J Wolfgang Goerlich's thoughts on Information Security
Friday Books and Talks 07/31/2015

By wolfgang. 31 July 2015 08:47

Absolute Value
by Itamar Simonson, Emanuel Rosen

Itamar Simonson and Emanuel Rosen show why consumer behavior has changed while fundamental thinking about marketing has not. Absolute Value answers the question of what influences customers in this new age and describes how a company should design its communication strategy, market research program, and segmentation strategy in order to adopt a new way of thinking about marketing in this new environment.

Beyond Performance
by Scott Keller, Colin Price

In Beyond Performance, McKinsey & Company's Scott Keller and Colin Price give you everything you need to build an organization that can execute in the short run and has the vitality to prosper over the long term. Drawing on the most exhaustive research effort of its kind on organizational effectiveness and change management, Keller and Price put hard science behind their big idea: that the health of an organization is equally as important as its performance.

Escape Velocity
by Geoffrey A. Moore

Geoffrey Moore's now-classic Crossing the Chasm became a must-read book by presenting an innovative framework to address the make-or-break obstacle facing all high-tech companies: how to gain market share from early adopters and from mainstream consumers. Now, Moore's Escape Velocity offers a pragmatic plan to engage the most critical challenge that established enterprises face in the twenty-first-century economy: how to move beyond past success and drive next-generation growth from new lines of business.



Converge Detroit Podcasts

By wolfgang. 21 July 2015 15:43

We did a few podcasts over the Converge Detroit conference. Check them out here:

IT in the D -- Live Broadcast: Converge 2015 Security Conference. Ever had a conversation with a guy who compromised bank security ... in Beirut? How about someone who’s managed to compromise physical security all over the world ... just because scanning and getting into servers is too boringly easy? Know anything about a group that’s out there dedicated to teaching kids about computer security in a way they’ll actually want to learn? Read and listen on, friends ... read and listen on.

Hurricane Labs InfoSec Podcast -- Don’t Bother Trusting, Verify Everything. This podcast was recorded by the Hurricane Labs crew, and special guest Wolfgang Goerlich, at the 2015 Converge Conference. Topics of discussion (and witty banter) include: FBI anti-encryption rhetoric; the Hacking Team hack; Google's social responsibility; and more. Converge and BSides Detroit were fantastic - if you didn't get the chance to make it out this year, you can still view the video presentation recordings here: Converge 2015 Videos. Thanks to Wolf and all the sponsors, volunteers, speakers and everyone who made these conferences possible! 

PVCSec -- Live! At Converge Detroit. Ed & I enjoyed talking with a fantastic audience at Converge Detroit 2015 yesterday. Everyone was in fine voice. Ed & Paul embraced Converge Detroit’s invitation to podcast LIVE! from the event on the campus of Wayne State University in the Arsenal of Democracy, Detroit Michigan U.S. of A. Thanks again to the event, the sponsors, the volunteers, and of course all of those who attended. We had a blast and can’t wait for next year!


Out and About | Security

Friday Books and Talks 05/29/2015

By wolfgang. 29 May 2015 07:12

The Reinventors
by Jason Jennings

For most businesses, success is fleeting. There are only two real choices: stick with the status quo until things inevitably decline, or continuously change to stay vital. But how? Bestselling leadership and management guru Jason Jennings and his researchers screened 22,000 companies around the world that had been cited as great examples of reinvention. They selected the best, verified their success, interviewed their leaders, and learned how they pursue never-ending radical change. The fresh insights they discovered became Jennings's "reinvention rules" for any business.

The Power Presenter
by Jerry Weissman

Jerry Weissman is the presentations coach to Microsoft, Cisco Systems, and many of America's top executives, including founding Yahoo CEO Tim Koogle, Intuit founder Scott Cook, Netflix founder and CEO Reed Hastings, and many others. Now America's top coach reveals the same powerful strategies he teaches to CEOs in expensive private sessions. Learn why your body language and voice are more important than your words, how to present with poise and confidence naturally, and how to connect with any audience emotionally. Filled with illustrative case studies of Barack Obama, Ronald Reagan, George W. Bush, John F. Kennedy, and many others, The Power Presenter will bring out the best in anyone who has to stand and deliver.

by Sophie Scott
Did you know that you're 30 times more likely to laugh if you're with somebody else than if you're alone? Cognitive neuroscientist Sophie Scott shares this and other surprising facts about laughter in this fast-paced, action-packed and, yes, hilarious dash through the science of the topic.


InfoSec Institute: IT Thought Leader Interview

By wolfgang. 27 May 2015 13:31

J. Wolfgang Goerlich is an influential leader and IT management executive with the ability to act as a cultural change agent, driving security initiatives and raising security postures. He currently works as a Cyber Security Strategist for Creative Breakthrough Inc (CBI) and has been in the industry for over 20 years. Areas of expertise include managing culture, ITGRC, security community and mentorship, application security and team leadership.

1. Early this year, you took the position of cyber security strategist at CBI. What exactly does this position entail?

As a security strategist at CBI, my role is connecting people and ideas to develop strategies for improving cyber security. I work with the senior leadership at CBI’s customers to understand their business strategy and collaborate on plans for aligning and maturing their security activities. Within CBI, I provide technical leadership and expertise toward our service lines and vendor partnerships. On select engagements, I work directly with the consulting team to deliver impactful results to our customers.

Another aspect of my position, which I find rewarding, is leading the CBI Academy. I have been mentoring and coaching professionals in my local community for years, so leading the Academy was a natural fit. We often hear CISOs talk about the lack of security talent for staffing their teams. At the same time, we often hear students talk of the difficulty in identifying and gaining the in-demand skills. With CBI Academy, we bridge the gap with an apprenticeship program that accelerates the careers of recent university graduates.

Read the rest at:




Wired: DevOps isn't a job, but it is still important

By wolfgang. 22 May 2015 07:10

"Traditionally, companies have at least two main technical teams. There are the programmers, who code the software that the company sells, or that its employees use internally. And then there are the information technology operations staff, who handle everything from installing network gear to maintaining the servers that run those programmers’ code. The two teams only communicate when it’s time for the operations team to install a new version of the programmers’ software, or when things go wrong. That’s the way it was at Munder Capital Management when J. Wolfgang Goerlich joined the Midwestern financial services company in 2005."

Read the rest at: http://www.wired.com/2015/05/devops-isnt-job-still-important/


Team management

Phone phreaking visits Apple Pay's authentication

By wolfgang. 18 May 2015 08:43

There is a new attack on Apple Pay involving an old phreak tactic. Read about it here:

Has Your Phone Number Been Stolen? Another Apple Pay Fraud Hits the Nation

The fraud works by knowing the mobile carrier and number the target uses for device identification, contacting the carrier to port the number to a phone the criminal has, then using the number to authenticate and add the criminal’s device to the victim’s Apple Pay account. Illegally porting telephone numbers has been around for some time. Criminals are re-using the old technique to subvert Apple Pay’s device authentication mechanism. 

What can consumers do to protect themselves? First, use a telephone number that is not well known for device authentication. Many people use their home landline phone number, which is often easy to discover. Second, inquire with the carrier about their policies around authorizing porting and notifying customers. Third, keep a close eye on Apple Pay for unfamiliar devices.

The way banks can protect consumers is as old as the tactic of stealing phone numbers. It comes down to account monitoring and fraud detection. Today's behavioral analytics are as adept at spotting misused accounts linked to Apple Pay as they are at spotting misused credit cards. Banks and other financial institutions must review their anti-fraud programs to ensure they apply to emerging payment processes like Apple Pay.

All in all, this is an example of an old tactic being applied to a new payment processing system. When developing new systems, it always pays to consider how previous attacks might apply.
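The account-monitoring side of this post, as an added example that is not part of the original post: an issuer sees a device enrolled that the account has never used, then rapid spending from that device. The event fields, account ids and thresholds below are constructed assumptions, not Apple's or any bank's schema.

```python
"""Flag unfamiliar-device enrollments and the rapid spend that follows them."""
from datetime import datetime, timedelta

# Constructed issuer-side event stream (assumed schema, sample values).
EVENTS = [
    {"ts": "2015-05-10T09:00", "acct": "A1", "type": "device_enrolled", "device": "iphone-known"},
    {"ts": "2015-05-16T14:02", "acct": "A1", "type": "device_enrolled", "device": "iphone-unknown"},
    {"ts": "2015-05-16T14:30", "acct": "A1", "type": "purchase", "device": "iphone-unknown", "amount": 480.0},
    {"ts": "2015-05-16T15:10", "acct": "A1", "type": "purchase", "device": "iphone-unknown", "amount": 620.0},
    {"ts": "2015-05-17T10:00", "acct": "A2", "type": "purchase", "device": "android-known", "amount": 12.5},
]
# Devices each account has previously used (constructed).
KNOWN_DEVICES = {"A1": {"iphone-known"}, "A2": {"android-known"}}
WINDOW = timedelta(hours=24)   # look-ahead after an enrollment
SPEND_LIMIT = 1000.0           # assumed review threshold


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def review_enrollments(events, known):
    """Return (account, device, reason) tuples for enrollments worth a fraud review."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        if e["type"] != "device_enrolled":
            continue
        if e["device"] in known.get(e["acct"], set()):
            continue  # re-enrollment of a device already tied to this account
        # First signal: a device the account has never seen was added.
        alerts.append((e["acct"], e["device"], "unfamiliar device enrolled"))
        # Second signal: spend from that device inside the window after enrollment.
        start = parse(e["ts"])
        spend = sum(
            x["amount"] for x in events[i + 1:]
            if x["acct"] == e["acct"] and x["type"] == "purchase"
            and x["device"] == e["device"] and parse(x["ts"]) - start <= WINDOW
        )
        if spend >= SPEND_LIMIT:
            alerts.append((e["acct"], e["device"], f"{spend:.2f} spent within 24h of enrollment"))
    return alerts


if __name__ == "__main__":
    for alert in review_enrollments(EVENTS, KNOWN_DEVICES):
        print(alert)
```

The first signal alone is what a consumer watching for unfamiliar devices would see; the second is the issuer-side correlation that turns it into a fraud-review case.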


Risk Management | Threat modeling

Starbucks gift card fraud

By wolfgang. 15 May 2015 12:42

Starbucks is in the news as criminals abuse its online services through fraudulent gift card purchases. On the surface, the issue appears to be about consumers’ passwords and the poor practices around their use. There is more to the story, however, and I would argue two deeper concerns are the real issue. The first is in how emerging payment systems are monitored and secured. The second is in how online services are developed and maintained. 

Read the rest at: http://content.cbihome.com/blog/starbucks_giftcard_fraud


Application Security | Risk Management

Friday Books and Talks 05/15/2015

By wolfgang. 15 May 2015 07:36

Reviving Work Ethic: A Leader's Guide to Ending Entitlement and Restoring Pride in the Emerging Workforce
by Eric Chester

For frustrated managers and leaders, a guide to instilling a strong work ethic in the modern workforce. Work ethic in America is fast declining, plaguing young and old alike. But in Reviving Work Ethic, Eric Chester shows that you do best to focus on your young employees--those whose habits and ideals can still be influenced. He presents an incisive look at the root of the entitlement mentality that afflicts many in the emerging workforce and shows readers the specific actions they can take to give their employees a deep commitment to performing excellent work.

And his advice is crucial to a healthy bottom line: too often, talented-but-difficult-to-understand younger workers stand between your company and its profits. If business owners, managers, and executives are not connecting with them and modeling the key components of work ethic, employees are likely not connecting effectively with customers--leaving all kinds of money on the table.

Reviving Work Ethic is the culmination of years of research as well as presentations to over two million youth. Chester's experience shows in his confident analysis of the seven


Friday Books and Talks 05/08/2015

By wolfgang. 8 May 2015 10:23

The Spider's Strategy
by Amit Mukherjee

To thrive in a world where networks of companies increasingly compete with other networks, managers can no longer focus solely on excellence in planning and execution. In The Spider’s Strategy, top business consultant Amit S. Mukherjee provides the tools you need to sense and respond to unexpected events. He shows how and why managers in your company must apply his four powerful “Design Principles” today.

The Well-Timed Strategy
by Peter Navarro

It’s not enough to understand the business cycle and the industry cycle. In The Well-Timed Strategy, Peter Navarro discusses today’s unprecedented level of macroeconomic turbulence – from oil price hikes to drought and disease. Whether an executive, a strategist or an investor, Navarro provides the tools to align every facet of business strategy, tactics and operations to reflect changing business conditions. Keeping in mind finance, supply chains, production, marketing, HR and more, the author outlines ways to profit from the chaos of business cycle volatility by implementing the appropriate strategy.



Who Watches the Watchers? Firewall Monitoring

By wolfgang. 28 April 2015 10:01

Even in the face of being declared dead -- often and repeatedly since 2004 -- the firewall remains a viable security control. De-perimeterization simply leads to a specialization of controls between IT in the cloud and IT on the ground, with the firewall taking on new roles internally. Especially for payment processing, healthcare, and energy, the firewalled network is still a key element of today’s standards and regulations.

The trouble is, all firewalls share a weakness. It isn’t in the IP stack, firmware, or interfaces. No, the weakness is much more fundamental. All firewalls depend on proper configuration and are a single change away from a breach.

Barracuda Networks is well known for its Web Application Firewalls (WAF) which protect against attacks such as SQL injection and others listed in the OWASP Top 10. Back in 2011, however, a change process went awry and disabled Barracuda’s WAF protection for its own servers. Within hours, some tens of thousands of records were stolen via an injection vulnerability on a Barracuda website. All it took was a single misconfiguration.

FireMon Security Manager 8.0

Tools for firewall change management have sprung up to address these concerns. Centralizing the audit log for all changes on all firewalls is great for looking back, however, as Barracuda experienced, a breach can happen within hours. IT admins require real-time detection and notification on changes, which is one of the many features FireMon offers. It can model complex changes and provide a what-if analysis cross-referencing the firewalls with an organization's policy and compliance obligations.

Firewalls will continue to be a foundational control for an organization’s internal IT. The control for the controller, the watcher for the watcher, is secure change management. This means change planning, detection, auditing, and alerting. Operationally, it also means tracking history and the ability to troubleshoot issues by comparing changes across time. For organizations running complex segmented networks, management tools like FireMon are invaluable for preventing breach by change.
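Change detection cross-referenced against policy, as an added example that is not FireMon's code or any vendor's: two rule-set snapshots are diffed and each change is checked against a small policy, so the Barracuda-style case (a protection rule switched off) is alerted on rather than found in the audit log afterwards. Rule names, the policy entries and the snapshots are constructed assumptions.

```python
"""Diff two firewall rule-set snapshots and alert on changes that widen exposure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    src: str
    dst: str
    port: str         # "any" or a port number
    enabled: bool = True


# Constructed policy obligations that every change is cross-checked against.
POLICY = {
    "must_stay_enabled": {"waf-inspect"},       # rules that must never be disabled or deleted
    "never_allow_any_to": {"cardholder-db"},    # destinations that must never get allow-any
}


def diff_rulesets(before, after):
    """Return (added, removed, modified) keyed by rule name."""
    b = {r.name: r for r in before}
    a = {r.name: r for r in after}
    added = [a[n] for n in sorted(a.keys() - b.keys())]
    removed = [b[n] for n in sorted(b.keys() - a.keys())]
    modified = [(b[n], a[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]]
    return added, removed, modified


def risky_changes(before, after):
    """Alert strings for changes that remove or weaken a control."""
    alerts = []
    added, removed, modified = diff_rulesets(before, after)
    for r in added:
        if r.action == "allow" and r.src == "any" and r.dst in POLICY["never_allow_any_to"]:
            alerts.append(f"{r.name}: new allow-any rule to {r.dst}")
    for r in removed:
        if r.action == "deny" or r.name in POLICY["must_stay_enabled"]:
            alerts.append(f"{r.name}: deny or protection rule deleted")
    for old, new in modified:
        if old.enabled and not new.enabled and new.name in POLICY["must_stay_enabled"]:
            alerts.append(f"{new.name}: protection rule disabled")
        if old.action == "deny" and new.action == "allow":
            alerts.append(f"{new.name}: deny flipped to allow")
    return alerts


# Constructed snapshots: the second one disables WAF inspection and opens the database.
BEFORE = [Rule("waf-inspect", "deny", "any", "web", "80"),
          Rule("db-block", "deny", "any", "cardholder-db", "any"),
          Rule("web-in", "allow", "any", "web", "443")]
AFTER = [Rule("waf-inspect", "deny", "any", "web", "80", enabled=False),
         Rule("db-open", "allow", "any", "cardholder-db", "any"),
         Rule("web-in", "allow", "any", "web", "443")]
```

Run on a schedule or on every config push, the same function gives the history comparison the post describes: any two snapshots from the archive can be diffed to see which change introduced an alert.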

