May 21, 2013 By Dan Lohrmann
For some reason, there seems to be an abundance of career advice floating around social media web pages right now. I’m not sure why, but perhaps it is because college seniors are looking for their first “real professional” job. Or, perhaps the job market is heating up and more people are interviewing or looking for a new role. Or, maybe there are millions of people just looking for some practical advice or words of
Regardless of the reason, the google search “career advice” now yields over 436 million page results that are full of tips, tricks, dos and don’ts for getting ahead or making progress or having a vision for the future.
I’m sorry, but I just don’t get most of this “new” career advice coming out. Much of it is situational, and almost all of it fails to inspire or motivate me. Some of the more entertaining ones I’ve read recently include items like the list: Don’t Work Too Hard: 7 Secret Sins at Work.
While I can agree with “Don’t over decorate” and "cut back on multitasking." I disagree with most of the rest. For example: "Don’t be popular? Don’t bring in treats? Don’t talk to HR and don’t work too hard?" Are you kidding me? Is that the best we can do?
If you’re looking for more practical advice examples for the office, try one of the items on this online search list of over 2 billion results of things you should never do at work. Yes, the advice can get overwhelming.
There are certainly plenty of websites you can go to get advice as well, from how to find a job to how to get a promotion. Some of this is well thought out and other advice, not so much. The trouble is that many of the items contradict themselves or is difficult to follow - with many rabbit trails out there.
Advice I like
On the other side, I do like most of the career advice offered in the Forbes piece from last year. For example:
- “Before you put somebody in their place, put yourself in their place….”
- “‘If you want something you have never had, you must be willing to do something you have never done.’ I do not have an author to credit this saying to but the person who wrote this has influenced my life in many wonderful ways….”
I also found this “contrarian” advice for professionals to be helpful:
“… Instead of making a plan around specific positions or salary, think about other ways of defining professional growth. Maybe your career plan is to increase the span of your impact, from local to regional to national. Maybe your work changes from tactical to strategic. These kinds of career goals give you a lot more wiggle room for determining how you reach success….”
My Career Advice
I’ve given plenty of career advice to technology and security professionals through the years. Some of those articles include a series of blogs and articles on: Why security pros fail (and what to do about it). I’ve been told by both technical and non-technical professionals that these items seem to pertain to them as well.
I’ve offered some thoughts and comparisons between roles in the private and public sector in cybersecurity.
I’ve also offered many thoughts on online ethics at home and work, such as this piece on a losing Dr. Jekyll v Mr. Hyde battle that people face when they try to manage online vices.
I’ve also written practical advice on bringing your own device to work.
The Best Career Advice I’ve Received
And while there are other good career tips that I’ve been given over the years, the words that impacted me the most came from my father in the 1980s. He was the one who challenged me early in my career to:
- Get my master’s degree in computer science (when I was sick of going to classes).
- Live my life with a well-informed and clear conscience – which flows from personal integrity.
- Be ready for the hard times, which will surely come.
- Strive to really understand the expectations of my boss/management at work – and to do what I can to exceed those expectations.
- Understand the power of delayed gratification.
- Dream big, take risks and even be open to a move oversees.
But his best, most memorable (and most impactful) advice came from some of his last words to me a few days before he died of cancer:
“My life seems like one long day. This morning I was just a boy playing baseball. At noon, I started my career, traveled the world and married your mother. This afternoon I raised seven children, earned my PHD in psychology and counseled families at our church. This evening I watched my grandchildren grow. And now, it is almost midnight, and I’ll meet my maker.”
Where’s the advice in that?
Plan your career with the end in mind.
May 11, 2013 By Dan Lohrmann
According to the wealth of cyberspace knowledge that is defined by Wikipedia, a “hacker” can mean many things:
For most of my career, I’ve thought of hackers as being the bad guys. As a cybersecurity leader, my mission in life was to stop those who try to access a computer system by circumventing its security system.
More recently, I’ve met more and more people who call themselves or friends “hackers” using the second definition. The new term has a much more positive connotation, with hack days, hackfests, hackathons, codefests and related events springing up all over the country where you can meet other hackers. In fact, the term hacker has almost become synonymous with clever, tech-savvy person – which includes a much wider audience.
So which type of “hacker” are you? What type of hacker am I? How did we get to this point?
Remembering How the Road Began
I often think back to how I got into a technology career in the first place. I almost dropped out of my college major in computer science on several occasions. There were the after midnight calls from Indiana back to Maryland while I was in college. I would wake my parents up ranting, “I can’t do this! It’s too hard. I’m going to fail.”
My parents would patiently listen, occasionally asking a few short questions. After an hour or more of unloading complaints that I won’t repeat, we would agree to some simple steps I could take like meeting with my advisor, getting a tutor, or studying with different classmates.
My mom would always end with words of encouragement. “We believe in you. We’re thinking and praying for you.” Those words now mean far more than I understood at the time.
My parents got me through school with both financial help and constant support. They encouraged “excellence, playfulness, cleverness and exploration in performed activities” – in academics, sports and every area of life.
The Journey Continues
As my technology career progressed, there were many joys and tragedies. I married my best friend. Sadly, my father died. We moved to Europe. I changed employers several times. We had four children. We moved back to Michigan.
Through it all, my mother was there. We’ve talked every Sunday night for more than twenty years. She would listen, encourage, challenge, motivate, celebrate and cry with us.
Meanwhile, I unexpectedly inherited another incredible gift – a second mother that I love. My mother-in-law didn’t detract from the relationship with my first mom. On the contrary, she brought a wealth of joy
and warmth to our family that words cannot described. Remembering her kind support, her interest in my job, the articles and books she sends me and her pointed questions on world events, always brings a smile to my face.
My two mothers have been, and continue to be, a positive model for my life. They have shown me what it means to be a parent, even when the kids are grown up. They teach me all about cyber ethics – without even mentioning a computer. They encourage me by asking questions in public on work-related topics, when I am (secretly) sure that they care little about the answer.
Even at work, I still feel their influence. I preach trust, integrity, self-sacrifice, kindness, perseverance and excellence to employees at work. I wonder: Who has demonstrated more of that complete package than my two mothers over the past 80+ years? I am truly blessed to have these women in my life.
Hackers and Mother’s Day
Tomorrow is Mother’s Day. I initially struggled with the idea of bringing cybersecurity and Mother’s Day together. But the more I thought about it, the more it makes sense.
My two favorite “hackers” (who don't even recognize the new meaning) are:
Thanks mom – for teaching me what it means to be a hacker - using the second definition.
May 4, 2013 By Dan Lohrmann
What will actually happen in (or to) cyberspace on May 7, 2013?
That is the question that many are asking as they prepare for a promised attack from the hacktivist groups this coming week. According to an announcement in an April 24 Pastebin threat to US and Israeli Governments, “We gonna launch a big attack against The USA Network and we gonna make some Damages.”
Some sources say that this is a serious threat, and government and banking enterprises need to be prepared. Govinfosecurity.com reported:
“Security experts say that OperationUSA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.
Experts advise that call-center staff should be educated about DDoS attacks, in case customers call in about online outages or experience difficulty accessing accounts. And network and security teams should actively monitor Internet traffic on May 7 and take steps to block specific IP addresses.”
A look at the Twitter-feed or OpUSA yields some interesting tweets, links to anti-USA videos and more. Here is one of those tweets from Cisco Security @CiscoSecurity: “Stay informed about the planned #OpUSA cyberattacks against government and banking infrastructure http://cs.co/9001Xc4N #security”
Is the OpUSA Threat Overblown?
And yet, Krebs on Security reported that the threat may be “more bark than bite.” Brian
“A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks ‘likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate
an anti-US message….’
In an interview with Softpedia, representatives of Izz ad-Din al-Qassam said they do indeed plan to lend
their firepower to the OpUSA attack campaign.”
A copy of the full DHS alert is available here.
So what is Michigan government doing? While I won’t list every step taken here, I can say that we are hoping for the best, while preparing for potential issues to occur. There are a variety of scenarios, but I believe that governments need to be prepared for Distributed Denial of Service (DDoS) attacks and possibly worse. In my opinion, this is now the new normal in cyber threats, and enterprises must be prepared.
I tend to also agree with DHS and Krebs that this may not be as big an issue on Tuesday as some predict. Nevertheless, we must treat this in the way that police regularly investigate other types of serious security threats.
Another observation is that this may become the “new normal” regarding cyber threats. Government enterprises need to have procedures in place to react to these cyber threats and potential attacks. There are services that can be purchased from your ISP to address DDOS, and there are also other security steps that enterprises can take regarding people, process and technology improvements. Michigan has experienced a DDoS attack before, and we will likely see similar cyber attacks again.
One final thought. The bad guys use these type of announcements to test our cyber defenses. They see what we do to mitigate risks or raise the alert levels on Tuesday. This information could be used in the future for unannounced online attacks.
For that reason, I suggest that cyber teams deploy only the defense tool needed, when they are needed. We need to have adaptive cyber defenses that are appropriate for the specific attack situation. Or more simply, don’t openly “show your hand” to the adversary.
What are you doing to prepare for Tuesday? Do you think these cyber threat announcements are becoming the new normal around the world?
April 27, 2013 By Dan Lohrmann
There has been a lot of discussion over the past week about Twitter and the power of social media following the breach of the Associated Press (AP) Twitter feed last Tuesday.
After the verified AP Twitter feed was hacked, a message was sent out that read, “Breaking: Two explosions in the White House and Barrack Obama is injured.”
Immediately, the stock market dropped dramatically. Stocks recovered after it became clear what happened.
Other Fake Tweets?
In case you’re wondering, no, this is not the first time that fake tweets have caused a public reaction. Twitter accounts have also been hacked from National Public Radio, CBS 60 Minutes and Reuters News.
In addition, Twitter business accounts for Burger King and Jeep were also hacked in the past. In the case of Burger King, the tweets made their site look like McDonalds. In response, McDonalds tweeted back that they had nothing to do with the breach – or tweets about the Whopper sandwich becoming a Big Mac.
Back in 2009, millions of people were duped by fake Twitter accounts with quotes from celebrities. “A phony account under the name of film star Christopher Walken and bearing his picture is still regularly read by more than 90,000 people.” Since that time, Twitter has cracked down on fake accounts and put “verified” accounts in place.
Digging Deeper Into Fake Tweet Consequences
What is now clear is that reading a tweet from a trusted source may never be the same.
The Huffington Post asked: Does Twitter have a credibility problem? “The latest hack was by far the most significant: the single AP tweet stunned investors and effectively wiped out $136.5 billion of the S&P 500 index's value in a matter of minutes.”
Now the SEC and FBI are even probing the fake tweets for securities fraud. Here’s an excerpt from USA Today:
“Stolen log-ons for financial and social media accounts readily flow through underground forums, and over the past week, there has been a big infusion of freshly stolen data. ‘Hackers are compromising our computing devices and then spreading false information that can be damaging to an individual or a company,’ Sherry says.
In the wake of the Boston Marathon bombings and devastating explosion in West, Texas, "phishers" sent out links to disaster videos in millions of e-mail messages. Clicking on one of these links displayed the video — but also infected the computing device.”
Getting Personal: Knowing Who, What, When, Where and How We Communicate
So how can we learn from recent incidents? What are we to do with an incredible tweet with news from a trusted source?
The first step is awareness. Understand our current social media environment. Know that fake tweets (and fake emails or text message scams) abound. There is even a fake Tweet builder website out there. (Be
aware that fake Twitter followers are a growing multi-million dollar business.)
The second step is to keep a healthy dose of skepticism on dramatic claims/news. We’ve seen denial of service attacks, intellectual property stolen, bank accounts drained, but now this misinformation campaign. So… double check your sources. When announcements come of bombs going off (or worse), check several reputable sites or feeds to gain additional information.
No doubt, this hesitancy takes away some of benefits of tweets and fast information. But what is more important, getting the data or information right or getting it fast? Yes, we want both, if possible. Nevertheless, we now realize that mistakes can and will be made – and cause harm.
Third, use stronger authentication systems on your own Twitter or other social media accounts. Add two-factor logon, when it becomes available. This may require a smartphone pin, email or text message to gain
access, but can make the process more secure. While two-factor authentication will help, it will not make this problem go away. Therefore, we still need steps 1+2.
In conclusion, the recent false alarms with Twitter should signal the need to take a step back and relook at how much trust we place on various channels and real-time messages. Beyond Twitter, there are false messages on websites, Facebook pages and other social media apps. Who is really sending these messages?
Our new high-tech tools provide easier ways to share data quickly, but quality is always hard. For example, I received tweets about the Boston bombers having foreign ties alongside other tweets that said they were definitely acting alone as Americans. Weeks later, we are still sorting out that intelligence information.
Which raises the question, should we be tweeting about those more complex topics anyway? Are our tools being used with proper online etiquette and effective controls? There were many people who displayed bad taste with Twitter during the Boston bombings.
Bottom line, each of us still needs to decide: Can I trust that tweet?
April 7, 2013 By Dan Lohrmann
Recently, my family was discussing lesser known facts about our first President, George Washington. The intriguing conversation centered on George Washington’s 110 Rules of Civility & Decent Behavior in Company and Conversation.
If you’re not familiar with this important corner of history, here’s a brief excerpt from the introduction to George Washington’s rules, drawn from Foundations Magazine online:
These rules proclaim our respect for others and in turn give us the gift of self-respect and heightened self-esteem.
Richard Brookhiser, in his book on Washington wrote that “all modern manners in the western world were originally aristocratic. Courtesy meant behavior appropriate to a court; chivalry comes from chevalier – a knight. Yet Washington was to dedicate himself to freeing America from a court’s control. Could manners survive the operation? Without realizing it, the Jesuits who wrote them, and the young man who copied them, were outlining and absorbing a system of courtesy appropriate to equals and near-equals. When the company for whom the decent behavior was to be performed expanded to the nation, Washington was ready. Parson Weems got this right, when he wrote that it was ‘no wonder everybody honored him who honored everybody.’”
What can we learn from George Washington’s rules today? That was our family’s discussion around the dinner table. What was the most fun, however, was adapting these rules for Internet use. How can these apply to modern life and social media today? We picked our top ten and attempted to translate (with a few laughs along the way). Here they are:
1. 1st & 65th Rules – “Every action done in company, ought to be with some sign of respect, to those that are present. Speak not injurious words neither in jest nor earnest scoff at none although they give occasion.” (Translation for Internet - Be nice online. Written words and posted pics may never go away in cyberspace.)
2. 2nd & 7th Rules - “When in company, put not your hands to any part of the body, not usually discovered. Put not off your cloths in the presence of others, nor go out your chamber half dressed.” (Translation for Internet – No sexting allowed, or plucking hairs or scratching body parts while on Facetime or Skype.)
3. 5th & 6th Rules – “If you cough, sneeze, sigh, or yawn, do it not loud but privately; and speak not in your yawning, but put your handkerchief or hand before your face and turn aside. Sleep not when others speak, Sit not when others stand. Speak not when you should hold your peace. Walk not on when others stop.” (Translation for Internet – Stop and think before you connect. Or, get an avatar to represent you.)
4. 17th Rule - Be no flatterer, neither play with any that delights not to be play'd withal. (Translation for Internet – Stop sending spam. Be careful when “the deal” online looks too good to be true.
5. 18th Rule - Read no letters, books, or papers in company but when there is a necessity for the doing of it you must ask leave. Come not near the books or writings of another so as to read them unless desired or give your opinion of them unask'd. Also look not nigh when another is writing a letter. (Translation for Internet – No reading your email or surfing in meetings. Leave the room if you get an emergency call.
6. 22nd Rule – “Show not yourself glad at the misfortune of another though he were your enemy.” (Translation for Internet – Stop the boasting, mean comments or mean-spirited ranting on Facebook, sports sites or blog posts. Ask: How will the other people feel after the “fun” ends?
7. 25th Rule - Superfluous complements and all affectation of ceremony are to be avoided, yet where due they are not to be neglected – (Translation for Internet - Don’t forget to post ‘Happy Birthday’ on Facebook for friends. But be careful not to overdo office celebrations. On the contrary, don’t neglect meaning accomplishments or milestones.
8. 38th Rule - In visiting the sick, do not presently play the physician if you be not knowing therein. (Translation for Internet – Become a trusted source online. Stop the fraud or misrepresentation. Don’t be something you’re not online or present your resume, expertise or online profile in an exaggerated way. Others will see it and label you as someone without integrity.
9. 50th & 89th Rules - Be not hasty to believe flying reports to the disparagement of any. Speak not evil of the absent for it is unjust. (Translation for Internet – Stop believing urban legends or spreading false gossip or slander. Go to www.snope.com to check facts or do some real research. Deal with disagreements with the individual(s) who is part of the solutions.
10. 60th & 71st & 81st Rules - Be not immodest in urging your friends to discover a secret. Gaze not on the marks or blemishes of others and ask not how they came. What you may speak in secret to your friend deliver not before others. Be not curious to know the affairs of others neither approach those that speak in private. (Translation for Internet – Keep personal ‘secrets’ off the social media websites. They will be forwarded to others. Also, hacking into other people’s passwords or social media sites will lead to trouble.)
I could go much further, but in order to abide by Washington’s brevity advice, I think it is best to stop. I urge your t take 15 minutes and read George Washington’s original rules. Better yet, discuss them with family, colleagues and friends. I’d also love to hear your thoughts (in the comments section) for how to apply these words to social media decency today.
I’ll leave you with perhaps my favorite rule from George Washington’s list. Rule 110 says, “Labor to keep alive in your breast that little spark of celestial fire called conscience.” That sums it all up for me.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.