J Wolfgang Goerlich's thoughts on Information Security
Friday Books and Talks 04/17/2014

By wolfgang. 17 April 2015 10:33

Give and Take: Why Helping Others Drives Our Success
by Adam M. Grant

For generations, we have focused on the individual drivers of success: passion, hard work, talent, and luck. But today, success is increasingly dependent on how we interact with others. It turns out that at work, most people operate as either takers, matchers, or givers. Whereas takers strive to get as much as possible from others and matchers aim to trade evenly, givers are the rare breed of people who contribute to others without expecting anything in return.

Using his own pioneering research as Wharton's youngest tenured professor, Adam Grant shows that these styles have a surprising impact on success. Although some givers get exploited and burn out, the rest achieve extraordinary results across a wide range of industries. Give and Take highlights what effective networking, collaboration, influence, negotiation, and leadership skills have in common. This landmark book opens up an approach to success that has the power to transform not just individuals and groups, but entire organizations and communities.


Anticipate: The Art of Leading by Looking Ahead
by Rob-Jan de Jong

Business schools, leadership gurus, and strategy guides agree - leaders must have a vision. But the sad truth is that most don't...or at least not one that compels, inspires, and energizes their people. How can something so essential be practiced so little in real life? Vision may sound like a rare quality, unattainable by all except a select few - but nothing could be further from the truth. Anyone can expand their visionary capacity. You just need to learn how. In Anticipate, strategy and leadership expert Rob-Jan de Jong explains that to develop vision you must sharpen two key skills. The first is the ability to see things early - spotting the first hints of change on the horizon. The second is the power to connect the dots - turning those clues into a gripping story about the future of your organization and industry. Packed with stories and practices, Anticipate provides proven techniques for looking ahead and exploring many plausible futures - including the author's trademarked Future Priming process, which helps distinguish signal from noise. You will discover how to: tap into your imagination and open yourself to the unconventional; become better at seeing things early; frame the big-picture view that provides direction for the future; communicate your vision in a way that engages others and provokes action. When you anticipate change before your competitors, you create enormous strategic advantage. That's what visionaries do...and now so can you.

Tags:

General

Comfortable professionalism

By wolfgang. 17 April 2015 06:57

"I will show you some absolutely terrifying things, as we progress through today and tomorrow, and I will show you things you guys can do to make people very, very, very uncomfortable where you work."

Every time I turn on my car, John Strand’s voice says the above quote. The clip is audio from a SANS course that my car has stuck on repeat. I have heard it thousands of times now.

"Make people very, very, very uncomfortable" came to mind when watching Chris Roberts (@Sidragon1) tweet about plane hacking Wednesday night and into Thursday morning. He tweeted about messing with a plane's oxygen … while on a plane … on the day the FBI released a report on plane security hacks. 

People were indeed very uncomfortable. And the story did not end comfortably for Chris, that day.

I appreciate John’s work and the SANS courses. I enjoy Chris's work and his One World Lab research. Both are fine people, with intelligent ideas, and enjoyable presentations. But let's put hacking aside for the moment.

I wonder if car mechanics get training on how to make drivers feel very uncomfortable. I wonder if medical students have conferences celebrating making patients feel uncomfortable. I wonder the same about virtually any professional service. Perhaps I am a fortunate exception; however, every service I use is staffed with folks who do the exact opposite.

The folks I hire go out of their way to put me at ease, answer any questions, share knowledge without pretense. It is what professionals do. It fosters trust. It is the mark of customer service. It defines their role as trusted advisor for my health, my car, my home, my family.

Returning to hacking and information security, there is no need to make folks uncomfortable. The terrifying things in IT are well publicized. We know. Things are broken. Criminals are misusing technology. We have a lot of work to do. Everyone gets it. 

Let’s make the people we work with comfortable. Let’s look at absolutely practical things. Why? Because that is what professionals do. Let's get some work done.

Tags:

General

Website update

By wolfgang. 11 April 2015 12:33

It has been a busy quarter. With some room to catch my breath this weekend, I took a moment to update my website. Recent articles and interviews are up on:


Tags:

General

Friday Books and Talks 04/10/2014

By wolfgang. 10 April 2015 09:28

Working with Emotional Intelligence
by Daniel Goleman

Do you have what it takes to succeed in your career?

The secret of success is not what they taught you in school. What matters most is not IQ, not a business school degree, not even technical know-how or years of expertise. The single most important factor in job performance and advancement is emotional intelligence. Emotional intelligence is actually a set of skills that anyone can acquire, and in this practical guide, Daniel Goleman identifies them, explains their importance, and shows how they can be fostered.

For leaders, emotional intelligence is almost 90 percent of what sets stars apart from the mediocre. As Goleman documents, it's the essential ingredient for reaching and staying at the top in any field, even in high-tech careers. And organizations that learn to operate in emotionally intelligent ways are the companies that will remain vital and dynamic in the competitive marketplace of today—and the future.

Comprehensively researched, crisply written, and packed with fascinating case histories of triumphs, disasters, and dramatic turnarounds, Working with Emotional Intelligence may be the most important business book you'll ever read.

Drawing on unparalleled access to business leaders around the world and studies in more than 500 organizations, Goleman documents an astonishing fact: in determining star performance in every field, emotional intelligence matters twice as much as IQ or technical expertise.

Readers also discover how emotional competence can be learned. Goleman analyzes five key sets of skills and vividly shows how they determine who is hired and who is fired in the top corporations in the world. He also provides guidelines for training in the "emotionally intelligent organization," in chapters that no one, from manager to CEO, should miss. 

Working with Emotional Intelligence could prove to be the most important reference for bottom-line businesspeople in the first decades of the 21st century.


Power Listening: Mastering the Most Critical Business Skill of All
by Bernard T. Ferrari

Listening is harder than it looks, but it's the difference between business success and failure.

Nothing causes bad decisions in organizations as often as poor listening. But Bernard Ferrari, adviser to some of the nation's most influential executives, believes that such missteps can be avoided and that the skills and habits of good listening can be developed and mastered. He offers a step-by-step process that will help readers become active listeners, able to shape and focus any conversation.

Ferrari reveals how to turn a tin ear into a platinum ear. His practical insights include:

  • Good listening is hard work, not a passive activity
  • Good listening means asking questions, challenging all assumptions, and understanding the context of every interaction
  • Good listening results in a new clarity of focus, greater efficiency, and an increased likelihood of making better decisions
  • Good listening can be the difference between a long career and a short one


Tags:

General

Friday Books and Talks 04/03/2014

By wolfgang. 3 April 2015 07:45

Extreme Productivity: Boost Your Results, Reduce Your Hours
by Robert C. Pozen

In Extreme Productivity, author Robert Pozen reveals the secrets to workplace productivity and high performance. This book is for anyone feeling overwhelmed by an existing workload — facing myriad competing demands and multiple time-sensitive projects. Offering antidotes to a calendar full of boring meetings and a backlog of e-mails, Extreme Productivity explains how to determine your highest priorities and match them with how you actually spend your time.


The Pause Principle
by Kevin Cashman

The constant barrage of information can overwhelm a person's decision-making ability. In The Pause Principle, Kevin Cashman makes the argument that today's leaders need to take the necessary time to deeply pause before acting. Leaders must make an effort to create vision, understanding, clarity and agility. Cashman describes the need to pause to grow personal leadership, develop others, and foster a culture of innovation. By following the pause practices Cashman describes, executives will learn how to step back to lead forward.

Tags:

General

Securing The Development Lifecycle

By wolfgang. 6 March 2015 10:31

One line. Ever since the Blaster worm snaked across the Internet, the security community has known that it takes but one line of vulnerable code. Heartbleed and iOS Goto Fail made the point again last year. Both were one-line mistakes. Even the Bash Shellshock vulnerability was made possible by a small number of lines of code.

To manage the risk of code-level vulnerabilities, many organizations have implemented security testing in their software development lifecycle. Such testing has touch-points in the implementation, verification, and maintenance phases. For example, an organization might ...

Read the rest at http://content.cbihome.com/blog/securing-development-lifecycle

Tags:

Application Security | Security

Friday Books and Talks 02/27/2015

By wolfgang. 27 February 2015 17:19

TouchPoints
by Douglas Conant, Mette Norgaard

A fresh, effective, and enduring way to lead—starting with your next interaction. Most leaders feel the inevitable interruptions in their jam-packed days are troublesome. But in TouchPoints, Conant and Norgaard argue that these—and every point of contact with other people—are overlooked opportunities for leaders to increase their impact and promote their organization's strategy and values. Through previously untold stories from Conant's tenure as CEO of Campbell Soup Company and Norgaard's vast consulting experience, the authors show that a leader's impact and legacy are built through hundreds, even thousands, of interactive moments in time. The good news is that anyone can develop "TouchPoint" mastery by focusing on three essential components: head, heart, and hands.

TouchPoints speaks to the theory and craft of leadership, promoting a balanced presence of rational, authentic, active, and wise leadership practices. Leadership mastery in the smallest and otherwise ordinary moments can transform aimless activity in individuals and entropy in organizations into focused energy—one magical moment at a time.


Tags:

Friday Books and Talks 02/20/2015

By wolfgang. 20 February 2015 07:56

Talent is Never Enough
by John C. Maxwell 

Read the headlines, watch the highlights, or just step out your front door: Some talented people reach their full potential, while others self-destruct or remain trapped in mediocrity. What makes the difference? Maxwell, the go-to guru for business professionals across the globe, insists that the choices people make, not merely the skills they inherit, propel them onto greatness. Among other truths, successful people know that:

  • Belief lifts your talent.
  • Initiative activates your talent.
  • Focus directs your talent.
  • Preparation positions your talent.
  • Practice sharpens your talent.
  • Perseverance sustains your talent.
  • Character protects your talent.

It's what you add to your talent that makes the greatest difference. With authentic examples and time-tested wisdom, Maxwell shares thirteen attributes you need to maximize your potential and live the life of your dreams. You can have talent alone and fall short of your potential. Or you can have talent plus, and really stand out.


Low-Hanging Fruit
by Jeremy Eden, Terri Long

How can anyone, from the shop floor up to the C-suite, make their companies better? Despite years of corporate initiatives and implementing big fixes, are there really more simple and smart ways to improve productivity? In Low-Hanging Fruit, co-authors Jeremy Eden and Terri Long not only answer that question, they show how to get it. Low-Hanging Fruit is a fast-paced, fun read with 77 different ways to make a difference at your company. Eden, a former McKinsey consultant, and Long, a former bank executive, use many great examples from working with teams at Fortune 1000 companies, helping them cut through the complexity, the politics and the waste. Low-Hanging Fruit gives you the best ideas culled from their experience, such as how to deal with the "unintentional squelch" and "zombie projects," and why mom was wrong about always doing your best.

This isn't a theoretical business tome. This is an indispensable guide that should sit on every career-minded person's desk to be referenced regularly. Often contrarian, always passionate, Low-Hanging Fruit has the power to change your career and your organization. 

Tags:

General

Action-Oriented IT Risk Management

By wolfgang. 19 February 2015 06:15

Last week at Chicago’s Camp IT, I presented on IT risk management and concluded with focusing on the intersection of risk and action. This is a CIO Centric Approach that re-prioritizes risks based on an organization’s constraints and IT capabilities. My Chicago talk led to several good discussions, and this article quickly summarizes the method and how you can apply it to your risk management program.

The advantage, for a security owner, is in immediately seeing which concerns, once mitigated, would produce the largest reduction in the organization’s overall risk. We can then produce the annual audit phonebook with a long laundry list of recommendations.

The disadvantage, for the IT owner, is in not factoring in effort. For example, suppose one risk rated 15 takes 12 months to resolve and another takes 3 months. Yet both are listed side-by-side and prioritized equally by the security owner. The trouble stems from the risk rating exercise not bubbling up quick wins and prioritized actions.

Read the rest at http://content.cbihome.com/blog/cbi-action-oriented-it-risk-management

Tags:

Risk Management

Configuring trusted keys and certificates (PCI-DSS)

By wolfgang. 16 February 2015 20:00

PCI-DSS 3 requires that in-scope devices, like cash register computers or payment processing servers, accept only trusted certificates. Specifically, it states:

Protect Cardholder Data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1(b) Are only trusted keys and/or certificates accepted?

Sensitive information must be encrypted during transmission over public networks, because it is easy and common for a malicious individual to intercept and/or divert data while in transit. Secure transmission of cardholder data requires using trusted keys/certificates, a secure protocol for transport, and proper encryption strength to encrypt cardholder data. Connection requests from systems that do not support the required encryption strength, and that would result in an insecure connection, should not be accepted. Verifying that certificates are trusted (for example, have not expired and are issued from a trusted source) helps ensure the integrity of the secure connection.

So, how do you do this in Windows?

First, view the certificates of all payment processing services and document the trusted root certificate. Add to this list of trusted root certificates those that are required for Microsoft Windows to function. (This list is documented here: http://support2.microsoft.com/?id=293781). Create one master list of all certificates that should be accepted. 

Second, open the local computer’s certificate store. (Control Panel > All Tasks > Administrative Tools > Manage computer certificates.) Under Trusted Root Certification Authorities, expand Certificates. Delete all certificate authorities not on the previously created master list. 

Third, configure the computer's Web browser to not allow the user to continue to websites with untrusted certificates. This setting varies from browser to browser. In Internet Explorer, the settings are in Local Security Policy under:

Windows Components\Internet Explorer\Internet Control Panel
Prevent ignoring certificate errors

Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on warn about certificate address mismatch
Check for server certificate revocation

The computer will now accept only those certificates accepted for business purposes. Any invalid certificates will stop the transaction and not allow the user to inadvertently continue. This configuration reduces the likelihood of Man-in-the-middle (MITM) attacks, signed malware, and other attacks against certificate infrastructure. In addition, the computer’s configuration is now in compliance with PCI-DSS 3’s 4.1.b requirement.
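Added example, not from the original post: a PowerShell script that carries the three steps above through as an audit. It compares the Local Machine Trusted Root store against the master list from step one, previews (with -WhatIf) what step two would remove, and then checks whether the three Internet Explorer policies from step three are in effect. The thumbprints are placeholders to be replaced with the ones documented from the payment processors and Microsoft's required-roots list; the registry locations for the three policies are my assumption of where those Group Policy settings are written and should be confirmed with gpresult or the policy editor.

```powershell
# Added example (not the original post's code). Run from an elevated PowerShell
# prompt. Thumbprints below are PLACEHOLDERS: replace them with the SHA-1
# thumbprints you documented in step one (payment processor roots plus the
# roots Microsoft requires for Windows itself).
$AllowedRootThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_PAYMENT_PROCESSOR_ROOT',
    'PLACEHOLDER_THUMBPRINT_MICROSOFT_REQUIRED_ROOT'
) | ForEach-Object { $_.ToUpperInvariant() }

# Return every certificate in a root store whose thumbprint is not on the allow list.
# Cert:\LocalMachine\Root is the "Trusted Root Certification Authorities" store from
# step two; Cert:\LocalMachine\AuthRoot ("Third-Party Root Certification Authorities")
# is worth auditing with the same list.
function Get-UntrustedRoots {
    param(
        [string[]] $Allowed,
        [string]   $StorePath = 'Cert:\LocalMachine\Root'
    )
    Get-ChildItem -Path $StorePath | Where-Object {
        $Allowed -notcontains $_.Thumbprint.ToUpperInvariant()
    }
}

# Step two, report mode: list what would be removed and flag anything already expired.
$candidates = Get-UntrustedRoots -Allowed $AllowedRootThumbprints
$candidates |
    Select-Object Thumbprint, Subject, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize

# Step two, prune mode: -WhatIf only prints the action. Remove it once the allow list
# has been reviewed; each removal then happens against the certificate's own PSPath.
foreach ($cert in $candidates) {
    Remove-Item -Path $cert.PSPath -WhatIf
}

# Step three, verification: the registry values these three Group Policy settings
# write (ASSUMPTION; confirm with "gpresult /h report.html" or gpedit.msc).
$PolicyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
       Name = 'PreventIgnoreCertErrors'; Expected = 1 },   # Prevent ignoring certificate errors
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'WarnOnBadCertRecving';    Expected = 1 },   # Warn about certificate address mismatch
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'CertificateRevocation';   Expected = 1 }    # Check for server certificate revocation
)
foreach ($check in $PolicyChecks) {
    $actual = (Get-ItemProperty -Path $check.Path -Name $check.Name `
               -ErrorAction SilentlyContinue).($check.Name)
    $status = if ($actual -eq $check.Expected) { 'OK' } else { 'NOT ENFORCED' }
    '{0,-13} {1,-26} actual={2} expected={3}' -f $status, $check.Name, $actual, $check.Expected
}
```

Review the report before dropping -WhatIf; a root that is wrongly pruned breaks every TLS connection that chains to it, which is exactly the "stop the transaction" behaviour the post wants for untrusted certificates, but for a trusted one. Note also that Windows can repopulate removed roots through the Automatic Root Certificates Update feature, so the pruned store should be re-audited periodically (re-running the report section is enough), or that feature should be governed by policy as part of the same build standard.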

Some additional thoughts:


Tags:

Cryptography
