Rap News 15
- At October 31, 2012
- By Josh More
- In Psychology
- 0
In case there is anyone reading me that doesn’t also read Bruce, watch this video:
Hoaxicane Sandy
- At October 30, 2012
- By Josh More
- In Business Security, Psychology
- 5
It’s that time again.
Whenever a major media event happens (like hurricane Sandy), we are inundated with news. Sometimes that news is useful, but often it merely exists to create FUD… Fear, Uncertainty and Doubt. While I have not personally seen any malware campaigns capitalizing on the event yet, it is inevitable. The pattern is generally as follows:
- Event hits the news as media outlets try to one-up one another to get the word out.
- People spread the warnings, making them just a little bit worse each time they are copied.
- Other people create hoaxes to ride the wave of popularity.
- Still other people create custom hoaxes to exploit the disaster financially.
A few minutes ago, at least in my little corner of the Internet, we hit stage 3 where this image was posted:
(From here.)
Now, as someone who plays with photography, I was a bit suspicious, but as a security person, I can actually prove some things here.
The first tool I want to discuss is FotoForensics. Check out their analysis.
See how the Statue of Liberty and the land on which she stands are much brighter than the background? That indicates that one image has been pasted on top of the other, so we know it’s fake.
Sometimes, though, this trick doesn’t work. If someone is making a good hoax, they can change the error levels to prevent easy detection. That’s where our next tool comes in. TinEye is awesome.
Look what happens when I do a reverse image search on the suspicious file: here. (TinEye results expire after 72 hours, so if you’re slow to read this, just paste the URL of the photo into their search box.)
TinEye, by default, is going to try to find the best match. But that’s not what we want. We want the original. Luckily, when people make hoaxes, they usually shrink the image to make it harder to find the signatures of a hoax. So we just click to sort by size and there we have what is likely the original:
ETA: Original can be found in this set by Mike Hollingshead.
Then it lists a bunch of sites that have stolen this image to use without credit. (That’s a different post.) You can then click on the “Compare” link for the likely original and see what they did. By flipping between the versions, you can see that they added the statue of liberty, the water and the boat, shrunk the image and made it darker… ’cause darker is scarier, apparently.
The important thing to realize here is that the attacker is trying to manipulate you. By spreading fear, they are making you more susceptible to future attacks. By taking advantage of your uncertainty and doubt, they put you in a position where you will do unwise things to gain an element of certainty in your life. Does this matter that much in an image hoax? Probably not. When you start getting emails exhorting you to “click here” to help victims of the hurricane, though, it’ll matter a whole lot more.
Uncertainty and doubt can work against you, but they can also work for you. When the attacks come… likely in a few hours, approach them with suspicion. If you’re in the path of the storm, trust the names you recognize, like Google and The National Weather Service. If you’re not in the path of the storm and want to send aid, go with The Red Cross. If anyone else you don’t know asks for your money or your clicks, ask yourself what they have to gain.
Addressing the Sophos False Positive
- At September 19, 2012
- By Josh More
- In Uncategorized
- 0
Update: Sophos has released official guidance that is better than my post here. You may find it at the revised knowledgebase article.
Today, for the first time in all the years I’ve been using their product, Sophos released a bad update. This update, as has happened with other firms, quarantined files that should not have been. However, unlike other firms that have had this issue, Sophos’s built-in security seems to have gotten in the way of the cleanup. As a result, some in the community have been complaining about the responses. (See, as an example, the initial KB article.)
That said, while the response could certainly have been improved (wider ranged communication, better technical detail early on, better assurance that it was a false positive and instruction to be patient and avoid further damaging the system, etc), it only took a few hours to release a workable workaround. For various reasons, it appeared on Google Plus in a somewhat unpolished form.
Below are the instructions, slightly more polished and hopefully a bit easier to read. Odds are, by the time you see this, an “official” response from Sophos will be out.
RED NOTIFICATION – False Positive detections with Shh/Updater-B – UPDATE 15:11 PDT
The Sophos system has experienced a False Positive that is affecting our own binaries. In some instances, this can prevent both the SUM and SAU from being able to update. If this occurs, you will be unable to receive the fix that has been released.
If you are in this situation, there is a manual workaround.
SUM Unable To Update
If SUM is unable to update, it is likely because the updated files cannot be decoded. This happens because they are being falsely detected as Shh/Updater-B. To work around this issue and successfully download the fixed IDE file, follow these steps:
1a. (32 bit Windows): Delete agen-xuv.ide from C:\Program Files\Sophos\Sophos Anti-Virus
1b. (64 bit Windows): Delete agen-xuv.ide from C:\Program Files (x86)\Sophos\Sophos Anti-Virus
2. Restart the ‘Sophos Anti-Virus Service’
3. Update SUM via the Sophos Enterprise Console
Endpoints unable to update
If your endpoints are unable to update due to the issue, follow these steps:
1. Centrally disable On-Access scanning via the policy in the Sophos Enterprise Console (SEC)
2. Select ‘Groups’ in SEC and select ‘Update Now’
3. Once a group has updated, re-enable On-Access scanning via policy in SEC
Once Sophos has an official word (in the morning), I will update this post with a link.
How do you respond when a moose is on the loose?
What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?
What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?
What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?
If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.
However, this progression ignores a very powerful tool. As an example, here’s a video:
What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.
In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes people hide behind uncertainty and avoid doing the right thing.
The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.
But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on this turns up cases where following policy resulted in death, brain death and murder suspects being released.
So it would seem that this is a “damned if you do, damned if you don’t” situation, right?
It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact that it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.
Not everything can be avoided. Sometimes you just have to deal.
More on the moose is here.
This article was originally published on RJS Smart Security.
Employee security awareness: it’s not about “should” or “shouldn’t.”
- At July 25, 2012
- By Josh More
- In Business Security
- 0
If there’s one myth in the footwear industry that just won’t die, it’s that everyone should have a pair of shoes. You can see the reasoning behind it, of course. We’ve all heard about the kid that ran around barefoot, stepped on a nail and had to get incredibly painful tetanus shots.
But do accidents like this prove that shoes are a must or is just the opposite? If people everywhere can get foot injuries with or without shoes, doesn’t that suggest that shoes really aren’t all that important?
One of the best examples ever of the limitations of shoes is Abebe Bikila, who won the 1960 Summer Olympics marathon without any shoes at all.
Fundamentally, what society is saying when demanding that people wear shoes is “it’s not our fault” if people take risks – like not wearing shoes – and get injured. But this is false. An individual has no control over where they put their feet and they don’t have the ability to recognize hazards like broken glass, nails or poisonous vipers. After all, is the average person really a match for a vicious snake? Blaming poisonings on a lack of shoes is misguided – particularly given the stabby nature of snake fangs.
I’ll admit, it’s hard to find statistical evidence that supports this point of view. Not surprisingly, shoe manufacturers don’t share data on how protective their products truly are …
That’s probably enough of that nonsense.
In case you didn’t know, this post is in response to Dave Aitel’s recent article at CSO. While I am hardly one to defend the status quo, there are two logical fallacies at play here. The first is binary thinking … effectively saying “if a defense isn’t 100% effective, it’s not worth doing.” The second is the flaw of hand-picking anecdotes to support your premise.
This is regrettable because the bulleted advice on page two of Aitel’s article is good, if somewhat standard. It’s just that instead of following this advice rather than “wasting time on employee training,” it should be done in addition to employee training.
To drastically over-simplify, security involves identifying what you need to protect and then protecting it. In a global security market (which we’ve matured into), you have a second rule … identify what you want and attack until you get it. These two rules play against one another, with both the attackers and defenders constantly increasing their capabilities until a defender somewhere gets compromised or an attacker gets sloppy, caught and removed from the game.
Then, you repeat the cycle ad infinitum.
In a world that operates this way, the weakest entity is going to be the first out, on either side. And, since security is multidimensional, it will be the first entity with weak enough security along any dimension … technology, process or people. By removing your focus entirely from awareness training to focus on technology and process, you defend only part of your organization. By focusing strictly on network-based defenses, you open a massive hole for non-network attacks.
As soon as it becomes easiest for an attacker to bribe an internal employee to sell them data, they will. As soon as it becomes easiest for them to bluff their way through a job interview to steal data, they will. As soon as it becomes easiest to put on a uniform to steal equipment, they will.
The attacker’s game is “whatever works,” and if we only focus on what is easiest for us to do, we open up doors for attacks.
So … stop spending money on awareness if you want … but only do so if you have taken a good view of your entire organization and have identified areas where those resources are better spent. Be aware, though, that just as we lack solid statistics on how bad awareness is as a defensive layer, we also lack solid statistics on how good it is. For every story I can tell on how I’ve found a person not doing what they should in an organization, I have one that talks about how good they are.
If you need contrarian advice, avoid those that are expressed as binaries. Consider the following:
- Does password rotation cause more trouble than it’s worth? If users are selecting bad passwords because they have to change them often, maybe it’s time to stop doing that.
- If you have security alerts that are being ignored by your people, your systems probably aren’t being maintained properly. As soon as you stop maintaining your systems, they shift from being assets to liabilities. Think about fixing them… or getting rid of them.
- Are your people overly constrained? If you have customer service employees following scripts, you’ve basically turned them into technology. Turns out that we have technology in the first place because people are bad at that sort of thing. Ponder that.
- Is a data breach all that bad? In some industries, sure … but if it were universal, it seems as though there’d be a lot more companies going out of business. Think about what a breach would really mean and how you’d handle it. Odds are, you’re far weaker in response capabilities than you are on defense. Instead of shifting defense dollars from people to technology, maybe you need to invest somewhere else entirely.
Basically, the core lesson here is “think before you spend.” Don’t blindly follow the advice of anyone (including me). Assess your environment, consider your goals and the events that could prevent you from achieving them. Then, and only then, look at how you choose to use your resources.
(This post was originally published at RJS Smart Security.)
LinkedIn Password Leak – Whose Interests Are Being Served?
- At June 07, 2012
- By Josh More
- In Business Security
- 0
As I’m sure most of you have heard, there is a LinkedIn password breach going on. As breaches continue to happen, they seem to move faster and faster. Within 24 hours of the breach occurring, 60% of over six million passwords were cracked. Since people are also reading blogs more quickly these days, I’ll leap straight into what you need to do. Then, if you’re still interested, keep reading for a bit of analysis.
- Change your LinkedIn password to something random, long and complex… at least 20 characters.
- Do not use this password anywhere else.
- If you don’t remember these sorts of passwords easily, use a tool like KeePass, LastPass or 1Password.
- If you are responsible for the security of others, get them to change their passwords too.
That’s it.
Now, let’s look at what happened. First of all, a set of six million hashed passwords appeared within the attacker community and help was asked for in cracking them. The passwords are referred to as unsalted SHA1. This means that, while the passwords were hashed with a reasonable algorithm, they were not salted: the same password always produces the same hash, so one guess can be checked against every account at once. That makes them much easier to crack and explains the speed with which they were found out.
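To make the salting point concrete, here is an added Python example (mine, not LinkedIn’s code and not part of the original post). It stores the same constructed user list two ways, as bare SHA1 and as salted, iterated PBKDF2, then runs a defender’s wordlist audit against each store and counts the hash computations needed. The user names, passwords and wordlist are constructed sample data, and `DEMO_ITERATIONS` is deliberately tiny so it runs instantly; a real deployment uses a far higher work factor.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from any real breach): a few user records,
# two of which share the same weak password.
CONSTRUCTED_USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "correct horse battery staple",
}

# Constructed stand-in for a cracking dictionary.
CONSTRUCTED_WORDLIST = ["123456", "password1", "linkedin", "qwerty"]

# Low iteration count so the example runs instantly; real deployments use far more.
DEMO_ITERATIONS = 1_000


def unsalted_sha1(password):
    """The scheme the post criticises: one SHA1 over the bare password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None, iterations=DEMO_ITERATIONS):
    """Salted, iterated hash: a fresh random salt per user plus a work factor."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def store_unsalted(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users):
    return {user: pbkdf2_record(pw) for user, pw in users.items()}


def duplicate_hash_groups(unsalted_store):
    """Without salt, equal passwords give equal hashes, so shared passwords are
    visible to anyone holding the dump before a single hash is cracked."""
    groups = {}
    for user, digest in unsalted_store.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


def audit_unsalted(unsalted_store, wordlist):
    """Defender-side audit of an unsalted store: each word is hashed once and
    the result is looked up against every user, so the cost is len(wordlist)."""
    table = {unsalted_sha1(word): word for word in wordlist}
    hash_ops = len(wordlist)
    weak = {user: table[d] for user, d in unsalted_store.items() if d in table}
    return weak, hash_ops


def audit_salted(salted_store, wordlist):
    """Same audit against a salted store: nothing can be shared between users,
    so every word is recomputed for every user (len(wordlist) * len(users)),
    and each computation costs `iterations` rounds instead of one SHA1."""
    weak = {}
    hash_ops = 0
    for user, record in salted_store.items():
        for word in wordlist:
            hash_ops += 1
            if verify_pbkdf2(word, record):
                weak[user] = word
    return weak, hash_ops


if __name__ == "__main__":
    plain = store_unsalted(CONSTRUCTED_USERS)
    salted = store_salted(CONSTRUCTED_USERS)
    print("shared passwords visible in unsalted dump:", duplicate_hash_groups(plain))
    print("unsalted audit (weak users, hash ops):", audit_unsalted(plain, CONSTRUCTED_WORDLIST))
    print("salted audit   (weak users, hash ops):", audit_salted(salted, CONSTRUCTED_WORDLIST))
```

With bare SHA1 the duplicate hashes reveal which users share a password before anything is cracked, and checking the whole wordlist costs one hash per word no matter how many users are in the dump. With a per-user salt the same audit costs one iterated derivation per word per user, which is the asymmetry the post is pointing at when it explains why six million unsalted hashes fell so quickly.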
The passwords were posted without email addresses. However, it is not reasonable to assume that malicious attackers would ask for help cracking passwords that they couldn’t use, so it is very likely that they have this information. They may well also have a pile of passwords that were NOT posted because they had already cracked those passwords. So, understanding these facets of the attacker community, let’s look at LinkedIn’s response.
- Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
- These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
- These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
On the face of it, this is reasonable. After all, if LinkedIn sent you an email with a password reset link, it’d look a whole lot similar to a fraudulent email with a password stealing link. So, props to LinkedIn for thinking this through.
However, there is still the matter of trust.
See, the key to this whole response is “Members that have accounts associated with the compromised passwords”. This concerns me as it implies that LinkedIn pulled hashed passwords from their database and compared them to the PUBLIC breach data. This will necessarily miss any accounts that the attackers have not released. These could be accounts with simple passwords or particularly sensitive accounts. Suppose they filtered out all accounts that started with “ceo@” or “president@”. Intelligent criminals would want to keep those sorts of accounts to themselves, even if they took a while longer to crack.
One of the core rules of dealing with a data breach is that if you don’t know how it happened and can’t prove that it only affected a limited number of accounts, you must assume that all of them are compromised. In this case, a better security response would be to put information about the breach on the front page. At this time, there’s nothing there. Once I log in, though, there is a tiny link under “LinkedIn Today” that references an article on CNN about the breach. Basically, there is nothing prominent or official other than their blog… which you must be following to notice.
The response that I would like to see would involve the following pieces:
- Information as to what happened and what LinkedIn is doing to prevent a recurrence.
- Information about how to select a good password and change it on the system.
- This information sent out via email, posted on the blog and highlighted after logging in to the system.
Instead, the best we get is this advice, which is inadequate. Let’s pick this apart. The original is in italics. My commentary will be in bold.
Changing Your Password:
- Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
- I agree with this.
- You can change your password from the LinkedIn Settings page.
- If your account has been compromised, you should be locked out and unable to access the Settings page. They should direct people to the next bullet instead.
- If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
- This is good, as it requires any password reset to involve an out-of-band mechanism like access to your email account.
- In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.
- Bad bad bad! Needing to change passwords frequently implies poor security on the part of the administrators. If they are monitoring their systems and capable of knowing when an event occurs, they will tell you when to change your password. People that are forced to frequently change passwords tend to select weaker passwords and use them on more sites. This means that if ANY site is breached, ALL accounts are placed at risk. This is probably the worst advice they give.
Creating a Strong Password:
- Variety – Don’t use the same password on all the sites you visit.
- Good. Also, don’t use the same base. For example, if you pick “password123” as a base, and your LinkedIn password was “password123LI”, it’s not a big stretch to “password123FB” for Facebook or “password123WF” for Wells Fargo.
- Don’t use a word from the dictionary.
- I think we put too much emphasis on this. The fact is that the dictionaries we use in the security world are very different from your average Merriam-Webster’s or OED.
- Length – Select strong passwords that can’t easily be guessed with 10 or more characters.
- I think that 10 is too short. I say 20 above. Most of mine are over 30. The longer the password, the more time you have to deal with resets in the event of a breach.
- Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
- Passphrases are good… completely random strings are better. I like to use passphrases to access my password wallets, and the wallets to store the real passwords.
- Complexity – Randomly add capital letters, punctuation or symbols.
- I agree with the general intent here, but humans are bad at randomness. Let a computer generate your passwords and you’ll be a lot better off.
- Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
- Bad advice. Most attacker dictionaries include these substitutions so it only makes things more difficult for you.
- Never give your password to others or write it down.
- Well, never give your password to others anyway. If you can’t remember a good password, write it down. Just store the paper in a secure place… like a safe. Better yet, store it in a password wallet system that keeps the datafile in a digital “safe”, properly encrypted and away from prying eyes.
A few other account security and privacy best practices to keep in mind are:
- Sign out of your account after you use a publicly shared computer.
- You know what would be better? “Don’t sign into your account from a public computer.”
- Manage your account information and privacy settings from the Profile and Account sections of your Settings page.
- If you understand the privacy settings in each social media system you use, give yourself a gold star. Might be better if sites like LinkedIn had secure defaults and users could choose to weaken them.
- Keep your antivirus software up to date.
- Yes, because of all the LinkedIn viruses we see running amok. This is like a car company issuing a brake recall with the advice “remember to only drive on roads”. The truth is that anti-malware systems are needed because our operating system and application vendors have failed in their jobs. It’s not LinkedIn’s fault, but the advice doesn’t really belong here either.
- Don’t put your email address, address or phone number in your profile’s Summary.
- Really? I mean, REALLY? Isn’t the whole point of LinkedIn to share your contact information with others? Hmm… perhaps LinkedIn’s stock does better if people only contact one another through LinkedIn’s “mail” system. Then again, perhaps more people would use that system if it worked more reliably. Perhaps I’m editorializing a bit more than I should be. ;)
- Only connect to people you know and trust.
- This is interesting advice, given that many people use LinkedIn to meet new people and get new opportunities. LinkedIn offers very little to people that would actually follow this rule, as if you already know and trust someone, you already have their contact information. LinkedIn never really took off as a content platform like MySpace, Facebook or even Google+. Everyone knows that no one is going to follow this advice. Besides, the greater risk here is leaking your personal information to someone you “know and trust” whose account has been compromised. This is a case for a security tradeoff and careful consideration of what you share. A blind prohibition is not useful.
- Report any privacy issues to Customer Service.
- Here’s a bit of advice. Only refer people to your customer service when you know it’s good. Just sayin’.
Basically, what we have here is a situation where LinkedIn has strong incentives to downplay the issue. They look bad already, so the smaller and less significant the breach, the less immediate damage they face. They also very much do not want the world to seriously weigh the risks of sharing their personal information via the Internet. After all, the entire business model of social media is riskier than we’d like to think. The sooner everyone figures this out, the less money the owners make and the more people in the industry lose their jobs.
This is in direct conflict with what the users (or product) of LinkedIn need. We need to be able to trust the people we give our information to. We need to know that they are doing what they should, investing in good technology, people and processes and being forthright with us as to what is going on. We need a partner that communicates with us with our own needs in mind, not just their own.
When one person is best served with honesty and the person they are talking to is best served by lying, there are going to be problems. Consider this in the wake of any breach, whatever side you land on. The long term future of any relationship in conflict is less than rosy.
Flame On!
- At May 30, 2012
- By Josh More
- In Business Security
- 0
The security world exploded today with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded industry panic on this scale. Phrases like “most advanced malware”, “super-weapon” and “new era in cyberwar” are being thrown around like confetti. So, let’s take a bit of a reality check.
Calm Down
1) Are you in the Middle East?
If not, relax. The evidence suggests that the malware is focused on the Middle East… likely either Iran or Israel. While malware does spread quickly, highly targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would be too much of it.
2) Have you updated your systems in the last two years?
If so, relax. While the news is new, it looks like this malware was released in 2010. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.
3) Are you profoundly unlucky?
If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for two years… it has infected 382 systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are likely less than 0.0000076%. You are 22 times more likely to be struck by lightning than you are to get infected by Flame.
4) Are you a nation state?
If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.
Big Deal
So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.
First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes it all the way to the mainstream news. This is too bad, as both of these firms tend to do excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.
Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take a look at these responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.
Then you have a slew of mainstream media articles that reference “cybersecurity experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy… which seems to be a response to a reporter needing a quick quote to get into the news cycle.
Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin’?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.
What To Do
The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.
Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.
Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also if your users are running as local administrators, there’s not much you can do.
Modern malware does a lot of really neat things too, like infecting smart phones, hiding its tracks and punitively wiping systems if you tamper with it. Heck, for all I know, it’s also responsible for using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions, you’re not patching your systems and you don’t understand your data, this isn’t going to matter.
Basically, you have to walk before you run… and before you walk, you have to understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.
1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.
If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m here to help. (Guess why I take the time to write posts.)
The Importance of Exercise (and rhinos)
- At May 23, 2012
- By Josh More
- In Business Security, Natural History
- 0
Exercise. With a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.
In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in preference to those that we are fairly certain would benefit us right now… even when the future gains would likely be much larger. So, even when we know that exercise would help us, we avoid it because there are other things that need doing.
Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us… so there is resistance to trying new things.
Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done… right?
Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is that of an animal escaping. Your job is to figure out how to deal with the event and get the animal back. How would you do it? Take a couple of minutes and think what you’d do. I’ll wait.
Now, watch this video.
Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your people were injured during the escape? What about people at the zoo? Did you think of children, of adults, of any disabled people and how they might escape? Did you think about the potential damage that an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility that the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?
Even a simple exercise can show you things that you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones would require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.
This will allow you to engage in a more accurate risk assessment, allocate resources and move to a more proactive stance. So, you could be prepared for any eventuality, from mountain lion to penguin.
Policies, Procedures and Politics
- At April 11, 2012
- By Josh More
- In Business Security
- 0
In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction of the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims upon claims, and discussion and action start to spiral out of control. Luckily, we have a document that we’ve created over the years to help keep things on track.
The Constitution of the United States, the Bill of Rights and the associated Amendments serve as a reference and a guideline for how to run the country. They break down as follows:
- Constitution of the United States, accepted in 1787 – 4,601 words
- Bill of Rights, adjustments to the constitution in 1791 – 731 words
- Amendments since 1791 – 2,615 words
This means that in the two hundred and twenty five years that the United States has existed as a country, over four hundred million people, their rights, responsibilities and very lives have been guided by under 8,000 words. In general, it’s worked pretty well.
I make this post with two reasons in mind.
1) If you are going to engage in political discourse within the US, please take the time to read the 8,000 words (and 7% of that is filler like headers and names). It’s only about 12 pages of text (24 double-spaced), and it will help you to uncover lies and arm you to educate the uninformed.
2) If we can run a country for over two centuries with a policy document that is 12 pages long… that most people don’t bother to read, how many do you think read your information security policy manual?
For those that don’t want to bother clicking the links above, below is the text of the US Constitution and all amendments. Please, read it over lunch. You, and the country, will be better off.
So you want a new job… adapted from a presentation.
- At April 07, 2012
- By Josh More
- In Uncategorized
- 0
Introduction
This post details the techniques that many people, including myself, have used to find the jobs that we love. However, it is not for everybody. This process requires time… time to think about who you are and what you want. This is a long game and if you’re going to win it, you have to be able to focus on the process.
This means that if you have a job that you can tolerate for a while and want a better one, this is for you. If, however, you are unemployed and out of savings, this is probably not the best path. If you’re in this situation, you are probably better off finding a job that is tolerable. Once you have that, this process should help you on your next search.
If you have just been laid off, this process might be right for you and it might not. This will only work if you can take the time to understand yourself. In Western culture, we tend to derive much of our identity from our occupation. (Just look at some of our last names.) Thus, if we lose our job, we also lose our position in society and our identity within our own minds. It would be best to deal with those issues first. If you have saved up enough resources to do the self analysis and then go through this process, go for it. However, if savings are slim, it would probably be better to get any job you can, get yourself stable and then start down this path.
Leaving
First of all, you must understand why you want to leave your current job. Common reasons include wanting to do more important work, to make more money, to gain more respect and to gain additional flexibility with regard to how, when and where you work. You may wish to move to a new city or find an organization with a culture that fits you better. You may also not be running to something, but running *from* something. If you are in a situation where legal, moral or abuse issues are driving you to seek another situation, what you need will be very different. Knowing this will help you evaluate new opportunities.
In addition to knowing what you want, it is important to know who you are. I have turned down several offers in the course of my career that would have been perfect for the person that I once was. I’ve turned down offers that involved more traveling than I want and offers that would require me to move to a city that I don’t want to live in. Knowing what is right for me has helped me know when to focus on improving what I have and when it’s time to move on. The following questions should help you determine what you really want to do with your life.
- What do you love?
- What do you hate?
- What would you do for free?
- Do any moral issues limit your options?
- What are your short-term goals?
- What are your long-term goals?
- What’s your primary goal in looking for something better?
- More money?
- More responsibility?
- Less responsibility?
- Different work environment?
- More flexibility?
Visibility
Next up is working on your visibility. This includes things like creating a personal website. Buy your own domain, it looks better that way. As you do work, try to be public about it. This means writing articles, releasing code (when you can) and being generally active on mailing lists. Tie this activity to your web site. The goal is to own the search engines. If you check out my personal site, you can see that I list some articles, some papers and some fun stuff. I also post my resumes, so they get caught up in the interest that my other posts drive. All of this improves Search Engine Optimization (SEO). You can also drive some of this traffic by posting links in social media, but remember that the goal of social media is to be social. You’re more likely to get a job from someone you know via social media than via a link you posted on social media.
The key here is to be as public-facing as you can. For most jobs/careers, being publicly visible is more of an advantage than it is a drawback. This post is very tech focused, as that’s where my personal experience is. However, the more visible you are in (almost) any industry, the more likely you are to be noticed by others. There’s going to be information out there about you anyway. The more of it that is created by you, the harder it is to find anything negative that someone else might put up about you. (It does, of course, help to minimize the amount of stupid stuff you do in the public eye.)
I have been lucky that much of what I do is in the public eye, but this has been a progression. Writing white papers, helping with marketing documents, working on open source projects and such all help get your name out there. If you do create public-facing documents for your current company, make sure that they are appropriate to be released. A document that is created for a prospect may need to be cleaned up before it’s ready to be shown to someone else. This also applies to items that you may wish to adapt from a forum/mailing list post and turn into an article or blog entry. As you work on this stuff, build a portfolio of items that you can show off in an interview. Then, before the interview, hire a freelance editor to review the portfolio and make sure that there are no stupid typos or grammar issues lurking therein. This can be pricey, but a few hundred dollars spent to fix your mistakes will likely be made up in your first paycheck at the new job.
Lastly, line up freelance work to do in the evenings and weekends. This raises funds to help with the job search (less debt makes it easier to take greater risks) and helps you learn more quickly. I mostly do freelance work in the publishing and education industries (editing, writing questions, etc), but there are many options out there.
Resume
So, about the resume… you should focus on two areas. First, each point should link to a story. These stories are what you’d tell in a job interview. They should be written to generate interest, whether the reader is browsing your site or sitting in front of you. Remember, the resume is primarily a tool to get people to talk to and about you. Secondly, the resume is a tool to get you past the HR filters. This means that you need to write it to match database queries. It has to list your skills and use all the terms that HR is going to use when they search it.
A few SEO tips (Google “SEO” for many many more):
- Put your name in bold at the top. You want a search for “obscure skill” to link to your name, not “Security Resume.pdf”.
- Similarly, name the file “<Your Name> – <Prime Skill>.<whatever>”. For example: “Josh More – Security.pdf”.
- Recruiters & HR people get lots of resumes. Make yours easy to find.
- Place any certifications you have at the top. This is what a lot of HR folks are going to search for.
- Don’t use an objective, use a profile. We’re used to them on social media sites, and they support SEO-happy keywords.
- Keep each bullet to one line. Keep your writing short and pithy.
- If you have more than five certifications, put them all on your online resume. You’ll need them to turn up in searches.
- Printed or emailed resumes need to be shorter and more targeted. Consider limiting certifications to just those that are directly applicable so you don’t come across as a distracted learner.
Squishy Skills
Once you get in front of someone, you have to be good at talking to them. This is social stuff and those of us in technology are usually pretty bad at it. Tough. If you know you’re bad at something and don’t fix it, you’re lazy and don’t deserve a better job. Fix your social skills by working on them. Books can help (see end of this post). After that, you need practice. Preferably, you need practice in two areas: one-to-one discussion and one-to-many.
For one-to-one, you’ve got to talk to people. Consider volunteering for events in your area. If you run a table with someone, you get to practice talking during the slow times. You can go to lunch or business after hours events. It’ll be uncomfortable at first, but after a few times, you’ll get a lot better at it. In my field, I’ve volunteered for events like Software Freedom Day, CCDC and for local nonprofits. Not only does this provide good practice, but it gives you the ability to get good references from people outside of your current job.
For one-to-many, you need presentation practice. I like BNI and Toastmasters. These groups get you out of your comfort zone, so you can improve much faster. You can also practice meeting and getting along with strangers at various groups. Look for a local Linux or programming user group. If you’re in the security field, look at Infragard, ISSA and your local CitySec group. Most of these groups are desperate for speakers and are very welcoming of people regardless of experience level.
Any time you build skills you run the risk of someone, like your boss, noticing. In my experience, this risk is significantly lower than most people think. Yes, you’re changing and growing as a person. However, it’s the people that like you that pay attention to you. If you were surrounded by people that liked you, you’d probably not be looking for a new job. The fear of “My boss will find out I’m looking and fire me” is almost entirely FUD (Fear, Uncertainty and Doubt) that is promoted by bad bosses because it keeps their people in line. Most people aren’t watching what you do in your off hours because it takes time and TV is more interesting.
If you’re really worried about this, you have to use squishy skills to play your boss. Find a way to make it their idea that you get involved. Saying things like “I was chatting with a friend about <Problem> and they recommended that I work up a presentation for the <Topic> user group, but I’m not sure. Would you mind if I talked about how you helped the team find the solution to this problem?” If you just do a little bit of ego stroking, you can usually get permission. Then, once you have permission, it’s easy to stretch it: “This other group wanted to hear my presentation too” and “The group asked me to write a blog post about it”. Then, when you’re regularly presenting and blogging, you can slowly stop asking for permission and shift towards informing your boss about what’s going on.
Targeting
Remember, you never use a resume to open a door. You use it to drive conversation. You get in through the window. No one is watching the windows. The rest of this post is on picking a window and getting through it.
First, you need to pick some companies/organizations to target. To do this, consider your industry experience. Even if you don’t have much experience outside of your industry, consider peripheral industry types. For example, if you work in a bank, you could look at other banks, credit unions, collection agencies and loan administration groups. If you want out of your industry entirely, look for industries with similar roles. This may mean that it will take you two steps to get your dream job… one lateral move to another industry and then a leap within that industry to where you really want to be (like a knight in chess).
When you’re pondering lateral moves, you should think not about what you want to do, but about what sorts of industries you can work in and how your current job would blend into that industry. For example, if you do system administration in the Finance sector, you may not be working with the same applications if you move to Health Care, but you would be using similar operating systems and doing similar operations tasks. If you’re doing programming work, you might not use the same libraries, but the languages would be similar.
Once you know your possible industries, pick your geographic area and make a list of all the companies in each target industry. Resources like your local metro area’s _Book of Lists_ and the annual newspaper’s list of “best places to work in <City>” can be helpful here. This will likely result in quite a lot of options, so you’ll need to narrow them down.
I like to first narrow by stability. Look at how long the organization has been in business and what you can determine of their customer base. Look at total number of customers and whether there is a single “megacustomer” that provides most of their revenue. In the latter case, the risk is higher because if that customer leaves, it’ll gut the company on the way out. Then look at the reputation. Talk to competitors, customers and search legal databases to see how often they’ve sued or been sued. You want to make sure that your dream job doesn’t vanish out from under you, so take your time here.
If the list is still too big, look at the technologies that you like. Identify the companies that make each technology and call the person that manages their partner program. Ask that person which other companies in your target area work with their technologies and, in their opinion, which would be the best to work for. It is surprisingly easy to get this information.
If you need to narrow it further, use the tools you have. Talk to friends about the companies on your list and see what you learn. Use tools like LinkedIn, Google, Bing, Google Groups, Mailing lists, RapLeaf and Maltego to build a “profile” of notes for each company. Then rank them and start with your favorite.
Getting In
Now for the fun part. Use LinkedIn, Maltego and eSearchy to build a list of the people who work for that organization and try to sort them by department. For the department you’re targeting, learn what you can about them (Google, Bing, Facebook, LinkedIn, etc) and see if you can map out their interests. See if you have a friend in common or a friend of a friend who can make an introduction. See if you have shared interests and if you can manage to bump into them at a user group. Don’t do anything illegal to get information, but if the information is out there you might as well use it. Think of this as shopping for a boss. Learn as much as you can about the person you want as a boss and about their bosses.
Now search the company’s web site, and search for its name across other websites. Look for areas of improvement in their products and services. Forums are excellent sources of information. So are press releases and newsletters. Take the time to figure out their primary competitors and figure out where they fit. Make a feature chart if you can and map out where they may be lacking when compared to the competition and where the industry as a whole is lacking. See if you can come up with ideas to fix things, open up new markets and make the company more “sticky” with respect to their customers.
Remember the squishy skills I said you’d need? This is where you use them. Get an introduction to your hopefully-new boss. Go with friend-of-friend if you can, but if you can’t, see if you can identify a former or current employee to introduce you. People like to be helpful, so let them. A cover letter may or may not help this process. If you are successful in getting a personal introduction, you don’t need a letter. However, if the best you can do is find out the name of the new boss and what they’re looking for, a cover letter is very important.
If you must write a cover letter, keep it simple. Leave your hopes and dreams out of it. Focus on how you’ll help your new boss. Talk about what you think their problems are and how you think you can help. Identify things you’ve done in the past to solve similar problems. Remember that the less you explain *how* you solved them, the more likely you are to be invited in to discuss that process. The goal of the cover letter is not to get a job or to completely explain yourself… it’s to get an appointment.
Once you get the appointment, be prepared to work very hard for a few weeks.
Personal Branding
Review your website to make sure that it conveys what you want to the person you’ll be talking to. If you’ve been maintaining it and pruning out comment spam and informality, this should be easy. Next, you’ll need a business card. You can generate your own and have it printed at a local print shop, but if you have a friend in the industry, see if they’ll help you out. Ideally, your business card will be awesome, but if you can’t make it awesome, make it memorable. Think of titles like “Hopeful Job Candidate” or “Revenue Booster”. Think of putting other information on the card like hobbies. This makes you seem more personable and creates additional connections in the target’s brain so they’ll remember you better. Do not use one of those free services. They usually put their name on the back of the card, which splits the brand and makes you look cheap.
Then, update and spell check your resume. Then contact your friends and create a page of references to have ready in case the company asks for them. If time allows, create some blog entries that are written with your target’s customers in mind. Fill enough of your blog/site so that only new content exists on the first page.
Now, pull out your portfolio. Get some folders from your local office supply store and build everything out. You’ll want to have any public handouts, flyers, pamphlets, whitepapers etc in one pocket. Put your list of skills, references (optionally) and resume over top of them, leaving the other pocket empty. If you get a folder with a spot for a business card, put that in the right spot.
Now you get to fill the other pocket.
Targeted Portfolio
Remember that competitive review you did? Make it look all pretty, put it in the target’s colours and print it out. It goes in the empty pocket. Remember the research you did on what the company can do to fix problems or add functionality? Write that up too, make it look pretty and put it in the empty pocket. Consider writing a strategy paper for a new business endeavor, filming yourself presenting and putting it on DVD or coming up with a list of potential clients. Put all of this in the empty pocket. Think of what could be combined with the existing product that could increase revenue through upsells or feature enhancements.
The goal is to have at least five items that show that you are a smart person who is willing to work hard and help out the company. This way, one half of your portfolio is about you… what you’ve done and who you are. The other half is about what you will do… if they hire you. The fact that if they don’t hire you, you might do the same for their competitor is one that you’re best off letting them realize themselves.
If time permits, search your network for someone at the same level as your hopeful new boss. See if they’ll meet with you, perhaps over lunch, and review the portfolio to give you feedback.
Private Portfolio
Finally, build a private portfolio. These are documents that you don’t want to leave behind and ones that you wish to reference during the meeting. Have a copy of your resume in there, as well as anything that is somewhat sensitive. The most sensitive would be the total compensation calculation.
When the discussion turns to money, it’s tempting to just ask for 10-15% more than you’re making now, but that’s risky. If you take a 10% raise, but give up vacation days or a cell phone stipend, you might wind up with a loss. Make a spreadsheet that lists your current salary, any education and certification maintenance costs, software and hardware costs, benefits like vacation and health insurance and financial considerations like 401K matches, stipends, commissions and bonuses. Figure out how much a vacation day is worth and add that in. Finally, if you’re moving to a new city, figure out what the cost of living adjustment is and adjust your final number by that percentage. This allows you to directly compare any offer they give you and counter with something made of real numbers.
Now you’re ready to climb in the window and your tools are ready.
Interview
Interviews are hard. We only tend to do a few of them in the course of our lives. Naturally, we’re going to be bad at the process so we have to practice. I like to practice with audio books. Listen in the car and, after each question, pause the CD and respond. You’ll look like an idiot talking to yourself in the car, but if you’re going to look like an idiot, it’s better to do it on your own than in the interview itself. Remember not to memorize the answers. You just need to be assured that you *have* the answers and practice flowing through them and not saying “um” and “uh” too much.
When it is time to go to the interview, pre-drive it the day before. This prevents getting lost from being a problem. Also, allocate lots of time. Arrive in the parking lot at least half an hour early, but don’t go inside until about 10 minutes before the interview. Once there, you will be asked to sit. Don’t, it’ll make your clothes wrinkly. Stand and read the company literature. Then have the rest of the day open. If things go well and they bring more people in for you to meet, you could spend all day. I have had seven, eight and nine hour interviews… that were originally scheduled for one hour. Basically, dedicate the day and be flexible. If they want to go to lunch, go to lunch (don’t order anything messy).
Then the interview(s) will start. When you’re in them, try to ask questions. The interviewer should talk at least as much as you do. Remember, if you did your research, you know more about them than they do about you, so drive the discussion to their passions. If they like programming, answer their questions in terms of programming. If they like their family, spend time talking about yours. Giving factual answers is only 10% of the interview process. The rest is building rapport. Build rapport over time and leave the interview with them more interested in you than when it started.
As you talk, take mental notes. Use the documents you created to illustrate your ideas, but if you guessed wrong, correct the documents in front of them. Then, when you come back for the second (or third…) interview, update the docs and give them the fixed versions. If you have to build a brand new document, do so. The goal is to show learning and improvement, the same way you would in the actual job.
At the end of the interview, try to either close the deal (get a job offer) or get an advance (discussion with a higher-level person or group). Get an appointment, thank them for the opportunity for further discussion, and leave. Don’t stay too long past the “next step” decision, it’s not likely to help and it could hurt. Leave things on a high note.
If you can’t get this, start over with the next company on your list.
If the interview was successful, you’ll have some TODO items. Email the interviewers back with answers to things you couldn’t answer at the time. Include links if appropriate. Send personalized hand-written thank you cards too… but spell check them first. This will give you a nice follow-up that they’ll receive just as they were starting to forget about you.
Loop through this process until you get and negotiate an offer.
Notice
Once you have the job, consider the notice process. For some jobs, giving two weeks’ notice is sufficient. For others, you need more so they can find a replacement and you can train them. If you are a billable resource, consider negotiating a corp-to-corp rate so your current company can pay your new company for your time in case something isn’t covered by the time you leave. This can be used as leverage to renegotiate any non-compete that might be in place. Yes, these are generally viewed as unenforceable in a court of law… but who wants to go to court?
When these preliminaries are done, write down the fact that you’re leaving, the status of any projects you have, the length of the notice and, if applicable, any corp-to-corp rates. Put this in the form of a business letter, set up an appointment with your boss, walk in and hand it to them. They may give you a counter-offer. In almost all cases, you don’t want it. If they threaten you, get a lawyer involved. Otherwise, serve your remaining time and then escape to your shiny new job.
Resources
This article is the result of years of reading, learning and thinking. The following books and people were instrumental in helping me understand this process and sharing it with you. Please consider them if you want more information:
Books
- Don’t Send A Resume by Jeffrey Fox laid out the bones for this process.
- Brag – The Art of Tooting Your Own Horn Without Blowing It by Peggy Klaus taught me how to talk about myself without sounding like an arrogant ass.
- The Science of Fear by Daniel Gardner discusses the reasons that people act the way we do and how fear is used to manipulate us.
- Google Hacking 1 & 2 by Johnny Long shows how to use Google (and other search engines) to uncover the information that you really care about.
- What The CEO Wants You To Know by Ram Charan explained the language that people use in business and why it matters.
- How To Win Friends And Influence People by Dale Carnegie teaches social skills to people that didn’t bother to pick them up the first time around.
- The Last Lecture by Randy Pausch helps with understanding what really matters in life.
- Selling The Invisible by Harry Beckwith explains marketing to non-marketers and why what’s obvious to us isn’t obvious to others.
- Spin Selling by Neil Rackham finally explained sales in a way that didn’t seem sleazy and full of tricks.
- Let’s Get Real Or Let’s Not Play by Mahan Khalsa is about the process of identifying when you’re at the point of diminishing returns and how to get out.
- The Sales Bible by Jeffrey Gitomer explains sales in ways that work, but does feel a bit sleazy at times.
- Getting Things Done by David Allen introduces a method of time management so you can do more in less time and stop playing catch-up all the time.
- Getting To Yes by Roger Fisher and William Ury is about negotiation in a way that matters and works, not just one upsmanship.
- Good to Great by Jim Collins discusses what businesses need to be successful.
- The Innovator’s Solution by Clayton Christensen and Michael Raynor explains why disruption is as powerful as it is and how to take advantage of that fact.
- The One Thing You Need to Know by Marcus Buckingham is actually about several things… but you need to know them anyway.
- Better by Atul Gawande is a book on improvement. It’s by a surgeon, but the lessons apply to other fields too.
- Orbiting The Giant Hairball by Gordon MacKenzie is about when corporate culture goes horribly wrong and how to deal with it.
- Last Chance To See by Douglas Adams talks about figuring out what matters and doing it, a humorous book about a serious subject.
- Visual Explanations by Edward Tufte helps with conveying your message in a way that is easily and immediately graspable.
- Made to Stick by Chip and Dan Heath helps with crafting your message in a way that is extremely memorable.
- Presentation Zen by Garr Reynolds gets beyond presentations that don’t suck and into presentations that are actually pretty great.
- Surely You’re Joking, Mr. Feynman by Richard Feynman is about life and learning and identifying what matters.
- Tesla by Margaret Cheney explains that brilliance alone isn’t enough.
- An Unquiet Mind by Kay Redfield Jamison talks about overcoming self limitation by identifying and accepting it.
- The Complete Greek Tragedies edited by David Grene and Richard Lattimore reminds us that no matter how bad things are, others have had it much worse.
- The Art of Living by Epictetus shows how life hasn’t changed much since ancient Roman times and suggests that we should stop re-inventing the wheel.
- Meditations by Marcus Aurelius is a business book… about running the Roman empire.
- Outliers by Malcolm Gladwell talks about why some of our problems aren’t our fault and how to deal with that.
People
- Mike Wagner has personally helped me understand pretty much everything I know about branding and public speaking.
- Mike Sansone has personally helped me leverage the Internet to help me get where I want to go.
- Mike Colwell has helped me understand business by building a community of knowledgeable people to leverage.
Tools
- Inkscape is a tool used to create powerful graphics at zero cost.
- LibreOffice is a word processing and spreadsheet tool that you can use at home for free.
- Maltego by Paterva helps you find information all over the Internet to gather data for analysis.
There are, of course, many others, but I consider these my core resources.