May 21, 2013 By Dan Lohrmann
For some reason, there seems to be an abundance of career advice floating around social media web pages right now. I’m not sure why, but perhaps it is because college seniors are looking for their first “real professional” job. Or, perhaps the job market is heating up and more people are interviewing or looking for a new role. Or, maybe there are millions of people just looking for some practical advice or words of
Regardless of the reason, the google search “career advice” now yields over 436 million page results that are full of tips, tricks, dos and don’ts for getting ahead or making progress or having a vision for the future.
I’m sorry, but I just don’t get most of this “new” career advice coming out. Much of it is situational, and almost all of it fails to inspire or motivate me. Some of the more entertaining ones I’ve read recently include items like the list: Don’t Work Too Hard: 7 Secret Sins at Work.
While I can agree with “Don’t over decorate” and "cut back on multitasking." I disagree with most of the rest. For example: "Don’t be popular? Don’t bring in treats? Don’t talk to HR and don’t work too hard?" Are you kidding me? Is that the best we can do?
If you’re looking for more practical advice examples for the office, try one of the items on this online search list of over 2 billion results of things you should never do at work. Yes, the advice can get overwhelming.
There are certainly plenty of websites you can go to get advice as well, from how to find a job to how to get a promotion. Some of this is well thought out and other advice, not so much. The trouble is that many of the items contradict themselves or is difficult to follow - with many rabbit trails out there.
Advice I like
On the other side, I do like most of the career advice offered in the Forbes piece from last year. For example:
- “Before you put somebody in their place, put yourself in their place….”
- “‘If you want something you have never had, you must be willing to do something you have never done.’ I do not have an author to credit this saying to but the person who wrote this has influenced my life in many wonderful ways….”
I also found this “contrarian” advice for professionals to be helpful:
“… Instead of making a plan around specific positions or salary, think about other ways of defining professional growth. Maybe your career plan is to increase the span of your impact, from local to regional to national. Maybe your work changes from tactical to strategic. These kinds of career goals give you a lot more wiggle room for determining how you reach success….”
My Career Advice
I’ve given plenty of career advice to technology and security professionals through the years. Some of those articles include a series of blogs and articles on: Why security pros fail (and what to do about it). I’ve been told by both technical and non-technical professionals that these items seem to pertain to them as well.
I’ve offered some thoughts and comparisons between roles in the private and public sector in cybersecurity.
I’ve also offered many thoughts on online ethics at home and work, such as this piece on a losing Dr. Jekyll v Mr. Hyde battle that people face when they try to manage online vices.
I’ve also written practical advice on bringing your own device to work.
The Best Career Advice I’ve Received
And while there are other good career tips that I’ve been given over the years, the words that impacted me the most came from my father in the 1980s. He was the one who challenged me early in my career to:
- Get my master’s degree in computer science (when I was sick of going to classes).
- Live my life with a well-informed and clear conscience – which flows from personal integrity.
- Be ready for the hard times, which will surely come.
- Strive to really understand the expectations of my boss/management at work – and to do what I can to exceed those expectations.
- Understand the power of delayed gratification.
- Dream big, take risks and even be open to a move oversees.
But his best, most memorable (and most impactful) advice came from some of his last words to me a few days before he died of cancer:
“My life seems like one long day. This morning I was just a boy playing baseball. At noon, I started my career, traveled the world and married your mother. This afternoon I raised seven children, earned my PHD in psychology and counseled families at our church. This evening I watched my grandchildren grow. And now, it is almost midnight, and I’ll meet my maker.”
Where’s the advice in that?
Plan your career with the end in mind.
May 11, 2013 By Dan Lohrmann
According to the wealth of cyberspace knowledge that is defined by Wikipedia, a “hacker” can mean many things:
For most of my career, I’ve thought of hackers as being the bad guys. As a cybersecurity leader, my mission in life was to stop those who try to access a computer system by circumventing its security system.
More recently, I’ve met more and more people who call themselves or friends “hackers” using the second definition. The new term has a much more positive connotation, with hack days, hackfests, hackathons, codefests and related events springing up all over the country where you can meet other hackers. In fact, the term hacker has almost become synonymous with clever, tech-savvy person – which includes a much wider audience.
So which type of “hacker” are you? What type of hacker am I? How did we get to this point?
Remembering How the Road Began
I often think back to how I got into a technology career in the first place. I almost dropped out of my college major in computer science on several occasions. There were the after midnight calls from Indiana back to Maryland while I was in college. I would wake my parents up ranting, “I can’t do this! It’s too hard. I’m going to fail.”
My parents would patiently listen, occasionally asking a few short questions. After an hour or more of unloading complaints that I won’t repeat, we would agree to some simple steps I could take like meeting with my advisor, getting a tutor, or studying with different classmates.
My mom would always end with words of encouragement. “We believe in you. We’re thinking and praying for you.” Those words now mean far more than I understood at the time.
My parents got me through school with both financial help and constant support. They encouraged “excellence, playfulness, cleverness and exploration in performed activities” – in academics, sports and every area of life.
The Journey Continues
As my technology career progressed, there were many joys and tragedies. I married my best friend. Sadly, my father died. We moved to Europe. I changed employers several times. We had four children. We moved back to Michigan.
Through it all, my mother was there. We’ve talked every Sunday night for more than twenty years. She would listen, encourage, challenge, motivate, celebrate and cry with us.
Meanwhile, I unexpectedly inherited another incredible gift – a second mother that I love. My mother-in-law didn’t detract from the relationship with my first mom. On the contrary, she brought a wealth of joy
and warmth to our family that words cannot described. Remembering her kind support, her interest in my job, the articles and books she sends me and her pointed questions on world events, always brings a smile to my face.
My two mothers have been, and continue to be, a positive model for my life. They have shown me what it means to be a parent, even when the kids are grown up. They teach me all about cyber ethics – without even mentioning a computer. They encourage me by asking questions in public on work-related topics, when I am (secretly) sure that they care little about the answer.
Even at work, I still feel their influence. I preach trust, integrity, self-sacrifice, kindness, perseverance and excellence to employees at work. I wonder: Who has demonstrated more of that complete package than my two mothers over the past 80+ years? I am truly blessed to have these women in my life.
Hackers and Mother’s Day
Tomorrow is Mother’s Day. I initially struggled with the idea of bringing cybersecurity and Mother’s Day together. But the more I thought about it, the more it makes sense.
My two favorite “hackers” (who don't even recognize the new meaning) are:
Thanks mom – for teaching me what it means to be a hacker - using the second definition.
May 4, 2013 By Dan Lohrmann
What will actually happen in (or to) cyberspace on May 7, 2013?
That is the question that many are asking as they prepare for a promised attack from the hacktivist groups this coming week. According to an announcement in an April 24 Pastebin threat to US and Israeli Governments, “We gonna launch a big attack against The USA Network and we gonna make some Damages.”
Some sources say that this is a serious threat, and government and banking enterprises need to be prepared. Govinfosecurity.com reported:
“Security experts say that OperationUSA, a coordinated online attack against banking and government websites slated for May 7, is a serious threat. As a result, organizations should be upping their distributed-denial-of-service attack mitigation strategies to guard against the attacks, which are being coordinated by the hacktivist group Anonymous.
Experts advise that call-center staff should be educated about DDoS attacks, in case customers call in about online outages or experience difficulty accessing accounts. And network and security teams should actively monitor Internet traffic on May 7 and take steps to block specific IP addresses.”
A look at the Twitter-feed or OpUSA yields some interesting tweets, links to anti-USA videos and more. Here is one of those tweets from Cisco Security @CiscoSecurity: “Stay informed about the planned #OpUSA cyberattacks against government and banking infrastructure http://cs.co/9001Xc4N #security”
Is the OpUSA Threat Overblown?
And yet, Krebs on Security reported that the threat may be “more bark than bite.” Brian
“A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks ‘likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation. Independent of the success of the attacks, the criminal hackers likely will leverage press coverage and social media to propagate
an anti-US message….’
In an interview with Softpedia, representatives of Izz ad-Din al-Qassam said they do indeed plan to lend
their firepower to the OpUSA attack campaign.”
A copy of the full DHS alert is available here.
So what is Michigan government doing? While I won’t list every step taken here, I can say that we are hoping for the best, while preparing for potential issues to occur. There are a variety of scenarios, but I believe that governments need to be prepared for Distributed Denial of Service (DDoS) attacks and possibly worse. In my opinion, this is now the new normal in cyber threats, and enterprises must be prepared.
I tend to also agree with DHS and Krebs that this may not be as big an issue on Tuesday as some predict. Nevertheless, we must treat this in the way that police regularly investigate other types of serious security threats.
Another observation is that this may become the “new normal” regarding cyber threats. Government enterprises need to have procedures in place to react to these cyber threats and potential attacks. There are services that can be purchased from your ISP to address DDOS, and there are also other security steps that enterprises can take regarding people, process and technology improvements. Michigan has experienced a DDoS attack before, and we will likely see similar cyber attacks again.
One final thought. The bad guys use these type of announcements to test our cyber defenses. They see what we do to mitigate risks or raise the alert levels on Tuesday. This information could be used in the future for unannounced online attacks.
For that reason, I suggest that cyber teams deploy only the defense tool needed, when they are needed. We need to have adaptive cyber defenses that are appropriate for the specific attack situation. Or more simply, don’t openly “show your hand” to the adversary.
What are you doing to prepare for Tuesday? Do you think these cyber threat announcements are becoming the new normal around the world?
April 27, 2013 By Dan Lohrmann
There has been a lot of discussion over the past week about Twitter and the power of social media following the breach of the Associated Press (AP) Twitter feed last Tuesday.
After the verified AP Twitter feed was hacked, a message was sent out that read, “Breaking: Two explosions in the White House and Barrack Obama is injured.”
Immediately, the stock market dropped dramatically. Stocks recovered after it became clear what happened.
Other Fake Tweets?
In case you’re wondering, no, this is not the first time that fake tweets have caused a public reaction. Twitter accounts have also been hacked from National Public Radio, CBS 60 Minutes and Reuters News.
In addition, Twitter business accounts for Burger King and Jeep were also hacked in the past. In the case of Burger King, the tweets made their site look like McDonalds. In response, McDonalds tweeted back that they had nothing to do with the breach – or tweets about the Whopper sandwich becoming a Big Mac.
Back in 2009, millions of people were duped by fake Twitter accounts with quotes from celebrities. “A phony account under the name of film star Christopher Walken and bearing his picture is still regularly read by more than 90,000 people.” Since that time, Twitter has cracked down on fake accounts and put “verified” accounts in place.
Digging Deeper Into Fake Tweet Consequences
What is now clear is that reading a tweet from a trusted source may never be the same.
The Huffington Post asked: Does Twitter have a credibility problem? “The latest hack was by far the most significant: the single AP tweet stunned investors and effectively wiped out $136.5 billion of the S&P 500 index's value in a matter of minutes.”
Now the SEC and FBI are even probing the fake tweets for securities fraud. Here’s an excerpt from USA Today:
“Stolen log-ons for financial and social media accounts readily flow through underground forums, and over the past week, there has been a big infusion of freshly stolen data. ‘Hackers are compromising our computing devices and then spreading false information that can be damaging to an individual or a company,’ Sherry says.
In the wake of the Boston Marathon bombings and devastating explosion in West, Texas, "phishers" sent out links to disaster videos in millions of e-mail messages. Clicking on one of these links displayed the video — but also infected the computing device.”
Getting Personal: Knowing Who, What, When, Where and How We Communicate
So how can we learn from recent incidents? What are we to do with an incredible tweet with news from a trusted source?
The first step is awareness. Understand our current social media environment. Know that fake tweets (and fake emails or text message scams) abound. There is even a fake Tweet builder website out there. (Be
aware that fake Twitter followers are a growing multi-million dollar business.)
The second step is to keep a healthy dose of skepticism on dramatic claims/news. We’ve seen denial of service attacks, intellectual property stolen, bank accounts drained, but now this misinformation campaign. So… double check your sources. When announcements come of bombs going off (or worse), check several reputable sites or feeds to gain additional information.
No doubt, this hesitancy takes away some of benefits of tweets and fast information. But what is more important, getting the data or information right or getting it fast? Yes, we want both, if possible. Nevertheless, we now realize that mistakes can and will be made – and cause harm.
Third, use stronger authentication systems on your own Twitter or other social media accounts. Add two-factor logon, when it becomes available. This may require a smartphone pin, email or text message to gain
access, but can make the process more secure. While two-factor authentication will help, it will not make this problem go away. Therefore, we still need steps 1+2.
In conclusion, the recent false alarms with Twitter should signal the need to take a step back and relook at how much trust we place on various channels and real-time messages. Beyond Twitter, there are false messages on websites, Facebook pages and other social media apps. Who is really sending these messages?
Our new high-tech tools provide easier ways to share data quickly, but quality is always hard. For example, I received tweets about the Boston bombers having foreign ties alongside other tweets that said they were definitely acting alone as Americans. Weeks later, we are still sorting out that intelligence information.
Which raises the question, should we be tweeting about those more complex topics anyway? Are our tools being used with proper online etiquette and effective controls? There were many people who displayed bad taste with Twitter during the Boston bombings.
Bottom line, each of us still needs to decide: Can I trust that tweet?
April 21, 2013 By Dan Lohrmann
After the unprecedented events that took place in and around Boston last week, where are we now and where are we going?
As an American living in Michigan who closely watched the events unfolding from Monday through Saturday, my thoughts and emotions are mixed.
Sadness Becomes Relief
I was in my boss’ office on Monday afternoon about 3:30 PM (EST) when I received initial word of the bombings at the Boston Marathon. We turned on CNN for about 20 minutes as the unfolding events were described in detail. Several of us stood around as we watched replays of the bombs going off by the race’s finish line on Patriot's Day in Boston.
My mind instinctively went back to the planes flying into towers on September 11, 2001. I was at work only a few blocks away on that Tuesday morning. While this doesn't appear to be a terrorist incident on the level of 9/11, the attack did hit at an American traditional event that is celebrated with national press coverage.
Our thoughts and prayers go out to the devastated families and victims of the horrible bombings.
There were numerous twists and turns all week. I watched President Obama’s remarks at the interfaith service on Thursday, as he told the world that, “Boston will run again.”
We awoke Friday morning to the news of a gunfight and an armed man in a residential neighborhood. A city with a metro area of several million people was completely shut down on a work day. Wow!
Thanks for the Men and Women in Uniform
Celebrations broke out all over Boston Friday night and Saturday. Crowds chanted “USA, USA!” Others sang the national anthem or screamed, “BPD! BPD!” (BPD stands for Boston Police Department).
Law enforcement -- from firemen to police to FBI and more, were instant heroes again. I am thankful for the men and women in Michigan and all over this nation who serve this country so diligently every day.
And the president reappeared Friday night with another address to the nation after the second bombing suspect was caught. He also made it clear that many questions must still be answered.
By the time that my family happily moved on with “regular life” on Saturday, a whole new set of
questions started popping up. The central question is -- why? What was the suspects’ motive(s)?
Here are just a few of the tough questions that will take some time to answer:
Did these brothers have additional help, training or ties to domestic or foreign terrorist groups?
Does this event signal the increased radicalization of American residents, whether native or immigrant?
Are There Lessons Learned?
There are also some healthy warnings online regarding the dangers of politicizing these events for personal gain. I like this piece from Bloomberg which makes the point: “How to exploit the Boston bombings for political gain.”
Nevertheless, I am going forge ahead and try to highlight developments that taught me a thing or two.
1) Breaking News is Broken – stay away from Twitter – I like this piece from Slate.com which highlights the many failings of our current news organizations over the past week. There were many false alarms and false reports. Their advice?
“When you first hear about a big story in progress, run to your television. Make sure it’s securely turned off. Next, pull out your phone, delete your Twitter app, shut off your email, and perhaps cancel your service plan. Unplug your PC. Now go outside and take a walk for an hour or two….”
Wow. That may be a bit extreme, but the points are compelling if you read the rest of the article.
2) Security is everyone’s responsibility – Several commentators have pointed out that the suspect was caught because an average citizen phoned "911." I like this Washington Post article that reminds us that everyone has a part in homeland security.
3) Crowdsource investigations went wrong – The second lesson is that the self-proclaimed
experts who tried to solve this crime online were badly mistaken. I like this BBC piece on how
Internet detectives got it very wrong. And yes, it did cause some harm and pain for the falsely accused. Here’s an excerpt worth reading:
“Thousands have been tirelessly picking through the evidence -- every piece of video footage, every photo, every eyewitness account they can get their hands on. But this investigation wasn't within the confidential confines of the FBI or local police.
No, these sleuths were working in public -- discussing their theories and "leads" within massive communities such as Reddit, 4Chan, Facebook and Twitter. On Friday, those efforts ended with an apology. After hours of chatter and speculation, the standout suspect identified -- and named -- was the wrong man….”
4) The Internet turned kitchen utensils into weapons of terror -- The bombs did not appear to be made with advanced plastic explosives or cutting-edge technology. The tools used seemed to be rather simplistic, and many people have pointed out that bomb-making instructions were available online. The Boston mayor stated that the brothers acted alone; however, more information is needed on this topic. The UK's Mirror newspaper online reported new information on Sunday -- claiming the detonators were in fact sophisticated and the brothers had help from others.
5) Proud to be an American – The last lesson for me was one that I’ve already learned – but needed a reminder. Yes, I’m proud to be an American. Despite difficulties, our system worked. We don’t yet know how this story will end, but it appears that the perpetrators will be brought to justice.
In summary, a lot of security infrastructure work has been done at all levels of government since 9/11/01, and we’ve come a long way in many areas of local, state and federal law enforcement cooperation, tools and training. The national response to this incident was impressive.
Most of all, I’m glad that Boston will be back to work on Monday morning -- and running a marathon next April.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.