Category Archives: Perspectives

Should companies create Bitcoin accounts to be ready to pay ransoms?

In the past months, the press made public different security incidents involving companies being victims of ransomware (1)(2). Most of the time, a ransom had to be paid in Bitcoins. It’s logical, as Bitcoins make it much easier and cheaper to launder the money and hide the recipient than traditional money laundering circuits.

You may decide that dealing with cyber criminals is unacceptable (like for terrorists or kidnappers) but if you don’t have such policies and the amount of the ransom is lower than the overall cost of restoring your services by yourself (including manpower, business losses, public image), you may decide to pay the price. In such a case, time is of the essence. In order to limit the impact and to comply with the criminals’ conditions, you might have no more than 48 or even just 24 hours to pay your “lack-of-sufficient-security fine”.

But how do you pay in Bitcoins and keep it under the radar in such a short amount of time? Given the time spent debating the question “do we pay or not”, the time left to actually pay will likely be very short. So, you had better have your Bitcoin wallet ready and loaded or some agreement with a trusted Bitcoin exchange platform to guarantee the required discretion. Bottom line, nowadays, it might become wise to include a Bitcoin wallet in your Disaster Recovery Plan.

Whatever you decide, decide now and be prepared.

Security: It’s all about trust!

In the past few days, I had a few discussions and readings that made me think about the importance of the concept of trust in security and in our life more generally speaking.

Think about it. All we do in security management, in training, in penetration testing, in patching or with monitoring is because we don’t trust our employees, our colleagues, our customers, our suppliers or our competitors. That’s why we often have 3 levels of controls, each level controlling the others so we suppose we will always have at least one person who will do the “right” thing. In our line of work, it makes sense.

But how far should we go? When do we start to trust? When do we make this leap of faith in humanity?

I worked with pretty paranoid people (for a reason, not the pathological ones) using their own operating system (based on reviewed and modified NetBSD source code) on air-gapped networks. They also had RFID chips in the printer paper in order to trigger an alarm if you left the facility with printed information. Others electromagnetically wiped and physically destroyed (with presses) any hard disk at end of life. Some require 10 months of thorough investigation and background checks before letting someone work on their systems. I worked with people having private investigators watching their security guards to ensure they were totally honest (and it wasn’t the case all the time). In the security community, you will easily find people who will not trust any software to handle their very sensitive information, as it might always have a backdoor. And it is the same with hardware. And they are right to be suspicious, as we have found vulnerabilities and backdoors in nearly every system or application. Firmware corrupted by the government of the country manufacturing the processors or motherboards, or spyware built in from the start at the request of the manufacturer’s government. Routers, operating systems, firewalls, remote access applications, switches, phone equipment, and so on. There is a very long list of known backdoors, Trojan horses, spyware and so on discovered in widely used systems. You can imagine the length of the list of the ones we don’t know about (yet).

If we talk about people, it’s even worse. The Belgian Secret Services have published a quick card to warn travellers in some specific sensitive industries on how to prevent information leakage while being out of the country. The warning is not restricted to the usual suspects (like Korea, Russia, China or USA) but also extends to our European “friends”. Economic espionage is written in the bylaws of many European countries’ intelligence services. According to our State Security services, if you belong to the targeted categories of people, the question is no longer “if” you will be a victim of spies but “when”. Humans can be manipulated, blackmailed, bought, threatened, seduced, just pick one. We are no more reliable than the rest.

I know it sounds crazy, even paranoid! Unfortunately it’s just the world as it is.

So, how do we function knowing we can trust nothing and no one?

Obviously, we tend to create redundancies, to multiply the controls and the levels of control. In a large organisation you may easily have more than 5 levels of control (operational control, security, risk management, internal audit, external auditors, compliance, and so on). Even so, we still manage to have incidents. This still doesn’t answer my first question: When do we start to trust?

For me, trusting is part of the risk management process. It also meets the intelligence gathering process of evaluating your information, your sources and how reliable they are. We trust and we verify. We evaluate continuously the level of trust we can grant to our systems and our people. The higher the stakes, the higher our level of paranoia should be. Also, as usual, we must balance between the risk of doing it and the cost of not doing it. If I don’t trust my suppliers, my employees, what will be the cost for my company, my business?

What’s also important is to know that we trust. There is a clear difference between believing without knowing and believing with the consciousness of the fact that we make a leap of faith. The difference resides in the decision. I don’t believe because I do, I believe because I have decided that it is the best choice to make.

Let me take an example: in my car, if I believe that a green light for me means that cars coming from other directions will stop at the red light, without doubting that or even being conscious that it is a belief, I will never pay attention to the other cars. If I understand it is a belief, I can adjust my behaviour and check (monitor, watch) other cars to see if they are compliant with this belief (and obviously hit the brakes if they are not).

On the other hand, I should also give a little trust to my car manufacturer and have confidence in the fact the brakes will stop my car when I hit them. Else, I won’t dare to drive anymore. As always, we need to find the right balance and we need to do it consciously in order to function effectively.

So, question everything and take sound decisions, knowing that you don’t know for sure.

The lost meaning of our (professional) life

First story

Not so long ago, I met a young and intelligent lady working as a student in a big organisation. One Monday morning, she was tasked to review the translation of some official documents. Around 10.30, she was already nearly lying on her keyboard, her head between her hands, whispering that she wanted it to be Friday. Not because she had a special event planned, just because she wanted this week to end.

If you compare her to other students having a holiday job, she was supposed to be lucky as she was actually doing the job she was studying for instead of counting hardware pieces in a store or delivering mail.

At some point we started a discussion and I took the opportunity to ask her:

– What are you gonna do with your life?

– Translator, she answered.

– You are here, doing the job you are preparing yourself to do the rest of your life and after one week, the only thing you can think about is not doing it. Are you sure it is what you want to do with your life?

– It is all I can do!

– Is it what you think or is it what it is? Which evidence do you have?

– None, but I don’t know what else to do!

– Maybe you should figure out that first?

Obviously, it is not the only thing she’s good at and it is not what she really wants to do in her life. But somewhere, she became convinced that she had to follow this path and that it was the only one possible. At around 20, she was already in autopilot mode, following a path that is not hers but the one her environment offered her.

A few days later she came to me and told me that she will use her time abroad (she was going to study abroad for a few months) to discover what she really wants to do.

Second story

At a rock festival, I discovered a Belgian New Orleans jazz band called Big Noise. The 4 musicians played as if they were possessed or in a trance. The drummer was so into it, playing an “infernal swing”, that he looked like he was drunk or on drugs. But, evidently, his drug was his pleasure to play. To play music, to play with friends, with the audience, to have fun, a lot of fun. And the public was seduced, sharing the nearly shamanic trance, powered by the music and the magic of this group sharing the same love for music. From where I stood, at that moment, they had the best job in the world, the one making them happy.

Third story

I recently discovered the new Aaron Sorkin TV show called “The Newsroom”. The series is set behind the scenes at the fictional Atlantis Cable News (ACN) and centers around the team of idealistic journalists working for the news, seeking the truth and aiming to educate their audience. As was the case before with “The West Wing”, Sorkin again wrote some of the most intelligent scenarios and dialogs ever. I was captivated by the show and found myself excited by each episode. As images of the series were present in my mind the next day, I wondered what was so appealing to me in the show. Obviously, I was probably projecting myself (in the Freudian sense of the term) into the show. Something was talking to me. But what? Fortunately, meditation helps a lot to make your mind clear and it rapidly became evident to me that it was the commitment of the characters and their values that was stimulating my soul. These characters are devoted to their work, or, should I say, to their cause. In fact, they don’t work, they do something they believe in, they live their passion and they stick to their values. They are committed to their life, not someone else’s life.

Last story

More than a decade ago, I was running a company with my associates and, at the same time, I was coaching young children from 5 to 7 years old to teach them how to swim. Surprisingly, although my daily job was very interesting and I was successful at it, I happened to wait all week for this moment, on Fridays, when I was in the water, teaching those kids how to float, dive, breathe or jump into the water. At first, I tried to ignore this and managed to have such busy weeks that I couldn’t even think about it or anything else than my work and my occupations. Fortunately, at some point, my mind or my body (or both as they are one) found a way to pass the message. And it was clear: something was going wrong in my apparently picture perfect life. Unfortunately, the root cause of this “unhappiness” was not as evident. As I didn’t understand at the time what was making me unhappy, I started to change nearly all aspects of my life, private and professional. During the process, I was lucky enough, as I often am, to cross the road of wonderful beings that helped me to understand what was missing in my life. At a bit more than 30 years old, I decided to go back to studying and found myself on the way to the University to pursue a master in Psychology. It was a very long journey during which I continued to search for the meaning of my life as a sense of “un-achievement” was still haunting my mind. It took me a while, and a lot of these blessed encounters with wonderful people (sometimes through books, sometimes during a very short time or sometimes for a long lasting and beautiful journey) to understand that the meaning of my life was not the goal, the end of the road, but the road itself. I found my direction, my path, my identity as I was able to accept myself as I am, with my paradoxes and my weaknesses as much as with my strengths and my values.
I finally understood the true meaning of Steve Jobs’s saying, in his 2005 Stanford commencement ceremony address: “for the past 33 years, I have looked in the mirror every morning and asked myself: ‘If today were the last day of my life, would I want to do what I am about to do today?’ And whenever the answer has been ‘No’ for too many days in a row, I know I need to change something.” or the “Carpe Diem” from Dead Poets Society. I discovered my values and found my balance to integrate all aspects of my life. Writing this, even if you are just a few hundred to read it, should it even be only one person, is a part of it. I

Epilogue

Our society is very good at picturing a way of life and making us believe that we must fit into this scheme. Unfortunately, in some aspects, our society has lost its values, or, to be more accurate, I cannot recognise myself in some of these values and, maybe, you don’t either. As Jiddu Krishnamurti once said: “It is no measure of health to be well adjusted to a profoundly sick society.” And unfortunately, our society and most corporations are so complex that it becomes difficult to understand what is the goal, the meaning and the role we have to play. And the pace imposed by our “modern” way of life does not often leave time to think about our values, our dreams, our expectations. We must be artists, philosophers or even fools to dare thinking about our purpose, the meaning of our lives or, more simply, what really matters for us, deeply inside. “Stay hungry, stay foolish” was the closing sentence of Jobs’ 2005 speech. Tomorrow is the first day of the rest of our lives. We can be foolish too for this commencement. We can demand the meaningful life we deserve. It is often not so far from where we stand. A few centimetres away, even. It is not necessary to change everything, we can just change what is not in line with our values, with the direction we want to take.

According to recent studies, people with a purpose in their life, with a meaning, are happier and are also in better physical condition (less stressed). Corporations and society should think about the meaning of what they do and the meaning of what their people do. If everyone could find a true meaning (money is obviously not one, as such) in what they do for a living, nobody would have to work anymore, or at least, we would not have to call it labour because it wouldn’t be laborious anymore.

 

Stay foolish!

 

http://news.stanford.edu/news/2005/june15/jobs-061505.html