J Wolfgang Goerlich's thoughts on Information Security
Wired: DevOps isn't a job, but it is still important

By wolfgang. 22 May 2015 07:10

"Traditionally, companies have at least two main technical teams. There are the programmers, who code the software that the company sells, or that its employees use internally. And then there are the information technology operations staff, who handle everything from installing network gear to maintaining the servers that run those programmers’ code. The two teams only communicate when it’s time for the operations team to install a new version of the programmers’ software, or when things go wrong. That’s the way it was at Munder Capital Management when J. Wolfgang Goerlich joined the Midwestern financial services company in 2005."

Read the rest at: http://www.wired.com/2015/05/devops-isnt-job-still-important/

Tags:

Team management

Phone phreaking visits Apple Pay's authentication

By wolfgang. 18 May 2015 08:43

There is a new attack on Apple Pay involving an old phreak tactic. Read about it here:

Has Your Phone Number Been Stolen? Another Apple Pay Fraud Hits the Nation
https://www.mainstreet.com/article/has-your-phone-number-been-stolen-another-apple-pay-fraud-hits-the-nation

The fraud works by learning the mobile carrier and number the target uses for device identification, contacting the carrier to port the number to a phone the criminal controls, then using that number to authenticate and add the criminal’s device to the victim’s Apple Pay account. Illegally porting telephone numbers has been around for some time. Criminals are re-using the old technique to subvert Apple Pay’s device authentication mechanism.

What can consumers do to protect themselves? First, use a telephone number that is not well known for device authentication. Many people use their home landline phone number, which is often easy to discover. Second, inquire with the carrier about their policies around authorizing porting and notifying customers. Third, keep a close eye on Apple Pay for unfamiliar devices.

The way banks can protect consumers is as old as the tactic of stealing phone numbers. It comes down to account monitoring and fraud detection. Today's behavioral analytics are as adept at spotting misused credit cards as they are at spotting misused accounts linked to Apple Pay. Banks and other financial institutions must review their anti-fraud programs to ensure they apply to emerging payment processes like Apple Pay.

All in all, this is an example of an old tactic being applied to a new payment processing system. When developing new systems, it always pays to consider how previous attacks might apply.
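As an added illustration of the account monitoring this post calls for (example code written for this page, not from the article, from Apple, or from any bank or carrier), the following Python correlates two constructed event feeds: carrier number-port records and wallet device enrollments. A device enrollment authenticated with a number that was ported days earlier is the pattern described above, so it is scored highest; an unfamiliar device on its own is scored low. The event shapes, field names, the seven-day window and the severity labels are all assumptions made for the illustration; a real program would consume its own feeds and tune the threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed threshold: a number port completed this recently before a device
# enrollment is treated as suspicious. A real deployment would tune this.
PORT_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class PortEvent:
    """A carrier's record that `number` was moved to a new handset/SIM (assumed format)."""
    number: str
    completed_at: datetime


@dataclass(frozen=True)
class EnrollmentEvent:
    """A payment account adding a device, authenticated via `auth_number` (assumed format)."""
    account: str
    auth_number: str
    device_id: str
    enrolled_at: datetime


@dataclass(frozen=True)
class Alert:
    account: str
    device_id: str
    severity: str          # "high", "medium" or "low"
    reasons: Tuple[str, ...]


def recent_port(number: str, ports: Iterable[PortEvent], at: datetime,
                window: timedelta = PORT_WINDOW) -> Optional[PortEvent]:
    """Most recent port of `number` completed within `window` before `at`, else None."""
    hits = [p for p in ports
            if p.number == number and at - window <= p.completed_at <= at]
    return max(hits, key=lambda p: p.completed_at) if hits else None


def review_enrollments(enrollments: Iterable[EnrollmentEvent],
                       ports: Iterable[PortEvent],
                       known_devices: Dict[str, Set[str]]) -> List[Alert]:
    """Correlate device enrollments with port events and unfamiliar devices.

    `known_devices` maps an account to the device ids already seen on it.
    Enrollments are processed in time order, so a device only counts as known
    once the initial set or an earlier enrollment has introduced it.
    """
    ports = list(ports)
    seen = {acct: set(devs) for acct, devs in known_devices.items()}
    alerts: List[Alert] = []
    for ev in sorted(enrollments, key=lambda e: e.enrolled_at):
        reasons = []
        port = recent_port(ev.auth_number, ports, ev.enrolled_at)
        if port is not None:
            age = ev.enrolled_at - port.completed_at
            reasons.append(f"auth number {ev.auth_number} was ported {age} before enrollment")
        account_devices = seen.setdefault(ev.account, set())
        new_device = ev.device_id not in account_devices
        if new_device:
            reasons.append(f"device {ev.device_id} not previously seen on account")
        account_devices.add(ev.device_id)
        if port is not None and new_device:
            severity = "high"      # the pattern described in the post
        elif port is not None:
            severity = "medium"    # known device, but the number just moved
        elif new_device:
            severity = "low"       # could simply be a new phone
        else:
            continue               # known device, no port activity: nothing to flag
        alerts.append(Alert(ev.account, ev.device_id, severity, tuple(reasons)))
    return alerts


# Constructed sample data (not real accounts, numbers or devices).
SAMPLE_PORTS = [PortEvent("+1-555-0100", datetime(2015, 5, 10, 9, 0))]
SAMPLE_KNOWN_DEVICES = {"acct-1": {"phone-A"}, "acct-2": {"phone-B"}}
SAMPLE_ENROLLMENTS = [
    # Number ported the day before and an unfamiliar device: high.
    EnrollmentEvent("acct-1", "+1-555-0100", "phone-X", datetime(2015, 5, 11, 14, 0)),
    # New device, no port activity on its number: low.
    EnrollmentEvent("acct-2", "+1-555-0200", "phone-Y", datetime(2015, 5, 12, 8, 0)),
    # Known device re-enrolling, no port: silent.
    EnrollmentEvent("acct-2", "+1-555-0200", "phone-B", datetime(2015, 5, 13, 8, 0)),
    # Same number, but the port is 20 days old and phone-X is now known: silent.
    EnrollmentEvent("acct-1", "+1-555-0100", "phone-X", datetime(2015, 5, 30, 10, 0)),
]


def run_sample() -> List[Alert]:
    return review_enrollments(SAMPLE_ENROLLMENTS, SAMPLE_PORTS, SAMPLE_KNOWN_DEVICES)


if __name__ == "__main__":
    for a in run_sample():
        print(a.severity.upper(), a.account, a.device_id, "; ".join(a.reasons))
```

The port feed is the piece most institutions lack today; the check is only as good as the carrier data behind it, which is why the post also suggests asking carriers about their porting and notification policies.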

Tags:

Risk Management | Threat modeling

Starbucks gift card fraud

By wolfgang. 15 May 2015 12:42

Starbucks is in the news as criminals abuse its online services through fraudulent gift card purchases. On the surface, the issue appears to be about consumers’ passwords and the poor practices around their use. There is more to the story, however, and I would argue two deeper concerns are the real issue. The first is in how emerging payment systems are monitored and secured. The second is in how online services are developed and maintained. 

Read the rest at: http://content.cbihome.com/blog/starbucks_giftcard_fraud

Tags:

Application Security | Risk Management

Friday Books and Talks 05/15/2015

By wolfgang. 15 May 2015 07:36

Reviving Work Ethic: A Leader's Guide to Ending Entitlement and Restoring Pride in the Emerging Workforce
by Eric Chester (Author)

For frustrated managers and leaders, a guide to instilling a strong work ethic in the modern workforce. Work ethic in America is fast declining, plaguing young and old alike. But in Reviving Work Ethic, Eric Chester shows that you do best to focus on your young employees--those whose habits and ideals can still be influenced. He presents an incisive look at the root of the entitlement mentality that afflicts many in the emerging workforce and shows readers the specific actions they can take to give their employees a deep commitment to performing excellent work.

And his advice is crucial to a healthy bottom line: too often, talented-but-difficult-to-understand younger workers stand between your company and its profits. If business owners, managers, and executives are not connecting with them and modeling the key components of work ethic, employees are likely not connecting effectively with customers--leaving all kinds of money on the table.

Reviving Work Ethic is the culmination of years of research as well as presentations to over two million youth. Chester's experience shows in his confident analysis of the seven

Tags:

Friday Books and Talks 05/08/2015

By wolfgang. 8 May 2015 10:23

The Spider's Strategy
by Amit Mukherjee

To thrive in a world where networks of companies increasingly compete with other networks, managers can no longer focus solely on excellence in planning and execution. In The Spider’s Strategy, top business consultant Amit S. Mukherjee provides the tools you need to sense and respond to unexpected events. He shows how and why managers in your company must apply his four powerful “Design Principles” today.

The Well-Timed Strategy
by Peter Navarro

It’s not enough to understand the business cycle and the industry cycle. In The Well-Timed Strategy, Peter Navarro discusses today’s unprecedented level of macroeconomic turbulence – from oil price hikes to drought and disease. Whether an executive, a strategist or an investor, Navarro provides the tools to align every facet of business strategy, tactics and operations to reflect changing business conditions. Keeping in mind finance, supply chains, production, marketing, HR and more, the author outlines ways to profit from the chaos of business cycle volatility by implementing the appropriate strategy.

Tags:

General

Who Watches the Watchers? Firewall Monitoring

By wolfgang. 28 April 2015 10:01

Even in the face of being declared dead -- often and repeatedly since 2004 -- the firewall remains a viable security control. De-perimeterization simply leads to a specialization of controls between IT in the cloud and IT on the ground, with the firewall taking on new roles internally. Especially for payment processing, healthcare, and energy, the firewalled network is still a key element of today’s standards and regulations.

The trouble is, all firewalls share a weakness.

Read the rest at: http://content.cbihome.com/blog/who-watches-the-watchers-firewall-monitoring

Tags:

Friday Books and Talks 04/24

By wolfgang. 24 April 2015 10:06

Best Practices Are Stupid 
by Stephen M. Shapiro

What if almost everything you know about creating a culture of innovation is wrong? What if the way you are measuring innovation is choking it? What if your market research is asking all of the wrong questions? It's time to innovate the way you innovate.

Hire people you don't like. Bring in the right mix of people to unleash your team's full potential. Asking for ideas is a bad idea. Define challenges more clearly. If you ask better questions, you will get better answers. Don't think outside the box; find a better box. Instead of giving your employees a blank slate, provide them with well-defined parameters that will increase their creative output. Failure is always an option. Looking at innovation as a series of experiments allows you to redefine failure and learn from your results.

Nonstop innovation is attainable and vital to building a high-performing team, improving the bottom line, and staying ahead of the pack.


Flash Foresight: How to See the Invisible and Do the Impossible
by Daniel Burrus, John David Mann

Flash Foresight offers seven radical principles you need to transform your business today. From internationally renowned technology forecaster Daniel Burrus—a leading consultant to Google, Proctor & Gamble, IBM, and many other Fortune 500 firms—with John David Mann, co-author of the Wall Street Journal bestseller The Go-Giver, comes this systematic, easy-to-implement method for identifying new business opportunities and solving difficult problems in the twenty-first century marketplace.


How I use sonar to navigate the world
By Daniel Kish

Daniel Kish has been blind since he was 13 months old, but has learned to “see” using a form of echolocation. He clicks his tongue and sends out flashes of sound that bounce off surfaces in the environment and return to him, helping him to construct an understanding of the space around him. In a rousing talk, Kish demonstrates how this works and asks us to let go of our fear of the “dark unknown.”

Tags:

General

Friday Books and Talks 04/17/2014

By wolfgang. 17 April 2015 10:33

Give and Take: Why Helping Others Drives Our Success
by Adam M. Grant

For generations, we have focused on the individual drivers of success: passion, hard work, talent, and luck. But today, success is increasingly dependent on how we interact with others. It turns out that at work, most people operate as either takers, matchers, or givers. Whereas takers strive to get as much as possible from others and matchers aim to trade evenly, givers are the rare breed of people who contribute to others without expecting anything in return.

Using his own pioneering research as Wharton's youngest tenured professor, Adam Grant shows that these styles have a surprising impact on success. Although some givers get exploited and burn out, the rest achieve extraordinary results across a wide range of industries. Give and Take highlights what effective networking, collaboration, influence, negotiation, and leadership skills have in common. This landmark book opens up an approach to success that has the power to transform not just individuals and groups, but entire organizations and communities.


Anticipate: The Art of Leading by Looking Ahead
by Rob-Jan de Jong

Business schools, leadership gurus, and strategy guides agree - leaders must have a vision. But the sad truth is that most don't...or at least not one that compels, inspires, and energizes their people. How can something so essential be practiced so little in real life? Vision may sound like a rare quality, unattainable by all except a select few - but nothing could be further from the truth. Anyone can expand their visionary capacity. You just need to learn how. In Anticipate, strategy and leadership expert Rob-Jan de Jong explains that to develop vision you must sharpen two key skills. The first is the ability to see things early - spotting the first hints of change on the horizon. The second is the power to connect the dots - turning those clues into a gripping story about the future of your organization and industry. Packed with stories and practices, Anticipate provides proven techniques for looking ahead and exploring many plausible futures - including the author's trademarked Future Priming process, which helps distinguish signal from noise. You will discover how to: tap into your imagination and open yourself to the unconventional; become better at seeing things early; frame the big-picture view that provides direction for the future; communicate your vision in a way that engages others and provokes action. When you anticipate change before your competitors, you create enormous strategic advantage. That's what visionaries do...and now so can you.

Tags:

General

Comfortable professionalism

By wolfgang. 17 April 2015 06:57

"I will show you some absolutely terrifying things, as we progress through today and tomorrow, and I will show you things you guys can do to make people very, very, very uncomfortable where you work."

Every time I turn on my car, John Strand’s voice says the above quote. The clip is audio from a SANS course that my car has stuck on repeat. I have heard it thousands of times now.

"Make people very, very, very uncomfortable" came to mind when watching Chris Roberts (@Sidragon1) tweet about plane hacking Wednesday night and into Thursday morning. He tweeted about messing with a plane's oxygen … while on a plane … on the day the FBI released a report on plane security hacks. 

People were indeed very uncomfortable. And the story did not end comfortably for Chris, that day.

I appreciate John’s work and the SANS courses. I enjoy Chris's work and his One World Lab research. Both are fine people, with intelligent ideas, and enjoyable presentations. But let's put hacking aside for the moment.

I wonder if car mechanics get training on how to make drivers feel very uncomfortable. I wonder if medical students have conferences celebrating making patients feel uncomfortable. I wonder the same about virtually any professional service. Perhaps I am a fortunate exception; however, every service I use is staffed with folks who do the exact opposite.

The folks I hire go out of their way to put me at ease, answer any questions, share knowledge without pretense. It is what professionals do. It fosters trust. It is the mark of customer service. It defines their role as trusted advisor for my health, my car, my home, my family.

Returning to hacking and information security, there is no need to make folks uncomfortable. The terrifying things in IT are well publicized. We know. Things are broken. Criminals are misusing technology. We have a lot of work to do. Everyone gets it. 

Let’s make the people we work with comfortable. Let’s look at absolutely practical things. Why? Because that is what professionals do. Let's get some work done.

Tags:

General

Website update

By wolfgang. 11 April 2015 12:33

It has been a busy quarter. With some room to catch my breath this weekend, I took a moment to update my website. Recent articles and interviews are up on:


Tags:

General
