May 2015 - J Wolfgang Goerlich

Archive for May, 2015

Friday Books and Talks 05/29/2015

Posted May 29, 2015 by Wolf Goerlich

For most businesses, success is fleeting. There are only two real choices: stick with the status quo until things inevitably decline, or continuously change to stay vital. But how? Bestselling leadership and management guru Jason Jennings and his researchers screened 22,000 companies around the world that had been cited as great examples of reinvention. They selected the best, verified their success, interviewed their leaders, and learned how they pursue never-ending radical change. The fresh insights they discovered became Jennings’s “reinvention rules” for any business.

The Power Presenter
by Jerry Weissman

Jerry Weissman is the presentations coach to Microsoft, Cisco Systems, and many of America’s top executives, including founding Yahoo CEO Tim Koogle, Intuit founder Scott Cook, Netflix founder and CEO Reed Hastings, and many others. Now America’s top coach reveals the same powerful strategies he teaches to CEOs in expensive private sessions. Learn why your body language and voice are more important than your words, how to present with poise and confidence naturally, and how to connect with any audience emotionally. Filled with illustrative case studies of Barack Obama, Ronald Reagan, George W. Bush, John F. Kennedy, and many others, The Power Presenter will bring out the best in anyone who has to stand and deliver.

Why we laugh
by Sophie Scott
Did you know that you’re 30 times more likely to laugh if you’re with somebody else than if you’re alone? Cognitive neuroscientist Sophie Scott shares this and other surprising facts about laughter in this fast-paced, action-packed and, yes, hilarious dash through the science of the topic.

InfoSec Institute: IT Thought Leader Interview

Posted May 27, 2015 by Wolf Goerlich

J. Wolfgang Goerlich is an influential leader and IT management executive with the ability to act as a cultural change agent, driving security initiatives and raising security postures. He currently works as a Cyber Security Strategist for Creative Breakthrough Inc (CBI) and has been in the industry for over 20 years. Areas of expertise include managing culture, ITGRC, security community and mentorship, application security and team leadership.

1. Early this year, you took the position of cyber security strategist at CBI. What exactly does this position entail?

As a security strategist at CBI, my role is connecting people and ideas to develop strategies for improving cyber security. I work with the senior leadership at CBI’s customers to understand their business strategy and collaborate on plans for aligning and maturing their security activities. Within CBI, I provide technical leadership and expertise toward our service lines and vendor partnerships. On select engagements, I work directly with the consulting team to deliver impactful results to our customers.

Another aspect of my position, which I find rewarding, is leading the CBI Academy. I have been mentoring and coaching professionals in my local community for years, so leading the Academy was a natural fit. We often hear CISOs talk about the lack of security talent for staffing their teams. At the same time, we often hear students talk of the difficulty in identifying and gaining the in-demand skills. With CBI Academy, we bridge the gap with an apprenticeship program that accelerates the careers of recent university graduates.

Read the rest at:

http://resources.infosecinstitute.com/interview-j-wolfgang-goerlich-cyber-security-strategist-for-creative-breakthrough/

Wired: DevOps isn’t a job, but it is still important

Posted May 22, 2015 by Wolf Goerlich

“Traditionally, companies have at least two main technical teams. There are the programmers, who code the software that the company sells, or that its employees use internally. And then there are the information technology operations staff, who handle everything from installing network gear to maintaining the servers that run those programmers’ code. The two teams only communicate when it’s time for the operations team to install a new version of the programmers’ software, or when things go wrong. That’s the way it was at Munder Capital Management when J. Wolfgang Goerlich joined the Midwestern financial services company in 2005.”

Read the rest at: http://www.wired.com/2015/05/devops-isnt-job-still-important/

Phone phreaking visits Apple Pay’s authentication

Posted May 18, 2015 by Wolf Goerlich

There is a new attack on Apple Pay involving an old phreak tactic. Read about it here:

Has Your Phone Number Been Stolen? Another Apple Pay Fraud Hits the Nation
https://www.mainstreet.com/article/has-your-phone-number-been-stolen-another-apple-pay-fraud-hits-the-nation

The fraud works by knowing the mobile carrier and number the target uses for device identification, contacting the carrier to port the number to a phone the criminal has, then using the number to authenticate and add the criminal’s device to the victim’s Apple Pay account. Illegally porting telephone numbers has been around for some time. Criminals are re-using the old technique to subvert Apple Pay’s device authentication mechanism.

What can consumers do to protect themselves? First, use a telephone number that is not well known for device authentication. Many people use their home landline phone number, which is often easy to discover. Second, inquire with the carrier about their policies around authorizing porting and notifying customers. Third, keep a close eye on Apple Pay for unfamiliar devices.

The ways banks can protect consumers is as old as the tactic of stealing phone numbers. It comes down to account monitoring and fraud detection. Today’s behavioral analytics are equally adept at spotting misused credit cards as they are spotting misused accounts linked to Apple Pay. Banks and other financial institutions must review their anti-fraud programs to ensure they apply to emerging payment processes like Apple Pay.

All in all, this is an example of an old tactic being applied to a new payment processing system. When developing new systems, it always pays to consider how previous attacks might apply.

Starbucks gift card fraud

Posted May 15, 2015 by Wolf Goerlich

Starbucks is in the news as criminals abuse its online services through fraudulent gift card purchases. On the surface, the issue appears to be about consumers’ passwords and the poor practices around their use. There is more to the story, however, and I would argue two deeper concerns are the real issue. The first is in how emerging payment systems are monitored and secured. The second is in how online services are developed and maintained.

The Starbucks security hole is simple enough. The criminal breaks into the coffee-loving victim’s account by guessing their password or using the password reset features. They then load a Starbucks gift card using the victim’s stored payment information, and transfer that card to themselves. This is usually automated so that several gift cards can be filled and stolen in a short period of time. The attack normally ends only when the victim receives notices on the gift cards and resets their Starbucks password.

Starbucks reportedly processed $2 billion in mobile payments last year. That’s a serious amount of business that requires a re-adjustment of their risk appetite to reflect the target their business has become. Moreover, as retailers and emerging payment systems develop bank-like functionality (funds transfer, cards), they need to start thinking more like banks. Anti-fraud techniques such as behavior monitoring for unusual activity is a prime example. Another is offering consumer protections such as reimbursements (at this point, Starbucks defers consumers to work with PayPal or their credit card company.) When transactions are into the billions, it’s time for mobile payments to offer credit card equivalent security for consumers.

The other aspect of consumer protection is the online service itself. In , threat modeling is one of the first steps. The goal is to look at the functionality being developed and to identify ways it could be abused. With this in mind, security and privacy requirements can be defined. After Starbucks built their services, they could have performed scenario-based penetration tests to ensure the controls met the requirements, and the requirements prevent the threat. Given that gift card fraud is well known and that the controls in place are lacking, it’s clear that Starbucks did not complete these steps as part of their development program.

In summary, yes, consumers need to watch their password hygiene and monitor their accounts. But there’s more to the story. As companies build online services that handle billions in payments, they must mature their processes in handling fraud and building applications. We need credit card equivalent security for transactions. Developers need a secure development lifecycle for preventing their services from being abused. Starbucks is today’s example of organizations falling short on both areas, and leaving the consumers with the tab.

Cross posted from: http://content.cbihome.com/blog/starbucks_giftcard_fraud

Friday Books and Talks 05/15/2015

Posted May 15, 2015 by Wolf Goerlich

Reviving Work Ethic: A Leader’s Guide to Ending Entitlement and Restoring Pride in the Emerging Workforce
by Eric Chester (Author)

For frustrated managers and leaders, a guide to instilling a strong work ethic in the modern workforce. Work ethic in America is fast declining, plaguing young and old alike. But in Reviving Work Ethic, Eric Chester shows that you do best to focus on your young employees–those whose habits and ideals can still be influenced. He presents an incisive look at the root of the entitlement mentality that afflicts many in the emerging workforce and shows readers the specific actions they can take to give their employees a deep commitment to performing excellent work.

And his advice is crucial to a healthy bottom line: too often, talented-but-difficult-to-understand younger workers stand between your company and its profits. If business owners, managers, and executives are not connecting with them and modeling the key components of work ethic, employees are likely not connecting effectively with customers–leaving all kinds of money on the table.

Reviving Work Ethic is the culmination of years of research as well as presentations to over two million youth. Chester’s experience shows in his confident analysis of the seven.

Friday Books and Talks 05/08/2015

Posted May 8, 2015 by Wolf Goerlich

The Spider’s Strategy
by Amit Mukherjee

To thrive in a world where networks of companies increasingly compete with other networks, managers can no longer focus solely on excellence in planning and execution. In The Spider’s Strategy, top business consultant Amit S. Mukherjee provides the tools you need to sense and respond to unexpected events. He shows how and why managers in your company must apply his four powerful “Design Principles” today.

The Well-Timed Strategy
by Peter Navarro

It’s not enough to understand the business cycle and the industry cycle. In The Well-Timed Strategy, Peter Navarro discusses today’s unprecedented level of macroeconomic turbulence – from oil price hikes to drought and disease. Whether an executive, a strategist or an investor, Navarro provides the tools to align every facet of business strategy, tactics and operations to reflect changing business conditions. Keeping in mind finance, supply chains, production, marketing, HR and more, the author outlines ways to profit from the chaos of business cycle volatility by implementing the appropriate strategy.