hit by “wannacry” (may be you deserve it) …

Guys

Again a ransomware outbreak on the news.

May I say I am not surprised at all?

And may I say that the media coverage has been ridiculous? Instead of presenting the event as something that should highlight the incompetent behaviour of the managers targeted by this issue, the media talk about a “cyberattack”, which is a completely different thing.

And yet people are asking: why? How come? How can this be possible? Again, really?

We know that cybersecurity is always a side thought for most management, no matter where. The proof, aside from the claims of CEOs, IT managers and, generally speaking, CxOs, is always there, in the data on how the malware spreads.

Today it is WannaCry (WannaCryptor, or whatever you want to call it); tomorrow it will be something else.

 

But for once let us try to be serious about this stuff…

First, dig a little into the specifics here:

https://securityintelligence.com/wannacry-ransomware-spreads-across-the-globe-makes-organizations-wanna-cry-about-microsoft-vulnerability/

Now let us ask ourselves a few questions.

Why Does Ransomware Strike?

Ransomware is becoming increasingly common. The spread is due to 3 main reasons:

  1. Ransomware is a damn easy piece of code to write, because it leverages the read, write and modify rights to access files, so it does not need any rocket science behind it to do damage.
  2. Cryptocurrency gave ransomware what it needed: the possibility to monetize the attack in a fairly secure way. Before Bitcoin and co. it was quite difficult to make money transfers without being caught…
  3. The security level of IT in the world is still at the caveman age, surrounded and filled by incompetence and a great deal of stupidity.

Let us be clear: the patch to close the vulnerability used by this latest piece of ransomware had been available since a few… but it is quite interesting to notice how, as of now, patching is still considered a minor activity in many IT infrastructures.

Who is responsible for this situation? Of course a blind and irresponsible higher management that does not even think for a moment (till it is too late) that nowadays we all depend on our digital infrastructure.

The infection starts with an email or an infected USB key… really?

How long will we avoid properly training our workforce to deal with email and attachments?

The infection leveraged a vulnerability in Windows that was already covered by a patch from Microsoft… really?

How long will we consider patching systems a useless activity or, at least, a minor one?

The sad truth is that sometimes it would be easy to protect against those outbreaks simply by implementing a minimally sound IT system, good backup policies, good patch management and … but we have been saying those things since the very beginning of time.

The whole point is that until we manage the security aspects of our digital infrastructure in a serious and comprehensive way, we will be exposed to this spread of junk again and again. And the more we rely on computers and digital infrastructure, the more we will become targets.

So when you ask yourself who is to blame for this or other outbreaks, who is behind this worldwide attack?

 

Blame our stupidity.

The next one could be worse.

 

 


hit by “wannacry” (may be you deserve it) … was originally published on The Puchi Herald Magazine

weak manager style

In a previous post (http://www.thepuchiherald.com/2016/03/04/management-style-common-error-to-avoid/) I tried to put some rationale on my thoughts about management, designing some of the characteristics a manager usually has (bad ones of course).

One of the biggest “Ahas!” that new and experienced managers (and the people who work for them) have experienced is the realization that being a strong manager doesn’t mean being forceful or domineering.

It’s just the opposite — strong managers are strong enough to lead through trust, whereas weak managers have to use the force of their job titles to make people listen to them.

Most of the management styles depicted (not all) were styles that need to lead through fear, since they do not use or require trust, or are not able to use it, as a management tool.

When we talk about fear-based management, it’s the weak managers we are referring to! You can spot a weak manager at a hundred paces or more, because weak managers are the ones who raise their voices, make threats and generally keep their teammates off-balance and worried about pleasing the manager when our customers need them to be happily focused on their work.

Strong managers lead through trust. They trust their teammates and their employees trust them. They don’t have to be right. They don’t care whether they are right or not, as long as the right answer emerges from the conversation. They don’t have to be bossy. They trust their employees to know what to do and to ask for help if they need it. But we know trust is a bi-directional thing.

Weak managers don’t trust themselves enough to lead that way! Moreover, they do not trust others, because they project their own state of mind onto other people’s behaviour.

Here are five sure signs that your manager is a weak manager pretending to be strong.

We can feel sorry for him (really?!?) or her but you don’t have time to waste in a workplace that dims your flame. If your manager is not a mentor and an advocate for you, you deserve to work for someone who is!

Can’t Ask for Help

When a weak manager isn’t sure what to do next, he or she won’t ask the team for help. Instead, the weak manager will make up a solution on the spot and say “Just do it — I’m the manager, and I told you what I want!” A weak manager cannot ask for input from people s/he supervises. If you try to reason with your weak manager, s/he’ll get angry.

Needs a Handy Scapegoat

When a weak manager notices that something has gone wrong, he or she has one goal in mind: to find somebody to blame! A strong manager will take responsibility for anything that doesn’t work out as planned, and say “Well, what can we learn from this?” A weak manager can’t take on that responsibility. He or she must pin the blame on somebody else — maybe you!

Can’t Say “I Don’t Know”

A strong manager can say “I don’t know what the answer is” many times a day if necessary, but a weak manager is afraid to say “I don’t know.” He or she will lie or start throwing figurative spaghetti at the wall to see what sticks.

Strong managers learn fast because they learn from successes and misfires, both. Weak managers are not as open to that kind of learning, because so much of their mental and emotional energy goes to deflecting blame when something goes awry.

Measures Everything

Strong managers focus on big goals. They follow the adage “The main thing is to keep the main thing, the main thing.” Weak managers get sidetracked with small, insignificant things. That’s why a weak manager will know that you worked until nine p.m. last night averting disaster, but still call you out for walking into work five minutes late the next morning.

Weak managers rely on measurement instead of judgment when they manage people. They have a yardstick for everything. They will say “I manage by the numbers” when in fact, they aren’t managing at all.

Can’t Say “I’m Sorry”

The last sign of a weak manager is that this kind of manager cannot bring him- or herself to say “I’m sorry” when a stronger leader would. They can’t be criticized and they can’t accept feedback, however compassionate. They can’t take it in, because their ego is too fragile to acknowledge any room for growth.

Life is long, but it’s still too short to waste time working for someone who can’t be human and down-to-earth at work. Work can be a fun and creative place, or a sweat shop where you count the minutes until quitting time.

One of the biggest determining factors in your satisfaction at work is the personality of the manager you work for. Don’t you deserve to be led by a person with the courage to lead with a human voice?

People say many things about management, but one thing they seldom say is that the job is easy. If it were, we wouldn’t have chronically dismal employee engagement rates hovering nationally around the 30 percent mark. Accordingly, here are five basic skills to focus on – attributes, actually – five areas where it’s easy to stumble, but where improvements can make the difference between failure and success and are a portrait of strong managers.

Patience

Who doesn’t need more patience in a managerial role? I know I did. There are about 600,000 things – from your own boss, to deadlines, to the grinding pressure “to do more with less,” to those nettlesome customers and employees! – that can stress you out. Besides, patience has a long tail. Employees appreciate being treated with patience when things go a little off track. They’ll often remember it and reward you with better effort.

Patience means you think and evaluate things, weigh them and make your decision based on solid facts and not in the heat of the moment.

Courage

Have the fortitude to hold your people accountable for the big stuff they need to get right. It’s easy to default to pesky micromanagement on trivial details, but what most matters as a manager is keeping the important work on track: the complex projects, the big-ticket budget items, the key strategic initiatives.

Numerous studies show managers have chronic problems with accountability. So focus your energy in the areas where it’s most needed – with the courage to hold people responsible for the results your organization requires.

There is another side to accountability: courage also means protecting your people when they need it. We know the corporate environment is anything but fair, so a manager must have the courage to raise a shield when his or her people are under attack.

Thoughtfulness

Have the thoughtfulness to take the modest amount of time required to praise your people when it’s deserved. Avoid the all-too-common trap of being parsimonious with praise. To what end? Well-placed praise is one of the simplest and best management investments you can make. It costs nothing and motivates effectively. Why don’t managers use it more? I never fully understood the reticence.

Praising people can range from a “good job” at the coffee machine to a fair setting of goals and evaluation. Not recognizing effort will make your people simply stop trying.

Fairness

Avoid the natural tendency to play favorites. Indeed, this is a perfectly natural human tendency. Some employees are just more likable, others more difficult. Good managers keep their personal emotions in check. Resist the understandable tendency toward favoritism. Fight it. Subdue it. Defeat it. You’ll be respected for it.

And try to encourage the same attitude in your group: if such problems arise, it is better to deal with them or, sooner or later, they will strike back harder.

Execution

Simply put, execution is everything. Business is no academic realm of abstract ideas. To the contrary. An excellent idea counts for nothing if not properly executed. As Ross Perot used to say, “The devil’s in the details.” Operations matter. Trains have to run on time. As a manager, you’ll be judged on execution. On results (hopefully). How effectively does your team get done what they need to? Were desired targets reached? Keep your eye always on the executional ball – it can make the difference between managerial success and failure.

Do not micromanage, but be ready to remove obstacles that can prevent your group from reaching their (and your) goals. Work with your group to solve issues; do not be part of the problem.

One thing I always liked about management was that it was a fundamentally practical exercise. Tangible and results-oriented. It’s by no means a simple job, but small improvements can yield big results.


weak manager style was originally published on The Puchi Herald Magazine

Are we using a double standard in IT security?


In recent years cybersecurity has risen to become a major concern in every sector of our lives, from government to business and even at the private and personal level. But I am wondering if there is a sort of double standard when we judge events related to cybersecurity.

Let’s look at some examples:

We have all read the concerns arising from the rumoured new rules that China will impose on companies selling IT equipment in some sensitive sectors, such as finance. Western experts have raised all sorts of questions, pointing out that this will damage western IT companies and claiming that it is a protectionist move. So let us think a little bit about this. The new Chinese rules are not clear right now; there are rumours that they will require vendors to release source code to the Chinese government and to build back-doors into the equipment.
The claimed reason is to protect key assets in China, because the government cannot trust vendors. The western answer is that this is pure speculation and a move to raise protectionist barriers against foreign IT competitors.
What is lacking in those analyses is that, if the rules turn out to be as the rumours claim, they will have a negative impact on Chinese companies too.

In order to be able to sell their equipment abroad, Chinese IT companies will have to, literally, duplicate their product lines: one for China and one for the rest of the world. Different code bases will be mandatory to be able to sell their equipment outside the country, and they will find a competitive landscape even more hostile than the one we have now, with dramatically rising costs.

At the same time it is interesting to note how in some western countries, take the USA as an example, being a Chinese company is enough to be banned from federal tenders just because the products “could” contain back-doors used by the Chinese government; companies like Huawei and ZTE are facing this sort of fate in the USA. No proof or facts have to be presented; suspicion is enough. The Rogers committee voiced fears that the two companies were enabling Chinese state surveillance, although it acknowledged that it had obtained no real evidence that the firms had implanted their routers and other systems with surveillance devices. Nonetheless, it cited the failure of those companies to coöperate and urged US firms to avoid purchasing their products: “Private-sector entities in the United States are strongly encouraged to consider the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services. US network providers and systems developers are strongly encouraged to seek other vendors for their projects. Based on available classified and unclassified information, Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”
I wonder why nobody raises the protectionist flag in this case; probably because the suspicions are credible?
So while on the mere suspicion of working for a government we are allowed to ban a company, in the face of solid facts such as

  • the NSA’s espionage activities (see the Edward Snowden revelations and Greenwald’s articles),
  • back-doors implanted by companies upon state request (think of the RSA BSAFE default crypto algorithm DUAL_EC_DRBG affair, or the old FBI Magic Lantern trojan not detected by Norton and other antivirus products),
  • back-doors implanted by the NSA by modifying the HW/SW of major IT vendors, intercepting the equipment before it reaches the customers (ANT programs), without the vendors’ agreement or knowledge; see also:

https://nex.sx/blog/2015-01-27-everything-we-know-of-nsa-and-five-eyes-malware.html

http://blog.thinkst.com/p/if-nsa-has-been-hacking-everything-how.html

 

we consider it normal and trust USA equipment.

Still wondering why the Chinese government does not trust western stuff for key areas?

Another interesting example of double standards when talking about cybersecurity is the well-known recent Sony Pictures hack. The media have expressed no doubt about the North Korean identity of the attackers, but few solid facts (actually none) have been presented to sustain it. On the other side, cybersecurity experts have tried to raise some doubts about this quick attribution. Sony has a long history of failed cybersecurity protections and successful hacks (I have written about this since the first PSN network problem), but at those times nobody was pointing so easily to a suspect. So why have the media identified the bad guys this time while cybersecurity experts still have concerns? Taia Global was probably the first company to raise public concerns about this too-quick attribution, followed by other serious sources, companies and researchers. If you read the news now, doubt about the North Korea attribution is widely accepted, but in public opinion the guilt is clear.

We could continue with other examples. It’s common to find statistics showing that the major source of cyber attacks is China, while forgetting to mention the rate of attacks that China faces, or to give a minimal explanation of why there could be so many sources available to be used. Maybe if you visit China you will find that mobile internet is so common that it is no surprise how easy it would be to install botnets here. Just walk down the street: you’ll see an incredible number of people walking and playing with their smartphones (4G connections are normal there) and then using the computer at home. And where there are home users and bandwidth, there you have botnets.

We should probably drop the double standard and start to consider cybersecurity as a complex worldwide problem that needs neutral metrics to be correctly evaluated; otherwise we will base our decisions on prejudice and not facts.


Are we using a double standard in IT security? was originally published on The Puchi Herald Magazine