Category Archives: Security

Security for All Sizes: Which Antivirus Is Best?

I remember the first time I saw an AI antivirus program. I was amazed, impressed, and sure that it would be something we’d want to use back at my day job. After the conference, I leaned over the cube wall of the AV Manager and started to tell him what I saw.

He smiled, kind of cut me off, and said, “I’ve heard of those guys and another vendor that does a similar thing. However…” He swung his monitor so I could see it. It showed his admin dashboard for AV installations. “I need one of these. I can’t have any AV product unless I get to see an enterprise dashboard that tells me who has it installed and who doesn’t.”

That was at a global megacorporation. PCI, HIPAA, and other regulations require that any PC that connects or even might connect to a sensitive network have antivirus software installed and running. The regulations do not specify that the antivirus actually has to work, just that it be installed and running. The primary concern in the big company is in delivering a report to an auditor that shows the AV software is installed and running on every PC in the company.

As for dealing with viruses, that’s a simple matter. Download the latest signature, test it against a development environment, verify that it doesn’t break production, then roll it out. While it’s true that most AV packages can’t deal with a zero-day threat, it’s also true that most threats are from the dim and distant past. Remember CIH? Melissa? Nimda? Well, they’re still out there. They’re out there with all of their old-school buddies from 20 years ago, and that AV program is there to keep all the known threats out of the PCs it protects.

Flashy new products are nice, but the big firms need to know where they’re installed. Until the flashy new product can deliver that information, it won’t be installed. Even if the product can identify virus writers and have them proactively incarcerated, if the AV manager can’t show that it’s on every PC, it won’t be installed.

At the other end of the business size continuum, the key factor is price. Really small firms will have each employee download a personal version of a free AV program and just hope that the Business Software Alliance never knocks on the door. Once the small business is big enough to be on the BSA’s radar, it’s likely that the margins there are so thin that if an AV solution isn’t free or near-free, it’s a non-starter. If the flashy new product can’t meet that price target, then the small firm is going with a near-free vendor that can protect against those legacy threats just as well as the flashy new product that might also be able to stop zero-day exploits before they happen. The thing is, that proactive stuff comes at a cost they can’t afford.

The mid-sized company that’s outgrowing its near-free AV solution but still isn’t yet ready to bow down at the altar of big corporate dashboards may be the best chance for that flashy new product to find a customer. That being said, the flashy new product has an uphill fight against the name recognition of the existing major players. Who’s been fighting against all those viruses for 20 years and more? Not the Johnny-Come-Lately product.

And that new AV product will also have to be sure that it never, ever, ever, never no never not ever takes down production. All those cool new algos and AI learning potential come up face to face with the stark reality that, every so often, a production application does stuff that’s very much like a virus.

Maybe the developers took advantage of a Windows security hole to take care of a task. Maybe a developer copied and pasted some evil code into an app. These things can happen at any size of firm, and present real security issues.

I recently ran into this at a mid-sized company where I noticed that there were devices launching brute-force password attacks at file servers. We traced the attacks to PCs that were all in the same department. As it happened, they all used a particular application specific to their field that contained the brute-force code. The attacks continue as we wait for the vendor to issue an update that doesn’t include that code. The app was already white-listed with their AV program, so it didn’t get shut down, even though it was doing some horribly evil things on the network.

Then there’s the botnet I discovered one day in the badge readers at a large corporation. Those devices had enough Windows embedded in them to support the botnet, but not enough to be able to run the AV program. At least most of the company was running AV on their Windows workstations, so they were protected from becoming part of the badge reader botnet.

While the malware threat from whitelisted apps and IoT devices can be at any size company, there’s one particularly nasty threat that is more pervasive the smaller a firm is: users with local admin rights.

If users have local admin rights, and they typically do at the smaller firms, they can do all kinds of terrible things to their PCs, from accepting the installation of malware along with their Veeblefetzer searchbar add-on, on up to disabling their local AV program so that they can run their torrenting software without being interrupted about the malware that goes with those torrents. Large firms will also have local admin abusers, but the large firms are also more likely to be actively policing for that kind of abuse.

On the whole, I think small firms have it hardest when it comes to getting an AV solution. They have to deal with tight budgets, unchecked developers, and local admin rights for all, so they’ve got the hardest battle to fight. As the firms get larger, the better they get at fighting yesterday’s wars, but remain open to tomorrow’s surprises.

Security for All Sizes: The Size of the Business Matters

My choice of the title is based on the fact that the size of the business matters when we define security solutions. We don’t just consider the budget available, but the staff skill levels, user population, and overall levels of departmentalization.

Consider what can happen if a firewall admin notices a stream of outbound traffic to an unusual IP address that resolves to Minsk in Belarus…

At a small company, the admin will walk down the hall to where the CEO sits and ask if it’s cool to block traffic going to Belarus. “Sure,” says the CEO, “we don’t do any business with Belarus. Block the whole country.” Once the traffic is blocked, the firewall admin, who is really an all-around IT person, checks the PC that was sending traffic and makes sure its antivirus software is up-to-date. Maybe that’s when it’s discovered that their AV licenses have expired and they need to have a quick conversation with their vendor about renewal…

At a medium company, the firewall admin may notify his manager and wait an hour or two for a response to block just that IP address, since they may expand business to Eastern Europe at some time in the near future. Maybe. Once authorized to block, the admin may dash off an email to the desktop admin to check out the client at 10.1.2.3 that was the source of outbound traffic.

At a large company, the SOC may be up to its eyeballs in preparing reports for auditors to even notice just one more stream of traffic going to a Bad Place. Maybe they do notice it and generate an alert. That alert goes to the level one helpdesk person who then has to follow up with engineering about approval of a change request to shut down the traffic. In the course of the escalation, other teams get involved and start to build a full forensic picture over the next few days and they confirm that, yes, the traffic is originating from 10.1.2.3 and going to a Bad Place in Belarus. As they debate about what to do – they can’t just block the IP, since it’s a major ISP in Belarus that they use for B2B communications – the flow of traffic stops… so they decide to wait and see if it happens again before doing anything final.

Now those aren’t the only possible outcomes, but they illustrate the differences between getting security at different levels of business. I’d like to start a conversation of “war stories” that can help other professionals understand all the wrinkles involved in implementing security solutions, so that we can be more aware of those wrinkles as we discuss security with the decision-makers at those firms.

So what are your impressions and experiences, working at different levels and types of organizations?

5 Ways Coronavirus Remote Work Can Compromise Your Security

Can coronavirus COVID-19 impact your network? The short answer is “yes”, if your firm hastily adopts a remote work policy without considering some common sense security precautions.

1. No personal email. The only exception for this would be to contact helpdesk about being unable to access corporate email. Personal email is not typically set up to properly archive and retain messages that could later be subject to a legal hold. The very use of personal email for business purposes can potentially expose your firm to liability costs that would exceed the value of whatever business you planned to get done.

2. No personal file sharing. This is right up there with personal email. Personal anything is not allowed for business use, mmmkay?

3. No Remote Desktop Protocol (RDP) use over unsecured Internet. If I had a nickel for every person that told the network team to open up port 3389 on the firewall so that they could work from home, I’d be comfortably well off. Yes, RDP means you can access your desktop or server from home. It also opens up great work from home capabilities for attackers. They will guess your username and password. It’s only a matter of brute force time.

4. No low-security options on the VPN configuration. While I’ll allow you to use RDP through a VPN connection, I’ll only allow it if your VPN is not just secure, not just really secure, but only if it is really really secure. That means not just IKEv2 and the best AES that your system will support, but also secured authentication that uses more than a username/password combo. Let there be a certificate or software token as part of 2-factor authentication.

5. No split tunnels. It’s tempting to let a local ISP handle all the Facebook and YouTube traffic that users consume in between productivity spurts, but don’t. Either pass all that traffic through your own network, or block it with a message that VPN bandwidth is limited due to whatever reason you want to provide in order to justify blocking that traffic. My point being that a split tunnel approach allows for an attacker on the Internet to bridge their attack through your user’s PC.

Can there be more possible pitfalls? Sure. These are just the five biggest ones. If your firm is anticipating a stretch where a large percentage of employees must work remotely, then take the time to bake some security into that plan so that reducing health risk doesn’t increase IT risk.
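Item 3 above says that an exposed RDP port is only a matter of brute-force time. The following is an added example, not code from the original post, of what the defender’s side of that looks like: a sliding-window count of failed RDP logons per source address over constructed Windows Security event lines (event 4625 with LogonType 10, the RemoteInteractive type used by RDP). The log format, host addresses, usernames and the threshold of five failures in ten minutes are all assumptions made for the example; real event logs would need a different parser but the same counting logic.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not a real capture: Windows Security event 4625 (failed logon)
# and 4624 (successful logon) flattened to one line per event. LogonType 10 is
# RemoteInteractive, i.e. an RDP session; the hypothetical host has 3389 reachable.
SAMPLE_LOG = """\
2020-03-16T08:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2020-03-16T08:00:02Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-03-16T08:00:03Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5
2020-03-16T08:00:04Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2020-03-16T08:00:05Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.5
2020-03-16T08:00:06Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.5
2020-03-16T08:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.1.2.3
2020-03-16T08:40:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.1.2.3
2020-03-16T08:41:00Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.1.2.3
2020-03-16T09:00:00Z EventID=4625 LogonType=2 TargetUserName=mlee IpAddress=-
this line is not an event and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# RFC 1918 ranges; anything else is treated as "external" for this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True if ip parses and lies outside RFC 1918 space. Non-addresses such as '-' are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in RFC1918)


def parse_events(text):
    """Yield one dict per well-formed line; anything the regex does not match is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event"] = int(ev["event"])
        ev["ltype"] = int(ev["ltype"])
        yield ev


def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed RDP logons per source address.

    Returns {source_ip: {"failures": n, "users": [...], "external": bool}} for every
    source that reached `threshold` failures inside any span of length `window`.
    Only event 4625 with LogonType 10 counts; successes and console logons are ignored.
    """
    recent = defaultdict(deque)  # source ip -> (timestamp, username) pairs inside the window
    flagged = {}
    for ev in parse_events(text):
        if ev["event"] != 4625 or ev["ltype"] != 10:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # drop failures that have aged out of the window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = {
                "failures": len(q),
                "users": sorted({u for _, u in q}),
                "external": is_external(ev["ip"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        where = "EXTERNAL" if info["external"] else "internal"
        print(f"{ip} ({where}): {info['failures']} failed RDP logons, "
              f"usernames tried: {', '.join(info['users'])}")
```

The internal host with two failures 35 minutes apart is exactly the case the window is there for: a user mistyping a password twice should not page anyone, while six different usernames from an external address inside six seconds is the signature of the password-guessing the post describes, and the thing a firewall that never opened 3389 would not have had to log at all.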

“Just in Time” Needs to Become “Just in Case”

On 12 December 2019, Chinese broadcaster CCTV announced that a new viral outbreak had started in the city of Wuhan. While the first confirmed case was on 17 November, it was not until more cases came to the attention of authorities – in a way that they could not ignore – that the Chinese government began to publicly acknowledge something new was underway. Following that 12 December announcement, the world began to transform. As output ground to a halt in much of China, factories depending on Chinese raw and intermediate goods had to slow or stop production. The lesson learned was both sharp and timely – “just in time” methods of production left firms vulnerable to disruptions in the supply chain. If firms kept a reserve of parts, those could have lasted through at least some of the lapse, if not all of it, and would have allowed for less economic dislocation.

Part of the “just in time” mentality of go, go, go all the time is the ideal of “five nines” or even “six nines” – 99.999% or more uptime for all systems. While, yes, this does mean the product always moves out the door, it also means that the things making those products go unpatched and unprotected for long stretches of time, making them prime targets for attackers. Those vulnerabilities leave the firm just one click on an email attachment away from utter ruin.

Just as there’s an argument to be made for adding some storage capacity to help weather supply chain shocks, we need to talk about “two nines” uptime as a way to avoid eventual “infinite zeroes” uptime conditions. If you give me 100 minutes each week, I can get a breathing space to apply needed patches on production servers and equipment. If I don’t need a week’s 100 minutes, let it roll up into next week – maybe I’ll need more time to apply the next patch, who knows? But let me have a reserve of time during the working year so I can do my job to patch and protect. Let me reboot gear that needs its queues cleared, let me stop and restart services on servers, let me keep things up to date so we can spend the other 99% of the time feeling more confident about the resiliency of the environment… just in case, ok?

I’m aware that executives in most nations have a fiduciary duty to maximize shareholder value. That’s a short term goal that is itself replete with abuses when it considers employees as expenses as opposed to capital or when it looks at wages as a race to the bottom. I’ll leave those criticisms of neoliberalism for another paper at another time. But here is where I criticize those fiduciary duties as regards security. Maximizing shareholder value means minimizing expenses in the short run, and security is seen as an expense, not as an investment. Current accounting structures blind the books to an ability to properly assess the value of a security system in its ability to provide long-term stability and constancy. I would love it if share prices for a firm jumped every time it announced it was undertaking a security project. Sadly, they’re more likely to drop as those expenditures for security are seen as short-term profits lost, not long-term profits gained.

In the meantime, I’m reading headlines about increases in ransomware and other attacks using email attachments with references to coronavirus, COVID-19, and even SARS-CoV-2 to successfully penetrate those PCs bridging traffic between the raw Internet and the corporate VPN, because it was cheaper to use a split-tunnel solution than to backhaul all the Internet traffic through the corporate networks – and also because it was seen as “nicer” than banning non-business related Internet usage for devices on the VPN. I know I’m getting into just one of the technical weedpatches of issues, there are others… and if firms could see their way towards working more for the long haul than the short-term gain, we’d likely have the right solutions instead of the cheapest and easiest, which are never the strongest.

If I Were an Attacker, I’d [REDACTED]!

I work for a security vendor and I see into many customer environments. Often, the thought pops in my head, “If I were an attacker, I’d really get them if I [REDACTED].” And if I don’t think I can get them with [REDACTED], then [REDACTED], [REDACTED], [REDACTED], and [REDACTED] round out my top five most common ways to break into an organization and have access to quite a lot that I shouldn’t have access to.

It’s not that these methods necessarily have something to do with the product I support. Some do, like [REDACTED], [REDACTED], and [REDACTED]. But [REDACTED] and [REDACTED]? Well, that’s some other vendor that helps out with those weaknesses.

Now, as you read those paragraphs, what thoughts do you have that fill in the blanks I left? Unless you’re someone that works in the same line of security that I do, I’d dare say your top five exploits list is different from mine, in part or in whole. What’s more is that we may even have some of the same customers, and we may, between all the people that work in security at that customer or on behalf of that customer, we may actually know dozens of things that fill in those tantalizing [REDACTED] blanks.

Now, I know that the customer might want to know all the details of everything I notice, but I’m often noticing things that are out of the hands of the people I’m directly working with. They can only report up to their manager, and that communication only goes so far before it drops in urgency and loses its audience. Or, worse, it’s just added to the list of security things to fix, right behind [REDACTED], which got noticed last week in an audit finding.

So, let’s ask the question: what are the things that are the hardest to fix that leave organizations the most vulnerable? There are a number of “10 Quick Security Fixes” articles out there. Everyone knows how to pick low-hanging fruit. What I want to ask about are the projects that nobody wants, the projects that get people fired, the projects that land everyone in the [EXPLETIVE DELETED]. Because these are the ones that don’t get done, get done but badly, or get done only to such a point as a box on a checklist can be ticked, and then no more. For example, nearly everywhere I’ve been to has firewalls set up. That’s good. But when we talk about turning the firewall concept inside, to regulate traffic in a segmentation project, then I know I’m going to have an uphill fight in getting information about which apps use which ports.

Why will I have that uphill fight? Because I have to ask for netflow, that’s why. And then we need to talk to different teams about when they run their apps so that we’re sure to not block anything that runs only once per year. And then we have to deal with how Microsoft recommends that we leave open ALL. THE. PORTS. So that’s just one type of project that is practically a mission impossible.
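The netflow step in that segmentation project is mechanical once the data arrives, and the hard part is the once-a-year job nobody remembers. As an added example (not code from the original post), here is how I would reduce a flow export to candidate allow rules per source and service, marking any source seen only once in the sample as needing an owner to confirm it before the rule is enforced. The CSV layout, hosts, ports and the one-flow threshold are assumptions for the example; a real NetFlow collector would be queried for the same six fields.

```python
import csv
import io
from datetime import datetime
from typing import NamedTuple

# Constructed sample, not a real export: NetFlow-style records reduced to the fields
# a segmentation review needs. Hosts and ports are hypothetical.
SAMPLE_FLOWS = """\
first_seen,src,dst,proto,dport,bytes
2019-12-02T09:00:00Z,10.1.2.3,10.1.5.10,tcp,445,18203
2019-12-02T09:01:00Z,10.1.2.4,10.1.5.10,tcp,445,9120
2019-12-03T09:02:00Z,10.1.2.3,10.1.5.10,tcp,445,2210
2019-12-03T09:03:00Z,10.1.2.4,10.1.5.10,tcp,445,7700
2019-12-02T09:04:00Z,10.1.3.9,10.1.5.20,tcp,1433,61000
2019-12-04T09:05:00Z,10.1.3.9,10.1.5.20,tcp,1433,1000
2019-12-31T23:00:00Z,10.1.9.50,10.1.5.20,tcp,1433,900000
2019-12-02T09:06:00Z,10.1.2.3,10.1.5.30,udp,53,300
2019-12-02T09:07:00Z,10.1.2.3,10.1.5.30,udp,53,250
"""


class Rule(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    flows: int
    last_seen: datetime
    note: str  # empty, or the reason a human has to sign off before enforcement


def summarise_flows(text):
    """Group records by listening service (dst, proto, dport).

    Returns {(dst, proto, dport): {"sources": {src: {"flows": n, "last": datetime}},
    "bytes": n, "first": datetime, "last": datetime}}.
    """
    services = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["first_seen"], "%Y-%m-%dT%H:%M:%SZ")
        key = (row["dst"], row["proto"], int(row["dport"]))
        svc = services.setdefault(key, {"sources": {}, "bytes": 0, "first": ts, "last": ts})
        src = svc["sources"].setdefault(row["src"], {"flows": 0, "last": ts})
        src["flows"] += 1
        src["last"] = max(src["last"], ts)
        svc["bytes"] += int(row["bytes"])
        svc["first"] = min(svc["first"], ts)
        svc["last"] = max(svc["last"], ts)
    return services


def candidate_rules(services, rare_threshold=1):
    """One allow rule per (source -> service) pair present in the flow data.

    A source with at most `rare_threshold` flows to a service is marked for follow-up:
    it may be a job that runs only occasionally, and blocking it would only be noticed
    the next time it tries to run.
    """
    rules = []
    for (dst, proto, dport), svc in sorted(services.items()):
        for src, info in sorted(svc["sources"].items()):
            n = info["flows"]
            note = f"confirm with owner: seen {n} time(s) in sample" if n <= rare_threshold else ""
            rules.append(Rule(src, dst, proto, dport, n, info["last"], note))
    return rules


def render(rules):
    """Vendor-neutral text form of the rules, one line each, with the evidence behind it."""
    lines = []
    for r in rules:
        line = f"allow {r.proto} {r.src} -> {r.dst}:{r.dport}  # {r.flows} flows, last {r.last_seen:%Y-%m-%d}"
        if r.note:
            line += "  # " + r.note
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in render(candidate_rules(summarise_flows(SAMPLE_FLOWS))):
        print(line)
```

The flagged line is the point: a single large transfer to the database server late on 31 December from a host nobody else talks to is either a year-end batch job or a problem, and the netflow alone cannot say which. That is the conversation with the other teams that has to happen before the rule set is enforced, and the longer the flow sample covers, the shorter that list gets.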

What projects do you face that are nearly impossible, but fill in those [REDACTED] blanks?

Upside-Down Evolution and Security

I promise the dear reader that this will not be just a rant about how nobody takes security seriously or anything in that vein. Read on, and I’ll get to the actionable items. I just need to set some things up in order to give credence to my conclusions.

Some years ago, the Polish science fiction author Stanislaw Lem wrote an essay about weapons development titled “The Upside-Down Evolution”. In it, Lem called out several interesting trends: miniaturization, dehumanization, and deformalization. The key trend gave the essay its title: rather than developing smarter and smarter AI, the true breakthrough Lem foresaw was not in artificial intelligence, but in artificial instinct. Lem postulated that a weapon need not be coded to handle all types of situations. It only needed to be able to perform a certain range of tasks under certain conditions, nothing more.

Combined with miniaturization and dehumanization, limited weapons systems – artificial insects, in Lem’s parlance – also allowed for the deformalization of war. No more a matter of exchanged ultimatums and formal declarations, war in Lem’s future would be constant and acts of aggression difficult to attribute. Consider a swarm of artificial insects each carrying a fractional amount of fissile material that converge on a location to create a critical mass for a nuclear explosion. If all the artificial insects are destroyed in the explosion, who could say what actor or actors was behind the event? Could it be an attack by a foreign power or a false flag attack used to justify an attack on another foreign power? Or could it be done to frame a third party?

Once deformalized like that, warfare would be constant. Natural disasters could be no more than just that, or they could be the products of an attack by a hostile party. There would be no way to tell the difference.

While we are yet to see Lem’s artificial insects on a grand scale, we *do* see the next closest thing – cyberattacks.

Cyberattacks check all the boxes of the upside-down evolution. They are mere digital streams of signals – miniaturized. They are often products of algorithms – dehumanized. They are always out there, always attacking in the ways they are set up to attack – deformalized. And they only do that *one* set of operations that they have to do – artificial instinct.

Lem’s essay did not go into matters of defense except to say that the need for uniforms, marching, parade drills, and generals all went by the wayside. At best, those were worthless vestiges of another age. At worst, they hindered responses that had to be just as rapid and ruthless as the attacks. Lem only considered nation-states, but we now live in an age with a myriad of players having access to these attacks – and a myriad of defenders still trying to fight the last war.

Old-timers will remember Clifford Stoll’s epic, The Cuckoo’s Egg. The story is of a human tracking and trapping another human. At the time, the FBI was uninterested in the case, as no large sum of money was involved (less than $1) and no classified files were accessed by the attacker. While we may look back on that and shake our heads the way modern combat veterans would react to how various World War One generals dismissed the power of the machine-gun, that was the FBI still fighting the last war.

Well, Stoll went on to write in 1995 that the Internet was just a fad and would never catch on as a platform for commerce and information exchange. Yes, he still kicks himself over that article, but at least he’s aware of the irony and how outdated that thinking was. And though I talk of a mindset fighting the last war, that was the 1986 mindset. People today may have moved beyond that, but not much. Most are still expecting a Stoll-like boffin to do the investigative work to catch the baddies and bring them to justice. That’s because the events described in The Cuckoo’s Egg are those of a previous war.

To be perfectly honest, most firms aren’t even thinking about fighting a war. They’re not built to do so. At no point is there an MBA class on Sun Tzu’s Art of War that ever tells the students, “You know, this really isn’t allegorical when it comes to IT.” I know this because I have yet to work with a customer in the business world that doesn’t underline the principle that security won’t interrupt business as usual.

I’m sorry, but that’s quite the paradox, Mr. Customer. Do you want business as usual without security, or do you want to change how you do business in order to have security? Are you still forming soldiers into phalanxes of spearmen for operations on an open field of battle, or do you plan to tell them about the need to disperse and entrench so as to avoid being overwhelmed by large-area effect weapons? If still the masses of spearmen, I have a rude surprise waiting for them when the drone with a fuel-air explosive arrives on the scene…

… and even that analogy is out of date, as the actual attacks coming at us every day are not even needing drones in order to do their damage. Worse, because we put emphasis on doing business first, we’re only looking at security as a bolt-on. That means the underlying systems will always be more vulnerable than necessary.

So what keeps this article from being another mass of groanings about how things are? What are my fixes, my takeaways that businesses can put into place? All right, all right, I’m ready to get to my point.

You’ve got to apply upside-down evolution to your systems. Doing so will give them higher immunity and better resiliency against attacks. It will mean more interruptions to business, but of less total time than what would happen to your business if there was a successful denial of service attack against it. Moreover, the interruptions will be localized, not general.

Automate your responses to any breach of standards, and make those responses harsh. Do not exempt anything. I grant that the last sentence is more a starting negotiation position than a final state, but I stand by it, all the same. When the endpoint or server or application goes wrong, shut it down immediately and get it fixed just as fast. Then, when it comes back online, it is fresh and ready to defend itself.

And if your shutdown actually caught an attacker, so much the better. The swift action meant limited damage. Do you know how Taiwan had such a low infection rate in the recent pandemic? It shut down ALL travel to the island. Nations that made exceptions got hit hard. Taiwan made no exceptions, and that swiftness and harshness saved lives.

What is your return on investment? Your business stays open, allowing you to continue to get returns on all your other investments, that’s the ROI. The coming years will see attacks that are more miniaturized, more dehumanized, more deformalized, and more artificially instinctful. Trying to stay open 24/7 in that world will be like leading those spearmen in a charge against a tactical nuclear warhead. Automate, be strict, and accept small downtimes now instead of permanent downtimes later. Fight the current, upside-down evolution-born war, not the one where we trace a 1200 baud modem connection back to Bremen after months of investigation.

Five Smokescreens Bad Employees Use to Baffle YOU!

I’ve been back in IT for 7 years now, after over 10 years teaching high school. With 14 years of IT experience and 16 in teaching, I can tell you all something that you’re not going to like, but you need to hear it. A lot of people that learned how to lie their way through high school have figured out how to lie their way through a career, and they may very well be working for you, over you, or as a peer. I can spot them when I see them, but an untrained eye and ear is almost always baffled by the BS these people know how to put up to screen their incompetence.

I’ve seen some people with below-average skills muddle through in various areas of IT. As long as they can stay in their lane, they do well enough to justify getting paid to do their work and there doesn’t have to be much worry about damage that they can cause. But when the work moves to security, things get very complicated and multidisciplinary very quickly, and those people with below-average skills find themselves in a stressful situation.

When we put people into stressful situations where their knowledge and expertise play an important role in getting a successful outcome, we want people to be honest with us and to let us know when they need more help and guidance. Often, employers want to see their best employees get better. Frequently, we make mistakes that we have to learn from – but the learning is a good thing, and a positive in career development.

But what about people who don’t learn from their mistakes? What about people who aren’t honest about their shortcomings? They know they’re in over their heads and that they have to use survival strategies to keep from getting fired. What are their typical go-to behaviors that keep them employed, no matter what damage they may do?

1. Control Information Flows
This is a major survival strategy, one of the best. If all information passes through the employee, that employee can control what form it takes when it gets passed along. Did a vendor explain a complicated solution that they can’t understand? Tell the manager that the vendor has no clue what’s really going on. Does the manager want to speak directly to the vendor? Poison the well by saying things like “good luck, I can never reach the guy, and when I do, he just blows smoke…”

I’ve worked with people who somehow seemed to never get along with other teams, ever. They were impossible to work with, they didn’t know their jobs, they didn’t do their jobs, they were complete train wrecks. Could I talk directly to those other teams? Well, wouldn’t you know that when the people who never got along with those teams tried to send invites, they never got a response? Wow, what dumb luck, that. I guess these guys are tough to work with…

… except they’re not. Seriously, I’ve seen this before when kids never got notes back to their parents or the parents didn’t seem to care about the notes. So I called the parents directly to work things out. Suddenly, I’m talking to people who care and who had no clue how their kid was forging signatures on report cards for years. They think he’s got good grades because he’s also been forging the report cards! Truly, it’s amazing what modern color printers can do these days…

But, yeah, when I was told that the other teams were impossible to work with, I didn’t waste time arguing. I said that that was just unacceptable and got hold of a manager to let him know that we couldn’t get our project going without help from the other teams. When the manager set up meetings, it was like day after night. I found the other teams were a delight to work with and a fount of valuable information. And that the guy who threw them under a bus was himself unable to keep up with the discussions we were having, even on a basic level. Once the information flow control is broken, it’s much harder to stay incompetent.

2. Escalate Emotions
Not really bullying all the time, although bullying would fall into this category. Emotional escalation goes like this: you’re about to be shown up as a fraud by a line of discussion, so you start to make things personal. You get mad. You come out and demand to know if the other party in the discussion is casting aspersions on you. Are you being insulted? Are you being called an idiot? A liar?

Kids do this all the time, with the benefit of an often-sympathetic classroom audience. But this stuff works just as well in one-on-one situations.

Most people back away and never bring that up again, as it’s embarrassing. The next most common response is a corresponding escalation, verbal battle, and then having to apologize for having said things you later regret. Maybe the person who starts the escalation can get a response so toxic and nuclear that it’s the competent responder that gets let go and not the incompetent instigator.

If you back down, you lose power and respect in the relationship. If you escalate, you lose possibly your job. To win, you have to take a different path, the one teachers are taught to take: abide.

To abide means to follow the rules, but to remain unchanged, to endure. Remember that “follow the rules” means following the rules of the company, not this guy’s personal bending of the rules for his survival. Companies have rules on civil conduct. It’s very easy to say, “There’s no need to raise your voice. If I’m doing anything wrong, let’s take it up with HR/our manager/some other authority.” That usually prompts consolation, apologies, and other rapid de-escalations so that it does not go up the chain of authority to someone who might issue a reprimand for the escalation.

If you accept the de-escalation at face value, be prepared to be blindsided by this guy controlling the flow of information and getting you fired before you get him fired.

If this happens in a meeting that got recorded, get a recording of the meeting ASAP. If this happened in front of other people, get their witness statements ASAP and document your own recollection ASAP. If this was one-on-one, go to your HR/manager/some other authority ASAP before this guy gets to them and fires torpedoes into your career. When this guy raised his voice to you, he declared war. Machiavelli teaches us that war does not end until one or both parties are vanquished or no longer have the motive and capability to attack each other.

3. Odd Working Hours
Why is so-and-so late or not coming in today? Does so-and-so claim to have been in a very early or very late meeting with a team that nobody else has any real contact with? If that’s the case, it’s time to develop some contacts to see if the meeting actually exists and if so-and-so does anything useful in it.

If a teacher falls for excuses like this, the kids will never show up to class and will skate by because their sob stories earned them makeup work exemptions without penalties and other goodies like that. You have to do a little digging, if you want to be sure of things…

If the meeting actually exists, well, you may not have much to go on except to watch out for the other behaviors. If the meeting doesn’t exist or he isn’t really needed in the meeting, then you’ve got evidence this guy is faking things. Not only does the meeting mean he basically gets paid to take a nap during that time, it also means less total time in front of people who can call him out on inaccuracies. Double bonus, there.

Long lunch hours because of bad service? Having to leave early to avoid traffic? Coming in late because of traffic? Missing meetings when remote because of a home emergency? If these excuses come up once in a great while, then they’re either genuine… or the person making them just needed a 2-hour vacation and maybe you just let that slide. But if these happen frequently, it’s a strong sign that the person making the excuses has every intention of reducing interaction so as not to be fired for incompetence, and he knows that most people are sympathetic enough to let even a habitual behavior like this go on, if it’s wrapped up in a good enough story.

I once worked with a guy who didn’t show up for work for 2 days. The manager called and was devastated when he got the reason: the guy’s wife had just been diagnosed with cancer and he was overwhelmed by it all. He got a few free days off of work, not charged against his PTO, and we bought him and his wife a nice bouquet. Now, this guy never was one for punctuality in all the time he worked there, and his lunches always seemed to go long. But, he also bought lunch for guys on the team frequently, so it was “our little secret”.

Another set of missed days came up and the manager called again. Again, he was devastated by the reason, as it was the same one from a few months ago: his wife had just gotten diagnosed with cancer. This time, the manager’s devastation was in realizing that he had been played for a fool. A quick call later to the wife revealed that she did not, in fact, have cancer. Nor had she ever had cancer. She had, however, kicked the husband out of the house because he was always turning up drunk after these multi-day benders and she’d had enough of that garbage.

It shouldn’t have taken that second time through the excuse to notice that the excuses weren’t real, and that there’s a difference between letting something slide every now and then and letting those things slide all the time.

4. Look! A Distraction!
So here’s the scene… we’re having a technical discussion or we’re in a working session… and this person starts with the small talk. Before long, nobody’s working on anything technical and we’re instead considering the truly weighty matters of the world that everyone has an opinion on but nobody can prove.

I knew when students were drawing me out to tell stories. To be honest, if we had the time, I’d tell the story. But I always held everyone accountable for their work, on schedule. It’s pretty much the same in business.

During lunch or dinner or in the elevator, this stuff is fine. If we’re all chatting in the five minutes before the main call starts, no problem. It’s team building or something like that. Building camaraderie or whatever. But if we’re on the clock, time is money, and we’re being paid to do the work we said we’d do.

Now, it’s one thing to have a discussion of sports, issues, the paranormal, and like topics as we wait for a power cycle or other time-consuming operation to complete. We may have already done all our email for the day, it’s 2AM on an overnight change cycle, and we know the patch takes 2 hours to download and apply. We are going to talk about non-work related stuff and that’s fine.

But when we’re in the middle of the business day and are doing non-trivial tasks, these distractions are attempts to steer things away from where they’re vulnerable – technical topics – and to areas where you are vulnerable. After all, if you spend time chattering away on the company dime, aren’t you as guilty as the distractor? Or maybe even more so, if he can claim he was only making small talk, but you’re the one who derailed the work session…

5. Activate the Blame-thrower!
I’ve played enough FPS video games to know that the guy with the flamethrower is pretty much going to get us all killed. Either his fuel tank gets shot and explodes or, more likely, he opens fire from a position of cover (so as to avoid the fuel tank being shot) and then kills all the team members in front of him. A blame-thrower works on the same principle, but with the lethality transferred to the career rather than the person’s life.

I’ve also had plenty of students that, when brought before the principal, start to spew the wildest stories about one and all. That’s why I know how to deal with this behavior.

When something goes wrong, an honest person admits where one contributed to the failure. A dishonest person plays up the confessions of others and makes none of their own. If directly confronted, they will let the blame fly out towards everyone. If it’s groundless, the accusers will have spent time proving it so. If there’s a shred of truth, no matter how small, then, “See! I told you so! It’s not my fault!”

In teaching, the response had to be direct: “This is not about others. This is about what you did.” The same thing applies here. Don’t allow the person to use questions that start with “What about…?” in their defense. Don’t allow speculations or random accusations, either. Chances are that this guy’s got a personal file on everyone he works with, all stored in his mind, and when he’s pressured, he knows how to dangle details that put others in a bad light. The hope being that the questions coming at him stop because of other concerns or because the questioner fears that the next set of details will be personally directed. If someone says to a dishonest person using the blame-thrower tactic, “Let’s keep this all between just us”, the blame-thrower wins.

If you’re the victim of a blame-thrower, you have to fight fire with fire, I’m afraid. But your fight doesn’t start all at once. The ground must be prepared. When I was a teacher, I spoke with a principal about potential serious discipline issues as they manifested themselves to me. I spoke with other teachers and department chairs. When the eruption happened, nobody was surprised.

For your defense, as soon as you have a suspicion, talk about it with your manager. That way, when you have to defend yourself, it’s not a surprise to your manager. Your manager will have a situation in which an incompetent employee is wrongfully accusing a competent employee who has previously been concerned about said incompetence. The decision in that situation is much easier to make than one in which the accusations of incompetence suddenly emerge. Do you want your manager to respond to your defense with a question: “Why didn’t you tell me this sooner?” If not, tell your manager sooner.

Hopefully, the above descriptions set off some thoughts in your head about times you were dealing with someone covering up their own incompetence, and help give you some tools for dealing with that so that you protect yourself and your career from the pitfalls these behaviors create.

Five Ways to Improve Your IT Staff – And Security

The USA unemployment news today is twice as grim as it was last week: 6.6 million more unemployed, bringing unemployment to 9.9% in just two weeks. More hard numbers are coming, and that means all businesses need to revisit their HR standards.

Do NOT Mind the Gap: Jobs have been lost through no fault of the employees, or even the firms they’ve worked for. When you see that the last job worked ended around the time the pandemic hit hard, don’t ask about it. Don’t worry about it, either.

This means also making sure the algorithms used to find resumes are tuned to not look for employment gaps. If you ask me, the best algorithms are real people looking at real applications and making reasonable decisions to arrange interviews based on common sense. When algorithms sort through resumes, they have blinders on. They can’t see what certifications are equivalent to the ones they’re told to look for. They don’t know what lines of work are very close to the experience desired. Humans can figure out that stuff. And if you think I’m encouraging the use of people and the discontinuation of automated job boards, you’re absolutely right. If you’ve got jobs that have gone unfilled for months with automated resume screeners, it’s time to go back to the humans again.

Keep Your Friends Close, and Keep Your IT Closer: When we have staff that’s worked somewhere for years, they know things that only people who worked there for years would know. No outsourcer can match that. If you treat those IT workers with respect and consideration, you’ll keep that knowledge and expertise in your firm. That’s not just good for productivity, it’s good for security. They will know where the holes are and which ones are most important to patch up and repair. If they have a long-term stake in your firm, they’ll be ready to point out what needs work, and they won’t try to charge you extra for items not on the SoW.

Contractors CAN Become FTEs: If you have a rule against hiring contractors for full-time positions, written or unwritten, get rid of that rule. With the massive layoffs, lots of IT people may have to pick up a contract here or there to make ends meet while they search for their next FTE role. Lots of contractors have been trapped by senseless no-contractor rules that would be excellent assets as FTEs in your firm. And those excellent assets are going to be on top of things which brings us back to security. It’s much better to have a security role filled by a former contractor than to have that role unfilled because of a, frankly, nonsense rule.

No Experience Means NEW Experience: If someone has a general IT background and is interested in a security role, don’t shy away. If you’re about to take on a new project with a new technology, that candidate knows as much about the new technology as everyone else in your firm: that is to say, nothing. They’re going to learn just like everyone else would, so why not let that person start there? That person with no security experience is a good choice for getting some new experience.

Training Is Compensation, Not an Expense: IT pros *want* training. When your firm cuts the training budget, that’s like cutting their salaries. When your firm promises one course per year, that’s a great thing. But if a person asks for a week off to take the course and gets told to maybe consider doing online learning on their own time, that’s a beatdown. I know we have to consider remote learning options during the pandemic, but a live teacher is so much better for interaction than a recorded training film. Keep them in vendor courses and general courses – and there’s lots of security training out there – and you’ll keep your IT pros not only happy where they are, but eagerly soliciting their contacts to apply for openings at your firm when they open up.

The world is changing around us. Make sure your employee hiring and retention policies change with the world.

Good Morning America How Are You?

The city of New Orleans just got attacked and that made me think of the song about a train by the same name, whose chorus opens with that line… but this time, the question lacks the soft charm and slow nostalgia of Steve Goodman’s folk song. This time, the question is cold, jarring, unnerving. It’s not the first major US city to be attacked and made to be dark and it won’t be the last. The cities and other local governments of the USA simply aren’t going to be able to deal with cyberattacks on their own, so they’re going to be target-rich environments for state actors and the criminals they hire to detonate hand grenades to cover their tracks… or just the criminals who blow things up, you never can tell.

We can tell the cities and counties and states of the USA all we want about security and be met with the tired, nodding heads and empty eyes of IT staff that tried to tell the same message to their higher-ups. They know. They’re not idiots. They’re just faced with small budgets and political imperatives to get stuff done, no matter what. They know that when their town / county / state experiences a major breach, it will lead to the first time that entity seriously considered spending time and money on security measures. It will lead to the first time IT is allowed to do what it knows needs to be done, even if it’s done on top of the rubble and ruin of the past.

Do they have a perimeter firewall? Sure, but there was the time somebody high up got mad about traffic being blocked, so it’s set to permit all traffic by default. Do they have a datacenter firewall? Yes, indeed, right here in this box in the storeroom. It is fresh and ready to go. Do they have antivirus running on every PC? Absolutely. Well, we can only tell for sure on PCs that have antivirus running on them… we don’t know about the ones that have fallen out of communication with our software maintenance platforms.
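The antivirus answer above is the one that matters most in an audit: a console can only vouch for the machines still talking to it. As an added example (not code from this blog or from any AV vendor), here is the reconciliation a defender would run between the asset inventory and the AV console’s last-check-in export. The hostnames, timestamps and the seven-day silence threshold are constructed for illustration; the three buckets it reports are the ones an auditor will ask about: assets that never reported, assets that stopped reporting, and agents reporting from machines the inventory has never heard of.

```python
from datetime import datetime, timedelta

# Constructed sample data: what the asset inventory says exists ...
INVENTORY = ["PC-001", "PC-002", "PC-003", "PC-004", "SRV-PAYROLL"]

# ... and the AV console's export of last check-in time per agent (ISO 8601).
# Note PC-004 and SRV-PAYROLL are absent, and LAPTOP-TMP is not in inventory.
AV_CHECKINS = {
    "PC-001": "2019-12-13T08:00:00",
    "PC-002": "2019-11-01T09:30:00",
    "PC-003": "2019-12-12T22:15:00",
    "LAPTOP-TMP": "2019-12-13T12:00:00",
}

# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2019, 12, 14, 0, 0, 0)


def av_coverage_report(inventory, checkins, now, max_silence=timedelta(days=7)):
    """Reconcile inventory against AV check-ins.

    Returns a dict with three lists:
      never_reported   - inventory hosts with no AV check-in at all
      stale            - (host, days_silent) for agents quiet longer than max_silence
      not_in_inventory - agents reporting from hosts the inventory does not know
    Only hosts with a recent check-in can honestly be reported as "protected".
    """
    inventory_set = set(inventory)

    never_reported = sorted(h for h in inventory_set if h not in checkins)

    stale = []
    for host, ts in checkins.items():
        last_seen = datetime.fromisoformat(ts)
        silence = now - last_seen
        if silence > max_silence:
            stale.append((host, silence.days))
    stale.sort()

    not_in_inventory = sorted(h for h in checkins if h not in inventory_set)

    return {
        "never_reported": never_reported,
        "stale": stale,
        "not_in_inventory": not_in_inventory,
    }


def covered_hosts(inventory, checkins, now, max_silence=timedelta(days=7)):
    """The only hosts an auditor should be shown as 'AV installed and running'."""
    report = av_coverage_report(inventory, checkins, now, max_silence)
    excluded = set(report["never_reported"]) | {h for h, _ in report["stale"]}
    return sorted(h for h in inventory if h not in excluded)


if __name__ == "__main__":
    report = av_coverage_report(INVENTORY, AV_CHECKINS, NOW)
    for bucket, hosts in report.items():
        print(f"{bucket}: {hosts}")
    print("covered:", covered_hosts(INVENTORY, AV_CHECKINS, NOW))
```

The point of the third bucket is that a console showing a healthy agent count can still be wrong in both directions: it under-counts hosts that dropped off, and it over-counts hosts that should not be on the network at all. Run against real exports, the stale list is also a cheap early indicator that something on the endpoint stopped the agent.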

Need I continue? Some of you are already at the point where you can bear the horror no more, but I must press on! You must see more, that you know the depths of their helplessness! Do you see the unsecured Internet line in that office, terminating on a Windows server with RDP running, no limit on logon attempts? Do you see the flat network, with telnet still running on switches and routers? Do you see massive file shares with no permissions set to halt normal users from deleting or changing files? Do you see the backup server that constantly fails its nightly backups, with the backup operator simply clicking through the errors on his shift because he was told long ago to just ignore them? Do you see the gear that all responds to the SNMP community “public”?

And there is more horror in there, I say. I didn’t even get to the Windows NT 4.0 server that’s still on the network. Why? Well, the payroll application couldn’t upgrade to run on Windows 2000, so we keep it going on that server over there… and there is yet more, deeper and deeper into hell.

Who knows what static routes lurk deep within the network, routes that bypass the firewall entirely for special IP addresses in faraway lands where the US lacks extradition rights? And are there programs on unsuspected and unsuspecting systems that are just counting down the days until the dust settles, things revert to normal, and the problems of the past make themselves available for mayhem once again? Clean up all you want, but what do you do if that payroll server on NT 4.0 is infected? The only person who can rebuild that system died 3 years ago. If it’s infected, maybe we can just put it behind a firewall and only open the ports needed for Windows and Active Directory. Oh wait, that’s all of them…

So what is the solution? Is this where the federal government steps in and supplements the IT budgets of local government entities? Or would that lead only to swollen management salaries with pittances spent on actual new technical hires? Is this where the feds create a system of firewalls to filter all traffic entering and leaving the nation, such as the Chinese do?

Actually, that might be what we need. It wouldn’t do anything for completely domestic attacks, but it could do at least something to halt attacks from outside the USA, right?

Except… how do we know the difference between legitimate traffic from abroad and traffic with malicious intent? Encryption doesn’t allow one to peek into the packets very easily. Banning known bad source IP addresses just leads to attackers compromising systems with other IP addresses and then launching attacks from there.

But maybe the protection is on the outbound side, with a massive proxy server cutting communications with scam sites and other evil online in other countries. But for how long would the proxy server be protecting us only from malware and fraud? Wouldn’t law enforcement argue that we need to be protected from terrorist propaganda? How broad is that classification? Wouldn’t entertainment firms want to protect us from download sites? Would they also want to “protect” us from foreign entertainment outlets that didn’t allow them to act as middlemen brokers for their content? Would we also be “protected” from foreign news sources that didn’t go along with the administration’s views? Blocking Russian state news propaganda I wouldn’t mind, but I sure would mind if a CBC or BBC investigative journalism programme that was critical of a US firm or governmental policy was blocked.

I hate to suggest this, as it’s highly exploitative, but we could allow recent grads to learn IT and then work for pathetic, near-volunteer wages for local government entities in order to pay off their student debts. I hesitate to introduce a scheme to offer pardons for nonviolent offenders that do pro bono IT work, since fraud and cyberattacks are, themselves, nonviolent crimes…

The City of New Orleans owns Louis Armstrong International Airport. Did this recent attack penetrate into the airport? Or was the firewall that is supposed to sequester it also permitting all traffic because there’s a full trust between its AD domain and the City’s? Or for some other reason, I don’t care. It’s all a nightmare, and when I wake up, there’s some shadow moving across my screen, saying, “g00d m0rn1ng 4m3r1c4, h0w r u?”

I don’t know how to answer that question. I normally don’t want to curse the darkness without lighting a candle, but I’m at a loss for answers to all the questions I asked. Cyberattacks can produce near-nuclear results, if done on a sufficient scale and with intent to destroy, not just encrypt and demand ransom. Perhaps lasers and hypersonic missiles can defend the USA from sudden attacks launched from bombers, ICBM silos, or nuclear submarines. What good are those against cyberattacks that target our highly vulnerable small government entities?