Insights For Success

Strategy, Innovation, Leadership and Security

Your cloud provider is making you a target

General | Edward Kiledjian

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting them. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high-ranking executive (CFO, CEO, SVP HR, etc.), asking them to log into "Workday" to fix an issue. The link leads to a fake Workday site that harvests the credentials, which then allow the threat actors to log in and change employees' direct deposit accounts, thus stealing money.

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a long list of satisfied customers on its webpage. This marketing list effectively becomes an attack plan: the threat actors know exactly which customer to target, which SAAS provider name to impersonate and which attack to use.

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn’t published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determined attacker could build his own list of high-value targets. Right?

As an example, they published a press release in April entitled “Workday Continues Momentum in Canada.” This wonderful piece of marketing includes this section:

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:


Where does marketing end and security start? 

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

Enter the name of a customer to find their login page.

Again, this is a common practice among many large SAAS providers. Even a giant like Microsoft does this for its Office 365 cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on a blog post.

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).
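The close-looking URL described above is exactly what a mail gateway or SOC can screen inbound messages for. The following is an added example, not code from the original post or from Workday; the protected login domains and the sample message are constructed assumptions, and the homoglyph folding is deliberately small (digit swaps plus rn/vv) so the logic stays readable:

```python
"""Flag URLs in an inbound message whose host imitates a SaaS login host.

Added example, not from the original article. PROTECTED_DOMAINS and
SAMPLE_MESSAGE are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumed for illustration: hosts this organisation's users legitimately log into.
PROTECTED_DOMAINS = ("workday.com", "myworkday.com")

# Constructed message: executive pretext plus a mix of real and lookalike links.
SAMPLE_MESSAGE = """From: "CFO" <cfo@cfo-urgent.example>
Subject: Action required: fix your payroll profile

Please log in at https://acme-workday.com/login before 5pm today.
Backup link: http://w0rkday.com/reset
Another variant: https://workdya.com/
Our real portal for reference: https://acme.myworkday.com/login
Unrelated: https://www.example.org/newsletter
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Fold digit-for-letter and two-letter look-alike substitutions before comparing.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
PAIR_HOMOGLYPHS = (("rn", "m"), ("vv", "w"))
MIN_BRAND_LEN = 5        # skip substring matching for very short brand labels
MAX_EDIT_DISTANCE = 2    # typo / transposition tolerance on the registrable label


def normalise(host: str) -> str:
    """Lower-case a host and fold common look-alike character substitutions."""
    h = host.lower().strip(".").translate(DIGIT_HOMOGLYPHS)
    for pair, letter in PAIR_HOMOGLYPHS:
        h = h.replace(pair, letter)
    return h


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, reason) with verdict 'legitimate', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    for p in protected:                       # exact host or a true subdomain
        if host == p or host.endswith("." + p):
            return "legitimate", f"subdomain of {p}"
    folded = normalise(host)
    # Second-to-last label approximates the registrable name (naive, no PSL lookup).
    registrable_label = folded.split(".")[-2] if "." in folded else folded
    for p in protected:
        brand = normalise(p.split(".")[0])
        if len(brand) >= MIN_BRAND_LEN and brand in folded.replace("-", ""):
            return "lookalike", f"brand '{brand}' embedded in host after homoglyph folding"
        distance = levenshtein(registrable_label, brand)
        if distance <= MAX_EDIT_DISTANCE:
            return "lookalike", f"registrable label is {distance} edit(s) from '{brand}'"
    return "unrelated", "no resemblance to protected domains"


def scan_message(text: str, protected=PROTECTED_DOMAINS):
    """Extract every URL host in the message and classify it."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            results.append((host, *classify_host(host, protected)))
    return results


if __name__ == "__main__":
    for host, verdict, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {host:24} {reason}")
```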

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here

Using OSINT techniques, they compile a list of companies whose publicly available SPF records reveal which SAAS providers they use.
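An organisation can run the same SPF check against its own domain to see exactly what it is disclosing, and at the same time catch the policy weaknesses that usually sit in the same record. This is an added example, not the article's or Rapid7's code; the records it parses are constructed, and the vendor include: hostnames in them are illustrative:

```python
"""Audit what a domain's SPF record discloses about its third-party senders.

Added example, not from the original article. The records below are
constructed; in practice fetch your own domain's TXT record (for example
with dnspython) and pass the string to audit_spf().
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed record for a fictitious company. Every include:/redirect= target
# is a vendor relationship the company is publishing to anyone who asks DNS.
EXAMPLE_SPF = (
    "v=spf1 ip4:203.0.113.0/24 mx a:mail.example.com "
    "include:_spf.google.com include:spf.protection.outlook.com "
    "include:mail.zendesk.com include:_spf.salesforce.com "
    "include:servers.mcsv.net -all"
)
# Constructed weak record: too many lookups and a neutral 'all'.
WEAK_SPF = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " ?all"

TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.*))?$", re.IGNORECASE)
# Terms that cost a DNS query; RFC 7208 section 4.6.4 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfAudit:
    third_party: list = field(default_factory=list)  # external sender domains disclosed
    lookup_count: int = 0
    all_qualifier: Optional[str] = None              # '+', '-', '~', '?' or None
    issues: list = field(default_factory=list)


def audit_spf(record: str, own_suffixes=()) -> SpfAudit:
    """Parse one SPF record; report disclosed vendors and policy weaknesses.

    own_suffixes lists the organisation's own domains so first-party includes
    (for example a regional sub-record) are not reported as third parties.
    """
    audit = SpfAudit()
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        audit.issues.append("not an SPF record: missing v=spf1 version tag")
        return audit
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            audit.issues.append(f"unparseable term: {term}")
            continue
        qualifier, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            audit.lookup_count += 1
        if name in ("include", "redirect") and arg:
            domain = arg.lower()
            if not any(domain == s or domain.endswith("." + s) for s in own_suffixes):
                audit.third_party.append(domain)
        elif name == "all":
            audit.all_qualifier = qualifier
    if audit.lookup_count > MAX_LOOKUPS:
        audit.issues.append(f"{audit.lookup_count} DNS-lookup terms exceed the RFC 7208 "
                            f"limit of {MAX_LOOKUPS}; receivers return permerror")
    if audit.all_qualifier in ("+", "?"):
        audit.issues.append(f"'{audit.all_qualifier}all' does not reject unlisted senders; "
                            "use -all or ~all")
    elif audit.all_qualifier is None:
        audit.issues.append("no 'all' term: unlisted senders evaluate to neutral")
    return audit


if __name__ == "__main__":
    for label, rec in (("example", EXAMPLE_SPF), ("weak", WEAK_SPF)):
        a = audit_spf(rec, own_suffixes=("example.com",))
        print(f"[{label}] lookups={a.lookup_count} all={a.all_qualifier}")
        for d in a.third_party:
            print("  disclosed third-party sender:", d)
        for issue in a.issues:
            print("  issue:", issue)
```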

So the question is how easy do we want to make it for threat actors? OSINT is intelligence gathered from public, legal sources, but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden-variety script kiddie "attacker" can easily target your customers.

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices. 

The company I work for recently conducted product reviews for various security tools, and having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed that others (like us) had reached the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet. Obviously user awareness is critical, since most often the human firewall is what will allow or prevent an attack.

Companies have used and will continue using customer names to convince the next prospect to jump on board. Threat actors will always continue to be creative and find new ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals is to provide enough security to protect our customers and support our business objectives.

9 most important questions to determine if a project is worthwhile

General | Edward Kiledjian

George H. Heilmeier was a DARPA director who developed 9 questions to help the agency determine the worthiness of projects submitted to it for funding. These 9 powerful questions are referred to as the "Heilmeier Catechism" and have become a core operating paradigm for DARPA (Defense Advanced Research Projects Agency) and IARPA (Intelligence Advanced Research Projects Activity).

These questions are so powerful, they are used in the business world day in and day out. I first learned about these questions while having lunch with a VC in San Francisco. He explained that many of his peers also use these questions when determining the funding worthiness of a proposal.

There have been variations to the questions, but I recommend sticking with the original 9:

  1. What are you trying to do? Articulate your objectives using absolutely no jargon. What is the problem? Why is it hard?
  2. How is it done today, and what are the limits of current practice?
  3. What's new in your approach and why do you think it will be successful?
  4. Who cares?
  5. If you're successful, what difference will it make? What impact will success have? How will it be measured?
  6. What are the risks and the payoffs?
  7. How much will it cost?
  8. How long will it take?
  9. What are the midterm and final "exams" to check for success? How will progress be measured?

This is a variation on the journalist's who, what, where, when, why and how strategy. Obviously answering these questions will not change the world or guarantee the success of a project, but they will greatly reduce the risks you take by ensuring the key concepts are thought through and understood.

The dangers of using that Facebook personality game

General | Edward Kiledjian
Image by Ludovic Bertron used under Creative Commons License

Do these questions look familiar?

  • Tends to find fault with others
  • Is relaxed, handles stress well
  • Is emotionally stable, not easily upset
  • Is easily distracted
  • etc.

A large percentage of Facebook users have played with these "personality analysis" games at least once in their life (some do them regularly). Why not? It's a fun way of finding out if a "test" will evaluate you the same way you evaluate yourself... right? WRONG!

These online games and questionnaires are known as the OCEAN test and rate you against 5 psychological traits:

  1. Openness
  2. Conscientiousness
  3. Extraversion
  4. Agreeableness
  5. Neuroticism

What may seem like a fun way to spend a few minutes and then boast to your friends about the results may be a firm performing deep psychometric analysis of you. 

We believe companies like Cambridge Analytica have been using these Facebook games as a toolkit to build psychological profiles representing millions of users worldwide. 

The company claimed it had data on around 230 million adults in the USA and approximately 4000 “data points” on every one of them, including gym and club memberships, charity donations, and card transactions.
— First Post, https://goo.gl/SxG5dK

They collect this incredible treasure trove of data by creating enticing Facebook games and questionnaires. Usually they provide a quick peek at your OCEAN score summary, but then, using Facebook tools, they can associate that psychological snapshot with your Facebook profile and real name. This link between your online and offline self is what makes this practice controversial; the term used to describe it is onboarding.

Cambridge Analytica has said they have 3000-5000 data points for each of the 230 million psychological profiles they track. These data points may include age, income, debt, hobbies, criminality, purchase history, religious/secular beliefs, etc.

The pedigree

Cambridge Analytica is a spin-off of the British firm SCL (Strategic Communication Laboratories, https://goo.gl/iuh9gz), which is known to have performed PsyOps (Psychological Operations) counter-terrorism in war-torn countries like Afghanistan.

The Trump effect

During the last hotly contested US election, the media repeated a fact over and over: "the Trump campaign isn't using traditional media advertising". The media was right. Instead of traditional macro-targeting, Trump turned to Cambridge Analytica (first used by his adversary Cruz) to win voters or dissuade his opponents' voters.

When you bake a good cake it’s the sum of the ingredients ... it’s actually flour, and eggs, and ginger, and everything else. And that’s what we’re looking at,[...]
— Alexander Nix, CEO Cambridge Analytica to NBC News - https://goo.gl/uqs0GA

The real problem lies with lax privacy laws implemented in the US. In Europe, most countries have strict data protection and privacy laws severely limiting the second or third hand use of personal data about their citizens. The US has no such protection for its population which means data brokers can access a treasure trove of (often) very private and personal data about its targets. This is how true, powerful and proven micro-targeting is implemented at its best.

Facebook is doing very well. They successfully moved to mobile and their increased profitability from advertising shows it. They are sticky now with 1.71 billion monthly active users. Stickiness doesn't tell the true story. The question is how much was each user worth to Facebook? 

  • A global user generates $3.82 a user per year (up from $2.76 a year ago)
  • A USA user generates $14.34 a user per year (up from $9.30)

The power of Facebook advertising isn't so much its reach as the micro-segmentation it makes available. This micro-segmentation is possible because Facebook knows who you are, where you live and work, who your friends are, what you like and dislike, how much you make and much more. I wrote an article entitled "Facebook knows more about you than you realize".

What are dark posts?

To continue the discussion, we need to talk about something called Dark Posts or Dark Ads. In simple terms, they are posts using news-feed-style layouts, visible in your feed but not actually posted in it. Confused yet? Because they aren't traditional advertising posts cluttering up your newsfeed, you are less likely to "hide" the advertising, which otherwise would look like spam. Imagine how powerful this becomes for companies performing A/B testing. They could run multiple ads against the same person in one day without looking like SPAM.

Think of these as special newsfeed items seen only by the person being targeted, all the while looking like "normal" posts (not jumping out as advertising) and being temporary.

Let's make the cake

So take the power of Cambridge Analytica and merge it with the hidden advertising of Facebook dark posts and this is (we believe) what allowed Trump's digital marketing team to serve the right ad to the right voter at the right time. 

A good example is the divisive issue of gun ownership. A gun owner profiled to be anti-establishment could be shown ads about how the opposition wants to weaken the USA by taking guns away (the national anthem playing in the back with a flag waving in the wind). A gun owner with strong religious family values could be shown a pleasant message about how father and son could bond over hunting, alone in the wilderness [but that the opposition would make guns illegal and take this beautiful bonding opportunity away].

Dark ads combined with good psychological profiles can also be used to create apathy and encourage some opponent voters not to turn out, thereby reducing the power of the opponent. Trump created anti-Hillary ads pushing out negative messages (Hillary claimed to carry hot sauce with her (link)).

Conclusion

What may seem like a simple and fun way to spend 5 minutes could allow a company, well-funded group or government to psychologically manipulate you without you ever becoming consciously aware.

I hope that by sharing this blog article, you will be a little more careful and a lot more distrustful about what you see on Facebook.

How to deal with stupid negotiators in business and life

General | Edward Kiledjian

In addition to Information Security, I have negotiated hundreds of contracts over the last 20 years totalling in the billions of dollars.

There are many schools teaching different “techniques”, but the worst of the worst are those that have a win/lose strategy. These dinosaur negotiation models believe in “winning at all costs” and are very easy to spot in the wild.

Techniques of the stupid negotiator

The win/lose strategy negotiators are the stupidest of the bunch. As previously mentioned, the techniques are easy to spot and I wanted to share some of them with you here:

  • Lowballing: They typically start the negotiations with unreasonably low bids and then never make significant concessions. They make small, insignificant moves. Any flexibility on your part is seen as a sign of weakness and will fuel their “cheapness”.

  • No-authority negotiators: They typically send low-level henchmen into the negotiations and do not give them any authority to make concessions. This means every request has to be sent back to home base for analysis, making the process painfully slow.

  • Emotional attacks: They typically see emotions as a weakness and will use them against you. This means they may try to bully you, or walk out of the talks at various points in the negotiations, infuriated by something you requested. In extreme cases they may use someone of the opposite sex who will break down (often crying) during the negotiations to “win” them.

Now that you know some of their tactics, you will quickly realize you are negotiating with the “stupid” negotiator and typically you may want to simply walk away and find other options. If other options are not available, ensure you clearly set your negotiation parameters ahead of time (minimum price, volume, important terms, etc.) and ensure you stick to them. Don’t allow yourself to be played.

There is no pie

In this 1980’s style of negotiation (the stupid win/lose style), participants believe that there is a finite amount of pie and that you must fight to win the biggest piece.

The problem is that with this style of negotiations, both parties typically end up with sub-optimal results regardless of who actually “won” the negotiations.

Modern negotiations

The modern negotiator understands that the best outcome is a win/win scenario where the needs of each party are met as much as possible. A good healthy negotiation means everyone wins and everyone is optimally satisfied.

Let’s say you need to acquire outsourced IT services and you manage to beat a vendor over the head and “convince” them to accept an unreasonably low rate. You may think you won because you got a “good price”, but in reality the vendor will now do everything to cut corners to control costs. This means they will spend all their energy cutting, negotiating and arguing instead of figuring out how to help optimize service delivery.

The secret to modern negotiation

There is one undeniable secret weapon in the modern negotiator’s arsenal: trust. Without trust, there cannot be a win/win negotiation.

This means that even before you start “negotiating”, it is important to build a relationship with the other party. Spend the time to learn about each participant’s goals and needs. Figure out what brings them to the table and what the ideal outcome would be for them. You need to trust them and they need to trust you.

Let’s get back to stupid

I want to share with you some of the techniques most used by these badly trained, old-school stupid negotiators. My hope is that by knowing their techniques, you will be better able to react and ultimately win.

Power of the negotiator

Every participant has different sources of power available to them during the negotiation.

In your office life, when negotiating with your boss, he/she has the power to reward or punish you. But often the levers of power are much more subtle and not always known (there is rarely perfect information).

Power can come from desperation, power of precedents (knowing someone else that got a specific deal), power of expertise, power of credentials, etc.

The message here is that you should ensure you have prepared all possible power sources. Additionally it is important to remember that power is perceived power and not absolute. You may think you are entitled to the same deal as another similar company (power of precedents) but may not realize they bought twice as much as you or that they brought another deal to the table.

Get the other party to invest

Every economics student learns about the concept of sunk costs. Wikipedia defines it as “In economics and business decision-making, a sunk cost is a cost that has already been incurred and cannot be recovered.” In Economics 101 we learn that sunk costs should not impact our analysis of continuing or killing a project.

Unprepared investors often make this mistake. They sink thousands into a stock whose price keeps dropping. Instead of limiting their losses and “getting out”, they keep adding to their losing position hoping it will turn around. They are using the sunk cost (all the investments up to this point) as a major deciding factor, whereas they should make a clear analytical decision on the chances the stock will actually appreciate from this point on regardless of these sunk costs.

One technique is to get the other party to invest heavily in the negotiation process. When buying a car, this could be “forcing” the sales rep to show you every car in the dealership, then test drive every one, give you a detailed walk-through of every car, etc. When you finally are ready to make a decision a couple of days later, he will likely bend over backwards because of all the time he has already invested.

In a corporate environment, if you extend the negotiation process and the sales team has flown in from out of town, they may be more inclined to be “flexible” because they don’t want to walk away empty-handed.

This means that before you start the negotiations, you should have an honest discussion with all stakeholders in your company and agree on a common set of goals before ever walking into that boardroom. Know exactly what you want, what you are willing to invest, what you are willing to concede, and agree that you will walk away if those conditions can’t be met.

Chance favours the prepared

The negotiation process starts much earlier than your first face-to-face meeting. Know the situation of your counterpart (aka do your homework). The more you know, the better the outcome will be.

When negotiating a salary increase with your boss, the negotiation starts much earlier than the meeting where you ask for more money. It starts weeks before, when you try to determine next year’s budget. You try to figure out how the company is doing and how that performance will exert pressure (if any) on your boss. You should check out the salary range for others doing your job in similar companies. You should figure out when your boss is more likely to be “happy and agreeable”, and so on.

In a corporate negotiation scenario, some of this information collection may happen during the formal meetings. You should determine how much information you are willing to divulge, at what rate, when, how and to whom. Typically the counter-party will divulge some information but will then expect you to reciprocate accordingly. Are you willing to play ball? Make sure you determine this with your team before the counter-party ever shows up.

Time may be your friend

Any deadlines your counter-party may have could be used as an advantage. If you are negotiating with a supplier and know their end of quarter/end of year is in 2 weeks, but you have no such deadline, you come from a position of power. They may be willing to negotiate much more to ensure a deal closes within that window.

On the other hand, you may have a subscription licence with a fixed expiry date for a product critical to your business. If you wait too long and negotiate too close to that deadline, the OEM may not be flexible because they know you are working against the clock. And because time is tight, they may also assume alternatives are out of the question.

If you are working against a fixed deadline, start the negotiation as early as possible to ensure you are not bullied into a bad deal. If possible, prepare a plan B (alternative solution) that can be implemented if a reasonable deal cannot be reached. If the alternative is reasonable then the counter-party loses their position of authority and will likely be fairer.

Make it personal

Good negotiators know that making it personal generally helps your cause. Making it personal means being friendly and likeable. Make sure the counter-party sees you as human and not a big unfriendly grey corporation.

In extreme American jury based court cases, defendants have been declared not guilty, even though there is enough evidence to clearly assign blame. In these cases the jury sometimes sees the prosecutor as arrogant, mean, vindictive and “on a mission”.

Don’t be a prick. Always be kind and caring. Remain cool, calm and in control.

Effective Executives Lead By Example

General | Edward Kiledjian

Close your eyes and think back to an executive you worked with (or for) that was truly inspiring. Someone so incredibly motivating that everyone around him/her seemed to work better, faster and more efficiently. What did this person possess that motivated everyone around them? 

When you meet someone like this (and they are few and far between), it feels like they were born for that job. But as explained in my previous article (Answering the most important leadership questions (Link)), these leaders are made and are not born with these skills.

Effective leadership can be summed up in a few simple concepts:

  1. an effective leader knows what has to happen (strategy)
  2. an effective leader knows how it has to happen (operational excellence)
  3. an effective leader knows who has to make it happen (people management)
  4. an effective leader can let it happen by removing red tape and providing executive sponsorship (accountability, enablement, responsibility)

If you want to become one of those much needed leaders, you need to honestly assess your current skills gap and build a roadmap to acquire the missing knowledge. When was the last time you really took time to improve yourself?

Perform (or ask a superior to perform) a true and honest 360 evaluation for you. This evaluation should include feedback from colleagues, employees, bosses, clients and anyone else you work with. This is a great way to determine if you have any misconceptions about your skills. These evaluations also help you identify your real weaknesses (things you may not even know or realize yourself).