What I Know: It's About Experience

29 Mar 2010

Pwn2Own 2010 News

Pwn2Own is the brainchild of Dragos Ruiu, the founder and director of the CanSecWest security conference. This is an annual conference held in Vancouver, Canada (usually late March). If you have never been to it I highly recommend the event. This is probably the most technically advanced conference worldwide, even more so than events like Blackhat or Hack In The Box. It tends to be smaller, about 200 people. Pwn2Own is an event where conference attendees are challenged to hack a fully patched device. The first contest began in 2007 with just a Macbook laptop, but has grown to include items such as a Windows laptop and iPhone. What makes this contest different than other hacking events is the caliber of contestants. You literally have some of the best exploit developers in the world. They are motivated with a total of $100,000, but in addition gain tremendous bragging rights. Many of the contestants said it took them 1-2 weeks to develop the exploits; in some cases two people worked together. That averages 80-160 man hours to create an exploit. This year at the contest the following fully patched systems were successfully hacked:

  Firefox on 64-bit Windows 7
  Internet Explorer 8 on 64-bit Windows 7
  Safari on Mac OS X
  iPhone

So, what does that mean to us? In general, three things.
  1. Developing a new exploit takes a lot of work, however with enough time and talent anything can be hacked, even something fully patched.
  2. In general, most criminals are simply too lazy or do not have the skills to develop such advanced exploits.  But then again, they don't have to.  The simple, well known exploits and vulnerabilities are working just fine.
  3. The only organizations that would have to worry about such attacks are high-value targets. If you believe you are such a target, and that threats may target specifically you, contests like this demonstrate that no matter how much prevention you implement it can be bypassed. Detection and incident response are just as important as prevention. 
via HoneyTech Security Update
22 Sep 2009

The Burden of Planning

Hi and سلام to All

Or rather, why should there be a Planning Phase in the project plan?

From all the staff at whatiknow.net, a great Eid Mubarak to all our Islamic readers and greetings to all others.

I have been asked to blog about the requirement for planning in IT, that is: what is planning? What does it do? And why should I do it? The reason for this topic is extremely funny (to me, that is) but not to my fearless project manager friend who eats, breathes and sleeps according to PMBOK. Yes, I would like to call him 'grasshopper'. His story goes along the lines of (from the horse's mouth, so to speak):

I am engaged at a client who wanted some documentation done, simple stuff. Operational processes and procedures, you know what I mean? How difficult is it to run a project for and to deliver documentation?

At this stage, I nearly choked on the sip of tea I had taken. Ha, a project that has the deliverable 'documentation' hidden somewhere in its Charter and Scope is more of a nightmare than, say, meeting your bank manager in the unemployment queue. So, how is documentation related to planning? Well, put it this way, remember the carpenter's/dressmaker's saying, 'Measure twice, cut once'?

Planning allows you to do this. Measure what is expected and plan the delivery.

Now, the client has a Quality Management System (QMS) in place (ISO 9002) which stipulates certain requirements for documentation: how it is created, stored, distributed and communicated. Yes, the company actually has a 'template' for an operational process and procedure that was signed off by the QMS board. So? What's the problem? Nothing if you are the client; aches and pains if you are my friend!

My friend then went on to tell me that his company had been given the work to "Compile, Approve and Implement" the processes and procedures and, you guessed it, the sales person did not even ask the subject matter expert for expected time frames. After all, you can write a process in, say, 3 days; 10 processes equals 30 days, less 5 as you will not have to do all of them from scratch. So, total man-days is 25 (including discount). And the deliverables? Draft, Approve and Implement 10 business processes and procedures (process and procedure seen as 1 document).

Simple? Yes. Understandable? Yes. Doable? Yes!

The question is, will it meet the client's expectations? No. Why? The client's QMS requires all documents to be reviewed by relevant internal parties and to follow a change management process. One of the requirements of the change management process is the 'Reason to create and/or modify the document', and this is where the tremors started, went to 9.5 on the Richter Scale and ended up with a tsunami, with the different departments at the client getting along like a house on fire. No survivors!

Let's see, my friend has been there for 4 months now, he is running the project at a loss and his company cannot withdraw due to contractual obligations. I estimate that they will be at the client for another 3 months.

So, what would planning have told us?

  1. That there was a QMS in place and what was required.
  2. The process to follow to create, modify or delete a document.
  3. Certain default document requirements as in, Who, What, Where, When, Why and How?
  4. Identified all relevant parties and departments.
  5. Confirmed the template.
  6. Confirmed the content.
  7. Confirmed the 'Implementation' process.
  8. Confirmed that the client did all processes and procedures following Business Process Management principles.
  9. Allowed my friend to motivate why 3 days per document was not sufficient and to request a 'Change of Scope'. That is, to manage the project by Scope Change.

So, what would the planning phase have included?

  1. Meet with the client's Subject Matter Expert, NOT the salesperson.
  2. Identify documents to be delivered with the client (their buy-in and agreement).
  3. Understand client's methodology and requirements (QMS and DMS).
  4. Agree on the content of the documents (what has to be in, their buy-in and agreement).
  5. Roles and Responsibilities (you cannot have the QMS board meet to agree on a document).
  6. Get the client to understand why the project is bigger than what was specified.
  7. Identify key role players.
  8. Schedule the meetings in advance.
  9. Agree on the deliverable template (Word, Excel, Visio, Open Office etc).
  10. Know the dynamics of the client's site. Who sits higher in the tree and who may prevent you from getting paid.

Taking this into account, what do you charge the client? I believe that all work done at a client for the client is chargeable, maybe at a lesser rate as no intellectual property should be required. Should it be free? No, as the client may see this as a business process management exercise and delay the start of the project, resulting in a delay to your payment.

What are your thoughts? Next up: planning for technology rollout.

2 Sep 2009

Is there ethics in business?

Hi and سلام to All

To all Islamic readers, Happy Ramadan!

Thanks to all who have asked me to post on other subjects and have enjoyed the posts.

I have a question for the people out there: what is the difference between Ethics and Morals? Look further down for the answer. :-D

This subject is something close to my heart as I have two different opinions on the subject.

If you look at the economic climate today and the number of people who have been retrenched, you could say that there is not. Why do I say this? Easy: it was caused by the hunt for more money and higher profits, which would result in more money in the person's pockets. So, the rich got richer, the poor became poorer and the middle income lost a lot.

On the other hand, there are companies that have a social responsibility programme, such as Vodafone, which made the decision not to install cellular masts in certain areas and is in the process of deciding whether it will remove all masts from major motorways to prevent people from talking and driving at the same time. Or the case of BHP Billiton, which chose to close a very profitable mine as there was a chance of loss of life.

When I talk to people about ethics, I have always told them that, in my opinion, when you live at home you get and learn your ethics and morals from your parents; when you reach your teens, you get them from your friends and from your parents. However, when you leave home and go to work, this changes. You, if you choose to, now get your business ethics from your management. Why? To further your career.

Taking all of this into account and from experience, the ethics of a business is determined by the appetite for risk that management has. If management is willing to discuss and act on the requirement for Risk Management and Corporate Governance, you will find that the company has a high level of ethics. However, if management is not bothered, you will find that the company has low or no ethics. You can also see it in the way that the company deals with its staff: do they treat them well or are they just paid slaves? Does the company put social responsibilities before profits or put profits before anything else?

This brings up the question of how you improve profits. Many financial people will give you a formula on what it is and how it is made, but most seem to miss out on the 'Human' factor. To increase profits, you must lower your costs or improve the efficiency of your work force. One way of lowering your costs is to automate the processes or to simply retrench some employees and get the remaining staff to work harder. This is what I call the cost of service; service in this instance could be a physical object, a call centre or customer support. When a company starts losing profits, what is their first reaction? Yes, you have it! Retrench, Retrench, Retrench. Look at what the major banks have done: they caused the current financial problem and their first action was to retrench. They do NOT retrench management; they did retrench the normal employee. On the other hand, some companies, when faced with a loss of profits, have chosen to keep the staff and cut the salary and perks of management, as management should have seen it coming over the horizon.

The European Union and especially the French have started to look at limiting the salary and perks of senior management. Why? They identified the fact that a company loses its ethics when management have the opportunity to increase their salary and perks. I hear the UK is about to do the same. Will it work? I believe so! Do you?

In summary, I believe that there is ethics in business but that it is shown in few companies, as the majority of companies are after the profits and the ability of management to improve their salary and perks. The companies that want profits but are willing to limit their expectations based on their social responsibilities prove that there is ethics but, unfortunately, these are few and far between.

Will governments be able to regulate and enforce social responsibility in companies? Only time will tell. I will not hold my breath and neither should you.

An ethical person is like a married man who knows he should not cheat on his wife. A moral man will not. I got it from NCIS which is a great show. Do you agree with the statement?

Cheers and Wa Alaikum As-Salam until next time,

Enjoy the rest of the week and may you and yours travel safely.

Filed under: Awareness, General

17 Aug 2009

Examples of Ethics as an Employee

Hi and سلام to All

In this post, the male 'him/he' is used for easy reading and can be replaced by 'her/she' depending on who is reading the post. For the ladies out there, I make a profuse apology.

I have been asked by a reader to give examples of situations I have been in that have or may have impacted upon my ethics.

I must comment here that not all of you will have experienced all of them, but I am sure you have experienced at least one.

The first example goes back to my time in the military where I was a corporal; I was in charge of a platoon and was responsible for their health and well-being as well as their discipline. During an inspection by the commanding officer, he noted that one toilet bowl was a bit 'grey'. I checked it and the bowl was stained but not dirty, so the toilet bowl would never be 'white'. I informed him about this, which our Lieutenant took exception to. After the inspection was over, the commanding officer said that it was good and to continue. The Lieutenant, on the other hand, must have thought it had cost him his name: 'good' versus 'excellent'. He told me to punish the platoon by taking them for a forced march (20 km) and to drill them for at least 2 hours after the march. I disagreed with him and told him so; I even refused to do it and ended up in front of the commanding officer who stated: 'Ferreiro, you are a non-commissioned officer who will take orders from officers and carry them out EVEN if you do not agree with them.' I again refused to do it and asked for a transfer to another unit (32 Battalion), which was approved. I left the unit 3 days later. I actually saw the Lieutenant a few years later, to his surprise, when I was a sergeant. He lost this time as we were working with mature soldiers aged 25 and up, whom you treat differently to soldiers who are 16 to 18 years old. He tried the same stunt, telling his platoon sergeant to punish the platoon; again the sergeant refused and took it to the Regimental Sergeant Major, who agreed with him. The end result is that the officer ended up doing a lot of extra duties to teach him about leadership. I do not believe to this day that he learned.

The second example skips a few years ahead to when I worked for a supplier. I was responsible for a security tool called ESM from Axent Technologies (who were later bought by Symantec). We were tasked by the client to perform a comparison test between 3 products which measured baseline security compliance to a standard, these being Axent, Computer Associates and Digital. In the review, following a testing methodology, it was found that the CA product was not up to scratch and might meet 30% of the client's requirement. The Axent and Digital products were very much the same, mainly due to them both being created by Raxco, which developed tools for VAX VMS. Both products would meet at least 90% of the client's requirement. The sales person who was responsible for the account told me to bias the report to show that the Axent product was better. In doing so, he could make the sale. I disagreed and he went to the MD, who also told me to do it. Again I refused and told them I would give them the report and that they could change it to suit their requirements. Needless to say, the client had actually expected me to bias the report and, when they received the report, were pleasantly surprised that it was not. The MD had chosen not to change the report as his name would have had to be put on it. We got the sale as the opposition were tasked to do the same investigation and they biased their reports. We received other work from the client and the company made money. I resigned from the company and cited the experience as one of the reasons. The MD promised me that it would not occur again, but once bitten, twice shy.

The third example skips a few years ahead to when I was a manager at a big company. The company made a great deal of money, so I thought they would have a greater sense of responsibility for compliance. In this instance, I found that some people are motivated only by money and not by what is 'right'. 'Right' in this sense being the fact that you do not contravene laws such as Intellectual Property and Copyright, or report back to management about instances that cannot be proved. In this case, I was told not to answer a vendor's request for licensing information on their product. Along the same lines, I was told not to tell management about a report that I compiled showing the serious lack of licence management and the associated cost to ensure licence compliance. I was also told by management that I was to do an investigation into an employee to prove that they had done 'something' wrong. After doing all the checks and verifying the balances, it actually identified that the manager's 'friend' had planted the evidence against the employee. When I reported this with facts and figures, the manager told me that I must have been wrong and that his 'friend' would not do anything of the sort, even though the evidence showed differently. I was moved to another division, so had nothing else to do with the manager again other than to audit his operations and raise comments and associated risks. I have since left the company after understanding that even in a large company 'ethics' is based on how much money ends up in your back pocket. I have since heard that the company is under investigation by the Business Software Alliance (BSA) and that they face litigation, both civil and criminal.

The last comes from a project that I was involved in where the client was informed that the contractors knew what they required and to accept the deliverables. When prompted by the lead consultant and myself about best practices and frameworks such as 27001, eTOM, COBIT and TOGAF, we were told to keep quiet and do the work which we were tasked to deliver. When asked to design a solution which, following all good practice, requires the client's input, we were told to 'just deliver' and not to trust the client. Again, this is against all principles of client engagement for each of the multi-nationals involved in the project, with perhaps one not even having any. The lead consultant was removed from the project for, I quote, 'bringing the consortium into disrepute'. In a later meeting, I was informed that the solution must meet the client's requirement of a 360 degree Information Security view. When I prompted the consortium about what was required to deliver this, I was told by the multi-national that this could be discussed and that they would 'HACK' their product to deliver a 360 degree view even though it was not able to do it. I have since left the project.

There are many other examples that I could use, but I believe these highlight what I have been saying in my posts.

Cheers and Wa Alaikum As-Salam until next time,

Enjoy the rest of the week and may you and yours travel safely.

Filed under: Awareness, General, News

27 Jun 2009

Software Protects You From ‘Shoulder Surfers’

Someone has developed software that allows only an authorized person to see what is on the screen; everyone else just sees gibberish. Sounds interesting, I'd like to see it in action though.

Chameleon uses gaze-tracking software and camera equipment to track an authorized reader's eyes to show only that one person the correct text. After a 15-second calibration period where the software essentially "learns" the viewer's gaze patterns, anyone looking over that user's shoulder just sees dummy text that randomly and constantly changes.

Source: HardOCP

24 May 2009

I'm back, and some pointers on what I would like to write about (amongst others)

Hi all (سلام),

I have been out of the Kingdom for 6 months now and let me tell you, I miss it.

Well, I have not been idle and have learnt a few things about the people of my home country, South Africa, some of them good, some of them bad. Unfortunately, the bad seems to outnumber the good.

Since I have been back in South Africa, I have engaged with many people and have been involved in 2 projects, both of them worth a lot of money for the supplier and a major cost to the client. After spending 20 months in the Kingdom, some of the experiences are the same for both; others are particular to South Africa or to the Kingdom individually. Let's see if the readers can tell which fits where.

I will be writing about the following subjects across the next few weeks, at least twice a week, and hopefully get comments from the readers in either Arabic (which I believe Fahad will translate) or English. Each discussion will give each party's viewpoint: client, supplier and/or consultant.

  1. The primary function of a client,
  2. The primary function of a supplier,
  3. The primary function of a consultant,
  4. The differences between client and supplier,
  5. The differences between supplier and consultant,
  6. The differences between client and consultant,
  7. Ethics as a consultant,
  8. Ethics as an employee and
  9. Is there ethics in business.

By the way, if you want to chat to me outside of this blog, send me a mail message at gavin.ferreiro@gmail.com or, speak to my good friend Fahad who will be a father soon. Remember, I am 1 hour behind or at GMT +2.

Wa Alaikum As-Salam until Tuesday,

Gavin

Filed under: Awareness

8 Nov 2008

Documentation and Auditors

I was involved in a discussion with a few close friends and colleagues of mine last week where the subject of 'documentation' came up. Just to give you an indication of what business disciplines were around the table: 1 x lawyer, 3 x IT gurus, 2 x project managers (IT and Civil), 1 x business analyst, 1 x business process consultant (BPC) and myself (GRC). The subject came up due to 2 IT guys being hammered by an external audit performed on their division. The phrase was 'Auditors, what do they know? It is not a perfect world!'

To my surprise, everyone agreed except for myself and the lawyer. When we asked for more information, which they saw as 'the Spanish Inquisition', it turned out that the auditors had requested documentation. Needless to say, there was 'some', not 'much', but 'some'. When pressed for the meaning of 'not much', it turned out that the documentation was a Visio diagram. You have it, a 'picture'. When asked what the picture showed, it came out that there were pictures showing how the systems were placed or located on the network, including all network devices. When asked 'Do you know what the systems do? Does your subordinate? Does your manager?' the answer was "yes, should hope so, will ask if they don't know".

From an auditing perspective this is foolish. Why? Simply put, documentation saves you from all types of unpleasant experiences in life. Let's take two examples:

  1. You have a contractual problem with a person; you go to a shark, oops, lawyer. What does he ask for first (other than money)? Yep, you got it: paperwork, proof so to say.
  2. You need a loan; you go to the bank. What do they ask for? Yep, your salary advice slip and your monthly expenses (unless they are loan sharks, then they ask you if you have insurance just in case you default).

Simply put, no documentation results in nothing.

Back to auditing. Simply put, if it is not written down it does not exist! Auditors work with proof, evidence or, better still, 'show me the money', and yes, while a picture is worth a thousand words it does not show 'Who, What, Where, When, Why and How'.

So, when thinking about documentation, think about what you will need to prove you did your job!

8 Nov 2008

The concept of Accountability

A cornerstone of Risk Management in an enterprise is 'Accountability'. Maybe you have heard the term spread around like butter on a slice of bread. What does it mean? Well, depending on who you talk to, it means different things to different people, similar to 'different strokes for different folks'. In my experience the understanding depends on how high you are in the food chain. Yep, it all comes down to where you are on the corporate ladder. As a system administrator, your manager holds you 'accountable' for the availability of the system you are 'responsible' for. His/her manager holds him/her 'accountable' for your performance, and so on up the food chain.

This is where it gets interesting: how is it possible to be 'accountable' if you are only 'responsible' for the system? What about 'Ownership' and 'Authority'? Surely these two play a major role in the 'Accountability' framework. Yes they do; how can you be accountable for availability if you do not have the 'authority' to purchase new hardware or the 'ownership/authority' to tell people what they may or may not do on the system? Again, my experience has taught me that while management expects 'accountability' they are hesitant to give 'ownership' and 'authority' due to potential 'political' repercussions, one of them being financial.

Another matter is the expectation that a document, whether it be a Policy, Process, Procedure, Control or Standard, enforces 'accountability'; this is again up for debate. A legal policy does, provided there are certain controls in place to ensure, or at least measure, awareness and conformance. However, I have found that a policy that governs the administration of a system does not deliver 'accountability', as there are too many reasons why something was not done unless it is written in a Standard. The standard is, however, based on the 'business' requirements accepted by management.

In a nutshell, 'ACCOUNTABILITY' can only be enforced if there is associated documented proof of 'OWNERSHIP', 'RESPONSIBILITY' and 'AUTHORITY'. In other words, the explicit, not the implicit, ownership and authority usually found in job descriptions.

27 Oct 2008

Business requirements versus Technology

This is my major bugbear with IT staff, especially those in security and administration. When you sit around a table talking to IT people, their eyes shine when you start talking about technology. The newest and the greatest... Well, what are toys for, but to have men spend time on them?

Talking bits, nibbles and bytes to IT is not a problem, provided you have no requirement to motivate the purchase of the technology to business. This is when the wheels come off the proverbial geeky cart: ask IT to deliver a business requirement specification that sells the new technology to business, and wait.

It all usually starts with 'uhm', followed by 'you know', then by... (pause) 'they need it'! Maybe they do, but how do you sell it? Well, 'it has x CPUs, 4 Gbyte RAM, can handle 20 quadzillion processes' and, for additional money, it can make coffee.

Well, let's see: business does not know what a quadzillion is and has no idea about the RAM and the CPUs. It may be interested in the coffee, but surely a coffee machine is better suited? This is where Service Management comes into play. Business has a requirement: what is it, and what do they need to meet it?

At this point, all the techies start saying, 'how are we supposed to know what they want? We know what they have to have'. Nope, wrong again! Business needs to see what it costs and what the benefits will be. Point to note: NEVER mention Return on Investment (ROI). Gartner trashed that one by stating that it was never measured after the fact.

The solution is simple: take off the techie hat and put on the business analyst hat, very similar to baking a cake. Talk to business about their requirements (make some up if you don't think they know) and confirm these with management. Taking what they want, measure what technology they have and see what is lacking. Take the stuff that is lacking and look to see if any of the current equipment could be upgraded or if a purchase is required. With the investigation, you should determine what the risks are to business if they do not upgrade or purchase.

You now have the reasons for:

  1. why the current stuff will not meet business requirements
  2. the list of stuff that will meet business requirements (for at least 18 months)
  3. Strategic/Tactical/Operational Risks

Based on the business requirements and the reasons, you have the business motivation to purchase your new toy.

8 Oct 2008

HoneyTech Security Awareness – Are You Hacked?

In cooperation with the HoneyTech site, I would like to present to you the awareness message for October. The goal for this month is to make users aware of what to do if they suspect or confirm that their machine has been compromised, and of the signs that may indicate that the machine has been compromised :)

I hope it meets with your approval :)

Arabic

Newsletter | Poster

English

Newsletter | Poster