BF-SIRT Newsletter 2013-35

The end of the week means a new newsletter to recap what has happened during the week! One of the most notable compromises was the takeover of nytimes.com, which came about through a simple phishing email, while for the Asian market the DDoS against .cn caused major disruptions. The Syrian Electronic Army stays in the news as well, and Brian Krebs has written a summary of who he believes is behind the group, which is a very interesting read. Those running Mac OS X should also read the hardening guidelines that the NSA has written up.

Top 5 Security links
Hand of Thief – The Linux Trojan that steals your banking credentials
How the nytimes.com hack came to be
Who built the Syrian Electronic Army?
.cn back after large DDoS attack
Researcher reverse engineer the Dropbox client

Top 5 Business Intelligence links
Mac OS X Hardening Tips from NSA
Android security holes worry FBI, DHS
Stern new data breach reporting requirement takes hold in EU
Facebook produces its first report on government request for Data
Codename ‘Apalachee’: How America Spies on Europe and the UN

BF-SIRT Newsletter 2013-34

One of this week’s biggest events has been that Bradley Manning was sentenced to 35 years in prison. Those interested in hearing how one can become a security industry analyst should listen to the interview with Rich Mogull. The end of Windows XP is also drawing nearer (April 8th, 2014): after that date no patches will be released, including security patches, so those who still haven’t upgraded should definitely look into doing so as soon as possible!

Top 5 Security links
How Not to DDoS Your Former Employer
Facebook stands by bug disclosure policy following Zuckerberg hack
Scanning the Internet in 45 minutes
Cracking crypto just got a little easier
ZeroAccess: Millions of Computers In US Infected And It Updates With P2P

Top 5 Business Intelligence links
Bradley Manning sentenced to 35 years in prison
Your perilous future on Windows XP
Google, Mozilla Considering limiting certificate validity to 60 months
FDA issues recommendations on the security of Wireless Medical Devices
How I Got Here: Rich Mogull

Strategic Planning: A 10 Step Guide – Part 2 of 2

In my previous blog post, I gave you an introduction to strategic planning and what it’s all about, together with a 10 step guide. I will now go further and explain each of the 10 steps in strategic planning.

Step One — Selection and Communication

It all starts with communication. The very first piece of information should be the announcement to all employees that the company is embarking on a planning process for the future. This memo should be sent from the President asking for everyone’s support. (A sample memo is available from stratetect@gmail.com)

The memo will likely announce who the strategy team members are and ask everyone to congratulate them and provide input at every opportunity. CAUTION: Make sure that you have talked in advance to any employee who was not picked for the strategy team but may feel that they should have been. Once the team is announced and the process starts, make sure you continue to keep employees aware of the progress and solicit their input. A memo should be issued at least monthly. The strategic planning process can take from 6 weeks to 12 weeks, so it is important to keep everyone informed without releasing too much detail.

The strategy team should include a senior accountant, and should consist of between seven and ten members. Team selection should be based on competence, integrity, work ethic, leadership skills, and future growth potential within the Company.

The team will formulate and present the strategic document to the President/CEO and the Board of Directors. It is critical that all employees are empowered and encouraged to communicate their ideas and issues with any member of the strategy team. This process ensures accountability and ownership of the strategy at every level in the organization.

Step Two — A Vision for the Future (The End Game)

The Vision for the Future (End Game) in business is simply defining what winning the game in your business is really about. What does winning mean? Just exactly what do you want your company to be when it grows up? Ask yourself the following questions from the perspective of looking five to seven years into the future.

  1. What markets should your company be serving five years from now?
  2. What products should you be distributing?
  3. Who are your primary competitors?
  4. What are your strengths?
  5. What are your competitors’ strengths?
  6. How has your marketing strategy changed?
  7. What are your core competencies?
  8. What is the size of your revenue stream?
  9. How is your revenue stream segmented?
  10. Do you have a Human Resource Development plan?

The CEO/Owners should create the “Vision for the Future” (End Game) for presentation to the strategy team.

Step Three — Preparation

Running a strategic planning process is not just designing a template and having the team members fill in the gaps. On the contrary, it means carefully coaching the management team through a thinking process.

Often, the actual strategic plan is even less important than the development and growth of the team members participating in the process. The strategy team should be trained on the process you intend to follow in developing the strategic plan. Once that is completed, the CEO/President should present the vision of the future with copies for everyone and then excuse himself from the meeting to allow the strategy team to tear the end game apart and put it back together.

The President will have explained that they have the right and the obligation to challenge the end game if they do not agree with any part of it. However, any challenge to any portion must be accompanied by alternative recommendations. The concept is to finalize a “Vision for the Future” that everyone owns.

Step Four — The SWOT analysis

The team will conduct a SWOT (strengths, weaknesses, opportunities and threats) analysis to identify critical constraints and potential opportunities for growth.

Step Five — Developing the Critical Core Initiatives from the Vision for the Future

Critical core initiatives are overarching initiatives that are found within the Vision for the Future. An example could be a human resource initiative for becoming the employer of choice. Many independent action steps (Strategic Implementation Plans – SIPs) will be required to accomplish a Critical Core Initiative (CCI). They may include training, education, leadership development, compensation and benefits, etc.

Identifying the CCIs first is necessary to move on to the next step, which is creating SIPs for each CCI.

Step Six — Prioritize the CCIs and identify individual SIPs for each CCI

A Strategic Implementation Plan (SIP) is a set of tasks that supports a Critical Core Initiative and therefore creates fundamental change in the way you do things. SIP work deals with long-term improvement and change, balancing concern for today with concern for the future, and is a fundamental task of managerial decision-making. Work against SIPs deals with improving things for tomorrow.

Each Critical Core Initiative is supported by a set of SIPs that contain a sequenced set of tasks, schedules, and named responsible individuals. The creation of SIPs indicates that the chosen area is one that provides a high payoff in terms of innovation and managed change.

Step Seven — Assign sections of the strategy template to be completed by different team members

Developing the strategy document from team homework assignments completed over the previous weeks is a matter of following the template that has been modified to meet your specific company needs.

Step Eight — The accountability process

The key managerial tool to ensure steady, consistent progress on SIP tasks is the formal Operational Review Meeting (ORM). This is the foundation for ensuring that the strategic plan is successful. The ORM is held monthly. The purpose of the ORM is to:

  • Clearly understand the status of your key initiatives.
  • Keep executive focus on strategic, rather than just urgent, issues.
  • Facilitate communication and support throughout the executive team and the company.
  • Formulate emergency responses to company-wide threats or opportunities.
  • Leverage all appropriate company resources while maintaining proper accountability for performance.

The ORM should be attended by members of the Strategy Team, executive management and other senior managers. It will follow a formal agenda and discussions will be driven by two objective measurements: performance of Key Performance Indicators (KPIs) and progress of SIP task completion. SIP and action item owners will be held accountable for achieving the desired results by the due date indicated on the plan. The entire team will be held accountable for meeting SIP goals.

Step Nine — Developing the presentation for approval

The strategy team will provide the strategy document to ownership at least one week in advance of the formal presentation. Representatives of the strategy team will present the plan and defend it from a considered corporate challenge. The purpose of the challenge is to ensure that the plan is well thought out and based on a realistic assessment of the company’s risks and constraints.

The presentation will also demonstrate the degree of commitment and ownership by the team. The objective of the meeting is to formally endorse the strategy for the company. If necessary, the team will revise and re-present the plan to obtain ownership approval.

Step Ten — The Roll Out Process

After formal acceptance, the President and two to three strategy team members should schedule meetings to introduce the strategy to the entire management team and all other employees, thus formally launching the strategy. This should be a big deal and should be completed as quickly as possible. In-person presentations by executive management and strategy team members are highly recommended.

Strategy Development Overview

Strategic planning is a management tool. It is used to help an organization clarify its future direction – to focus its energy, and to help members of the organization work toward the same goals. The planning process adjusts the organization’s direction in response to a changing environment. Strategic planning is a disciplined effort to support fundamental decisions and actions that shape and guide what an organization is, what it does and why it does it, with a focus on where it wants to go and how it is going to get there.

Discipline is a prerequisite to this process because it requires laser-like persistence to produce a productive strategic planning initiative. The process raises a sequence of questions that helps planners examine current reality, test assumptions, gather and incorporate information about the present, and perform trend analysis on the future industry environment. The prioritization of initiatives and SIPs is an essential step. Although your strategic plan will cover a five to seven year period, prioritized SIPs are worked on during the first twelve to eighteen months based on bandwidth and resources, while other CCIs and SIPs are deferred. It is much more effective to completely finish three or four SIPs pertaining to one or two CCIs than to work on ten or twelve SIPs and accomplish nothing.

Fundamental decisions, actions and choices must be made in order to develop a plan that provides the roadmap to the future. The plan is ultimately no more, and no less, than a set of decisions about what to do, why to do it, when and how to do it.

Strategic Planning: A 10 Step Guide – Part 1 of 2

Strategic Planning

So what is strategic focus?

Leadership models and new business models are key ingredients to success in this new, socially driven and aware business age. Any successful model is built around servant style leadership with a focus on strategic thinking by harnessing the creativity and innovation of the employees.

The vehicle to accomplish this is the strategic planning process.

Strategy serves as the organization’s compass and roadmap to future success. Strategic thinking must be clear and communicated effectively throughout the organization.

  • It is not something you can leverage with technology.
  • It isn’t something you will find in the latest business manual.
  • It is embedded in the minds of the management team and most of our employees.
  • It is our employees who are on the front line and know what is really going on with our customers and markets.
  • It requires effective leadership to release the power of the employees in building a strategic roadmap to the future.

Defining objectives and developing initiatives and action plans to meet those objectives is the basis of strategic planning. However, it all starts with an end game, a “Vision for the Future.”

Strategic planning is a management tool. It is used to help an organization clarify its future direction – to focus its energy, and to help members of the organization work toward the same goals. The planning process adjusts the organization’s direction in response to a changing environment.

Strategic planning is a disciplined effort to support fundamental decisions and actions that shape and guide what an organization is, what it does and why it does it, with a focus on where it wants to go and how it is going to get there. Fundamental decisions, actions and choices must be made in order to develop a plan that provides a roadmap on “How to get there from here.” The plan is ultimately no more, and no less, than a set of decisions about what to do, why to do it, and when and how to do it.

The scope of the strategy development process for any company is dependent upon individual business needs. The strategic planning process is a time and resource-consuming endeavor that involves many people in the organization. This process includes both tactical and strategic application.

The Ten Step Process

Let’s identify the steps first and then we’ll discuss each one in a little more detail. I cannot emphasize enough that the true value of a strategic plan is not in the document itself. It is in the process of creating it, involving many of your employees from the bottom up. This empowers them to be more effective and better-informed leaders, managers and decision makers.

  1. Select the strategy team and send a company wide communication
  2. Create a Vision for the Future (End Game)
  3. Preparation — Secure an off-site location for the kick-off meeting, which includes training the team on the strategic planning process. Purchase a strategic planning template, download one from the web or e-mail stratetect@gmail.com for a generic sample.
  4. Complete a SWOT analysis. (Strengths, Weaknesses, Opportunities & Threats)
  5. Identify the critical core initiatives that are necessary to support the vision for the future and to achieve its objectives
  6. Develop strategic implementation plans (SIPs) that support the identified critical core initiatives
  7. Prioritize the CCIs and SIPs based on the biggest impact on the bottom line in the shortest period of time. Modify and complete the document template to fit your company strategy
  8. Develop an accountability process based on a structured monthly strategic review
  9. Develop a presentation of the strategy for approval by the CEO, owners or Board of Directors.
  10. Develop a Roll Out Strategy to explain the strategic plan to the entire company.

In part 2, I will go into details about implementing each of the 10 steps.

BF-SIRT Newsletter 2013-33

We’re back! Due to the summer holidays we will give the top links from the last three weeks instead of just last week.
During this time, Defcon and Black Hat have taken place, there have been updates from Microsoft in Patch Tuesday August 2013, and a critical Joomla! exploit has appeared for which we suggest you update as soon as possible.

Top 5 Business Intelligence links
2013 Browser Security Comparative Analysis: Privacy
Black Hat 2013: What have we learned
New NSA tool exposed: XKeyscore sees ‘nearly EVERYTHING you do online’
Browlock Ransomware Targets New Countries
BGP spoofing – why nothing on the internet is actually secure

Top 5 Miscellaneous Security links
BREACH decodes HTTPS encrypted data in 30 seconds
Michele Catalano Home visit after googling backpacks and pressure cookers
Texas students hijack superyacht with GPS-spoofing luggage
Apple Developer site hack
Washington post site hacked after successful phishing campaign

BF-SIRT Posts
Patch Tuesday August 2013
Joomla! critical exploit

Patch Tuesday August 2013

Another month, another Patch Tuesday!
This month, Microsoft has released eight updates covering 23 unique security issues, which we recommend installing as soon as possible. The updates cover Internet Explorer and the operating system itself.

More information
http://technet.microsoft.com/en-us/security/bulletin/ms13-aug

Joomla! critical exploit

There’s an exploit available in the wild for Joomla! version 2.5.13 and earlier 2.5.x versions, and for version 3.1.4 and earlier 3.x versions.
The exploit allows an attacker to bypass file upload restrictions (so someone could, for example, upload a PHP file). It’s recommended to upgrade to version 2.5.14 or 3.1.5.

More information:
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads
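As an added, defensive example (this is not code from the Joomla! advisory or from the Joomla! project), the following Python snippet shows two checks a site operator can apply independently of the CMS version: a strict allow-list validator for upload file names that rejects any name carrying a server-executable extension anywhere in it (so a double extension or a trailing dot does not slip through), and a scan of an upload directory that reports files failing that check. The extension lists, the sample file names and the use of a temporary directory standing in for a site’s upload folder are assumptions made for this example, not details taken from the advisory.

```python
import os
from pathlib import Path

# Extensions a typical web server may execute. Assumption: extend this to
# match the handlers actually enabled in your server configuration.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar",
                   "cgi", "pl", "asp", "aspx", "jsp"}

# Extensions an image/document upload directory is expected to contain
# (assumed allow-list; adjust to what the site really accepts).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Constructed sample file names used by demo_scan(); "upload.php" and
# "photo.php.jpg" represent the kind of file that should never be there.
SAMPLE_NAMES = ["logo.png", "brochure.pdf", "upload.php", "photo.php.jpg", "notes.txt"]


def upload_name_is_safe(filename: str) -> bool:
    """Allow-list check on an upload file name.

    Rejects: path components, trailing dots or whitespace (which some
    filesystems silently strip), empty name segments such as 'a..jpg',
    any executable extension anywhere in the name (e.g. 'x.php.jpg'),
    and any final extension not on ALLOWED_EXTS.
    """
    if not filename or filename != os.path.basename(filename):
        return False
    if filename.rstrip(". \t") != filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTS


def find_unexpected_files(upload_dir: Path) -> list:
    """Walk an upload directory and return the paths of files whose
    names fail upload_name_is_safe(), sorted for stable output."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if not upload_name_is_safe(name):
                hits.append(str(Path(root) / name))
    return sorted(hits)


def demo_scan() -> list:
    """Build a constructed temporary upload folder (assumption: stands in
    for a real site's upload directory) and return the flagged basenames."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            (Path(tmp) / name).write_bytes(b"sample")
        return [Path(p).name for p in find_unexpected_files(Path(tmp))]


if __name__ == "__main__":
    for flagged in demo_scan():
        print("unexpected upload:", flagged)
```

Run against a real upload directory, `find_unexpected_files` is a cheap post-incident check; the name validator is the piece to put in front of any upload handler, since an allow-list on the final extension alone is exactly what a double extension or trailing dot is designed to get past.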

Talking about technology trends

Earlier this summer our Chief Business Development Officer and VP in Sweden, Stefan Månsby, represented Basefarm in an expert panel on technology trends in the technology magazine IDG. We thought that those of you who follow technology trends would be interested in reading what we think about them. Below you can see Stefan Månsby’s answers from the magazine.


Question 1:
Is it reasonable to invest in creating a hosting solution with configuration tools, monitoring, security and other things that covers the employees’ own client devices that they bring to work? How flexible should you be when it comes to the choice of client devices? Is it best to create a list of a few approved devices or try to handle all of them?

SM: It’s always more effective to let employees work with the tools that they already use or are familiar with. Treat all clients as if they were in an open network with as many foreign computers as familiar computers. Then let the systems they work with qualify whether the client should have access or not.

Question 2:
Many vendors, such as HP, are trying to create a toolkit to handle all IT for companies. This solution often means that you are forced to have two solutions, because it’s hard to remove older tools. Will it be possible to run entirely with modern solutions in three years, or will we be forced to continue using older tools in parallel?

SM: The important thing to remember is that you first of all create a decommissioning plan for the old tools, and then create a plan for the new tools that is in line with the decommissioning plan. In this way, you avoid duplicating tools. It’s important that you follow up on the outcome.

Question 3:
How far have Swedish companies come in integrating local resources with cloud resources in their hosting solutions? Is it a realistic goal to try and do it?

SM: Swedish companies haven’t gone far in this area. The small percentage that use cloud use it for e-mail or CRM, which usually isn’t integrated with any internal system. Today, there is too little expertise in cloud integration among Swedish consultants and integrators.

Question 4:
The SOA (Service-oriented architecture) thinking is not that hot anymore, but many companies have actually implemented this type of strategy. Are there any general hosting solutions to manage the services that are created, or are proprietary solutions required?

SM: I can’t agree that SOA isn’t still a hot subject. It’s only smaller projects and companies that have started to realize that it’s not profitable to add extra work for SOA. The hosting solution for a SOA or non-SOA architecture has in principle the same set of requirements and needs.