December 11, 2021

Don’t Wait for Scammers – Inoculate Your People First

At the time of writing we are heading into Christmas, we’ve just started the traffic light system, we are getting our vaccine passports, and there are new variants of Covid spreading. Spammers and scammers take advantage of events like these (and the confusion and anxiety that comes with them) to rip us off. So do something about it before the spam hits!

If you watch the security news like I do you’ll know that spammers and phishing gangs quickly adapt their messages and techniques to the latest events. Because their whole modus operandi is to take advantage of fear, people’s better impulses and the urgency of disasters, they quickly seize the opportunity when events occur that generate any of these moods in the public. They change what the message is about, they change the appeals (this one is fear, this one is our charitable impulses), but they don’t change fundamentally what they are after: money, identity information, credentials.

In the aftermath of the Christchurch massacre spammers sent emails pretending to be from charities requesting urgent funding. When the US government announced a programme of Covid-19 financial aid, spammers sent emails pretending to be from the government with links to apply for assistance: just provide all your identity details and you’d get your money… oops, no you wouldn’t! Every Christmas there are parcel collection scams.

Most organisations I’ve been part of see these messages (usually from diligent staff reporting them) and then issue reactive comms: “We’ve seen spammers sending emails about this: beware!”

But why do they wait? We all know that this will happen after a major event. So be proactive. Use our common sense. Warn our people before they get the first email, before the first person clicks on that link. When we get the message out before the bad guys do, we cut down the chance that someone will be fooled by the first email and we cut down the chance that our people or our organisation will suffer.

It is easier if you have some things in place that you can quickly turn to when one of these events occur. Here are some things that I do, and that you might find useful too:

  1. Have an action plan in place. Know what you will do when a major event happens.
  2. Have templated comms ready. Something that you can update for the specific circumstances. A blog post ready to go. An intranet news article, an all staff email. Coordinate this with any messaging or actions that your service desk or frontline staff will need.
  3. Know which channels you are going to use.
  4. Know who is going to send which messages.
  5. Tailor the advice to the specific event – don’t just send generic advice about spam and phishing.
  6. Remind staff of previous advice and training (what they’ve been told in awareness courses, other campaigns).
  7. Be aware that many of these campaigns will be aimed at staff from a personal perspective (they won’t just be looking to gain enterprise credentials, they may be trying to get personal credentials, or scam money off staff). While this isn’t our accountability, show some compassion, and maybe win some brownie points.

Do some of these things and you might just get ahead of the scammers – at least this time.

November 10, 2020

Relying on backups to protect you against ransomware? Think again

I’ve heard a few people in different organisations mention that they weren’t worried about ransomware because they could just restore from backup. If only it were that easy!

CERT NZ and the US Cybersecurity & Infrastructure Security Agency have recently warned about increases in cases of the RYUK ransomware (specifically affecting the healthcare industry). This got me wondering about how useful backups are as a protection against ransomware. In theory it should work, right? Ransomware works by encrypting your data on disk and then ransoming your data by offering to sell you the encryption keys so you can decrypt it and get it back. So if you can just restore the backup from before you got ransomed you should be fine. Well, if it was that easy why did Garmin pay USD 10 million to that ransomware crew? Why have so many other companies paid ransoms? And why do ransomware gangs appear to be so successful?

If you want to understand why, this DFIR write up of a RYUK attack has some great detail. It describes a real big game ransomware attack and what it involved. You can read the full report (if you are really interested), but here’s my brief summary. First they successfully gained initial entry via a phishing email that infected someone’s desktop with malware. Then they investigated the network, and got privileged access through a server vulnerability (called zerologon). They then moved through the network (a technique called “lateral movement”) to gain control of more important things. Once they had sufficient knowledge of the network, the attacker was ready to start encrypting the victim’s data, and the first thing they went after was their backups! That’s right, even before encrypting the important data in production, they encrypted the backed up data. There are two reasons for this:

  1. Backups are less visible. In general they are not monitored, and an attacker has longer before anyone notices that something untoward has happened.
  2. The first thing that the attacker has disabled is the organisation’s primary defence against this ransomware attack.

When you add to this the uncertainty that many organisations have about their restore procedures, backups don’t look like a sure bet for protecting you against ransomware. If you follow CERT NZ’s advice and have 3 backups, one offline, then you will have some protection, but I don’t know of many organisations that implement that rigorous a regime – it’s expensive and hard to maintain – good on you if you are!

Now this doesn’t mean that backups are a waste of time – they definitely are important. They offer some protection from a host of threats, and even from simple ransomware attacks, but they aren’t foolproof, and don’t offer good protection against sophisticated gangs.

So what else can you do to defend your organisation from ransomware? Well firstly, update your software, and specifically apply security patches immediately. If the organisation in the report had applied the available security patch from Microsoft this attack would not have succeeded. Most ransomware attacks take quite a bit longer than 5 hours from start to finish, so robust monitoring and alerting would usually help, and good control of privileged accounts is also key (as most of these attacks rely on moving from compromising a normal user account to compromising more powerful accounts such as system administrators – a technique we call privilege escalation). Putting in place these measures will usually help prevent or contain all except the most determined and skilful attackers.

September 13, 2020

What is Architecture Exactly?

In the past I’ve seen people present to me a list of technologies and tell me “Here’s the architecture of our solution.” But, in my opinion a solution architecture is no more a list of the technologies used than the architecture of a building is a list of the materials that it is made of.

Once I’ve expressed this opinion, I’m sometimes asked “So, what is an architecture?” Or, “What does an architecture look like?” Or, more pointedly “So, what do you think an architecture is?” My answer to this question has evolved over time (and continues to evolve). Here’s my current answer.

If I think about what we are trying to achieve with IT architecture it is a coherent, consistent and effective approach to the delivery of technology change. So, for me an architecture is the set of deliverables that help us achieve that.

When a building architect is explaining an architecture of a building they talk about the people who will use the building, and what they will use it for, the considerations (functional, structural and aesthetic) that determine or constrain the choice of materials, the arrangement of space. So, by analogy, an IT architecture needs to explicitly describe what the business is trying to achieve from its solution and then how the selected arrangement of technology capabilities (products etc.) delivers on that.

I find the IEC/IEEE standard on architecture (42010) quite helpful. It talks about an architecture including multiple views which describe the system from the viewpoints of different stakeholders – taking into account their different concerns. The view of a system from a user’s perspective is often very different from that of a senior manager, or someone tasked with supporting and maintaining that system. An architecture needs to take that into account and show how it is addressing these different concerns.

So, practically speaking, what do I think architecture documentation should include?

  • It should include a description of the components of a solution and how they interact or integrate together. It needs to specify what each component contributes to the solution in terms of functionality that the solution needs (or, put another way, which requirements the component delivers on).
  • In the case of a solution that uses cloud platforms, it should include a description of which services are used and what those services are used for – the role they play in the solution.
  • For me it is the choice, arrangement and integration of components – not the internals of the components.
  • It should include a description of who interacts with the system – and what they see and interact with.
  • It should describe the trade-offs made between the different stakeholder concerns – where we have compromised on the ease of maintaining the solution to improve the usability for example, or vice versa.
  • I also want to understand how this solution contributes to (or hinders) attempts to increase consistency and coherence of the business and the technology landscape (by analogy think about how the architecture of a building is consistent with the character and planning restrictions of a zone, a district plan, a neighbourhood).

This is of course different from the question (and problem) of what an architect does, and how we produce one of these. More on this later…

December 8, 2019

Becoming a Better PM – Time Management

As I discussed in my previous article, self management is a key competency of a good project manager, and time management is a significant part of self management. Time management is important for everyone. As I have taken up more senior roles, I’ve found that I’ve needed it more and more – when I was junior there was often someone else giving me direction, checking whether I had done something. When I started managing projects I realised that this was even more important. What I have found is that so many other people are dependent on the things that I do. If I don’t send that email to the vendor, they don’t start the work. If I don’t pass that message on, the staff don’t do the work, etc. This magnifies the negative effects of any poor time management on my part. Realising this, I put more effort into improving my time management – and learned a few lessons along the way. So here are a few techniques that work for me.

Spend a few minutes planning my day (and my week).

When discussing projects, we all recognise the truth of the old adage that to fail to plan is to plan to fail, but I hadn’t really understood how much this applies to my personal work as well. Following Dermot Crowley’s advice I try and take 10-15 minutes at the start of each day to plan out my day. Not in any great detail, but to plan out the key tasks I’m going to try and get done that day, prioritise them, and look at roughly when I’m going to get them done in the context of the meetings and other commitments I have that day.

That’s a pretty short horizon, so I also try and spend 20-30 minutes each Monday to plan out my week. I find that if I don’t plan, then it is easy to find myself just reacting to others – doing the things that I get asked when I get asked, and reacting to whoever is “shouting loudest”.

Write down my tasks when I get them

I don’t try and just remember my tasks, and I don’t wait and write them down later. That certainly doesn’t work for me, and I don’t believe I’ve met anyone that this works for.

In addition, I’ve learnt to write them down somewhere where they won’t get lost – a single, central task list. I used to have a book for all my meetings, which I used to write all my notes and tasks in. But you know what? I never went back and looked at that book – I used to rely on my memory, which never quite worked. Now I still use a book, but as soon as I’m back at my desk, I copy my tasks from my book into my central task list.

I find that I need two lists: today’s tasks, plus a longer full task list. Each day (during my daily planning session), I look at my complete task list and move the most urgent ones onto the day’s list. Then I look at my emails from yesterday and my calendar (so I can add any required prep onto my daily task list).

Equally with task management, I think about how this differs when I am managing a project – I need to include tasks to follow up with people to make sure they are doing their tasks.

Allocate my time

What I do is, during the sessions where I plan my day, I try to book out my time in my calendar for any important or time consuming tasks, e.g. writing a report. Also, for any recurring task that takes a regular amount of time (e.g. writing a project status report), I put that in my calendar as a recurring appointment. And I don’t just put it into my calendar, I try and put in a reasonable amount of time for the particular task, and I make sure that time is marked as busy, so that people won’t try and book meetings over it – those people who respect calendars anyway!

As a project manager, I find it useful to allocate time in my diary for recurring project management activities: writing project status reports, preparing for project meetings etc.

None of these things are earth shattering revelations, but taken together they have helped me improve my ability to manage my own time, and marrying them to specific project management concerns has been a great help. I also won’t take credit for any of these ideas. They have all come from others, notably from Dermot Crowley’s book Smart Work and advice from Lachlan Mollison – who has been a great help in my journey.

November 28, 2019

What makes a good project manager?

Have you ever asked yourself what makes a good project manager? I know I have. I’ve asked it with respect to good (and bad) project managers I’ve worked with, and I’ve asked it with respect to myself as I manage projects. In conversation with others I’ve batted around obvious talking points like “it’s a combination of the ‘hard’ technical side of project management, plus the softer side of influencing people”. But the best answer I’ve ever seen is in the guide to Project Management for Development Professionals (PMDPro). For me, reading this was a bit of an epiphany. According to PMDPro, project management consists of four competencies (I’m paraphrasing a bit):

  • Technical project management – how good are you at scheduling, managing budgets etc.?
  • Leadership/interpersonal – how good are you at influencing and communicating?
  • Personal/self-management – how good are you at personal time management, organising your own work?
  • Domain expertise – how well do you know the area that the project is working in?

I think that this is the best summary I’ve ever seen on the subject. It encapsulates the soft and hard sides of project management, and the balance between being good at managing projects in general and in managing these kinds of projects. This answered that question for me – a good project manager is someone who is good at these four things. And this fitted with my experience: those people who I thought of as good PMs demonstrated excellence in these four competencies. The big revelation for me was the inclusion of self-management. Since reading this I’ve put a lot of effort into improving that aspect of my work, and that for me is the test of a good model – is it useful? For me this certainly was.

October 27, 2015

A Presentation on ICT for Lawyers

This post is a summary of a presentation I gave to a group of lawyers on ICT fundamentals. It represents my own opinion, and not that of my employers or anyone else! I apologise for it being so wordy – but a lot of material was covered.

My presentation walked through some fundamental concepts in ICT, some major trends that are shaping ICT, and how ICT organisations are evolving. The aim is to give a plain English summary to allow ICT lawyers to have sensible conversations about ICT to support the work that they do with ICT professionals. In my view ICT may be hard to do, but it is not hard to understand. At the end of each topic I will include my own personal view.

November 5, 2013

NZ Government Announces Desktop as a Service

Exciting news (for me anyway)! Last Friday, November 1 2013, the New Zealand Government Chief Information Officer (Colin MacDonald, Chief Executive of the Department of Internal Affairs) announced that the New Zealand government had negotiated contracts for the supply of Desktop as a Service (DaaS).

October 23, 2013

What Is the Difference Between Privacy and Security?

When talking with people about privacy and information security I often come across a common misconception – that there is nothing more to privacy than security, or that the two are roughly the same. In particular this often comes up in discussions around the use of cloud services where people seem to think that if they address security issues with cloud services, then there is nothing more to do from a privacy perspective.

October 21, 2013

Big News in Virtual Desktops: VMware Acquires Desktone

The big news, from my point of view, from VMworld in Barcelona was the announcement that VMware has acquired the Desktop-as-a-Service (DaaS) vendor Desktone. VMware is probably the leading vendor for enterprise virtual desktop technology (i.e. virtual desktop infrastructure or VDI – with their Horizon product line) – though Citrix might dispute this. Desktone are the leading provider of DaaS technology for service providers – that is virtual desktops delivered from the cloud on an as-a-Service basis.

October 1, 2013

What Does Cloud Mean For Your Corporate Network?

If you are looking at a significant use of cloud computing, have you considered what this might mean for your network? Corporate networks are an often overlooked factor when thinking about cloud computing. The problem is that cloud computing increases the criticality of your network, because if your network isn’t available then your cloud services aren’t either.