Quickbase Blog 

Posted on by
Reply

From 2014-2016, I wrote occasional pieces on collaboration and spreadsheet-related topics. These have been removed from the site, but here are a few of my favorites.

Interview with IT Manager Paul Lanzi

Posted on by
Reply

Paul Lanzi is the COO and co-founder of Remediant, an IT security startup that has created a product to protect privileged accounts. Prior to this startup, he worked for many years as an IT manager in the biotech field, managing various engineering teams for Genetech and then Roche.

Back 11 years ago when he started at Genentech, the first security problem he helped tackle was dealing with managing multiple accounts. “Everyone had multiple accounts and multiple passwords, and we built our own home-grown system to consolidate these accounts, and make it easier for everyone to use a single username and password to get all of their work done. That actually improved security, since lessened the chance that someone would have to write down their multiple passwords somewhere — but it also made it easier to ensure that every employee had the right access to do their job.”

Of course, today we have both single sign-on products to federate identities, such as Okta and Ping Identity, and identity governance products such as Sailpoint and RSA Archer. But back then this was hard work.

Lanzi’s best security tool has been multi-factor authentication. “I turn it on wherever I can, it is truly one of the most under-appreciated tools around. While it isn’t perfect, this technology sits in that rare sweet spot between simplicity and security,” he said. In his present firm he uses a combination of Google Authenticator and Yubikey Nano devices for this purpose. “I am amazed at how much crypto they can cram into that Nano form factor,” he said, which is about the size of thumbnail (shown here).

A decade or so ago, Lanzi was involved in rolling out 110,000 iPads globally at Genentech/Roche. “At the time, it was the largest non-education deployment of iPads in the world, and we used the MobileIron’s MDM software to protect both our data at rest and in flight. Their MDM-based security capabilities gave us the ability to remotely wipe the fewer than 20 devices that were lost or misplaced each month. Its combined capabilities gave us assurance that when those devices were lost, the data on them was still secure. We could also enforce minimum OS version standards, to ensure that users were keeping them up to date with OS security updates.”

Genentech/Roche had a very unusual security staff, composed of folks from different departments. “We had separate teams for patching desktops, maintaining our network infrastructure, an IT Security policy writing group, an account provisioning engineering group for maintaining that piece, and an overall Security Architect as well. They contributed to an overall defense in depth because they were mutually supportive and worked together. That isn’t going to be possible in every enterprise, but we had terrific coverage across the various skills and potential threats areas. And given that we had personnel split across South San Francisco, Madrid and Basil, Switzerland, it was pretty impressive.”

How has security changed among his various employers over the years? “It really depends on the level of support at the executive level. At Genentech/Roche, we had executives who understood the risks and the investment needed to minimize the security risks. Other places were behind the curve and more focused on creating policies and lagged with their investment in security infrastructure. Part of the issue is that unlike in the retail or government sectors, biotech hasn’t had the big-news breaches to motivate organizations towards security improvements.”

Like what you are reading?

Subscribe to Inside Security!



How women were one of the first computers

Posted on by
4

Back in the 1940s and 1950s, computers were people, not machines. And one group of these human computers worked at a NASA research lab in southern Virginia. An upcoming movie, Hidden Figures, focuses on how three of these human computers helped with John Glenn’s historic first US orbital flight in 1962. As you probably know, Glenn died earlier this week at the ripe old age of 95.

I haven’t yet seen the movie — it will be out in a few weeks. But the underlying story is terrific. The three human computers turn out to be three black women mathematicians, including Katherine Johnson (shown above) who recently received the Congressional Freedom Medal.

One of the interesting historical notes was Glenn insisted that Johnson check the electronic computer’s calculations of his orbit, to make sure they were accurate. This was back when computers filled rooms and were slower than the CPUs that are found in the average smartphone nowadays.

Johnson continued to work at NASA until 1986 combining her math talent with electronic computer skills. Her calculations proved critical to the success of the Apollo Moon landing program and the start of the Space Shuttle program, according to this NASA writeup.

There are a lot more video interviews with both the actresses Octavia Spencer, Taraji Henson (who plays Johnson) and Janelle Monae (shown above) and the real people behind the story here at NextGov.

In addition to the movie, there is a book by Margot Lee Shetterly that just was published.Why did it take so long for this story to come out? Shetterly apparently learned about the achievements of these women computers from her father, who “casually mentioned it to her in an offhand comment,” according to Rudy Horne, a math professor at Morehouse College and a consultant to the movie production. Horne got involved because his college was used as a film location (the college campus is used to simulate the NASA Langley campus in southern Virginia where the story takes place), and the director wanted a real math professor to check his calculations. One of the wonderful coincidences is that the current NASA administrator and Horne himself are both African Americans.

Horne was brought on early in the production, before the script was finalized, to ensure that the math checked out. I called him and asked about his role. “In the beginning of the film, the young Johnson is shown solving a series of equations on a blackboard. They originally showed her solving a functional analysis problem, which is more of a college level math course. I suggested a set of quadratic equations, which would be more appropriate for a younger student.” Horne made several other suggestions for the sets and props to show other math formulas. When I asked him what his favorite math-themed movie was, he said, “Good Will Hunting got the math right and had very believable scenes that showed how math professors interact. I am glad that was a consultant to this movie, and it is great if it will inspire other students to study math and science.” As an undergrad math major, me too.

SecurityIntelligence blog: Avoiding Threat Management Rookie Mistakes

Posted on by
Reply

What do a Finnish HVAC company and a set of American car dealerships have in common? Both have been doing a poor job running their computer systems and, as a result, both experienced a series of four embarrassing threat management blunders.

In my latest post for IBM’s SecurityIntelligence blog, I describe these two incidents in more detail. They point out easily fixable threat management mistakes. As a result of weak security, several apartment buildings went without heat and millions of customers and employees of car dealerships had their data stolen. But both consequences are preventable, especially with the benefit of hindsight.

Regaining Trust: What to do AFTER a Security Breach

Posted on by
Reply

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularly. While it’s incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization’s digital security.

untitledWhen breaches do occur, the best plan to regain trust is use webpages with plain language that contain plenty of specifics and constructive suggestions for issue resolution. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

FIR B2B #61 podcast: The care and feeding of fake news

Posted on by
Reply

We  are awash in a sewer of fake news stories, and we only have ourselves to blame. It has become an epidemic, and a profitable one at that for these purveyors of click-bait that sound like the truth but are far from it. In this episode, Paul and David discuss why this has happened, who are the players who profit from these stories, and what the major web operators such as Google and Facebook can do about it.

Listen to the 12 minute podcast here:

DDoS for sale: what is a booter or a stressor and why you should care

Posted on by
Reply

DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount your attacks, especially if you are a lazy or inexperienced criminal. A blog post this past summer says, “potential hackers do not have to know the first thing about conducting a DDoS attack. They can simply purchase attack services to carry one out for them. Today, attackers are now abandoning GUI and script tools and opting to pay for attack services.” It is a big growth industry.

The high demand for DDoS services makes it a very profitable business and can generate thousands of dollars a week for these criminal operators.

Sadly, there are dozens if not hundreds of these booter or stresser services, as they are known. The latter name comes from the fact that they hide behind a legitimate service of testing out the resilience of your network connections and webservers. Yeah, you could say that. But they are really illegal. They have one big advantage, in that they automatically can obscure the identity of the attacker, since their websites proxy the attack origin. For the ultimate in configurability, they offer multiple attack vectors and protocols, such as DNS or NTP-based attacks. You can target particular websites via geolocation and automatically skip VPNs.

Some security researchers have found that rental fees for DDoS service providers can range from $15 to $40 a month to produce from 15 to 200 Gbps attacks, and they even come with 24×7 email support too. One hacker even posted a screencast video that rates one hacker’s top five stressor tools, giving you a matter-of-fact demo like they were showing you some Excel feature. It was quickly removed from YouTube.

Brian Krebs, whose server was the subject of one such attack, delves further into this strange world. Like any DDoS attack, the idea is that they can leverage a botnet army to clog up your website with requests, so that the regular folks can’t get any bandwidth and access your site.

Krebs’ research shows that the criminal providers make use of one shady domain registrar called namecentral.com. Ordinarily, as Krebs points out, most registrars have thousands or millions of domains, and certainly some are bad apples. But namecentral has been used to register just 38 domains – ever. Most of these are bad guys, such as the registrar for the vDOS operation that was at the center of the attack on Krebs. Krebs gets the 19 year-old owner of the service to exchange emails with him, and of course the owner plays the innocent.

What is interesting about namecentral is they are also in the business of selling DDoS protection services against the very DDoS attack providers that make use of the same registrar. “In other words, a classic protection racket,” as Krebs says in his post. Not only is this the case, but selling these mitigation services also preventst heir competition from taking their DDoS efforts offline with another DDoS attack on their own servers. Nice.

Certainly, DDoS attackers getting better at harnessing more and more bandwidth to bring down their targets. Sadly, these booter and stressor services are here to stay, and will only get more potent.

iBoss blog: The challenges and opportunities for managing the Internet of Things

Posted on by
Reply

The Internet of Things (IoT) has been in the news lately for facilitating numerous DDoS exploits across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that “users’ confidence that their data is secure and private is at an all-time low.”

You can read my latest post for iBoss’ blog here.

Everyone is now a software company (again)

Posted on by
3

Several years ago I wrote, “everyone is in the software business. All of the interesting business operations are happening inside your company’s software.” Since then, this trend has intensified. Today I want to share with you three companies that should come under the software label. And while you may not think of these three as software vendors, all three run themselves like a typical software company.

The three are Tesla, Express Scripts, and the Washington Post. It is just mere happenstance that they also make cars, manage prescription benefits and publish a newspaper. Software lies at the heart of each company, as much as a Google or a Microsoft.

In my blog post from 2014, I talked about how the cloud, big data, creating online storefronts and improving the online customer experience is driving more companies to act like software vendors. That is still true today. But now there are several other things to look for that make Tesla et al. into software vendors:

  • Continuous updates. One of the distinguishing features of the Tesla car line is that they update themselves while they are parked in your garage. Most car companies can’t update their fleet as easily, or even ever. You have to bring them in for servicing, to make any changes to how they operate. Tesla’s dashboard is mostly contained inside a beautiful and huge touch LED screen: the days of dedicated dials are so over. These continuous updates are also the case for The Washington Post website, so they can stay competitive and current. The Post posts more total articles than the NYTimes with double the reporting staff of the DC-based paper. That shows how seriously they take their digital mission too.
  • These companies are driven by web analytics and traffic and engagement metrics. Just like Google or some other SaaS-based vendor, The Washington Post post-Bezos is obsessed with stats. Which articles are being read more? Can they get quicker load times, especially on mobile devices? Will readers pay more for this better performance? The Post will try out different news pegs for each piece to see how it performs, just like a SaaS vendor does A/B testing of its pages.
  • Digital products are the drivers of innovation. “There are no sacred cows [here, we] push experimentation,” said one of the Post digital editors. “It is basically, how fast do you move? Innovation thrives in companies where design is respected.” The same is true for Express Scripts. “We have over 10 petabytes of useful data from which we can gain insights and for which we can develop solutions,” said their former CIO in an article from several years ago.
  • Scaling up the operations is key. Tesla is making a very small number of cars at present. They are designing their factories to scale up, to where they can move into a bigger market. Like a typical SaaS vendor, they want to build in scale from the beginning. They built their own ERP system that shortens the feedback loop from customers to engineers and manages their entire operations, so they can make quick changes when something isn’t working. You don’t think of car companies being so nimble. The same is true for Express Scripts. They are in the business of managing your prescriptions, and understanding how people get their meds has become more of a big data problem. They can quickly figure out if a patient is following their prescription and predict the potential pill waste if they aren’t. The company has developed a collection of products that tie in an online customer portal to their call center and mobile apps.

I am sure you can come up with other companies that make normal stuff like cars and newspapers that you can apply some of these metrics to. The lessons learned from the software industry are slowly seeping into other businesses, particularly those businesses that want to fail fast and more quickly as their markets and customers change.

The changing nature of IT security: Bryan Doerr, CEO at Observable Networks

Posted on by
Reply

Bryan Doerr has been involved with tech companies for decades, most recently leaving Savvis/Century Link as their CTO before agreeing help bootstrap Observable Networks. I asked him to reflect back on his career and where the infosec industry is headed in general. “There is a lot of security industry maturation still to come, a lot of wood left to chop,” he told me in a phone interview last week. “While there are still some pockets of maturity here and there, they usually are only found with the largest companies who can afford it.”

Looking back more than a decade, the biggest change has been being able to deliver security as a subscription service, he said. “First we had pre-built security appliances, but lately we have seen managed detection and response services,” such as what his company delivers. “And it isn’t just a change in how protection is delivered, but how the subscription service can be more affordable for mid-market customers.”

Another big change is how end user customers finally are getting some benefit from sharing threat intelligence. “No one wanted to talk about where or how they were attacked and share these specifics with anyone else,” he said. This intelligence sharing has made the subscription service vendors more potent and compelling and has boosted the ability to respond effectively to threats.

“Ten years ago security was built on a simple idea: that we know about our attackers and threats, and through some means we could prevent those bad guys from getting inside our networks. Back then, we had a limited number of threats, so we could more readily recognize and block them. That is so far from where we are today. The fundamental nature of what is a threat and how attacks use technology has changed completely. The idea of tracking attack signatures makes a lot less sense when every attack is unique.”

Doerr agrees that the days of the perimeter being the sole point of defense are also long over. As an example, he points out the recent IoT botnet attacks.

One benefit from the last decade has been the move towards increasing virtualization. “This absolutely was a positive influence, and helped us to better design and operate more secure systems and more complex infrastructure,” he said. Before virtualization, we had too many different fiefdoms dedicated to particular circumstances. Each one had different configurations and staffs who were maintaining them. All of that variation left us vulnerable.”

But with virtual machines, “a lot of automation has been brought to bear to keep a consistent environment running. That means we can provision VMs, kill them off, and recreate them easily. This makes it more efficient to scale up and down and we don’t have to spend our time patching systems.”

Another issue is the nature of modern network traffic. “Our networks are becoming increasingly encrypted, we can’t even see what is going on over the wire and view the payloads, and this adds another layer of difficulty. Right now less than half of all traffic is encrypted, but it won’t be long before it becomes 100%. We won’t be able to readily examine any of this traffic, which will make networks harder to defend and detect exploits.”

When he was at Savvis, one memorable experience was upgrading one of their data centers. Thanks to a routing bug the entire data center couldn’t come back online. “We tripped over it on a Saturday, and didn’t immediately understand what we were doing. It was easy to miss a single use case that caused the problem. That was a humbling experience and gave me an appreciation of the magnitude of the business that we had running. You don’t feel it until something terrible happens and you see how significant these outages are.” The situation drove home the point that he needed to stay in touch with his technology and understand that it is not just an abstraction, but also a very real entity.

I asked him who had the better job, the CTO or the CIO? He was firmly behind the CTO position. “CTOs will have jobs for forever, because they help organizations understand the evolution of technology and anticipate the direction of that evolution. The CIOs still have some soul searching to do.”

Like what you are reading?

Subscribe to Inside Security!