Starting Your Cybersecurity Career

Cybersecurity as part of an overall Information Systems environment has existed for many years, but recent cyber-attacks have forced companies of all sizes to focus on cybersecurity to enhance security, protect sensitive customer and employee data, and to prevent damage to their corporate brand. Maybe you are looking to jump into a cybersecurity career? I have some basic tips to help you make the leap to a rewarding career in cybersecurity.

  1. Skills – A company only wants to hire the best employees, usually for the lowest wage possible. Your salary is usually based on your skills, experience, and the local market. If you haven’t got any relevant experience, and you can’t demonstrate relevant skills, you may never get a cybersecurity job and you’ll definitely be underpaid if you do get a job. The best way to demonstrate skills without experience is an industry recognized certification. While having a degree in cybersecurity will open some doors, an EC-Council Certified Ethical Hacker (CEH), CompTIA Security+, or many other certifications will help demonstrate you have the knowledge and skills to tackle the complexities of cybersecurity. Look at job postings to see what types of certifications are needed or common for the type of job you want to pursue. You can get a free certification called Certified in Cybersecurity from (ISC)², the same cybersecurity professional organization known for the popular CISSP certification. Just sign up as an (ISC)² Candidate. When you’re ready to sit for the exam, you can find your exam promo code on the Candidates benefits page. Please note that you may only use the exam promo code once. To register for your exam at a Pearson VUE test center, visit https://www.isc2.org/Register-for-Exam
  2. Experience – This can be the most difficult thing for a beginner to accomplish. How can you be expected to gain experience if you can’t get a job without experience? You can try internships, a part-time job, freelancing for a few friends or associates, volunteering at a local non-profit, or completing Capture-the-Flag (CTF) challenges. These are all great ways to gain hands-on experience in cybersecurity, maybe without giving up your normal job. These initial experiences will not only help you determine if this career is right for your personality and lifestyle, but they will also build your skills and experience to enhance your resume.
  3. Awareness – Most of what is happening in cybersecurity isn’t mainstream news. You need to follow some basic industry news sites (securityweek.com, thehackernews.com, bleepingcomputer.com, etc.) to learn about new attack methods, attend cybersecurity conferences to listen to experts and vendors, participate in free webinars to learn new skills, and join online or local communities to meet your future coworkers. These relationships and information are usually free (or low-cost) ways to stay informed about emerging threats, hacking tools, and industry best practices in the field. Being a well-informed cybersecurity professional adds value to your portfolio and can attract interest from an organization during an interview.
  4. Relationships – By networking and building professional relationships, you can create a strong professional network that can possibly offer you mentorships, job referrals, information about recent job postings, or just someone to talk to when you need a pep talk.
  5. Attitude – You’ll probably meet a few people who still think of security professionals as teenagers living in their parents’ basement trying to hack into the Pentagon or the local video game store. You’ll need to demonstrate your professionalism in actions and appearance. Cybersecurity professionals have access to critical and sensitive business information, so you’ll need to demonstrate you can handle that responsibility with the highest standards of conduct, ethical behavior, and professional demeanor. This includes while at a job interview, attending a conference, and while talking to colleagues or friends. Don’t give anyone a reason to second-guess the opportunity to recommend you for a job.
  6. Focus – Learn everything you can and stay focused on the prize. Don’t take half steps toward getting that dream job in cybersecurity. There are entry-level jobs out there; you just need to be persistent and patient to find the hiring manager willing to give you a chance. The more you know, the more you’ll find out how much you don’t know about cybersecurity. Accept your limitations and lean into finding an entry-level position. Stay curious and accept you have a ton to learn, but demonstrate a willingness and ability to learn.

These are the basic building blocks to finding a rewarding career in cybersecurity. Some people find it easy and get an entry-level job a few weeks into their job search, while others can spend months without any luck. It doesn’t mean you are doing something wrong. Stay positive and focused and you’ll eventually find success.

What is an Enterprise Architect?

Wikipedia defines an Enterprise Architect (EA) as “a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.”

On a daily basis, an EA’s activities can change quickly and dramatically. I won’t go into organizational models of enterprise architecture organizations, but we’ll explore the role and responsibilities of an EA. Understanding the role of an EA will help us understand the typical daily challenges.

Skills

Technology expertise is an obvious skill required for a true EA, but technology skills are not the only skills you will need. There are other essential skills:

  • Motivational – EAs must be able to motivate and inspire. A large part of the job is to influence or evangelize ideas.
  • Negotiation – There will be times at meetings when an EA must negotiate to get things accomplished.
  • Critical Thinking – Being able to think quickly and see the “big picture” is essential.
  • Problem Solving – EAs must be able to evaluate and solve problems.
  • Big Thinking – An EA must avoid tunnel vision and be able to look at a problem from multiple angles.
  • Business savvy – To really understand how technology will affect the business
  • Process Orientation – Thinking in terms of process is essential for an EA
  • People Skills – An EA’s job requires interacting with people constantly

Challenges

There are impacts to multiple areas, each of which has its own unique set of challenges. The three major areas that should be considered are:

  • Production Processes – These processes support the promotion of software to production environments, change management, and support of solutions after they are in production.
  • Production Systems – Systems that are in the production environment are often not isolated; they are deployed and configured into environments that have dependencies and restrictions.
  • Production Teams – Teams that support and deploy these solutions have unique processes and procedures. There is both a process and an organizational perspective on this.

Production Processes

EAs should be mindful of production processes because they affect the cost, quality, and resiliency of software. EAs can have a positive impact on these processes by being involved in the following core production processes:

  • Configuration Management – EAs can optimize these efforts, both in the design of the architecture and in providing insight into the rest of the organization, possibly standardizing this process.
  • Change Management – EAs are typically not involved in this process, but they need to be mindful of the impacts to solutions since they could have many different relationships with other solutions and altering a solution could create downstream challenges.
  • Incident Management – EAs do not generally engage in this process either, but they need to be mindful of it because incident management data can be of great value. The data collected here can correlate with other data to help EAs gauge how much an architecture costs.

Production Systems

EAs perform a set of activities that involve existing production systems quite often. By doing so, they serve multiple roles, both in participation and leadership for the following activities:

  • Future State Architecture – When EAs determine a direction for a set of business problems, a solutions road map and architecture envisioning occurs.
  • Current State Review – This process involves an EA engaging with a LOB owner or post-production maintenance teams.
  • Strategic Initiatives – EAs can shape strategic initiatives that result when other forces besides a formal planning process trigger evaluation of current solution architectures.

EAs encounter both technology and operational aspects when reviewing and re-architecting solutions. It’s important to keep in mind that these concerns are not just related to software, but can include a mix of hardware, communications, and software aspects. These aspects stem from a set of enterprise functions, which include:

  • Shared Services – EAs consider whether or not particular solutions should use shared services.
  • Solution Dependencies – Solutions often communicate with other solutions for additional functionality. Unless the current state architecture is fully mapped, there is a seemingly endless amount of interdependencies throughout enterprises.
  • Environments – EAs often consider unified management and consolidation of platform environments.
  • Constraints – EAs take in limitations or constraints to architectures for various reasons. Some COTS-based solutions limit the API usage, for example, while other custom-developed solutions are built not to be extensible.

Production Teams

Various post-production maintenance teams are required to do most work on existing architectures, because design documents are created during the SDLC process that can quickly become outdated. Unless the architecture is fully documented through the post-production life cycle, EAs rely on these teams. Teams that are engaged usually consist of:

  • Maintenance Team
  • Operations Team
  • User Support Team

These teams offer perspective into multiple domains of consideration when making architecture decisions.

You can find more information on EAs here.

Don’t be Stupid

Are you a man in IT that thinks a woman can’t do your job? Do you think that what you do (writing software code, creating database objects, or managing a project) is just too hard for a woman? Yes, there are still people who believe this and they are also stupid and sexist. This interesting article explains why this outdated thinking is stupid, and where this type of thinking still exists today.

This is “Amazing” Grace Hopper. She took leave from Vassar to join the Navy, where she invented or helped invent the entirety of all modern computer science, including nearly every wimpy-ass tool your wimpy ass laughingly refers to as “coding.” Compared to her, you’re nothing but a little kid playing with Tinker toys. Tinker toys she invented, by the way.

You want to see hardcore programming? I’ll show you hardcore programming:



This is what real hardcore coders do. No compilers, no syntax checkers, just a teletype machine and a bunch of fucking switches that change the computer’s memory and registers directly.

And you know what? For her, that was luxury. She and all the other early computer programmers–almost all of whom were women, by the way–started out programming by plugging patch cords into plugboards, because that’s how they rolled.

Women have a long and important history with technology, and your time would be better spent on improving technology instead of wasting time thinking men are better than women.

6 Ways Employees Bypass Security Policies

As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by creating policies that outline the things a good employee must do to support good corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done, regardless of your security requirements. That means good employees may be your biggest security threat.

You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person has to now memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering that may block access to important data. They must deal with all your security controls and rules while trying to get their job done, and they know there is a “better” way. So, what are some of the most common workarounds used by your company employees?

  1. Offline Bypass – Many security features are only enabled while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop. The software was only able to alert the security team if the device was connected to the corporate network. The users simply disconnected the device from the network when they wanted to connect their USB hard drive or cellphone to copy files from their local PC to the external device. Make sure your controls work as expected.
  2. Bypass Session Time-out – Most systems and applications have automatic session time-out features, based on a defined idle period. Vendors will also employ utilities to make connections seem used, even if the vendor isn’t using the connection, so they don’t have to restart VPN connections.
  3. Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) results in creating and recalling more than 100 passwords each year. It’s understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are horrible at selecting secure passwords. And beware of the clever users that bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset problem users’ passwords by bypassing the regular password reset requirements. Some people may use various bypass methods to keep the same password for several years.
  4. Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text files, but usually on a simple post-it note. This means someone with access to the device probably has access to the post-it with the user’s login information written down for them to use without delay.
  5. Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
  6. Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder your productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.
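
The gap described in item 1 (a control that only reports while the device is on the corporate network) can be checked against an endpoint's locally buffered event log. The following is an added example, not part of the original article; the log format, host names and event names are constructed, and it assumes the endpoint agent records events locally while offline and uploads them later.

```python
from datetime import datetime

# Constructed sample endpoint log: timestamp, host, event, detail.
# Assumption: the agent writes these locally even with no network.
SAMPLE_LOG = """\
2024-03-04T09:00:12 LT-0142 net_up corp-lan
2024-03-04T09:41:03 LT-0142 usb_attach mass-storage
2024-03-04T12:15:40 LT-0142 net_down -
2024-03-04T12:16:05 LT-0142 usb_attach mass-storage
2024-03-04T12:29:51 LT-0142 usb_detach mass-storage
2024-03-04T12:31:10 LT-0142 net_up corp-lan
2024-03-04T08:55:00 LT-0377 usb_attach phone-mtp
2024-03-04T08:58:30 LT-0377 net_up corp-lan
"""


def parse_events(text):
    """Parse log lines into dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, event, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def classify_usb_attaches(events):
    """Label every USB attach with the host's network state at that moment."""
    online = {}     # host -> True/False; unknown hosts are treated as offline
    last_down = {}  # host -> time of the most recent net_down
    findings = []
    for e in events:
        host = e["host"]
        if e["event"] == "net_up":
            online[host] = True
        elif e["event"] == "net_down":
            online[host] = False
            last_down[host] = e["ts"]
        elif e["event"] == "usb_attach":
            is_online = online.get(host, False)
            gap = None
            if not is_online and host in last_down:
                # A short gap suggests "unplug the network, then plug in USB".
                gap = int((e["ts"] - last_down[host]).total_seconds())
            findings.append({"host": host, "ts": e["ts"], "device": e["detail"],
                             "online": is_online,
                             "seconds_since_disconnect": gap})
    return findings


def visible_to_online_only_control(findings):
    """What a control that can only alert while connected would have reported."""
    return [f for f in findings if f["online"]]


def offline_attaches(findings):
    """Attaches the online-only control missed; these need review."""
    return [f for f in findings if not f["online"]]


if __name__ == "__main__":
    results = classify_usb_attaches(parse_events(SAMPLE_LOG))
    print("reported in real time:", len(visible_to_online_only_control(results)))
    for f in offline_attaches(results):
        print("missed:", f["host"], f["ts"].isoformat(), f["device"],
              "gap_s =", f["seconds_since_disconnect"])
```

Running the same comparison against real agent logs shows whether the control "works as expected": if offline attaches never appear in the uploaded data at all, the agent is not buffering events and the control has a blind spot.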

As an IT professional you need to help the hard-working and well-intentioned employee get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, leaving the end user with productivity loss and no apparent improvement to their lives. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. This will help the typical employee keep security top-of-mind, with regular communications and meetings with staff.

Bringing Cybersecurity to Work

Many businesses want a better cybersecurity posture at work, but they don’t know what to do or how to do it. If you want to be successful at implementing cybersecurity changes to your workplace, there are a few simple steps you can perform today to move towards a stronger security stance as you face increased attacks from cyber-criminals.

Knowing that most small to medium businesses can’t withstand a successful cybersecurity attack, you should be aware that a modern business needs to perform specific steps to bring awareness to the workforce.

Criminals like the easy target, and that is true if we are talking about a subway mugging or a cyber-attack to your email. Cybersecurity is all about making your business less of an easy target and helping everyone at your company understand risky behavior so they can help prevent your business from becoming a target by malicious attackers.

  1. Top-Down Acknowledgement – Start with the boss, and have them acknowledge that cybersecurity is important. If they embrace the need and start behaving like cybersecurity is important, the entire company will accept the changes and participate in educating the workforce. This may include communications from leadership speaking about the importance of cybersecurity to the entire team, but also making sure any efforts are properly funded and supported. If the boss avoids the new plan, everyone will think they have the same option.
  2. Policies and Procedures – Written policies and procedures are the first step in documenting what everyone is supposed to do in your organization. The policies state what is acceptable, and who is responsible for each section of the required response. The procedures describe how to be compliant with the policies. If the policy says everyone is responsible for reporting phishing emails, the procedures describe how to identify and report a phishing email.
  3. Security Awareness Program – Once everyone agrees that your company needs to be more cybersecurity aware, there needs to be a formal program to implement training and awareness programs. This could include formal classroom training, online training videos, periodic emails, etc. It really depends on what you think will work at your company, and one right answer doesn’t mean that process won’t change as your employee needs change. Be flexible and target a solution that works. This will take serious effort month-after-month to keep an effective program as employees’ needs change, but the program must also change as the threat profile of your attackers changes.
  4. Work on the Basics – From a technology perspective, start with the basics and work towards more robust and sophisticated solutions. Start with basic network security around how your network is designed, and worry about more complicated solutions once you have the basics in place. You don’t need complicated and expensive security systems in place if you don’t have basic security tools configured. These first steps can include some common techniques such as enforcing strong and complex passwords, using multi-factor authentication, installing anti-virus utilities on every computer, applying vendor security patches within 30 days, enforcing least-privilege access to corporate systems and file shares, and blocking employee access to risky internet sites.
  5. Make IT the “Yes” Team – The IT department is often seen as the team that always says no when other departments have ideas. This is usually because the ideas don’t include realistic expectations or even any planning for cybersecurity risk. But if you pivot and provide ideas to fix the other team’s ideas with suggestions on how to make their ideas work you can help them realize their ideas while not breaking any cybersecurity rules. This strategy will take much more work, but you’ll see that IT will be included in more planning meetings if you are seen as someone who can tweak less than perfect ideas instead of someone who always shoots down half-baked schemes.
  6. Accept that Things Change – As the business changes, an effective cybersecurity plan must constantly evolve. As employees rely more on cloud applications, social media, and working remotely you must change your cybersecurity toolkit to protect users in that new disconnected environment. You do this by selecting vendors that understand and value cybersecurity, as well as training employees that being on the road can also mean they have to take more responsibility for their own cybersecurity.
  7. People Resist Change – You may have some fairly major alterations to your IT environment planned to bring your organization into modern thinking on the concept of cybersecurity, but you must understand the organization may fight you every step of the way. Employees may fight the implementation of stronger passwords, and they may hate you blocking internet sites that are attempting to steal their personal data. What seems obvious to you may be seen as overstepping the boundaries of modern computing by at least a minority of your employees, and even some of the IT department. Be prepared to deal with those people who are willing to undermine your efforts and are willing to side-step any cybersecurity controls you implement. Don’t take it personally, but have a plan to bring the non-compliant employees into an acceptable level of compliance.
  8. Measure to Improve – Be prepared to measure your success if you ever want to improve the process. Your gut may tell you that blocking a social media site has helped the business, but you need to measure the before and after to demonstrate success. If you feel employees are wasting their time and potentially posting too much corporate data on Facebook then you monitor Facebook for a few weeks to gather some data on specifics, then measure again after the site is blocked. Did your change really make the employees more productive, or did they just start using a different social media site? Did they really stop posting company data or just share the data using a different tool?
  9. Seek Experts – If you aren’t sure what to do next, engage an expert to analyze your cybersecurity posture and recommend specific changes. This can be as easy as asking you questions for a few hours, or a more complicated analysis could include a penetration test to validate if your network controls are properly configured to keep out potential cyber-intruders. You can also think about bringing a security-specific member onto your technology team.
  10. Responding to a Bear Attack – In a bear attack, your first instinct is to run from the bear. You don’t have to be the fastest runner when fleeing a bear attack, just faster than someone else in your group. Your slower friend will get caught by the bear and you will get away. Cybersecurity is similar in that you don’t have to spend millions of dollars buying the very best in security tools, you just have to spend just enough to be more secure than most other companies. When the cyber-criminals attack, you don’t have to be the most secure in the country, you just have to be more secure than their other targets so they get compromised and you get away.

Start small and you can quickly accelerate your cybersecurity efforts as you can demonstrate success. Small incremental changes can help limit resistance and generate momentum to your cybersecurity efforts while also keeping risk low.

Kanban vs. Scrum

If you are wondering if you should move from a traditional Waterfall development methodology to something new, but can’t pick between Kanban and Scrum, here is some information that might help.

Kanban

Kanban is a simple methodology that focuses on the tasks your team is currently performing. The tasks are displayed to all participants so you and your team can track the progress and easily see what tasks are currently active. A good practice is to organize your development process using a Kanban board to show the status of each task, from “to-do”, “in progress”, “testing”, “ready for release”, and finally “released”. This simple methodology gives the team more flexible planning options, a clear focus on specific tasks,  transparency on what is coming next, and a faster output by helping them focus on just a few tasks at any one time.

The team should concentrate only on the tasks which are currently emphasized by being marked as “in progress”. Once a task is done, the team moves on to the next item at the top of the backlog, marked as “to-do”. The product owner (traditionally a manager) is free to change, re-prioritize, and even re-organize the tasks in the backlog as any changes outside the current “in progress” list won’t seriously affect the project.

Team members are given the responsibility to focus on the active “in progress” tasks and are expected to work only on those tasks. The methodology works well for inexperienced personnel and even teams that have just started working together. It is flexible enough to allow teams to reassign tasks between team members or reshuffle tasks based on what each person feels like working on today.

It seems to work best when:

  • Focused on continuous delivery
  • Helps improve productivity
  • Personnel need help adapting to change
  • Shorter time between task assignment and expected results
  • New or inexperienced personnel need to be productive

Scrum

If you need a lightweight development framework to manage complex development efforts, you are probably looking for Scrum. This iterative and flexible strategy involves the whole team, working as a unit to significantly increase productivity. Scrum is a simple set of roles, responsibilities, and meetings that helps the entire company cope with changes, provide better project estimates, and increase the quality of the solutions delivered. The work done by the development teams is performed in a series of fixed-length iterations called “sprints”.

A sprint is a period of time during which specific work should be done and ready for preview. The duration of each sprint is fixed and agreed in advance, usually between one and four weeks. Each sprint starts with a planning meeting, and during the sprint the team must attend a short daily scrum meeting, usually at the same place and time every day.

Scrum has just three specific roles: Product Owner, Scrum Master and the Development Team. Since your scrum team is cross-functional, your development team will include developers, designers, testers, technical writers, and anyone else that will be involved in the sprint.

The Product Owner represents the process owner and will set the priority of the assigned tasks, sprint duration, and determine the tasks assigned to each sprint.

The Scrum Master keeps the development team working on the proper tasks and helps identify items that are slowing the team down or blocking expected results. If the Scrum Master sees something that needs attention, the Scrum Master and Product Owner meet to decide how they should resolve the problem to get the tasks done correctly and finish the sprint as planned. The development team is mostly self-organized and responsible for the completion of their assigned tasks.

It seems to work best when:

  • Experienced development team needs little or no supervision
  • Project is long and complex
  • Focused on continuous delivery
  • Business requirements are constantly changing
  • Continuous feedback to corporate management is required

 

Microsoft Office is an in-demand job skill

Finding a job can be tough, so knowing what skills are in demand and acquiring those skills is an important factor in making sure you find a great job. In research conducted by IDC, we find that Microsoft Office skills are one of the first things employers are looking for in new candidates. In this article from Microsoft, we see their take on the study results.

If you’re thinking that your school or classroom already focuses on these “soft” skills, you’re probably right. Skills like critical and creative thinking, problem solving and collaboration are the foundation of curricula worldwide. They’re also at the heart of some of Microsoft’s most popular classroom tools – like OneNote, Office Mix, Sway and Skype in the Classroom.

The research does give us a new way of looking at these critical skills, though. The cross-functional nature of employers’ most required skills suggests that we focus on job-readiness, not job training. In other words, focus on skills with the broadest applicability to success.

We can think about these skills in three buckets:

  • Communication, integration, and presentation (CIP) skills. IDC found that CIP-related skills (for which Microsoft Office is the technology enabler) are required for over 40 percent of all job postings. They comprise eight of the top 20 skills required for all positions, and 10 of the top 20 for high-opportunity positions.
  • Entrepreneurialism and related skills. This category includes “self-starting/self-motivated” – the #10 most frequently required skill for high-opportunity positions.
  • Microsoft, Microsoft Office, and other software skills. IDC found that 12 percent of high-opportunity occupations call for Microsoft Office–related skills. Combined with positions explicitly requiring Microsoft Office, the percentage of tomorrow’s high-opportunity positions requiring Microsoft Office or related skills grows to nearly 20 percent.

Deadly Developer Career Mistakes

Lots of people can tell developers what to do, including the best choice for language, best new technologies, etc. What this article is trying to tell you is what not to do. In this article from Paul Heltzel, we learn his top 7 tips:

  1. Staying too long – He says that you should stay at least 2 years, but not longer than 4 years.
  2. Job Jumping – Varies by type of position, but stay at least through the current project.
  3. Passing on Promotion – Promotion means more money, but at what cost. Skipping promotion opportunities might also signal you aren’t committed to the company.
  4. Not paying it forward – Always find time to mentor junior developers.
  5. Sticking to your stack – Broaden your knowledge to make yourself more valuable.
  6. Neglecting soft skills – Learn social skills to be a better person.
  7. Failing to develop a career roadmap – You need a plan on where you want to be, and create a plan to take you from where you are today to that target destination.

I think those are all really great notes, and I agree with them all. My one criticism is it leaves off my number 8, focused on business:

  8. No Business Knowledge – Learn how business works, not just how to leverage technology. Leverage your knowledge of technology and a better understanding of business to drive better decisions, better solutions, and better ideas.

 

Creating Your Future Today

People have said “You can’t create your future with the tools of the past” to explain why technology is important. Unfortunately, most people can’t visualize what technology will be important for tomorrow, much less what technology might be invented to solve business problems in 10 or 20 years from now.

I have spent many years talking to non-technical business people, and they are sometimes trying to catch up with the technology of the past so they can’t be bothered to understand the latest and greatest technology of today. I find many non-technical people are still trying to figure out how to effectively use their smartphone, as an example, and can’t even begin to wrap their minds around augmented or virtual reality devices like Google Glass or HoloLens devices.

I was talking to a guy charged with understanding the technology options for his company so he could help communicate the changes to his 800 field managers, and he considered a new analysis service too complicated because it required him to access the service using his network username and password. He couldn’t jump the mental hurdle of logging into the service, something most of us have been doing for many years, to even evaluate the service to help determine if it was useful to his field managers.

Some of you might ask how this guy got into this important position if he finds logging into the network too difficult. I think you need to accept this isn’t that uncommon and then explore the not too obvious: his company is not unique or alone in this leadership problem. He was honest enough to share what he really thought, but the people you work with may not be so honest. Maybe they tell you the technology is unproven, too expensive right now, will require too much training to justify the cost, or isn’t powerful enough to meet their business needs. Are those just excuses because they can’t understand the technology?

When you go to your doctor, do you want him to use the technology and techniques he learned while in medical school, or do you want him to use the latest technology and techniques of today? You want a business to look at all the technology available today and select those items that are useful and important to make their business grow and be successful.

My point is that the people making the technology decisions for your company need to be prepared to use the technology of today to create the future of their company. Maybe you work at a company that embraces technology, but maybe your company is stuck in the past for a reason. Maybe the decision makers are unable to adopt new technology that might help their company be more successful.

What is a technology-focused person to do to solve this issue? What can you do to uncover this issue and solve the problem at your company?

  1. You need to identify the people standing in the way and help remove their mental barriers, educating them on why technology is important, and informing those that are reachable about what is possible with new technology.
  2. Target those people that you think are willing to learn about technology and then boost their access to the technology.
  3. Use your access to technology to get identified leaders access to the technology you think would be helpful to them and will be used to solve business problems.
  4. Tutor co-workers on why you think a specific new technology is important for solving the problems of today, and demonstrate there is a path to the future using a new technology.
  5. Be honest with yourself and the business leaders about any proposed technology.

Do you have any thoughts on solving this problem?

 

PCI Compliance and DVR Malware

Credit card compliance is difficult and costly even without faulty vendor software causing additional security issues. Some people have said that faulty firmware found in some security cameras sold by at least 70 vendors may be a contributor to many of the credit card breaches that have recently proved costly to retailers. Rotem Kerner based his research on a paper on the Backoff malware that RSA published back in December 2014. This malware was used to steal payment card details processed by point-of-sale systems at multiple retail locations. The U.S. Secret Service says it impacted over 1,000 U.S. businesses, including Neiman Marcus, Michaels, Target, and UPS Store.

Kerner reviewed the data that RSA collected from computers that were infected with Backoff, and found that many were running small web servers with open ports on 81, 82, and 8000. “Cross Web Server” is running as DVR (digital video recorder) software, which is used by many retailers for video monitoring. But the server software, open to the internet, was left running on the same network as payment card systems. This is an obvious potential security risk that should have been addressed.

The article provides a step-by-step analysis of the code and how to exploit the code to gain access to the target system. He also provides a list of vendor systems impacted by this vulnerability.

In order to exploit it I had to overcome a few obstacles I’ve identified –

  1.  Can’t use spaces or newlines + server does not understand URL encoding
  2.  Length in between the slashes is limited.

I was able to bypass the no-space restrictions with something called ${IFS}. Basically IFS stands for Internal Field Separator, it holds the value which is used by the shell to determine how to do field splitting. By default it holds “\n” which is exactly what I needed. So this is my new attack vector –

/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js

And it worked! The file has been written. Let’s do another test –

/language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js

outputs –

root

Great success!! As with many embedded systems this one is using BusyBox so what I decided to do is invoke netcat in order to get a nice and comfy reverse shell.
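A defender's view of the requests quoted above, as an added example that is not part of Kerner's write-up or of this post: the Python sketch below scans web server access logs for ${IFS} substitution and shell metacharacters in the URL path. The log lines are constructed samples in Common Log Format, and the function names and indicator labels are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format). Client addresses come from
# the documentation ranges; lines 2 and 3 reuse the request paths quoted above.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2016:10:00:01 +0000] "GET /language/Swedish/string.js HTTP/1.1" 200 512
198.51.100.7 - - [01/Mar/2016:10:02:13 +0000] "GET /language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js HTTP/1.1" 200 0
198.51.100.7 - - [01/Mar/2016:10:02:40 +0000] "GET /language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js HTTP/1.1" 200 0
192.0.2.10 - - [01/Mar/2016:10:03:00 +0000] "GET /index.html?lang=sv&theme=dark HTTP/1.1" 200 2048
203.0.113.5 - - [01/Mar/2016:10:05:09 +0000] "GET /language/Swedish%24%7BIFS%7D%26%26echo%24%7BIFS%7D1 HTTP/1.1" 404 0
203.0.113.5 - - [01/Mar/2016:10:09:00 +0000] "-" 400 0
"""

# The target is matched greedily so a request containing spaces still parses.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator labels are this example's own names, checked in this order.
INDICATORS = [
    # $IFS / ${IFS} standing in for whitespace, as in the quoted requests
    ("ifs-substitution", re.compile(r'\$\{?IFS\}?')),
    # any other shell variable reference, e.g. $USER
    ("shell-variable", re.compile(r'\$\{?(?!IFS\b)[A-Za-z_][A-Za-z0-9_]*')),
    # command separators that have no business in a URL path
    ("command-chaining", re.compile(r'&&|\|\||[;|]')),
    ("command-substitution", re.compile(r'`|\$\(')),
    ("redirection", re.compile(r'[<>]')),
]


def split_path(target):
    """Return the path part of a request target, dropping the query string.

    Only the path is inspected, so an ordinary '&' between query parameters
    does not count as command chaining.
    """
    return target.split("?", 1)[0]


def check_path(path):
    """Return the indicator names found in the raw or percent-decoded path."""
    # The DVR server described above does not decode URLs, but a proxy or a
    # different server in front of it may, so both forms are examined.
    candidates = {path, unquote(path)}
    return [name for name, pattern in INDICATORS
            if any(pattern.search(c) for c in candidates)]


def scan(log_text):
    """Scan access-log text and return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if match is None:
            # A request line that does not parse is worth a look in itself.
            findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                             "path": None, "reasons": ["unparsed"]})
            continue
        path = split_path(match.group("target"))
        reasons = check_path(path)
        if reasons:
            findings.append({"line": lineno, "client": match.group("client"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["line"], finding["client"],
              ",".join(finding["reasons"]), finding["path"])
```

Findings like these matter most when the logging device shares a network with payment card systems, which is the exposure the post describes.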

Robots Are Taking Your Job

Robots have existed in business for many years, mostly in manufacturing. With recent technological advancements, it is now safe to say that robots are probably coming to take your job. While it may seem impossible that a robot can do your job, a serious look at what you do will probably reveal that at least some, if not all, of your daily responsibilities can be performed by a robot.

This includes service jobs (servers at a restaurant, cashiers at your local supermarket, department store shelf stockers, cleaning staff at hotels, middle and high school teachers, etc.) at almost every level. While it is probably required to employ some humans to provide interactions with other humans, robots can provide cheap labor for repetitive tasks.

Professional jobs (computer programmers, paralegals, nurses, pharmacists, financial planners, police officers, etc.) are not immune to this process either. While it is impossible to replace many of these positions with a robot, they can be used to augment humans to lower labor costs and reduce human errors.

In a book by Martin Ford, Rise of the Robots: Technology and the Threat of a Jobless Future, we learn about a near-future world where robots have taken over most human jobs.

In Rise of the Robots, Ford details what machine intelligence and robotics can accomplish, and implores employers, scholars, and policy makers alike to face the implications. The past solutions to technological disruption, especially more training and education, aren’t going to work, and we must decide, now, whether the future will see broad-based prosperity or catastrophic levels of inequality and economic insecurity. Rise of the Robots is essential reading for anyone who wants to understand what accelerating technology means for their own economic prospects—not to mention those of their children—as well as for society as a whole.

Martin Ford recently appeared on Wharton Business Radio (SiriusXM channel 111) to talk about how the robot revolution has affected businesses, what it means for your job, and what other impact robots may have in coming years.

On Wall Street, most trading is now done by algorithms. There have been lots and lots of jobs that have disappeared already, and again, the important thing is that in many cases, these are skilled jobs. It’s not about the skill level or how much education you have. The primary question is, is the job on some level routine, repetitive and predictable? In other words, can the actions that a worker undertakes in that field be predicted based on what they’ve done in the past?

If the answer to that is yes, then it’s going to be susceptible to machine learning, which is really the central technology that’s driving all of this. It’s a huge range of jobs, and it includes a lot of jobs that are good jobs that people need to go to school for. So that really kind of throws a wrench into our conventional thinking about how all of this has worked in the past.

A recent study (pdf) published by the State of Tennessee said 50% of jobs in Tennessee could be replaced by automation efforts.

• 1.4 million Tennessee jobs have a high probability (70 percent or higher) of replacement by automation. This represents 50 percent of Tennessee’s current workforce. Vulnerable jobs as a share of total employment range from 35.7 percent in Bledsoe County to 59.6 percent in Sevier County.

• Lower-wage occupations are more vulnerable to replacement by automation. The average hourly wage of jobs with a 70 percent probability of automation is $14.56, which is $5 lower than the state’s current average hourly wage for all jobs.

• If automation occurred in the occupations with at least a 70 percent probability of automation, 37 percent of the wages of workers in Tennessee could be lost.

• Rural counties are more vulnerable to the disruptive effects of automation. Of Tennessee’s 17 urban counties, only Hamblen, Loudon, and Bradley are ranked in the most vulnerable two-thirds of Tennessee counties.

• Tennessee regions most vulnerable to future workforce disruption are Northwest Tennessee and the Upper Cumberland. The Northern Middle and Greater Memphis regions are least vulnerable.

• Within the Southeast states, Tennessee is ninth-most vulnerable to future workforce disruption, where a rank of one represents high vulnerability and a rank of 12 represents low vulnerability. Virginia is the least vulnerable state (12); Mississippi is the most vulnerable.

 

Reasons IT Professionals Leave a Job

In today’s job market, people move from job to job for various reasons. When you investigate the common reasons that contribute to job churn in the technology marketplace, there are some fairly typical reasons technology professionals want to leave their job:

  1. Advancement Opportunities – Once you determine you are stuck in a position without any chance to get a promotion, the decision to move on is the most common next step.
  2. New Challenges – If you are in a position that is boring and doesn’t require you to learn anything new, you will probably start looking for something new.
  3. Inadequate Salary – Technology jobs pay well, but not all technology jobs pay the market rates. If you find yourself in a position that offers lower than market salary or lacks benefits/perks, you will find it difficult to justify any long-term commitments to that company.
  4. Training Opportunities – If your boss doesn’t want you to obtain any new skills or never wants to pay for any training, that is a sure sign that you aren’t valued and should consider moving to a new company.
  5. Poor Leadership – Your boss doesn’t offer leadership, lacks basic communication skills, or doesn’t provide the required direction to keep you motivated. That is something you can’t control and will probably cause you to change employers.

If you are a manager of technology professionals, you have to remember that in a highly competitive IT job market a good leader will spend time with your staff members discussing their job satisfaction.

6 Ways Employees Bypass Security Policies

As an Information Technology professional, one of the things you will find yourself doing is creating and enforcing security policies. You will need to support good technology security by creating policies that outline the things a good employee must do to support good corporate security. All the other employees are hired for what they are good at doing, and that usually means finding ways to get the job done, regardless of your security requirements. That means good employees may be your biggest security threat.

You can hopefully understand the reason for this effort to ignore the tedious security requirements published by various technology professionals. The average person now has to memorize numerous user accounts, understand document transfer policies, deal with applications with missing or buggy functions, and work with web site filtering. They must deal with all your controls and rules while trying to get their job done, and they know there is a “better” way. So what are some of the most common workarounds used by your company employees?

  1. Offline Bypass – Many security features are only enabled while the device is online. In one case, users were blocked from attaching USB devices to their computer or laptop. The software was only able to alert the security team if the device was connected to the corporate network. The users simply disconnected the device from the network when they wanted to connect their USB hard drive or cellphone to copy files from their local PC to the external device.
  2. Bypass Session Time-out – Most systems and applications have automatic session time-out features, based on a defined idle period. Some organizations take this security feature a step further by using proximity detectors that time out a user’s session as soon as they step out of range of the detector. Many users of these systems “beat” this security feature by placing a piece of tape on the detector, or by placing something over the detector to defeat the security offered by these simple devices. Vendors will also employ utilities to make connections seem used, even if the vendor isn’t using the connection, so they don’t have to restart VPN connections.
  3. Simple Passwords – The average person today has scores of personal and professional accounts. Changing 30 or 40 passwords every ninety days (what is commonly recommended) results in creating and recalling more than 100 passwords each year. It’s understandable that people use easy-to-remember passwords, but simple passwords neutralize much of the security benefit of password-based authentication. Studies have shown people are horrible at selecting secure passwords. And beware of the clever users that bypass the password-reset problem altogether by calling the help desk claiming to have forgotten their password. Administrators will often reset problem users’ passwords by bypassing the regular password reset requirements. Some people may use various bypass methods to keep the same password for several years.
  4. Post-It Notes – One survey found that many people record their passwords somewhere, sometimes in a spreadsheet or text files, but usually on simple Post-It notes. This means someone with access to the device probably has access to the Post-It note with the user’s login information written down for them to use without delay.
  5. Internet Document Storage – You have strict security settings on network shares and documents stored on your network. You may think you have met corporate requirements on who gets access to specific data and information, but you probably don’t have any idea of the volume of data transferred outside the corporate network. Users will find ways to get the data to their coworkers, and that probably means storing the files on the internet. The mobile workforce demands anytime-anywhere access to their documents and data. Many mobile workers aim to streamline their productivity by circumventing your security protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting those images to friends or vendors.
  6. Disabling Security – One of the most popular security workarounds is simply turning off security features that hinder your productivity. With the growth of BYOD environments, where employees have greater control over the enabled security features, it is common to find even the most basic security features disabled.

As an IT professional you need to help hard-working and well-intentioned employees get their job done without putting the network at risk. Your security policies should avoid restrictions without any explanation, which leave the end user with productivity loss and no apparent improvement to their lives. Your organization should implement security training for all employees, showing your team specifically how security protocols protect against data leakage, data breaches, and other threats while highlighting how workarounds put data (and their jobs) at risk. This, along with regular communications and meetings with staff, will help the typical employee keep security top-of-mind.

My 5 Technology New Year’s Resolutions for 2016

Keeping the new year in mind, have you created your technology New Year’s resolutions? This isn’t about losing weight or working out more often, it is instead about what technology changes you promise to make in 2016. First, let’s discuss the items from 2015:

  1. Learn C# – I said I was going to start using C# by learning and embracing C# as my primary programming language. I don’t do much programming, so this was difficult for me personally, but I did push other people under my influence to move from their existing language of choice to C#. I think I was able to move between 4-8 people to make C# their primary programming language.
  2. Embrace the Cloud – I promised to put together an intelligent and coherent strategy for using the cloud. In 2015 I assisted my company in moving from a 100% on-premise environment to one that uses AWS and Azure. While we are not 100% cloud, we have definitely moved to a company that is open to cloud solutions on a case-by-case basis.
  3. Windows 10 – 2015 was the year I promised to organize and plan the move of the corporate users at my company to Windows 10. I met much more resistance to this idea than I thought possible. I was thinking the technical team would be happy to get users onto a new operating system, especially one as great as Windows 10. It turns out they would still be using Windows XP if I would allow that, and they have no desire to learn or support anything new or challenging.
  4. Consolidate Databases – I knew this effort would be difficult because the instances range from SQL Server 2000 to 2012, and the Windows versions range from Windows Server 2003 to 2008 R2. I was unable to build the type of team consensus that leads to the mindset that makes this project possible.
  5. Attend User Group Meetings – I promised to support my user groups more by attending more meetings. I had more difficulty in scheduling around business meetings than in previous years, and failed to make this goal possible.

I have a few changes I want to make, and I am resolving to make it happen in 2016:

  1. Embrace the Cloud – With cloud based technologies becoming more popular, I will continue to investigate the cloud as a possible solution to all projects. In 2016 I promise to continue using a strategy for using the cloud as much as possible.
  2. Windows 10 – I currently am using Windows 10 on my Surface Pro 3. I still think Windows 10 is the best solution for Windows users, and I still don’t like Windows 8 or 8.1. This year I still plan on organizing an effort and promoting a plan to move my corporate users to Windows 10.
  3. Consolidate Databases – This year is the year to consolidate my SQL Server instances into two or three primary instances. This still has great benefits that include simpler administration and reduced licensing costs. This will still be difficult to complete, but I haven’t surrendered.
  4. Read Technical Books – I enjoy learning and appreciate a good technical book. I have browsed and skimmed several books in 2015, but I intend to completely read at least 4 technical books in 2016.
  5. Technology Leader – I plan on making a more complete move from technical expert to technical leader. This means doing less detailed technical work, and spending more time educating and leading my team (and this blog) on how to make good technology decisions.

What are your technology promises for 2016?

SSD and HDD Prices Nearing Parity

Storage is important, from file servers to SQL Server databases, and you always want the largest amount of storage with the fastest drive speeds for the lowest price possible. It looks like Solid State Drive (SSD) pricing is trending toward parity with traditional Hard Disk Drive (HDD) based on the study by DRAMeXchange.

Next year, SSD are expected to be in 31% of new consumer laptops, and by 2017 they’ll be in 41% of them, according to DRAMeXchange senior manager Alan Chen. “Branded PC vendors and channel distributors are holding back on their SSD purchases due to lower-than-expected notebook sales,” Chen said. “However, 256GB SSD will be moving close to price parity with mainstream HDD in 2016, so the adoption of SSD in the business notebook segment will rise.”

While SSD pricing has dropped dramatically over the past three years, HDD pricing hasn’t. From 2012 to 2015, per gigabyte pricing for HDD dropped one cent per year from 9 cents in 2012 to 6 cents this year. However, through 2017, the per-gigabyte price of HDD is expected to remain flat: 6 cents per gigabyte.

Cloud Computing Cost Jobs

If companies buy less technology hardware because they are moving to the cloud, more job positions will be cut by technology companies. The reasoning is as basic as this: “If you don’t need as many salespeople to sell those new servers, then you also might not need as many Sales Managers, or accounting people, or payroll people, etc.” While the movement of companies to a powerful and inexpensive cloud environment is seen as important to technology, you probably haven’t thought about the impact on technology-related employment.

The jobs I’m talking about are really traditional middle-class positions, which are usually stable and well paying career positions at successful businesses.

I’m not saying that is a totally bad thing. From a business perspective, the seller might not need as many employees to remain competitive. From a buyer’s perspective the new lower overhead will allow the seller to price their hardware at an even lower amount.

Just remember, as you stop buying hardware in favor of cloud solutions, there is an impact to the labor force that will continue to impact jobs for many years.

 

What is an Enterprise Architect?

Wikipedia defines an Enterprise Architect (EA) as “a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.”

On a daily basis, an EA’s activities can change quickly and dramatically. I won’t go into organizational models of enterprise architecture organizations, but we’ll explore the role and responsibilities of an EA. Understanding the role of an EA will help us understand the typical daily challenges.

Skills

Technology expertise is an obvious skill required for a true EA, but technology skills are not the only skills you will need. There are other essential skills:

  • Motivational – EAs must be able to motivate and inspire. A large part of the job is to influence or evangelize ideas.
  • Negotiation – There will be times at meetings when an EA must negotiate to get things accomplished.
  • Critical Thinking – Being able to think quickly and see the “big picture” is essential
  • Problem Solving – EAs must be able to evaluate and solve problems
  • Big Thinking – An EA must avoid tunnel vision and be able to look at a problem from multiple angles
  • Business savvy – To really understand how technology will affect the business
  • Process Orientation – Thinking in terms of process is essential for an EA
  • People Skills – An EA’s job requires interacting with people constantly

Challenges

There are impacts to multiple areas, each of which has its own unique set of challenges. The three major areas that should be considered are:

  • Production Processes – These processes support the promotion of software to production environments, change management, and support of solutions after they are in production.
  • Production Systems – Systems that are in the production environment are often not isolated; they are deployed and configured into environments that have dependencies and restrictions.
  • Production Teams – Teams that support and deploy these solutions have unique processes and procedures. There is both a process and an organizational perspective on this.

Production Processes

EAs should be mindful of production processes because they affect the cost, quality, and resiliency of software. EAs can have a positive impact on these processes by being involved in the following core production processes:

  • Configuration Management – EAs can optimize these efforts, both in the design of the architecture and in providing insight into the rest of the organization, possibly standardizing this process.
  • Change Management – EAs are typically not involved in this process, but they need to be mindful of the impacts to solutions since they could have many different relationships with other solutions and altering a solution could create downstream challenges.
  • Incident Management – EAs do not generally engage in this process either, but they need to be mindful of it because incident management data can be of great value. The data collected here can correlate with other data to help EAs gauge how much an architecture costs.

Production Systems

EAs perform a set of activities that involve existing production systems quite often. By doing so, they serve multiple roles, both in participation and leadership for the following activities:

  • FutureState Architecture – When EAs determine a direction for a set of business problems, a solutions road map and architecture envisioning occurs.
  • CurrentState Review – This process involves an EA engaging with a LOB owner or post-production maintenance teams.
  • Strategic Initiatives – EAs can shape strategic initiatives that result when other forces besides a formal planning process trigger evaluation of current solution architectures.

EAs encounter both technology and operational aspects when reviewing and re-architecting solutions. It’s important to keep in mind that these concerns are not just related to software, but can include a mix of hardware, communications, and software aspects. These aspects stem from a set of enterprise functions, which include:

  • Shared Services – EAs consider whether or not particular solutions should use shared services.
  • Solution Dependencies – Solutions often communicate with other solutions for additional functionality. Unless the current state architecture is fully mapped, there is a seemingly endless amount of interdependencies throughout enterprises.
  • Environments – EAs often consider unified management and consolidation of platform environments.
  • Constraints – EAs take in limitations or constraints to architectures for various reasons. Some COTS-based solutions limit the API usage, for example, while other custom-developed solutions are built not to be extensible.

Production Teams

Various post-production maintenance teams are required to do most work on existing architectures, because design documents are created during the SDLC process that can quickly become outdated. Unless the architecture is fully documented through the post-production life cycle, EAs rely on these teams. Teams that are engaged usually consist of:

  • Maintenance Team
  • Operations Team
  • User Support Team

These teams offer perspective into multiple domains of consideration when making architecture decisions.

You can find more information on EAs here.

Robot Revolution: Eliminating Your Job

Will your career be altered by robots? Probably. Will your job be eliminated by robots? Maybe. The growth of robots to replace humans started many years ago, but as improvements to technology allow robots to do more and more things, your job may now be a target for a robotic replacement. The primary driver is cost: the cost of training, insurance, wages, etc. It is estimated that robots may cost as little as 10-20% as much as humans over the average human lifetime.

In this article by Heather Stewart, we learn that a new study indicates that many experts agree that in the coming years there may be fewer and fewer jobs that robots can’t do, from service to technology jobs.

A “robot revolution” will transform the global economy over the next 20 years, cutting the costs of doing business but exacerbating social inequality, as machines take over everything from caring for the elderly to flipping burgers, according to a new study.

As well as robots performing manual jobs, such as hoovering the living room or assembling machine parts, the development of artificial intelligence means computers are increasingly able to “think”, performing analytical tasks once seen as requiring human judgment.

In a 300-page report, revealed exclusively to the Guardian, analysts from investment bank Bank of America Merrill Lynch draw on the latest research to outline the impact of what they regard as a fourth industrial revolution, after steam, mass production and electronics.

But it is not just low-skilled jobs, such as assembly-line work, that could be replaced: a report from the McKinsey Global Institute in 2013 found that up to $9tn in global wage costs could be saved as computers take over knowledge-intensive tasks such as analysing consumers’ credit ratings and providing financial advice.

A wide range of jobs could eventually be taken over by machines, Bank of America Merrill Lynch’s analysts predict.

  • Burger flippers – A San Francisco-based start-up called Momentum Machines has designed a robot that would replicate the hot, repetitive tasks of the fast-food worker: shaping burgers from ground meat, grilling them to order, toasting buns, and adding tomatoes, onions and pickles.

  • Manufacturing workers – Relatively low-skilled industrial workers in rich countries have become used to competing against cut-price employees in cheaper economies. But while “offshoring” can cut labour costs by 65%, replacing workers with machines can cut them by up to 90%. The process is well advanced in countries such as Japan and South Korea; as other countries catch up, many more jobs will be taken over by technology.

  • Financial advisers – Bespoke financial advice seems like the epitome of a “personal” service; but it could soon be replaced by increasingly sophisticated algorithms that can tailor their responses to an individual’s circumstances.

  • Doctors – Some 570,000 “robo-surgery” operations were performed last year. Oncologists at the Memorial Sloan-Kettering Cancer Center in New York have used IBM’s Watson supercomputer, which can read 1m textbooks in three seconds, to help them with diagnosis. Other medical applications of computer technology involve everything from microscopic cameras to “robotic controlled catheters”.

Technology Careers with the Highest Pay Increases

As a technology professional, you would do what you do even if it didn’t pay very much, right? Luckily, most technology professionals get paid well for the things they do, but some are getting higher pay increases than others. In this article by Melanie Pinola we get a list of careers that have recently gotten the highest levels of pay increases.

For most workers, salaries aren’t growing as fast as they used to (the Labor Department says the second quarter showed the slowest wage increase on record). But people with one of the 20 jobs below are luckier, having the highest pay increases over the past year compared to other jobs.

 

The data comes from Glassdoor, reported on Bloomberg Business. All sorts of IT workers and people working in finance are represented here (also cooks and cashiers!). It helps that tech-related skills are in such high demand and pay well too.

Managing Information Technology

I have been a manager, in one form or another, for more than 30 years. I have managed people with a lot of structure while in the military, and I’ve managed people for various companies with significantly less structure. What I have learned from that experience is people need to be managed effectively to perform well. I have managed some really great people, and I have learned from them as much as they learned from me while we worked together to create great solutions to business problems. I have also had some great mentors, and those people were kind enough to take the time to guide me to the correct solution when I needed help.

I have also worked with some horrible people and for some really bad managers. You can’t force people to do a good job, and you can’t force people to want to manage people correctly. Sometimes you just have to do a good job with what you have and ride out the storm waiting for the bad times to get better.

Sometimes, a manager will question if they are doing a good job. Most of the people I have worked with have told me that I’m a good manager. Usually the people that have told me that I was a bad manager are the same people that I have been struggling with to get quality results from over a period of time. Usually they tell me I’m a bad manager when I’m explaining to them why that thing they did was a bad thing because it violated company policy or wasn’t good for the team.

During this long road to the great place I’m in today, I’ve worked with several people that were my boss. I’ve had a few really good ones, and many bad ones. I have worked with people so bad at management that they were fired. The good ones are mostly rewarded with promotions and even more money, but they are rarely treated as well as they deserve.

I think that managing technology professionals is hard. I know that a lot of people can say that about the people they manage, from payroll clerks, fast food workers, nurses, to civil servants. I think technology professionals are difficult to manage because of the complicated and difficult work they are expected to complete, but also because of the frequent changes to technology and the challenges that always brings. Even the artistic nature of what we are expected to accomplish can add some complexity.

Creating network diagrams, writing custom software, designing a database, or implementing complex system integrations: they all take a mind that can make the mental connections between technology points that are too complex for many people to understand. Yes, these people are usually well compensated for their work, but there is also a level of complexity to managing that team of wonderful minds to do their very best work every day.

Information Technology professionals are basically paid to think and be creative. Solving problems is something that you have to think about to do a really good job, and sometimes you have to be creative in selecting a solution to a problem so it resolves the issue, but is also inexpensive and dependable. You can’t schedule or force someone to be smart or creative, but you can create an environment where they feel allowed to do a great job.

Most everything else a manager does is planning, scheduling, and managing personnel issues. If a manager is doing a good job, the technical team is thinking of creative ways to solve problems. Your job as a manager is to identify, prioritize, and schedule the creative problem solving. A good manager is able to visualize how the team feels and be comfortable with how their decisions impact their people. If you are getting in the way of that process, you are a bad manager.

I’ve had a bad manager that thought of their job as a person that schedules meetings to talk about problems. I’ve once had a bad manager that avoided talking about personnel issues. They didn’t address issues with underperforming members of the team. They didn’t offer solutions on missing skills and wouldn’t approve any training. They cut the budget for everything from licensing to software upgrades, forcing the team to use outdated software and inferior tools. The team was held back and forced to do less than they could, while departmental productivity slowed to a crawl and the entire company suffered.

I’m glad to say I now work for a great manager and I have a team that is allowed to be smart and creative.

Please let me know your thoughts on management in general. What have you seen that worked really well, and what didn’t work so well?

Will Your Job Be Eliminated?

For many years, as each new piece of technology or a new version of an existing technology is released, there always seems to be someone who thinks it spells the end of their job. This conversation normally happens when some truly remarkable piece of technology is introduced, but it is rarely as earth-shattering as one believes.

As a developer or Database Administrator, there has been a long list of changes that were supposed to reduce the overhead of technical requirements. As the new version of Visual Studio is released, allowing for faster and easier development, people will start talking about the reduced need for the number of developers at any one company. As the database systems get more robust or as features make managing databases easier, people start talking about the potential reduction in the number of Database Administrators or database developers.

In reality, maybe even more people are needed and it is easier and cheaper. Careers evolve, technology changes, and you become more valuable. If you stay flexible and use more than one technology, your job is rarely at risk of elimination. The guy that only knows how to work a hammer rarely gets a job. You have to know how to use many tools to be valuable to a company.

If you are in a position to use only one tool or technology, you are at greater risk of job elimination. If you only know how to use C# with Visual Studio 2013 to create Windows XP applications that use an Access database, then you have put yourself in a position that makes it harder to find work. If you can program in any version of C#, using any version of Visual Studio, and you can use three different databases depending on the requirements, then you have a much easier time finding a job.

You are employed at your company because you bring additional value to the organization for a low price. When you cost more to employ than the value you bring each day, your position is a target for elimination. Always be valuable, do great work, and you will find your employment is secure.

10 Obsolete Technology Skills

Everyone wants to maintain relevant technical skills, and there are numerous sources to find what skills are hot today. If you want to know what skills are not-so-hot today, you might find that a little harder to determine. Some of these skills can be difficult to utilize in today’s job market, and can even cause your resume to get dropped in the rejected pile. Want to know what core competencies raise red flags instead of interview call backs?

A survey of 1,100 technology hiring professionals by Dice offers some insight on the skills that are diminishing in importance. Here are some of the outdated tech skills to be wary of putting on your resume:

  1. Windows XP – Really, in this day you are touting your Windows XP skills? What about Vista, Windows 7, Windows 8, Windows 8.1, or even the soon-to-be-released Windows 10? Where have you been and why haven’t you updated your skills?
  2. Adobe Flash Developer – The writing has been on the wall for Flash since 2010, and market share for Flash development has been dropping like a rock.
  3. Software Support – Fewer applications run on the desktop, and with more web-based software there are fewer jobs for someone that helps people correctly install software and resolve support issues. There is also the issue of off-shore support that makes it difficult to compete with overseas workers.
  4. Quality Assurance Support – With the iterative nature of software development today, fewer companies perform detailed QA in house, and the reliance on in-house QA is even lower since so many customers are willing to perform their own testing in an open beta format popular with modern applications.
  5. Mainframes – Dying
  6. COBOL – Dead
  7. POTS Telephone – Plain Old Telephone Systems (POTS) are dying a slow death. Voice over IP (VOIP) is the wave of the future.
  8. PC Support – Dying as laptops, tablets, and cellphones take over the compute space once occupied by desktop computers.
  9. Office Expert – More and more people know how to use Microsoft Office, so shipping a PowerPoint presentation to the IT guy for Thursday’s board meeting is almost a thing of the past. There is also the issue of other solutions to Microsoft Office that make you less valuable.
  10. Computer Operator – If your job is to monitor computer systems, making sure automated tasks have run and reports have been saved, your job is probably scheduled to be eliminated as you read this post. There are so many out-sourced and automated solutions to that daily grind that the writing is on the wall. Update your skills today.

The idea is to learn the skills required to be valuable to a company, and you will be paid what your abilities bring to a company. If you don’t have the skills to use the tools required to perform the assigned tasks, your value is almost nil in today’s technology-driven corporate culture. The important thing to remember is to keep learning, know what you do well, and keep fresh. Don’t rely on old tools to keep you valuable in an ever-changing technology market.

Kingston Reveals 1 TB Thumb Drive

Technology is constantly changing; sometimes the incremental changes happen so often that we don’t reflect on where we once were compared to where we are today. We’re all so used to thumb drives by now that we hardly even notice the recent capacity changes. At the recent CES show, Kingston revealed its DataTraveler HyperX Predator 3.0 unit with one terabyte of capacity.

You read that correctly: a tiny 2.8-inch by 1-inch thumb drive runs at USB 3.0 speeds and comes in 512 GB and 1 TB sizes. The price is as yet unofficial, though you can probably expect it to be astronomical (about $900) until volume and competition force a reduction in wholesale pricing.

Maybe it is important to pause and consider the changes in technology from time to time.

Passwords You Shouldn’t Be Using – 2015

The recent breach of major providers’ user account data shows people are still using simple or common passwords that you shouldn’t be using. The list of common passwords grows with every system breach, but here are common passwords that you should not be using. The top 10 most common passwords are:

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 123456789
  7. 1234
  8. baseball
  9. dragon
  10. football

It doesn’t matter how complex your password looks; if it is on this list, it will take seconds for a hacker to compromise your account. You can get additional information here.
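On the defensive side, a service can screen new passwords against this list when a user sets one, including lightly disguised variants that only look complex. The following is an added example, not part of the original post; the substitution table, the suffix-stripping rule and the function name are assumptions made for illustration.

```python
import string
import unicodedata
from typing import Optional

# The ten passwords listed in the post above.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
})

# Constructed substitution table (assumption): maps look-alike characters
# back to letters, e.g. 0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s.
LEET = str.maketrans("0134578@$", "oleastbas")


def match_common_password(candidate: str) -> Optional[str]:
    """Return the listed password that `candidate` reduces to, or None."""
    # Fold Unicode look-alikes (e.g. full-width letters) and letter case.
    base = unicodedata.normalize("NFKC", candidate).casefold()
    # Users often "strengthen" a weak password by appending symbols or digits.
    no_punct = base.rstrip(string.punctuation)
    no_suffix = base.rstrip(string.digits + string.punctuation)
    forms = [base, no_punct, no_suffix]
    # Also try each form with look-alike characters mapped back to letters.
    forms += [form.translate(LEET) for form in forms]
    for form in forms:
        if form in COMMON_PASSWORDS:
            return form
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Dr4g0n!", "Password123!", "baseba11", "12345!",
                   "correct horse battery staple"]:
        hit = match_common_password(sample)
        verdict = f"rejected (reduces to {hit!r})" if hit else "not on the list"
        print(f"{sample!r}: {verdict}")
```

A production check would load a much larger list of breached passwords than these ten entries; passing this screen does not by itself make a password strong.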

 

 
