Friday, 14 September 2018

Listen to this man

11:57 Posted by G No comments

Bit of a grand title I know...

I was lucky enough to hear Professor Ed Hess talk at an LEF (Leading Edge Forum) event a couple of years ago.  He talked about lots of things I've never really thought hard about, but immediately made perfect sense to me.

At the time he had just published his book called Learn or Die, which is well worth a read.  It talks about developing a learning mindset, and about being much more open to other peoples ideas, concepts such as 'I am not my ideas', 'my mental models are not reality' (aka I know I have biases).  He also talked a lot about make up of team, and how much diversity of thought positively impacts a team's performance.

I still follow the LEF guys ( twitter feed ) and also Ed Hess (Twitter Feed) and saw that Prof. Hess was speaking at the LEF study tour.

There's an LEF article (Link) called 'Rethinking Human Excellence with Ed Hess' which is worth a read, but if you've got 10 minutes watch the video below

He talks about how the operational models we developed in the industrial revolution (operational excellence, low failure rates, efficiency, command and control etc.) are not suitable for the smart machine age of software running everything/AI/ML.  He believes that :

Operational excellence will be taken over by technology and will become table stakes

his view is that we will need to change our approach and focus on what humans does better than machines.

You cannot command and control human beings to be innovative

You cannot command and control human being to be emotionally intelligent

I think he talks a lot of sense about how we need to change as leaders, being better versions of ourselves, continually learning, hiring for mindset and behaviours and this will be absolutely crucial in the years to come.

Some of this thinking is very similar to some of the thinking another I read a while ago  General Stanley McChrystal's Team of Teams, which also proposes changing the structure of organisation away from command and control to teams of teams - I wrote a bit about this here

Tuesday, 23 January 2018

Fresh Sophos home for Mac install via TeamViewer Gotcha

17:17 Posted by G No comments
After much pulling of hair, and thinking what am I missing, it turns out that Apple have changed permissions on remote installs in OSX 10.13 (High Sierra) of some software that install kexts .

Anyway I'm sure as anyone who happens to have IT in their job title knows, one becomes the default tech support for all our family.  This is exacerbated by Christmas 'could you just have a quick look at...'

Anyway I was checking the father-in-laws Mac, and to save time I was using Teamviewer so I could do it from the comfort of my own home.  All was going well, I downloaded Sophos home for Mac, and got to the final stage of the install, and needed to 'apply' a setting in system preferences.

I could see it via team viewer, but whatever I tried I couldn't click it !

After many different approaches, like most men I finally reverted to RTFM and found the following on the Sophos website -

Here's the text from the advisory:

Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. All 3rd party vendors are impacted by this change, and it is not possible to work around this requirement.
Note: Due to an Apple security restriction, this cannot be done via a remote desktop connection. There must be a locally logged on user. The Allow button will show, but be grayed out if it is accessed via remote desktop.
  1. After installing Sophos Anti-Virus got to Security & Preferences in the Apple System Preferences window.
  2. Near the bottom of the window, it will list the blocked Kernel Extensions (kexts) by Sophos. Click Allow.
Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation.  This step is not needed again on a reinstall. Kernel extensions already installed during an upgrade from MacOS 10.12 are automatically authorized.
So after a quick call to the father-in-law and him pressing 'Apply' locally at the appropriate moment, all is good.  Hope this saves you some time and heartache fellow family IT support !

Patching cadence becomes a thing

16:05 Posted by G No comments
I recently wrote on the Hiscox London Market Blog (with the help of the excellent Simon Challis) about the Meltdown / Spectre vulnerabilities in CPU's (article is here). Two immediate things, firstly it shouldn't be a popularity contest for which bugs have the nicest logo and website and secondly most of my thoughts are reflections of Kevin Beaumont, who I think is one of the most incisive commentators on IT security (and suitably irreverent at the same time).

image from Corax website

So what's the big deal ? Well nothing really. These vulnerabilities have the potential to be a really big deal, but at the moment, they're just not. That doesn't by any mean you should rest easy, and certainly after careful testing you should apply (if safe to do so) all the relevant patches.

What interests me most is how this is changing patching from a boring but necessary (and often neglected) back office task into something that the board, and soon investors will be taking notice of. The race is on currently, can enterprises patch before malware authors come up with a remote way to exploit these newly discovered vulnerabilities.

What makes this even more interesting is the fact that it's now easier to watch this battle from the sidelines. A new industry has sprung up to measure cyber risks.

Both the pure risk scoring players such as Bitsight and FICO, but also a new breed of insurance startups premised on cyber risk scoring and aggregation, such as Cyence (recently acquired by GuideWire), CyberCube (recently spun off by Symantec) and Corax.

How long before the board asks for their own risk score, or during M&A discussions a company's risk score is one element that is considered before financial investment ?

If you're interested in learning more about Cyber insurance, here's a link to a BBC article in which I'm quoted here