Thursday, July 6, 2017

A Maturity Primer for Vulnerability Coordination

At the FDA Cyber Summit in Washington DC in January last year, issues concerning the security of medical devices and patient records were discussed, and a couple of resolutions were passed by the key policy wonks, attendees and manufacturers during the summit. Make no mistake, I’m still of the opinion that the healthcare industry is the most technology-retarded. There are too many well-purposed but fragmented efforts in healthcare cybersecurity, and it’s about time we bound them together.

Less than seventy-two hours ago, the patient records, systems and other assets of the prestigious UK National Health Service were compromised. The attack affected about seventy-five thousand victims and has spread to ninety-nine countries. This is fast becoming a popular trend, and I believe CISOs, C-level executives and even last-mile employees and end-users should upturn the overarching narrative by employing the right strategies. Most organisations should focus on finding solutions for their vulnerabilities and stop living in denial by asking whether a breach will happen rather than planning for when it does.
The way and manner in which we approach vulnerability concerns determine the posture of our organisations and our customers, and how effectively we defend against threats. It's about time we employed new strategies, because the threats of today cannot be remediated by yesterday's strategies. The standards for vulnerability disclosure (ISO 29147) and vulnerability handling processes (ISO 30111) are still quite valuable in the grand scheme of things, but seeking out ingenious methods is the way to go. The Vulnerability Coordination Maturity Model, inspired by other well-known maturity models, will assist organisations to:
  • Appraise their level of preparedness in the event of a breach and act on the vulnerability reports submitted by the Information Systems/Information Security Auditor.
  • Draw up a list of activities to heighten their effectiveness in responding to security bug reports in their own software or services.
  • Establish a guideline for bettering their vulnerability coordination and security over time.
The Vulnerability Coordination Maturity Model inspired by HackerOne focuses on five capability areas, namely:
  • Organizational: This focuses on the people, processes and resources that would handle potential vulnerabilities. The maturity model defines three levels of capability, namely Basic, Advanced and Expert. At the Basic level, you have executive support to respond to vulnerability reports and a commitment to security and quality as core organisational values. The Advanced level adds a policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111 or any comparable framework. The Expert level means you have executive support, processes, budget and dedicated personnel to handle vulnerability reports.
  • Engineering: Evidently, to address concerns, you will need an Engineering team that can do the analysis. The team must be able to evaluate and remediate security holes and improve the software development lifecycle. At the Basic level, you should have a clear mechanism to receive vulnerability reports and an internal bug database to track them to resolution; ISO 29147 is a good reference point here. At the Advanced level, you must have dedicated security bug tracking and documentation of security decisions, deferrals and trade-offs. At the Expert level, the team uses vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. Refer to ISO 29147, 30111 and 27034 as a guide.
  • Communications: Here the focus is on the ability to communicate with internal and external audiences about vulnerabilities. At the Basic level, you have the ability to receive vulnerability reports and a verifiable channel to distribute advisories to the affected parties. At the Advanced level, you have tailored, repeatable communications for each audience, including security researchers, partners, customers and media. At the Expert level, you provide structured information sharing programs with a coordinated distribution of remediation.
  • Analytics: This is where you take everything you have learned about vulnerabilities and analyse the data to identify trends and improve processes. At the Basic level, you track the number and severity of vulnerabilities over time to measure improvement in code quality. At the Advanced level, you use root cause analysis to feed back into your software development lifecycle. At the Expert level, you use telemetry and real-time threat detection to drive dynamic pivots of the remediation strategy.
  • Incentives: This is the area where you aim to get vulnerability researchers to report issues directly to you. At the Basic level, you give thanks or small gifts like T-shirts and, most importantly, state in your vulnerability disclosure policy that no legal action will be taken against anyone who reports bugs. At the Advanced level, you give financial rewards or bug bounties to encourage reporting of the most serious vulnerabilities. At the Expert level, you have a detailed understanding of adversary behaviour and vulnerability markets, and structure advanced incentives to disrupt them.
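As an added illustration of the Analytics capability above (this is example code written for this page, not part of the original post and not HackerOne's model), the following Python script computes the Basic-level metric (number and severity of reports received per quarter), a remediation-time metric, the root-cause ranking that the Advanced and Expert levels feed back into the development lifecycle, and a check for reports that have exceeded a fix-time target. The bug-tracker records, the SLA targets and the reporting date are constructed assumptions, not data from any real organisation.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnReport:
    """One record from an internal security bug tracker (field names are assumptions)."""
    report_id: str
    received: date
    severity: str           # "critical", "high", "medium" or "low"
    root_cause: str         # root-cause class assigned during triage
    fixed: Optional[date]   # None while the fix is still outstanding


# Constructed sample export; the ids, dates and causes are made up for this example.
SAMPLE_REPORTS: List[VulnReport] = [
    VulnReport("VR-001", date(2016, 10, 3),  "high",     "missing input validation",       date(2016, 10, 20)),
    VulnReport("VR-002", date(2016, 11, 14), "critical", "outdated third-party component", date(2016, 11, 16)),
    VulnReport("VR-003", date(2016, 12, 1),  "medium",   "missing input validation",       date(2017, 1, 10)),
    VulnReport("VR-004", date(2017, 1, 9),   "high",     "missing authorization check",    date(2017, 1, 30)),
    VulnReport("VR-005", date(2017, 2, 2),   "medium",   "verbose error message",          None),
    VulnReport("VR-006", date(2017, 3, 21),  "high",     "missing input validation",       date(2017, 4, 4)),
    VulnReport("VR-007", date(2017, 4, 5),   "critical", "outdated third-party component", date(2017, 4, 6)),
]

# Assumed fix-time targets in days per severity, and the date the report is run.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AS_OF: date = date(2017, 5, 14)


def quarter_of(d: date) -> str:
    """Label a date by calendar quarter, e.g. 2017-Q1."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def severity_by_quarter(reports: List[VulnReport]) -> Dict[str, Dict[str, int]]:
    """Basic level: number of reports per quarter, broken down by severity."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for r in reports:
        counts[quarter_of(r.received)][r.severity] += 1
    return {q: dict(c) for q, c in sorted(counts.items())}


def median_days_to_fix(reports: List[VulnReport], severity: Optional[str] = None) -> Optional[float]:
    """Median days from receipt to fix for closed reports, optionally for one severity.

    Returns None when no closed report matches, rather than a misleading zero.
    """
    durations = [
        (r.fixed - r.received).days
        for r in reports
        if r.fixed is not None and (severity is None or r.severity == severity)
    ]
    return median(durations) if durations else None


def root_cause_ranking(reports: List[VulnReport]) -> List[Tuple[str, int]]:
    """Advanced/Expert level: root-cause classes ordered by frequency.

    The top entries are the vulnerability classes worth eliminating outright
    (e.g. by a framework-level input validation layer) rather than fixing one by one.
    """
    return Counter(r.root_cause for r in reports).most_common()


def sla_breaches(reports: List[VulnReport], as_of: date) -> List[str]:
    """Ids of reports whose fix took, or has so far taken, longer than the target for their severity."""
    breaches = []
    for r in reports:
        end = r.fixed if r.fixed is not None else as_of   # open reports are measured up to as_of
        if (end - r.received).days > SLA_DAYS[r.severity]:
            breaches.append(r.report_id)
    return breaches


if __name__ == "__main__":
    print("Reports per quarter by severity:", severity_by_quarter(SAMPLE_REPORTS))
    for sev in ("critical", "high", "medium", "low"):
        print(f"Median days to fix ({sev}):", median_days_to_fix(SAMPLE_REPORTS, sev))
    print("Root causes by frequency:", root_cause_ranking(SAMPLE_REPORTS))
    print("Reports past their fix-time target:", sla_breaches(SAMPLE_REPORTS, AS_OF))
```

The point of the root-cause ranking is the Expert-level step in the model: when one class (here, missing input validation) keeps recurring, the remediation is a change to the development lifecycle, not another individual bug fix. The SLA check deliberately counts open reports against today's date so that a long-open report shows up as a breach instead of disappearing from the metric.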
The recent cyber-attack being spread is ransomware: a type of malware that, once executed, encrypts all your files and demands the payment of a ransom before they can be decrypted. The ransomware is known by various names, WannaCry, WanaCrypt0r and WCry among them, and the malware is believed to be among a tranche of brawny hacking tools stolen from the NSA in August of 2016. The attack vectors and reach are quite broad in scale, as the spread has reached Europe, Asia, North and South America and Africa (North and South).
This malware exploits a known Windows vulnerability, bypassing traditional antivirus and firewall protection and granting full administrative privileges over the victim's computer. The common mode of delivery is via email; if the attachment is mistakenly opened, it starts to encrypt the user's files. As soon as that's done, it locks victims out of their computers and demands a ransom to be paid in Bitcoin. As a fundamental rule of thumb, do not open emails from people you don't know or emails that carry an acute sense of urgency, e.g. "Click on this link to avoid losing access to your account".

If you aren't infected, please run your Windows update as soon as possible and if you are yet to download the Microsoft Fix, kindly do so below:

MSU Files X64 http://bit.ly/2rdH9DI
MSU Files X86 http://bit.ly/2pKJzZa

Be safe.

This article first appeared on http://www.kingsleyudoh.com/blog/2017/05/14/a-maturity-primer-for-vulnerability-coordination/

Spouts on the Future of Work

Everyone in an organisation needs to start thinking about the organisation of the future, and this is an important aspect the public sector in Africa shies away from. From my vantage point, the most senior people in organisations are the most change-resistant. One of my favourite books after Mavericks at Work by Bill Taylor and Polly LaBarre is definitely The Constraints of Corporate Tradition, written by Alan Kantrow and published in 1987. One of the mistakes leaders keep making is that they don’t understand the history of the organisations they work in and the portfolios they hold. Kantrow’s book posited that power doesn’t reside with the Chief Executive or the line managers; it might be a mid-level executive or a retired executive who still wields a lot of influence. How were the five most important decisions of the last ten years made? What were the two decisions that should have been made but weren’t?
Most organisations and countries are smart. They have thought about lots of ideas, and it just never worked. You have got to do forensics to decipher what went wrong, and the key to this is that you have to listen to people. Listening is such a hard skill to acquire, and looking at this in hindsight, the best nuggets come in the last 15 seconds of a one-hour conversation. If you don’t have anyone in the top leadership group who wants to change, I think you are wasting your time. The biggest driver of change in economic power is urbanisation. On every strategic map of cities, Lagos takes a prominent place. I write this with some trepidation because a sitting Governor built under 5000 housing units in eight years. Contrast this with the 1980s under Lateef Jakande, when 20,000 units were built in four years. Too much for revisionist theory.
Leaders are trying things out. The order of the old isn’t going to sustain the future. Fabrizio Freda, President and Chief Executive of Estee Lauder, has laid out plans for his top 250 executives to think outside the box. He has proposed and implemented that his top executives should have reverse mentors. Each of them now has someone aged 26 or younger mentoring them, and every day they get new insights and challenges moving into the new age. Can you beat that? In the public sector, the Ruler of Dubai, Sheikh Mohammed Bin Rashid Al Maktoum, employs this same strategy to aid the culture of entrenched innovation. I’ve learnt not to pedestrianise the power of an individual: the singular visionary who lays the big ideas on the table and sets the vision, like Deng Xiaoping did in Shenzhen in 1980 and George Soros did in 1992 with the Bank of England.
FREE FACT: There will be 2.4 Billion new middle-class consumers over the next seven years and they are situated in Africa and Asia. This number is 1000 times more than the industrial revolution.
Contrast the picture of Shenzhen in 1980 with its outlook in 2016 and you will see what I’m saying. Shenzhen’s 2016 image is replicated in over 200 cities in China, and George Soros, hedge fund manager and entrepreneur, forced the almighty Bank of England to devalue in 1992. I also agree that Soros epitomising the strengths of the capital market in 1992 isn’t something that can happen in 2016 due to geopolitical risks, but he dared to dream. I have come to see that as a people, the black race and Nigeria in particular have an acute self-esteem challenge. Everywhere I go, I keep hearing senior executives talk about having an outpost in Nigeria, yet the citizens themselves don’t believe in whatever the government is willing to do. I don’t blame the young people leaving in droves, and it's okay to get cynical about government when the indices so far show that you should. If you don’t have equality of opportunity, it produces a very bad outcome, just as we have witnessed.
I’ve said this a thousand times and I’m willing to reiterate it: Jack Ma wouldn’t come to Africa, and the next Jack Ma has more than enough incentives not to come to Africa, so how do we rescue ourselves from these abysses? Can we bring big thinking into government for once and quit the rigmarole and tribal slurs plugged into the very innards of its operation? Deng Xiaoping famously said, “I don’t care if it’s a white cat or a black cat, if it’s a communist cat or a capitalist cat, as long as it catches a mouse, I’m fine.” I know most trend spotters have not noted this in Nigeria, but the productivity growth the country has witnessed over the last 16 years isn’t because of technology but because of women entering the workforce in large numbers in the early 2000s, yet there’s no elaborate program across the board to encourage this demographic. No African country yet has a broad plan on immigration reform to retain and bring in the smartest talents into the continent. We just have to stop throwing money at every challenge. The 21st century is a huge resource war, and we should think resources first.
Overall, I’m optimistic irrespective of the level of volatility, and technology makes me very optimistic when we get more people participating in the global economy through digitisation. Education makes me optimistic too. If we can educate 30 million more Nigerians, we sure will have several Einsteins amongst us. What I’m worried about from a business perspective is that our institutions aren’t fit for purpose. After World War 2, the world changed dramatically, and it takes really brave leaders to do things; we presently don’t have a lot of that. We need to sit back and introspect. The average washing machine today has more computing power than all the machines that powered NASA to the moon in 1969. Let’s give ourselves another chance and not despise our days of little beginning; this could be the renaissance we so desire if we decide to focus on the right things.
This article first appeared here: http://www.kingsleyudoh.com/blog/2017/02/10/spouts-on-the-future-of-work/

Monday, September 2, 2013

REFORMING THE DEVELOPMENT AGENDA - MY QUICK TAKE ON THIS.

The current state of the Nigerian economy and its infrastructural leanings is unfathomable, thanks to years of neglect, corruption and nonchalance by the despots that have masqueraded as leaders since independence.
With a staggering population of 175 million (2013 est.), our human resources and propensity to develop are and should be unrivalled, but the glaring and unfortunate reality shows clearly that we are micromanaging our potential.

In Nigeria, bringing up good reforms in key sectors of the economy from Agriculture, Health, Education and Power has never been a challenge. In fact, it’s as routine as coffee breaks. We get lost in the process due to the sabotaging efforts of our self-seeking and politically minded leaders.

Of note is the Nigerian education sector. Since the return of democracy in 1999, the country has had ten Education Ministers, each of them introducing supposedly good policies. Just as the seeds begin to blossom into a flower, the administration is changed; the policies have not had the capacity to run on autopilot, and we begin to undulate in a cyclic twist of ineptitude.

When Dr. Obiageli Ezekwesili, the immediate past World Bank Managing Director for Africa, was Nigeria’s Education Minister, she curated a couple of policies by reinventing the country’s education framework from 6-3-3-4 to 9-3-4. Six years after, the ripple effects of policies like these are at an abysmal low.

Classrooms from primary to tertiary institutions of learning in the country are an eyesore; other physical infrastructure that actually makes learning comfortable, like furniture, is dilapidated. There are no books in the libraries, and where there are, they are outdated. The curriculum and instructional guides are not pedagogical, and to crown the insolence, the graduates churned out of the system can’t compete for jobs in the industrial age, much less this information age.

I’m not in any way swerving towards pessimism; in fact, I’m an eternal optimist. In the midst of this madness, there seem to be a few flashes of brilliance. For the past two years, the Nigerian Agriculture Ministry has been managed by a technocrat who sees the big picture.

Nigeria’s agricultural output has consistently been northward bound for two years now. The Minister has an eye for detail, and he’s quite prescient in managing the people and the processes in the ministry.
Prior to 2011, Nigeria lost 66% of its agricultural produce just between the farm and the market. The entire value and supply chain wasn’t seamless. Dr. Adesina, the man at the helm of affairs, adopted and implemented strategies that were sine qua non to sustainable development.

For instance, the Nigerian fertilizer distribution chain was reeking with corruption prior to his arrival. The real beneficiaries, the farmers, had been constantly force-fed a diet of half-truths and whole lies regarding the status of their fertilizer needs. The reality at the time was that the elites were diverting the subsidized or near-free fertilizers into the commercial markets.

As soon as this gaping hole was closed, agricultural output in 2012 increased by 42% and was the highest contributor to GDP after only the Petroleum Ministry. That’s the power a maverick wields in making developmental agendas work. For development to have a place of permanence in our polity, those in positions of authority like this must remain transformational and not transactional leaders.

Reform for development in key areas is imperative and long overdue, and I’m of the opinion that we consistently need to drive ourselves towards perfection. The key policy wonks must put the qualified people in the right places so we can hasten the pace of development and make our society that last best hope for all those who are called to the cause of freedom, who yearn for a life of peace and who want a better future.

As we approach 2015, it’s propitious of us to revisit the Millennium Development Goals (MDGs), an accepted international benchmark of development, and ask ourselves stern questions about what we did right and where we went wrong, so that progress can be entrenched. There sure wouldn’t be development without the people, and this would in turn make the citizens of the country regain belief in themselves, putting away the complexes of the years of denigration and self-abasement.

Tuesday, February 7, 2012

MY Projects at SYSPERA for 2012

2012 is already 38 days old and I'm only just updating my blog. It's quite a unique year, at least in the country of my business incorporation, Nigeria, and in the world as a whole.

Fiscal projections are not very encouraging. Jobs are being slashed. People are being laid off. My own take is that content is key. Since at SYSPERA we aim to be Africa's foremost IT and Management Consulting firm, we are consistently innovating for the future and for the present.

Here's a peek at our 2012 calendar:

Other projects and collaborations are already in the pipeline. Stay updated by following me on Twitter @UbongUdoh or finding me on Facebook as Ubong KINGSLEY-UDOH.

Wishing my esteemed readers a successful 2012 ahead!

Friday, February 18, 2011

CLOUD COMPUTING – LATEST BUZZWORD OR A GLIMPSE OF THE FUTURE?

Cloud Computing has steadily been growing in popularity in the IT industry since early 2007. In non-technical terms, I would define a CLOUD as a (C)OMMON (L)OCATION-INDEPENDENT (O)NLINE (U)TILITY on (D)EMAND SERVICE.

In recent times, I’ve been engaged in discussions on social networks, most especially on Facebook, about Cloud Computing, because I’ve been a cloud evangelist for a little over a year now, and I’m dismayed by the pessimism a lot of Nigerian techies express in these discussions.

First and foremost, there have been myriad variations on the definition of the Cloud. Everyone has a different perspective and understanding of the technology, and the misconceptions surrounding the subject matter were obvious when Steve Ballmer, Microsoft CEO, had problems communicating his company’s cloud strategy and infrastructure, Microsoft Windows Azure, to a select group of C-level executives last November.

The vagueness surrounding this ‘phenomenon’ is largely attributed to what I call the ‘hype cycle’. Since February 2007, Cloud Computing has been a buzzword for enterprises and Governments that are looking forward to saving costs and reducing their energy usage and carbon footprints.

For my non-techie audience, Cloud Computing is basically an outsourced, pay-as-you-go, on-demand, somewhere-on-the-internet experience that is always offered as a service. Even if you are not a good technology adopter, or in technical parlance a ‘digital immigrant’, you would be surprised at how much you interact with the ‘Cloud’.

The mobile phones we possess, the email addresses (Yahoo!, Windows Hotmail, Google Mail etc.) we have, and the instant messengers (Blackberry Messenger, Yahoo, Windows Live, Nimbuzz, Meebo, 2GO, eBuddy etc.) we use to communicate on the go are typical examples of Cloud Computing services.

This is a result of the physical layer of the OSI (Open Systems Interconnection) model having been abstracted away. In plain terms, it means an Airtel subscriber should not be concerned about where the server serving him or her is located; the focus should be on the service that’s being delivered.

Neither should a Gmail user bother about where Google’s servers are located, because it’s completely unimportant. This generation is a serviced generation. Everything is now being offered as a service, and the benefits of being serviced are too indispensable to avoid.

From a technical perspective, Cloud Computing is divided into three major tiers, namely:

1. Software as a Service (SaaS): This is basically what everyone already has in the form of Gmail, Yahoo! Mail, Wordpress, the various search engines, Wikipedia, Facebook, Twitter etc.
2. Infrastructure as a Service (IaaS): This is an offering Amazon pioneered as the grand-daddy with the Elastic Compute Cloud (EC2). Developers and system administrators obtain general compute, storage, queuing and other resources and run their applications with the fewest limitations. This is the most powerful type of cloud, in that virtually any application and any configuration that is fit for the internet can be mapped to this type of service. Microsoft’s cloud infrastructure is known as Windows Azure.
3. Platform as a Service (PaaS): This is the newest entry, where an application platform is offered to developers in the cloud. Developers write their application to a more or less open specification and then upload their code into the cloud.

Having highlighted all of these, the benefits of Cloud Computing to enterprises, individuals and Governments cannot be over-emphasized. Cloud Computing in every facet frees up budgets handcuffed by IT expenses. Instead of purchasing software licenses for new employees and locations, businesses simply add accounts to expand computing capacity.

Governments would benefit from it because it pools all disparate sectors as a whole and would ensure openness, accountability and prudence. For instance, the Nigerian Government can create a cloud where citizens pay their tenement, water and electricity bills on a central platform. The Nigerian Police Force can create a cloud infrastructure, which we would name in this instance The Nigeria Intellipedia®, with sub-cloud systems like The Police Reporting Software®, which moves statements from paper to a central database and makes crime management a less cumbersome issue.

Moving with the times and trends, some young Nigerian entrepreneurs are creating highly ambitious private cloud infrastructures which are beginning to generate positive ripples. The first is the Naija Info Bank®, which when completed would be the largest human resources database in Sub-Saharan Africa, with a capacity of over 80 million users; the second is www.traffic.com.ng, which is still in its beta phase and after completion would offer descriptive traffic reports with GPS coordinates for every nook and cranny of Nigeria. All you have to do as an end-user is plug into the cloud and enjoy these services.

The odds are good that within the next five years, the popularity of Cloud Computing within the enterprise and government will grow significantly. Yet Cloud Computing alone is not the answer. The key to achieving great success is for enterprises and governments to use efficient software to integrate their existing on-premises infrastructure with the Cloud.

For a more detailed understanding of Cloud Computing, sign up for the largest Cloud Computing event in Africa this summer in Lagos, Nigeria, and secure your company’s and agency’s future in the Cloud at The African Summer School on Cloud Computing, Cloud Identity and Virtualization Technologies at www.SSWorldSeries.com

Thursday, September 23, 2010

Diaspora vs. Facebook: The Anti-Privacy War Begins

With the recent issue trending on the web over privacy, the open source social media project Diaspora, founded in mid 2010 by four students, Dan Grippi, Michael Salzberg, Raphael Sofaer and Ilya Zhitomirskiy, with freshly minted diplomas from New York University, has issued its developer release on its website (www.joindiaspora.com).
It’s coming at a time when Facebook is facing serious criticism from its users. The behemoth of over 500 million users has faltered on issues pertaining to privacy, and Diaspora, a ‘rebel’ social networking platform, is offering a breath of fresh air in that regard. The anti-Facebook social networking site to be unveiled some more details last week about what their project will look like. Features so far include the ability to share photos, a degree of encrypted traffic, and, hopefully in the near future, data portability and Facebook integration. According to Nicole Ferraro of Internet Evolution, “The heavy focus for Diaspora, seems to be on community for a couple of reasons. First, it’s an open source project and second, Diaspora is supposed to be all about the user”.
According to Diaspora’s blog, “This is now a community project and development is open to anyone with the technical expertise who shares the vision of a social network that puts users in control“. It sounds very nice and I want it to go beyond rhetoric, but a lot of things sound nice, and in writing this I can’t help but think about what it’s claiming to be, which according to Nicole Ferraro “is sort of an idealized version of a social network from a consumer perspective”.
Reactions have been generated across the web, with social media enthusiasts airing their views about the new phenomenon. A web developer, Arnold Kurtz, says “If Diaspora really wants to gain interest by ‘elitists’, they should start out their system by ‘invitation only’. Make some sort of public announcement that they only want the world’s best and brightest. Who would resist an invitation like that little ego booster? Then to keep the illusion of exclusivity alive, they would reject people who were invited by friends and have an appeals process to let them in anyway-sort of how the Hippie communes with their recruited converts in the 60’s”.
Realistically, from a web developer's viewpoint, the pre-alpha code is very insecure, and a lot of security researchers have criticized it too. This is nicely summed up in an article by PC Magazine. Diaspora might have users’ best intentions at heart, but it may also be trying to fix something that is working too well.

Ubong Udoh
Chief Executive Officer, SYSPERA
+234 (0) 704 119 06 64
udoh.ubong@syspera.com
www.syspera.com
Follow me on Twitter on: www.twitter.com/ubongudoh