Career

Cybersecurity Executive Briefing – Why Defense in Depth

This started as an email to a few people but as the word count climbed, I started thinking that there may be other SMB IT folks out there trying to explain cybersecurity to Executive teams. I am NOT a security ‘expert’, but I do keep as up to date as possible. I hope this helps.

There are two key concepts in cyber-security today – Defense in Depth and Assumed Breach. To understand them fully is an entire career of knowledge and research, but we can boil them down to a few base principles.

Back in the Olden Days, there were no smartphones, a few laptops, and the main concern was Keep the Bad Guys Out. We installed firewalls to block access into our networks, added some filters for email viruses, and called it done.

Alas, the villainous hordes were not so easily defeated! The increasingly mobile user started being a Typhoid Mary, carrying in bad things from the outside. Since the payload arrives on a ‘trusted’ device, it is welcomed into the ‘safe’ network.

Oops.

Like a sick child bringing home colds and flu, these mobile devices came back from the outside world carrying malicious software (malware). Some were viruses that spread from machine to machine by infecting documents or programs. Some were worms that moved through the network on their own, reaching every share and service a “trusted machine” was allowed to reach. Some simply installed remote-control software and awaited instructions as part of a network of hijacked machines (a botnet). All of this happens inside the ‘safe’ perimeter.

The way to defend against this is a posture of “Assumed Breach”. Stated simply, this is acknowledging that at some point an infected machine or file will be on your network. Now what? Detection and containment are usually the first steps: machine-level firewalls so one infected machine cannot freely reach its neighbors, restricted network shares so it cannot reach every file, routine backups so you can recover whatever it does reach, and routine scans so you find it quickly.

The best practices of today all recommend a ‘Defense in Depth’ strategy. Conceptually it is pretty straightforward, but a little trickier to implement. The base idea is like a soldier in a hostile country.

  • At the most personal level, our trooper has a helmet and body armor. On your laptop, this is limiting administrative rights, disk encryption, and anti-malware software.
  • Next out are the protections for the group. For our troopers, it’s walls and gates with guards. Your network has a firewall with intrusion detection and filters to keep the bad stuff out.
  • Finally, there is air support. For our trooper, this may be a group of fighter jets flying around to detect and intercept incoming ‘bogeys’. For our network, this is a cloud-based filter (mail, web or DNS filtering) that stops problems before they even get to the perimeter.
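To make the “body armor” layer and the “Assumed Breach” first steps concrete, here is an added example (not from the original post) of a read-only PowerShell posture check that a small IT shop could run on a Windows 10/11 laptop. It reports on the items named above: disk encryption, the machine-level firewall, anti-malware status, who holds local administrator rights, and which network shares are open to Everyone. It assumes an elevated PowerShell 5.1 or later session with the built-in BitLocker, NetSecurity, Defender and SmbShare modules available; the function name, the default allowed-administrator list and the signature-age threshold are this example’s own assumptions.

```powershell
# Added example (not from the original post): a read-only posture check for the
# endpoint ("body armor") layer on a Windows 10/11 machine. Run from an elevated
# PowerShell 5.1+ prompt. Function name and defaults are this example's own choices.

function Get-EndpointPosture {
    [CmdletBinding()]
    param(
        # Leaf names allowed to sit in the local Administrators group.
        # Assumption for this example: the built-in account plus one IT management group.
        [string[]]$AllowedAdmins = @('Administrator', 'IT-Admins'),
        # Anti-malware signatures older than this many days count as stale.
        [int]$MaxSignatureAgeDays = 3
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding ([string]$Control, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. Disk encryption: every BitLocker volume should be fully encrypted.
    try {
        foreach ($vol in Get-BitLockerVolume) {
            Add-Finding "BitLocker $($vol.MountPoint)" ($vol.VolumeStatus -eq 'FullyEncrypted') `
                "Status=$($vol.VolumeStatus), Protection=$($vol.ProtectionStatus)"
        }
    } catch { Add-Finding 'BitLocker' $false "Could not query BitLocker: $($_.Exception.Message)" }

    # 2. Machine-level firewall: on for every profile, and not allowing inbound by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        Add-Finding "Firewall profile $($p.Name)" $ok `
            "Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
    }

    # 3. Anti-malware: Defender real-time protection on and signatures reasonably fresh.
    $mp = Get-MpComputerStatus
    Add-Finding 'Defender real-time protection' ([bool]$mp.RealTimeProtectionEnabled) `
        "AntivirusEnabled=$($mp.AntivirusEnabled)"
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Finding "Defender signatures under $MaxSignatureAgeDays days old" ($sigAge.TotalDays -lt $MaxSignatureAgeDays) `
        ('Last updated {0:yyyy-MM-dd}' -f $mp.AntivirusSignatureLastUpdated)

    # 4. Least privilege: only the expected principals hold local administrator rights.
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators'
        $unexpected = $admins | Where-Object { $AllowedAdmins -notcontains ($_.Name -split '\\')[-1] }
        Add-Finding 'Local Administrators limited to allow list' (-not $unexpected) `
            ('Members: ' + (($admins | ForEach-Object Name) -join ', '))
    } catch { Add-Finding 'Local Administrators' $false "Could not enumerate group: $($_.Exception.Message)" }

    # 5. Network shares: no user-created share should grant Everyone access.
    $open = foreach ($s in (Get-SmbShare | Where-Object { -not $_.Special })) {
        Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    }
    Add-Finding 'No shares open to Everyone' (-not $open) `
        ('Open shares: ' + (($open | ForEach-Object Name | Sort-Object -Unique) -join ', '))

    return $findings
}

# Usage: print the full table, then a one-line summary an executive can read.
$posture = Get-EndpointPosture
$posture | Format-Table Control, Pass, Detail -AutoSize
$failed = @($posture | Where-Object { -not $_.Pass }).Count
Write-Output ("{0} of {1} controls need attention." -f $failed, $posture.Count)
```

The script changes nothing; it only reads state, so it is safe to run on a user’s laptop before deciding what to fix. Each failing row maps directly to one of the layers above: BitLocker and the administrator check are the helmet and body armor, the firewall profiles and share permissions are what keeps one infected machine from wandering the ‘safe’ network, and the Defender rows are the scans the Assumed Breach posture depends on.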

The issue with many corporate solutions goes back to the whole “mobile” concept. When our troopers are out in the jungles of the cyber world (aka the Airport Lounge), they don’t have the group protection of the firewall layer. With no cloud-based systems, it’s down to just body armor, that is, whatever security they have installed locally.

Just like how our troops have more advanced body armor than their great-grandfathers in World War II, advances in weapons require advances in protection. It’s an arms race between the security experts and the bad actors, and it’s a fast-moving one.

Keeping up is difficult even for large companies with dedicated security staff, and it’s far more difficult for smaller companies where the technical staff are forced to wear more hats. That’s why SaaS (Software as a Service) security offerings are so attractive. Most well-reviewed SaaS products are very good at early detection and protection from outside attacks. The best will also prevent a botnet-compromised machine from ‘reporting back’ to its controllers for instructions. A few thousand dollars per year is still cheaper than a very public breach or hiring a dedicated security person!

Some Executives will have doubts about whether all this security is worth it. Sure, responsible leadership has a cybersecurity clause on their business insurance, and even with multiple layers and backups, you may still get hit. To switch analogies a bit, we all have a theft clause on our homeowner/renter insurance, right? We also still lock our doors when we leave.

So what’s the answer? What is the solution that fixes all of this so we can move on with business? Sadly, there is no one-size-fits-all solution. The answer is “It Depends”. What is your budget? What is your tolerance for risk? A very small business with few digital files would likely be fine with a daily or weekly backup to a drive stored offline. You could call that 1.5 layers. Larger businesses with a larger digital presence and less tolerance for loss of files and capability will need more protection.

 

Packing up for Ignite!

Everyone has their own opinions about what to take when packing for a conference. Obviously, many conferences are smaller than Ignite, and that makes for a slightly different packing list.

Here are a few of the things on my checklist:

1. Two pairs of shoes. It seems silly, but I can vouch for the fact that swapping shoes every day makes a difference. I for one usually don’t walk 17,000 steps in a normal day. However, at Ignite, a 17k day is not unusual for me. Good, well broken in, comfortable shoes are invaluable.

2. Powerbanks. Those little USB power chargers will keep your phone juiced up all day. Power plugs can be scarce at times. Having a big battery to tide you over can be the difference between being able to tap out a quick note versus having to write it down in a pad.

3. A notebook. As much as you try, you may run out of juice and need to take notes the old fashioned way. I prefer the half size spirals. Usually there are some vendors in the Expo/Hub giving away branded notepads as well.

4. Light jacket/windbreaker. The temperature can swing wildly from hot outside and warm in the halls to chilly in the rooms for breakouts. I like to take a light warmup jacket that will fit easily in my pack.

5. USB multiport charger. I have a little USB charger with 5 ports that plugs into a regular wall plug. This is for your hotel room to charge all of your stuff at the same time. There are never enough plugs accessible in hotel rooms.

6. Hand sanitizer. You will be shaking hands a lot. Nuff said.

7. Business cards. If your company does not provide them, most Office Depots will make you a set of 50 or 100 inexpensively and ready in a couple of hours.

8. Extra space. You will be bringing back t-shirts and other swag. Even if you don’t want the stuff, it’s nice to bring it back to your team. Either only pack your suitcase 2/3 full or bring an empty gym bag in your main suitcase. It’s amazing how many t-shirts can be stuffed in a decent size gym bag!

Of course, some of these seem obvious, but I personally have forgotten at least a few of these things! Trust me, it’s much cheaper to bring these things than to buy at the airport or hotel.

Other than that, eat and drink responsibly, stay hydrated, and have fun. If you tend to be a little introverted, step out of your comfort zone and introduce yourself to at least one other attendee per day. Vendors do not count since they are working at meeting YOU!

That about sums it up for now. I’m going to try to post more during the week, time permitting.

2018 – Ready, Set, GO!

We all know the usual platitudes around the new year. We’ve heard them, we’ve said them, and it’s the same every year. “New Year, New Me”, “This is my year!” or the ever-increasing spate of diet and fitness articles, books, and well-meaning resolutions. It’s our traditional, or perhaps even natural, tendency to look forward optimistically, to prepare to succeed in the New Year. Sometimes, that’s where we stop.

Our seemingly bottomless pit of procrastination seems to be dug with a shovel labelled “Preparation”. We have phrases like “Proper Preparation Prevents Piss Poor Performance”, and “He who fails to prepare, prepares to fail”. These truisms exist because they are true.  But coupled with an overactive ‘inner critic,’ preparation quickly spirals into the abyss of procrastination.

Most people have experienced this. We plan to do things. We make lists, we study, we prepare. But then things slip to the side a bit. We feel uncertain or hesitate for whatever reason. So, we review the lists and plans. This of course leads to revising the lists and plans and the cycle starts again. Notice what is missing? The ‘doing of the thing’.

Stop preparing to prepare!  –Matthew Parks, Sr  (paraphrased)

We’ve all been guilty of it to some degree, but it seems to be far worse when venturing into unfamiliar territory. We want to be certain that we’re not making a mistake, or that we won’t look foolish. In short, we fear failure.

How do we break the cycle? Honestly, I’m not sure of the ‘best way’. Trying to find the best method/cure/path to righteousness/whatever is how we get stuck in that cycle to start with! So I propose to simply pick a path, perhaps not the “best path”, just “a path”. Take a few steps and see if it hurts. See if there are any obvious pitfalls ahead. You can usually change course if it looks too bad. Meanwhile, each step takes you further from the Pit of Procrastination.

I’m not saying to go against all the truisms and advice and just jump into things without preparation or caution. That would be foolish. I’m saying let’s try not to get stuck in the prep and never do the thing. How will it turn out? We’ll just have to see, won’t we?

Meanwhile I’ve written an entire blog post on procrastination, based on my thoughts about how to stop procrastinating on writing a blog post. <shakes head>

“Dilly Dilly!”

Have a great year!

Whose Job Is It Anyway?

Disclaimer: This is a generalized rewrite of an article I wrote for a company newsletter. I’m adding here because I think we ALL need a little reminder.


Actually, the better way to phrase that would be “Whose career is it anyway?” Right? I mean, most of us prefer to think of how we spend our days as a career and not just a job. We’ll come back to that later. For now, let’s just think at the ‘job level’: what you do today, tomorrow and maybe even next week.

I’m aiming most of this at those of us who are employed by someone else. Self-employed people and business owners are usually well aware of “Who’s responsible for my skills.”

Who is responsible for making sure we keep up with the changes in the business world, or at least our little corner of it? Of course, your supervisor is supposed to make sure you meet the minimums required to do your current job. That works if all you want to do is be a minimum employee and punch the clock every day. Maybe you’ll be able to do that until you retire, but more likely your job function will change and you’ll find you don’t have the basic skills required to be even a minimum employee. That, my friends, is all on you.

The company is responsible for making sure you meet at least the minimums, sure. Some of us are fortunate enough to work for a company that offers educational programs of several different types. There are reimbursement programs for job-related education, and there are company-sponsored training sessions. None of that has much effect unless you invest at least your time, and maybe even some of your money, to improve your skillset. I spend my own money (in addition to company education) to pay for my continuing education in my chosen career. I know, some of you are saying “But I’m not an IT person, I’m just a ”. I could go on and on about how that shouldn’t matter, or I can simply quote the man who said it best.

“...Even if it falls your lot to be a street sweeper, go on out and sweep streets like Michelangelo painted pictures; sweep streets like Handel and Beethoven composed music; sweep streets like Shakespeare wrote poetry; sweep streets so well that all the host of heaven and earth will have to pause and say, ‘Here lived a great street sweeper who swept his job well.’” – Dr. Martin Luther King, Jr.

There are many morals to that quote, but the one I want to draw your attention to today is this: take pride in what you do and be the best possible at what you do. Your manager is not responsible for your mortgage or rent, you are. Your supervisor isn’t responsible for feeding your family, you are. The ‘Company’ isn’t responsible for your career, YOU ARE.

Spend a little of your time improving your skillset in whatever you do. If you want to improve and don’t have a clear direction, ask your manager, and if they can’t tell you, then ask their manager. Get online and use Google to search for “warehousing best practices” or “call center best practices”. Take an online class in Accounting Principles. Watch a YouTube video on something other than cute cat tricks. Read a book. LEARN something.

Even if what you learn doesn’t immediately apply, it will give you a depth of understanding of why to do your job in a certain way, or even inspire you to think of a better way to do it! That’s what increases your value, helps you move up in position and pay, and incidentally, makes it more likely you’ll stay employed.

At the end of the day, you can lose your job. However, if you’ve invested in your career and yourself, not only would it be easier to get a new job, but you’ll be better at your current job. So don’t just be “minimum”, be exceptional!