions, and I love that math gives the power to answer them sometimes."

What ants teach us about the brain, cancer and the Internet
By Deborah Gordon

Ecologist Deborah Gordon studies ants wherever she can find them — in the desert, in the tropics, in her kitchen ... In this fascinating talk, she explains her obsession with insects most of us would happily swat away without a second thought. She argues that ant life provides a useful model for learning about many other topics, including disease, technology and the human brain.

Tags:

Team management

Friday Books and Talks 05/30/2014

By wolfgang. 30 May 2014 16:51

Change the Culture, Change the Game
by Roger Connors, Tom Smith

Roger Connors and Tom Smith show how leaders can achieve record-breaking results by quickly and effectively shaping their organizational culture to capitalize on their greatest asset: their people. Change the Culture, Change the Game joins their classic book, The Oz Principle, and their recent bestseller, How Did That Happen?, to complete the most comprehensive series ever written on workplace accountability. Based on an earlier book, Journey to the Emerald City, this fully revised installment captures what the authors have learned while working with hundreds of thousands of people on using organizational culture as a strategic advantage.

Open Leadership
by Charlene Li

"Be Open, Be Transparent, Be Authentic" are the current leadership mantras, but companies often push back. Business is premised on the concept of control, and yet the new world order demands openness; leaders do not know how to be open and be in control at the same time. This must-have resource will help the modern leader understand how to lead in the new open world, where blogging, twittering, facebooking, and digging are becoming the norm. The author lays out the steps that leaders must take to transform their organizations and themselves into being "open", and exactly what that will mean.

 

Color blind or color brave?
by Mellody Hobson

The subject of race can be very touchy. As finance executive Mellody Hobson says, it's a "conversational third rail." But, she says, that's exactly why we need to start talking about it. In this engaging, persuasive talk, Hobson makes the case that speaking openly about race — and particularly about diversity in hiring — makes for better businesses and a better society.

 

Tags:

Team management

Friday Books and Talks 05/23/2014

By wolfgang. 23 May 2014 19:10

Tribal Leadership
by Dave Logan, John King, Halee Fischer-Wright

Within each corporation are anywhere from a few to hundreds of separate tribes. In Tribal Leadership, Dave Logan, John King, and Halee Fischer-Wright demonstrate how these tribes develop—and show you how to assess them and lead them to maximize productivity and growth. A business management book like no other, Tribal Leadership is an essential tool to help managers and business leaders take better control of their organizations by utilizing the unique characteristics of the tribes that exist within.

 

Tribal leadership
By David Logan

David Logan talks about the five kinds of tribes that humans naturally form — in schools, workplaces, even the driver's license bureau. By understanding our shared tribal tendencies, we can help lead each other to become better individuals.

Why good leaders make you feel safe
By Simon Sinek

What makes a great leader? Management theorist Simon Sinek suggests it’s someone who makes their employees feel secure, who draws staffers into a circle of trust. But creating trust and safety — especially in an uneven economy — means taking on big responsibility.


Tags:

Team management

Friday Books and Talks 05/16/2014

By wolfgang. 17 May 2014 12:58

Multipliers
by Liz Wiseman, Greg McKeown

Are you a genius or a genius maker? A diminisher or a multiplier? In this executive book summary, you will learn the difference between these two leadership styles, how to become a multiplier of talent and people and how multiplying can have a resoundingly positive and profitable effect on your organization.

A thought-provoking, accessible, and essential exploration of why some leaders (“Diminishers”) drain capability and intelligence from their teams, while others (“Multipliers”) amplify it to produce better results. Including a foreword by Stephen R. Covey, as well as the five key disciplines that turn smart leaders into genius makers, Multipliers is a must-read for everyone from first-time managers to world leaders.

 

What it takes to be a great leader
By Roselinde Torres

There are many leadership programs available today, from 1-day workshops to corporate training programs. But chances are, these won't really help. In this clear, candid talk, Roselinde Torres describes 25 years observing truly great leaders at work, and shares the three simple but crucial questions would-be company chiefs need to ask to thrive in the future.

The key to success? Grit.
By Angela Lee Duckworth

Duckworth, the recipient of a 2013 MacArthur Foundation "genius" grant, may be best known for her work studying the role of grit, rather than intelligence, in predicting success in students. But this talk is also a worthy reminder for leaders of the attributes they should look for in people -- perseverance, self-control and sustained interest in long-term goals -- as well as those they should work on in themselves.

 

Tags:

Team management

Friday Books and Talks 05/09/2014

By wolfgang. 9 May 2014 12:46

Mojo
by Marshall Goldsmith, Mark Reiter

Mojo comes from the moment we do something that is purposeful, powerful, and positive, and the rest of the world recognizes it. In his follow-up to the New York Times bestseller What Got You Here Won’t Get You There, #1 executive coach Marshall Goldsmith lays out the ways that we can get — and keep — our professional and personal Mojo.

360 Degrees of Influence
by Harrison Monarth

The best leaders influence those who are below and above them, as well as people external to the organization, such as customers and partners. In 360 Degrees of Influence, Harrison Monarth provides advice on how to gain the trust and respect of those around you and how to expand your influence well beyond your immediate environment. Providing valuable insight into human emotion and behavior, Monarth reveals the secrets to knowing what people are thinking and feeling — maybe better than they do.

 

What makes us feel good about our work?
By Dan Ariely

What motivates us to work? Contrary to conventional wisdom, it isn't just money. But it's not exactly joy either. It seems that most of us thrive by making constant progress and feeling a sense of purpose. Behavioral economist Dan Ariely presents two eye-opening experiments that reveal our unexpected and nuanced attitudes toward meaning in our work. (Filmed at TEDxRiodelaPlata.)

Everyday leadership
By Drew Dudley

We have all changed someone’s life — usually without even realizing it. In this funny talk, Drew Dudley calls on all of us to celebrate leadership as the everyday act of improving each other’s lives. (Filmed at TEDxToronto.)

 


Tags:

Team management

Friday Books and Talks 05/02/2014

By wolfgang. 2 May 2014 17:46

Here are some of the books I enjoyed this week. 

Focus
by Daniel Goleman

In Focus, Daniel Goleman uses cutting-edge research and findings to delve into the science of attention in all its varieties. He persuasively argues that now more than ever we must learn to sharpen our focus in order to contend with and thrive in a complex world. It requires what he calls “smart practice” to improve habits, add new skills and sustain excellence. In the mental gym, the specifics of practice can make all the difference.

Compelling People
by John Neffinger, Matthew Kohut

What makes some people irresistible and others forgettable? John Neffinger and Matthew Kohut introduce us to two qualities – strength (the root of respect) and warmth (the root of affection) – and they detail the signals that broadcast each of these. Drawing on the latest social science and the authors’ own work, Compelling People reveals the basic framework we use to judge each other and what we can do to earn both respect and affection.

 

For parents, happiness is a very high bar
By Jennifer Senior

The parenting section of the bookstore is overwhelming — it's "a giant, candy-colored monument to our collective panic," as writer Jennifer Senior puts it. Why is parenthood filled with so much anxiety? Because the goal of modern, middle-class parents — to raise happy children — is so elusive. In this honest talk, she offers some kinder and more achievable aims.

Should you live for your résumé ... or your eulogy?
By David Brooks

Within each of us are two selves, suggests David Brooks in this meditative short talk: the self who craves success, who builds a résumé, and the self who seeks connection, community, love — the values that make for a great eulogy. (Joseph Soloveitchik has called these selves "Adam I" and "Adam II.") Brooks asks: Can we balance these two selves?


Tags:

Update on Story-Driven Security

By wolfgang. 29 April 2014 18:12

I continue to expand the Story-Driven Security concept that I discussed a few years back. Over the past six months, I have fleshed out its role in the security program (GrrCON), the method for creating the models (Circle City Con), and its use in driving change (BSides Chicago). Below are links to talks that cover these areas. Check it out, give it a try, and please provide me feedback.

Beautiful Models @ GrrCON 2013

We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus are exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modelling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be. This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable?

How to create an attack path threat model @ Circle City Con

Everyone advocates for threat modeling. Few actually do it. This session aims to close that gap by demonstrating the #misec Attack Path methodology. First, we will select and analyze a security incident. Using threat modeling, we will break the incident down into the path the attacker followed through the network. Second, we will perform a tabletop exercise to identify the detective and preventative controls along that path. Using a controls assessment, we can determine our actual defense-in-depth for this particular attack. Third and finally, we will create a security exercise that tests the controls along the path. The session will conclude with a discussion of using the Attack Path for incident response drills.

Aligning Threats and Allies through Stories @ BSides Chicago 2014

Successful defense occurs when the interests of a security team’s stakeholders intersect with the attacker’s actions. This session provides a three-part management methodology to enable defense-in-depth through effective stakeholder and threat management. Internally, the method models the political power of our target audience, the audience coverage of our message, the timing, and the benefits used to influence our audience. Externally, the method models the attacker’s objectives, tactics, techniques, and mitigating controls. Using this story-driven security methodology, we can identify what our allies need, identify what our attackers want, and build business cases to satisfy one while thwarting the other.

(Updated: 2014-06-18 following CircleCityCon)

Tags:

Security

Friday Books and Talks 04/25/2014

By wolfgang. 25 April 2014 17:16

Here are some of the books I enjoyed this week. 

Grounded
By Bob Rosen

Internationally renowned CEO advisor Bob Rosen proposes a new approach to leadership in Grounded in which leaders at every level can become more self-aware, develop their untapped potential, and drive better results for themselves, their teams and their organizations. Rosen’s Healthy Leader model highlights six personal dimensions that any leader can master: physical, emotional, intellectual, social, vocational and spiritual health.


The strangeness of scale at Twitter
By Del Harvey

When hundreds of thousands of Tweets are fired every second, a one-in-a-million chance — including unlikely sounding scenarios that could harm users — happens about 500 times a day. For Del Harvey, who heads Twitter’s Trust and Safety Team, these odds aren’t good. The security maven spends her days thinking about how to prevent worst-case scenarios while giving voice to people around the globe. With deadpan humor, she offers a window into how she keeps 240 million users safe.

Tags:

Friday Books and Talks 04/18/2014

By wolfgang. 18 April 2014 11:49

Great Work, Great Career
by Jennifer Colosimo, Stephen R. Covey

Do you have a good career, a mediocre career, or a great career? How do you know? And how do you create a great career? The most respected business thinker of our time, Dr. Stephen R. Covey, and change consultant Jennifer Colosimo offer a complete handbook for anyone seeking answers.

"The energy you invest in regularly and frequently building your village will pay dividends not only in advancing your career, but also in personal satisfaction. You will get into the habit of service, which is the foundation of a great career. With a synergy mindset, you will learn from the best people in your life. And when you need them, they’ll be there for you because you have been there for them."

"The village you build might ultimately be your greatest career achievement. It might even become the source of great new advances in understanding your field. It’s a natural principle that you cannot achieve anything truly worthwhile alone – at least not in the world of work."

 

Tags:

Team management

Attacking hypervisors without exploits

By wolfgang. 3 January 2014 16:58

The OpenSSL website was defaced this past Sunday. (Click here to see a screenshot from @DaveAtErrata on Twitter.) On Wednesday, OpenSSL released an announcement that read: "Initial investigations show that the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration." The announcement led to speculation that a hypervisor software exploit was being used in the wild.

Exploiting hypervisors, the foundation of infrastructure cloud computing, would be a big deal. To date, most attacks in the public cloud are pretty much the same as the traditional data center. People make the same sort of mistakes and missteps, regardless of hosting environment. A good place to study this is the Alert Logic State of Cloud Security Report, which concludes "It’s not that the cloud is inherently secure or insecure. It’s really about the quality of management applied to any IT environment."

Some quick checking showed OpenSSL to be hosted by SpaceNet AG, which runs VMware vCloud off of HP Virtual Connect with NetApp and Hitachi storage. It was not long before VMware issued a clarification.

VMware: "We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.” OpenSSL then clarified: "Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server."

No hypervisor exploit, no big deal. Right? Wrong.

Our security controls are built around owning the operating system and hardware. See, for example, the classic 10 Immutable Laws of Security. "Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore. Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." Hypervisor access lets the bad guy do both. It was just one wrong password choice. It was just one wrong networking choice for the management console. But it was game over for OpenSSL, and potentially for any other customer hosted on that vCloud.

It does not take a software exploit to lead to a breach. Moreover, the absence of exploits is not the absence of lessons to be learned. Josh Little (@zombietango), a pentester who I work with, has long said "exploits are for amateurs". When Josh carried out an assignment on a VMware shop recently, he used a situation very much like the one at SpaceNet AG: he hopped onto the hypervisor management console. The point is to get in quickly, quietly, and easily. The technique is about finding the path of least resistance.

Leveraging architectural decisions and administrative sloppiness is a valid attack technique. Scale and automation are what change with cloud computing. It is this change that magnifies otherwise small mistakes by IT operations and makes compromises like OpenSSL's possible. Low-quality IT management becomes even worse.

And cloud computing's magnification effect on security is a big deal.
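As an added example (not code from the talk, the post, or the #misec project), here is a small Python model of the attack-path controls assessment described in the Circle City Con abstract above, walked over the OpenSSL incident this post describes. Each step of the attacker's path is paired with the preventive and detective controls that sit on it; the assessment reports every step that has no effective control of either kind, and counts how many steps actually stood in the attacker's way. The three steps follow the incident as the post tells it; the control names and their in-place states are constructed assumptions for illustration, not findings about SpaceNet AG.

```python
"""Attack-path controls assessment, illustrated on the OpenSSL defacement.

Constructed example: the path steps follow the incident as described
(weak password -> hypervisor management console -> VM manipulated); the
controls and whether they were in place are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    PREVENTIVE = "preventive"   # stops the step
    DETECTIVE = "detective"     # tells you the step happened


@dataclass
class Control:
    name: str
    kind: Kind
    in_place: bool              # result of the controls assessment (constructed)


@dataclass
class Step:
    description: str
    controls: list = field(default_factory=list)

    def effective(self, kind):
        """Controls of the given kind that are actually in place on this step."""
        return [c for c in self.controls if c.kind is kind and c.in_place]


@dataclass
class Finding:
    step: str
    missing: list               # kinds with no effective control on the step


def assess(path):
    """One Finding per step that lacks an effective preventive or detective control."""
    findings = []
    for step in path:
        missing = [k for k in Kind if not step.effective(k)]
        if missing:
            findings.append(Finding(step.description, missing))
    return findings


def depth(path):
    """Defense-in-depth for this path: the number of steps where an effective
    preventive control would have stopped the attacker."""
    return sum(1 for s in path if s.effective(Kind.PREVENTIVE))


def remediate(path, control_name):
    """Mark a named control as in place and return the path, so the assessment
    can be re-run to see what one fix buys."""
    for step in path:
        for c in step.controls:
            if c.name == control_name:
                c.in_place = True
    return path


def openssl_incident_path():
    # Constructed model of the path; control states are hypothetical.
    return [
        Step("Attacker authenticates with a weak admin password at the hosting provider", [
            Control("Password complexity and lockout policy", Kind.PREVENTIVE, False),
            Control("Multi-factor authentication on admin accounts", Kind.PREVENTIVE, False),
            Control("Alert on repeated failed admin logins", Kind.DETECTIVE, False),
        ]),
        Step("Attacker reaches the hypervisor management console over the network", [
            Control("Management console reachable only from an isolated admin network", Kind.PREVENTIVE, False),
            Control("Log and alert on console logins from new source addresses", Kind.DETECTIVE, True),
        ]),
        Step("Attacker uses the console to manipulate the customer's virtual server", [
            Control("Least-privilege roles scoped per tenant", Kind.PREVENTIVE, False),
            Control("Alert on VM disk or console changes outside change windows", Kind.DETECTIVE, False),
            Control("Integrity monitoring of the published web content", Kind.DETECTIVE, True),
        ]),
    ]


if __name__ == "__main__":
    path = openssl_incident_path()
    print(f"defense-in-depth along this path: {depth(path)} step(s)")
    for f in assess(path):
        kinds = ", ".join(k.value for k in f.missing)
        print(f"- {f.step}: no effective {kinds} control")
    remediate(path, "Multi-factor authentication on admin accounts")
    print(f"after adding MFA: {depth(path)} step(s) would have stopped the attacker")
```

Run as a script, the model reports a defense-in-depth of zero (no step had an effective preventive control) and lists the coverage gaps per step; adding a single preventive control on the first step raises the depth to one, which is the kind of before/after a tabletop produces when deciding which fix to fund first.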

Tags:

Security | Virtualization
