Key Updates to the NIST Cyber Security Framework

framework-01The first version of the NIST Cybersecurity Framework came about in Feb. 2014. In May 2017 President Donald Trump issued an executive order directing all federal agencies to use the framework to manage this risk, including future versions. Conversely, the private sector more so uses it as a non-uniform guide (sometimes in part) when needed and they other more industry specific frameworks as well. On 04/17/18 NIST released the updated version of this standard-setting framework. We attended the NIST hosted webcast reviewing this on 04/27/18 and my key points are:

Framework 7 Step Process:

1)    Prioritize and Scope: Implementation tiers may be used to express varying risk tolerances.
2)    Orient
3)    Create a Current Profile
4)    Conduct a Risk Assessment
5)    Create a Target Profile: When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes.
6)    Determine, Analyze, and Prioritize Gaps
7)    Implementation Action Plan

These recent changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held from 2016 to 2017.

NIST Cyber Security Framework 3 Areas

The newest version (1.1) includes these updates:

1)    Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cyber security requirements.

2)    Added a new section for self-assessing cybersecurity risk which explains how organizations can use the framework. Emphasizes the role of measurements in self-assessment stresses critical linkage of business results:

  • Cost
  • Benefit
  • to cybersecurity risk management
  • Continued discussion of this linkage will occur under
  • Roadmap area – Measuring Cybersecurity

3)    Added a new section for supply chain risk management which focuses on identifying, assessing, and mitigating acquired products and services that may contain malicious functionality, be counterfeit, or have critical vulnerabilities because of poor manufacturing practices.

4)    Added new focus area for small business – what this means is yet to be seen.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Matt Barrett of NIST. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk”, he said.

PwC’s 2018 Global State of Information Security Survey (GSISS) indicated that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set information security standards in their respective industries.

In another case, the University of Chicago’s Biological Sciences Division (BSD) successfully implemented the Cybersecurity Framework to help them comply with HIPAA and other federal data security rules.

If you want to know how to customize this to your organization please contact us.

Review of the 2018 Verizon Data Breach Report

The 11th edition of the DBIR (Data Breach Investigation Report) was released this month. It analyzed more than 53,000 cybersecurity incidents and over 2,200 data breaches across the globe. Here is a summary of its key findings:
Ransomware continues to be a top cybersecurity threat, according to the report. Ransomware is found in almost 39 % of malware attacks – double the amount in last year’s analysis. “Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.” This comes as no surprise to many city and state officials that have battled with ransomware takeovers recently. Systems in the city of Atlanta were offline for several days last month following a ransomware attack. Government offices and municipal systems have also been targeted in Baltimore, North Carolina, San Francisco, and others yet to come forward – the government does not like to admit their errors.

The report also shows that attacks on public sector organizations continue to focus on espionage. 43 % of public sector attacks were motivated by espionage. Of those attacks, 61 % were carried out by state-affiliated actors. Privilege misuse and error by insiders account for a third of breaches. Small businesses represent 58 percent of data breach victims. Over 50% of the attacks on public sector organizations were accomplished using backdoors in software, which arguably makes the case for why putting backdoors in software is a bad idea even if a government plans to use it for its own purposes – the government is far behind the private sector in incubating innovation here. Using phishing techniques to get data from individuals remains the most popular method as individuals continue to be the weakest link when it comes to security.

Fig 1. Data Breach Causes, Verzion 2018
Using stolen credentials topped the list of causes for data breaches (See Fig 1. for the other top causes). A common saying is “it’s easier to ask the employee for their password than try to guess it”, so social engineering continues to be a very useful tactic for hackers. For most employees, the only security protection system is their password. If a cyber-criminal obtains it, they can easily bypass most of the company’s security controls.

Attribution is probably one of the most difficult tasks in cyber-crime which already has more challenges than most people realize, with misdirection and lack of digital footprints to help lead to the cyber-criminal. This is likely due to several virtual machines and botnets used to facilitate the attack across several nations – all of which are likely unfriendly to the United States. Specifically, 73% of cyber-attackwere caused by outsiders. Organized crime rings are very likely using hackers as a service because 50% of cyber-attacks were attributed to organized crime. 12% was attributed to nation-states – APT (advanced persistent threats) who have unlimited funds.

Specific to Healthcare: The healthcare industry is rife with error and misuse. In fact, it is the only industry that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry—it accounts for 85 % of all malware in healthcare.

In total, there were 750 incidents and 536 with confirmed data disclosed. The top three patterns include: miscellaneous errors, crimeware, privilege misuse – 63 % of all incidents within healthcare. Breach threat actors breakdown: 56 % internal, 43 % external, 4 % partner, 2 % multiple parties. Breach actor motives are: 75 % financial, 13 % fun, 5 % convenience, Data compromised: 79 % medical, 37 % personal, 4 % payment.

The full report is available here.

Abstract Forward Consulting can help you review the issues in this report to build stronger security and process controls. Contact us here to learn more.

Jeremy Swenson, MBA, MSST

AbstractFwdHzTag300

New Consulting Site: www.Abstractforward.com Is Up

My new website, updated and stylistic, is up at: https://www.abstractforward.com/
AbstractForward New WebsiteThe site will serve as my corporate site going forward while the old site: https://www.jeremy-swenson.com/ will serve as a more personal blog.

If we can be of service to you in any way please contact us here.

Respectfully,

Jeremy Swenson, MBA, MSST
CEO & Principal Consultant: Abstract Forward Consulting, LLC
Speaker / Writer / Futurist

Abstract Forward Consulting Now Open For Business!

AbstractFwdHzTag300

In 2016 Mr. Swenson decided to go back to graduate school to pursue a second masters degree in Security Technologies at the University of MN’s renowned Technological Leadership Institute to position himself to launch a technology leadership consulting firm. This degree was completed in 2017 and positions Swenson as a creative and security savvy Sr. consultant to CIOs, CTOs, CEOs, and other business line leaders. His capstone was on “pre-cursor detection of data exfiltration” and included input from many of the regions CIOs, CISOs, CEOs, and state government leaders. His capstone advisor was technology and security pioneer Brian Isle of Adventium Labs.

Over 14 years, Mr. Swenson had the honor and privilege of consulting at 10 organizations in 7 industries on progressively complex and difficult problems in I.T. including: security, proj. mgmt., business analysis, data archival and governance, audit, web application launch and decommission, strategy, information security, data loss prevention, communication, and even board of directors governance. From governments, banks, insurance companies, minority-owned small businesses, marketing companies, technology companies, and healthcare companies, he has a wealth of abstract experience backed up by the knowledge from his 4 degrees and validated by his 40,000 followers (from LinkedIn, Twitter, and his blog). Impressively, the results are double-digit risk reductions, huge vetted process improvements, and $25+ million on average or more in savings per project!

As the desire for his contract consulting work has increased, he has continued to write and speak on how to achieve such great results. Often, he has been called upon to explain his process and style to organizations and people. While most accept it and get on board fast, some aren’t ready, mostly because they are stuck in the past and are afraid to admit their own errors due to confirmation bias. Two great technology leaders, Steve Jobs (Apple) and Carly Fiorina (HP) often described how doing things differently would have its detractors. Yet that is exactly why there is a need for Abstract Forward Consulting.

With the wind at our backs, we will press on because the world requires better results and we have higher standards (if you want to know more reach out below). With a heart to serve many organizations and people, we have synergized a hybrid blend of this process and experience to form a new consulting firm, one that puts abstract thinking first to reduce risk, improve security, and enhance business technology.

Proudly announcing: Abstract Forward Consulting, LLC.

Company Mission Statement: We use abstract thinking on security, risk, and technology problems to move business forward!

Company Vision: To be the premier provider of technology and security consulting services while making the world a better and safer place.

Main service offerings for I.T. and business leaders:

1) Management Consulting

2) Cyber Security Consulting

3) Risk Management Consulting

4) Data Governance Consulting

5) Enterprise Collaboration Tools Consulting

6) Process Improvement Consulting

If you want to have a free exploratory conversation on how we can help your organization please contact us here or inbox me. As our business grows, we will announce more people and tactics to build a tidal wave to make your organization the best it can be!

Thanks to the community for your support!

Founder and CEO: Abstract Forward Consulting, LLC.

Jeremy Swenson, MBA MSST (Master of Science In Security Technologies)

Three Unique Tech Trends in 2017 and Implications for 2018

Minneapolis – 12/24/2017

Each year we like to review and commentate on the most impactful technology and business concepts that are likely to significantly impact the coming year. Although this list is incomplete, these are three items worth dissecting.

3. The Hyper Expansion of Cloud Services Will Spur Competition and Innovation:
Cloud computing is a utility that relies on shared resources to achieve a coherent economy of scales benefit – with high-powered services that are rapidly provisioned with minimal management effort via the internet (Fig. 1). It presently consists of these main areas: SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). It is typically used for technology tool diversification, redundancy, disaster recovery, storage, cost reduction, high powered computer tests and models, and even as a globalization strategy. Cloud computing generated about $127 billion in 2017 and is projected to hit $500 billion by the year 2020. At this rate, we can expect many more product startups and consulting services firms to grow and consolidate in 2018 as they are forced to be more competitive thus bringing costs down.

The line between local and cloud computing is blurry because the cloud is part of almost all computer functions. Consumer-facing examples include: Microsoft OneDrive, Google Drive, GMAIL, and the iPhone infrastructure. Apple’s cloud services are primarily used for online storage, backups and synchronization of your mail, calendar, and contacts – all the data is available on iOS, Mac OS, and even on Windows devices via the iCloud control panel.

Fig. 1. Linked Use Cases for Cloud Computing.
Cloud Infra

More business sided examples include: Salesforce, SAP, IBM CRM, Oracle, Workday, VMware, Service Now, and Amazon Web Services. Amazon Cloud Drive offers storage for music, images purchased through Amazon Prime, as well as corporate level storages that extends services for anything digital. Amazon’s widespread adoption of hardware virtualization, service-oriented architecture with automated utilization will sustain the growth of cloud computing. With the cloud, companies of all sizes can get their applications up and running faster with less IT management involved and with much lower costs. Thus, they can focus on their core-business and market competition.

The big question for 2018 is what new services and twists will cloud computing offer the market and how will it change our lives. In tackling this question, we should try to imagine the unimaginable. Perhaps in 2018 the cloud will be the platform where combined supercomputers can use quantum computing and machine learning to make key breakthroughs in aerospace engineering and medical science.  Additionally, virtual reality as a service sounds like the next big thing; we will coin it (VRAAS).

2. The Reversal of Net Neutrality is Awful for Privacy, Democracy, and Economics:
Before it was rolled back, net neutrality required service providers to treat all internet traffic equally. This is morally and logically correct because a free and open internet is just as important as freedom of the press, freedom of speech, and the free market concept. The internet should be able to enable startups, big companies, opposing media outlets, and legitimate governments in the same way and without favor. The internet is like air to all these sects of the economy and to the world.

Rolling back net neutrality is something the U.S. will regret in coming months. Although the implications of it are not fully known, it may mean that fewer data centers will be built in the U.S. and it may mean that smaller companies will be bullied out of business due to gamified imbalances of cost in internet bandwidth. Netflix and most tech companies dissented via social media resulting in viral support (Fig 2).

Fig 2. Viral Netflix Opposition to Rolling Back Net Neutrality.
Netflix Twitter

Lastly, it exacerbates the gap between the rich and the poor and it enables the government to have a stronger hand in influencing the tenor of news media, social norms, and worst of all political bias. As fiber optic internet connectivity expands, and innovative companies like Google, Twitter, and Facebook turn into hybrid news sources, a fully free internet is the best thing to expose their own excesses, biases, and that there are legitimate conflicting viewpoints that can be easily found.

1. Amazon’s Purchase of Whole Foods Tells Us the Gap Between Retailer and Tech Service Company is Closing:

For quite a long time I have been a fan of Amazon because they were anti-retail establishment. In fact, in Amazon’s early days, it was the retail establishment that laughed at them suggesting they would flounder and fail. “How dare you sell used books by mail out of a garage”. Yet their business model has turned more into a technology and logistics platform than a product-oriented one. Many large and small retailers and companies of all types – employ their selling, shipping, and infrastructure platform to the degree that they are, in essence, married to Amazon.

Magazine Business Insider said, “The most important deal of the year was Amazon’s $13.7 billion-dollar acquisition of Whole Foods. In one swoop, Amazon totally disrupted groceries, retail delivery, and even the enterprise IT market” (Weinberger, 12/17/17). The basis for this acquisition was that grocery delivery is underserved and has huge potential in the U.S. as the population grows, less people own cars, and people value not wasting time walking around a retail store so much (getting socialized to a new level of service) (Fig 3).

Fig. 3. How Amazon Can Use Whole Foods to Serve High Potential Grocery Delivery.
Amazon Whole Foods

By Jeremy Swenson and Angish Mebrahtu

Mr. Swenson and Mr. Mebrahtu meet in graduate business school where they collaborated on global business projects concerning leadership, team dynamics, and strategic innovation. They have had many consulting stints at leading technology companies and presently work together indirectly at Optum / UHG. Mr. Swenson is a Sr. consultant, writer, and speaker in: business analysis, project management, cyber-security, process improvement, leadership, and abstract thinking.  Mr. Mebrahtu is a Sr. developer, database consultant, agile specialist, application design and test consultant, and Sr. quality manager of database development.

 

 

 

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Equifax_breach_exposes_143_million_peopl_0_4110363_ver1.0_640_360Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population with more than 143.5 million records exposed.  This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless.  As a result, the threat actors trolled around Equifax’s network, staging and exfiltrating data undetected for 2.5 months.  It is one of the biggest data breaches in U.S. history but clearly not the biggest.  Going forward, breaches are likely to be bigger, given the threat actors risk vs. reward tradeoff, and the increasing capabilities of cloud computing and botnets thereby enabling anonymity.

Equifax 1Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it including social security numbers, full names, addresses, birth dates, and even drivers licenses and credit card numbers for some.  “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft.  To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented and it’s not likely to stop anytime soon.  All of this has inspired negligence lawsuits and regulatory reviews across most states.  If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above average information security standards.  Yet they clearly did not.  Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (The National Institute of Standards in Technology) via CERT (critical emergency readiness team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (critical vulnerability exploit) 5638 (Fig 2) which Equifax ignored or gave low priority.  Apache Struts is a free, open-source, MVC (model view controller) framework for creating nice, new Java web applications.  At Equifax, the Apache Struts platform was used for multiple applications and thus the risk associated with failing to patch the vulnerably was exponentially large and complex.

Apache Struts
Negatively, the Apache Struts vulnerability allowed remote code execution via a cmd string upload in the HTTP header.  Both versions of this vulnerability were listed as being highly severe by the CVE alert.  There is no way Equifax did not know this to a considerable degree.  Lesson learned: solidify your security baseline and update and patch based on likely impact and ease of execution.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months.  Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850.  In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017).  Thus, Equifax had poor security long before the recent breach and they have been warned.

a) Creating a culture of security where rank and title do not suppress valid evidence and reason, and outside vendors are vetted and listened to in a timely order concerning security risks would improve their security posture.  Yet this requires cross-departmental collaboration, openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17 three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent well-earned stock trades, the totality of the circumstances warrants further validation even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the mind of executives, not short-term profits – implicates a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer.  They also partner to sell identity theft monitoring via LifeLock.  LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators.  LifeLock cost about $30 per month per customer and a part of that profit is shared with Equifax via a prearranged deal inked in 2015.  Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PIN numbers that were composed of date
and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity.  He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that.  Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17).  Obviously, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.  PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months for example).

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.

The Danger of Thinking Title Makes You A Leader (expanded)

socrates_fiorina_kodak

Leadership is about enabling the potential in others and getting out of the way so their dreams can enable something bigger. Having people paid to report to you does not mean you are a leader but more likely a manager, which is a very respectable and worthwhile career path but it is not leadership. It is not even close to leadership! When people choose to follow you without money or title, that is leadership. In this context, the title is derived from results and action first. As a leader, you are responsible for incubating synergies to get three out of two. Leadership is about influence, not title. Title is a mostly meaningless word that constantly changes in todays amorphous corporate culture.

Title without great external influence is not title at all. How can you move someone’s cheese when you can’t even move your community. Leadership STARTS at the community level and its nuclear power resides there. Community based leadership has overthrown a lot of ruthless dictators, leading scammers, and corporate bullies. Real leaders understand the value of academic inquiry (formal or informal), history, change, and that these things together are the precursor to innovation. They also understand that innovation is a team thing and they don’t seek to steal the spotlight.

Former H.P. CEO and Presidential candidate Carly Fiorina said it best this way, “leadership is about changing the order of things”. Changing the order of things is dangerous because it has many unknowns and it ruffles the feathers of those presently holding power. If you are truly a leader or aspire to be one, get ready to be attacked multiple times. All TRUE leaders are different and DO NOT FIT IN with most people or the status quo, and they are bullied, harassed and attacked, and that is the life they know. They can lead in times of great stress and controversy while the vast vast majority of people in the world could never even get close, and would break like a generic toothpick at the sign of light criticism.

Carly Fiorina On  Management Vs. Leadership – Stanford Univ. 2007.

Although a lot of executives say or believe they are leaders, their actions contradict that. All too often, they can’t handle the criticism that comes with true leadership and they are very often afraid of change, or people with abstract cultural personas. In many parts of their personal lives, they could not even pass the simplest leadership test of helping someone less fortunate than them when nobody else will in a disaster situation. Very often they insulate themselves with simple minded yes-sayers, fire people who question them, and are more often concerned with the superficial status that comes with being wined and dined by vendors that serve their vertical. Types like these are fools masquerading as leaders but there is plenty of them.

The real life of a leader is lonely and some think you’re crazy. The people (mostly fools) who think you’re crazy don’t understand diversity, the evolution of culture, true creativity, and they most likely could never connect the dots to realize any type of noteworthy synergy.  Yet they often hype up all kinds of useless nonsense to promote their fallacious status:

1) You can’t argue with me, I am a Director, therefore I am right. Truth: Delusional.
2) I am a VP, therefore, my ideas are innovative. Truth: No one credible declares innovation.
3) I am a 27-year-old director and won’t make time for you because I am in a leader development program. Truth: Leader development programs have next to no track record and teach corporate conformity. A leader development program would not have helped Bill Gates, Martin Luther King Jr., or Mark Zuckerberg.

With great respect for everyone, in my experience, the people making these types of arguments are the biggest fools of all and they are usually one trick ponies – good at one or two things only and for a short period of time. If you fall for them you have been scammed.

Examples of true leaders include Billy Corgan (alternative rock music pioneer), The Wright Brothers (building and flying the first airplane) William Kunstler (landmark civil rights attorney), John McAfee (anti-virus pioneer), and Steve Jobs (computer pioneer). These people were all criticized in their early years and pushed many people away from their inner circle. Although this criticism and isolation may have broken some people it did not break them.

Most often, real leaders don’t fit in with most people and unless they get fame or money they are ostracized. So many in our society are overly focused on fame, media hype, and money. Yet real leaders are not distracted by these immoral fallacies for they have nothing to do with life satisfaction, moral progress, or any type of synergy. Real leaders undeniably inspire movements, better people, processes, and with their vision and advocacy – society, business, and/or technology gets to heights never dreamed possible. Very few people see this at the time, though many are happy to jump on the bandwagon decades after its validated as cool by the masses.

Martin Luther King Jr. was one such leader and he paid the ultimate price but inspired a civil rights revolution that redefined America – William Kunstler defended him. Philosopher and teacher Socrates was unjustly condemned to death for questioning the current status quo of Athenian politics and society and for teaching students to do the same thing for a better world. Today his ideologies and approach have proven to be the foundation for much of Western philosophy and education. His name is associated with the Socratic Method, which means questioning everything. It is the hallmark of how law schools teach students throughout most of the world and it is a methodology that has proven to save the lives of thousands.

Yet some corporate leaders do not like to be questioned by even the most validated intellectuals. Case in point, when credible writer and analyst Bethany Mclean was questioning Enron CEO Jeff Skilling in 2001 about Enron’s public financials, he blew her off and created a smoke screen to cover up large scale fraud. It’s no surprise that Enron is now defunct, Skilling is in prison, and Mclean has been proven as the real leader. Having met her, having read her works, and having correspondence with her, I know she is everything that makes up a great leader. Great leaders have no problem taking questions from validated individuals of all walks and ranks because they have nothing to hide (including insecurities) and they can use the dialogue to advance their innovative mission. In the data-centric democracy of the United States, business and technology fads come and go, and now is about the new – false leadership will be short lived.

Socrates Condemned to Death Speech – 399 B.C.

I will take the person with the best ideas and passionate followers over someone who gloats about how prior titles prove anything. Titles by themselves and even with experience do not prove much at all. In the evolving and constantly changing landscape of technology, titles, for the most part, do not matter. Results, creativity, and inspirational empathetic leadership are what matter – emphasis added!!

If you focus too much on title, the guy or girl with the right idea will run you out of business and you and your whole team with be left with little money and no title. Please think long and hard about this, if you are claiming to be a leader. You don’t want to be like Kodak and fail to see digital cameras are the future, and you don’t want to be the leader who failed to see a data breach. You don’t want to be an overconfident leader who self-declares your morality over subordinate objections but who years and perhaps decades later is deemed as greatly immoral. You don’t want to be that executive whose peers support you only because they are paid to but really don’t respect you, and are not at all inspired by you. This happens a lot and this faulty leadership under good governance will be short lived.

Lastly, to that person who gloats about their V.P., Director, SVP title, or the like, ask them how many people would follow them passionately without money in times of great challenge while others criticize them. Likely, they will be confused, because most leaders are below the surface working to make the world a better place while the above fakers seek status and “yes” cliques. They know nothing about leadership or moral courage. To think that titles are a right-of-passage to leadership is one of the most dangerous fallacies in society to date. It has caused wars to be lost, inspired political violence, caused elections to be lost, technologies to be missed, and it is a solvable irony for a society as advanced and gifted as the human race. What are you doing to be your own best leader for the greater good of others? I assure you it has nothing to do with title.

If you want to talk more about these and related concepts, please contact me here.

Three Points on Artificial Intelligence and Cyber-Security for 2017

icit-new-logo-for-website5
Although I have been known for longer posts, I would like to offer only three things to watch out for related to artificial intelligence and cyber-security for 2017, followed by sharing two videos.

1) Cyber attackers have long used machine learning and automation techniques to streamline their operations and may soon use full-blown artificial intelligence to do it. Botnets will become self-healing and will be able to detect when they are being discovered and can re-route in response. The botnet and cyber crime business will grow and become more organized. Showdan, the world’s first search engine for internet connected devices, will be used to target companies and individuals negatively. Yet it can also be used for safety and compliance monitoring, most likely when its feed into another analytical tool.

How to Hack with Showdan (For Educational Purposes Only):

2) It won’t be long until A.I. learns the patterns of mutating viruses and then has the ability to predict and/or stop them in their tracks. This is dependent on the most up to date virus definitions, and corresponding algorithms. How a Zero Day is made is heavily a math problem applied to a certain context and operating system. There should be a math formula to predict the next most likely Zero Day exploit – A.I. could provide this. It’s a matter of calculating all possible code various and code add on variations. It’s a lot more advanced than a Rubix Cube.
975f495fafd8c494591892412ecf87e33) A.I. has the potential to close the gap between the lesser developed world and the developed world. The technology behind A.I. is not limited to big companies like IBM or Microsoft for the long term. We may be surprised with tech start-ups out of the lesser developed world who are very creative. Lack of fiber optic cable connectivity has forced many lesser developed nations to rely heavily on cell tower smartphone based internet communications. This has inspired a mobile app growth wave in parts of Africa as described here; “the use of smartphones and tablets within the country has led to a mobile revolution in Nigeria. Essentially, people now tend to seek mobile solutions more often and thus, enhance the growth of the mobile app development industry” (Top 4 Mobile App development companies in Nigeria, IT News Africa, 2015). A.I. will likely close the gap between these two sectors though not drastically change it. If lesser developed countries can build their own mobile apps and outsource things to A.I.; they could become more independent from the economic constraints of the developed world.

The below video highlights some of the complications around these points. It is from a conference hosted by the ICIT on April 25, 2016, and I did not attend this. In the video, Donna Dodson (Associate Director, Chief Cybersecurity Advisor and Director, NIST), Mark Kneidinger (Director, Federal Network Resiliency, DHS), Malcolm Harkins (ICIT Fellow – Cylance) and Stan Wisseman (ICIT Fellow – HPE) discuss related concepts and share realistic examples of how these technologies are reshaping the cyber-security landscape.

ICIT Forum 2016: Artificial Intelligence Enabling Next-Generation Cybersecurity

If you want to contact me to discuss these concepts click here.

Five Unique Tech Trends in 2016 and Implications for 2017

1) Russian Hacking in U.S. Elections – critical infrastructure implications:
For more than ten years candidates and advocacy groups have used internet marketing hacks to steal their opponent’s websites, redirect internet traffic, or increase negative search results on them by manipulating search engine algorithms. For example, former GOP Presidential candidate Carly Fiorina failed to register carlyfiorina.org and thus had an opposition group use it as negative publicity against her, but she has since acquired the site. Yet 2016 proved to be a turning point in political hacking because of the level and sophistication and sustained effectiveness. The Washington Post reported, “Russian government hackers were able to penetrate DNC servers, compromising opposition files, chats, and emails on republican nominee Donald Trump (Eliza Collins, 12/30/16, USA Today). With this information, Russian intelligence agents masqueraded as third parties to create very believable spear phishing campaigns. These fake emails worked to trick victims into typing in their usernames and passwords after which Russian agents moved further into their networks, undetected at the time.

On 12/29/16, in a first of its kind move, the Obama Administration released a joint FBI and DHS report (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert) on the technicalities of the hack and sanctioned the GRU and the FSB (Russian intelligence agencies) and key companies they contracted with (Katie Bo Williams, 12/29/16, The Hill). The following diagrams (Fig. 1-a and 1-b) show there were two main hacking groups and that they used mostly classic hacking tactics that were clearly preventable. APT29 hides via encrypted communication and speeds up commands via PowerShell code automation, applied to multiple operating systems. Thus they must have been observing and studying/testing for a while to get this right as its complex across phones, tablets, and PCs. At the same time, APT28 was using a private tunnel (like a VPN) to install and remotely run applications – key loggers designed to steal information and credentials.

Russian DNC Hack Diagram – Fig. 1 – a: (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert).
Russian Hack Part 3.png
All this started as far back as the summer of 2015, so the full penetration went undiscovered for more than a year. In that time, it has been alleged that the hackers were releasing embarrassing info to manufacture fake negative news against Hillary Clinton. In one instance the release of this info resulted in the resignation of the on DNC Chair, Florida Representative Debbie Wasserman Schultz. Yet the hack is not fully partisan because many sources confirmed that, Republican House members, thought leaders and non-profits to the GOP, were also hacked (Jeremy Diamond, 12/16/16, CNN).

Russian DNC Hack Diagram – Fig. 1 – b: (JAR-16-20296: GRIZZLY STEPPE – Russian Malicious – US-Cert).
Russian Hack Part 2.png

On 12/30/16 the Obama Administration took the strong action of expelling thirty-five Russian diplomats in response to the hack. Shortly thereafter they enacted OFAC (Office of Foreign Asset Control) sanctions against Russian business entities associated with these people. They left the country under close U.S. escort on 01/01/17 as they arrived at an airport to depart on a private Russian plane sent by president Putin.

Alleged Hacker and Russian Spy, Alisa Shevchenko – Fig. 3:
1483128352073-cachedInterestingly, one of the people expelled, Alisa Shevchenko, was praised a year before by the United States which does not speak well for U.S. intelligence agencies. Specifically, The Department of Homeland Security said “Alisa Shevchenko had helped prevent cyber crime under a program for information sharing between the public and private sector. Ms. Shevchenko was also said to have assisted a French company, Schneider Electric, in identifying vulnerabilities in its software” (Andrew E Kramer, New York Times, 12/31/16). However, we think she may have been a Russian spy all along and could have been inside key U.S. systems at that time but this unconfirmed. Her company, Zora Security, has been a key supplier to the Russian Military’s Main Intelligence Directorate, or G.R.U. In her recent Twitter posts she indicates that she is indifferent to being discovered by the U.S. intelligence agencies. This is likely because she is a close pawn of Putin’s who did a fairly good job going undetected as long as she did. More intel is likely to come out substantiating this.

At present, the election systems aren’t considered among the sixteen U.S. critical infrastructures and thus they have no federal protection. This is because current law defines the administration of elections as in the hand of each state and these states do not want federal involvement into their election systems out of fear of political persecution. We can understand this (especially Texas) but think some compromise could be accorded if a state election system was targeted by a foreign government, thus making it a national interest. The federal government is less involved in the day to day activities and security of the sixteen critical infrastructures because 80% of them are owned by private enterprises. However, when Sony got hacked in 2014 it became a national issue a few days later and then the Federal government helped out, but afterward, Sony quickly wanted to avoid contact with them. This is because, although well intentioned and large, the federal government is not as good at most I.T. security as the private sector is. Yet the case of multiple state election systems is unique because they are used only for elections and then are put in storage. Ultimately each states voting data rolls up to the federal level and most of this supply chain is at risk to hacking and manipulation. Thus, the maintenance and updates of these systems and the systems used by dispersed political parties for campaigns need to be improved. This may require some sort of hybrid-critical infrastructure protection, increased private sector partnership, or just more dollars spent by the state election bodies and political parties. Why are commercial facilities and their systems more important than the systems that track election activity and results in a country that fought several wars to stay democratic? By including the election process and systems as a critical infrastructure or hybrid-critical infrastructure, researchers and entrepreneurs will be inspired to improve the process, all the while sustaining or increasing privacy which is a must for a nation as diverse as the United States. More news outlets, advocacy groups, consultants, and academics need to debate this publicly!

2) Tesla and the Growth of the Electric car – decline of the gasoline based car: 
2016 was a profound year of announcements when it comes to the market for electric cars. Many car manufacturers have been playing catch up with Tesla for a few years now. That being said, several companies have produced versions of their own electric car. But there are very few that have produced an electric car designed from the ground up. The Nissan Leaf and BMW i3 were two of those, and as of November 2016 Chevrolet started manufacturing its Bolt EV. Mercedes also announced that it will have several different types of electric vehicles soon. This includes their urban electric-powered straight truck (Fig. 3) which has self-driving capabilities. This would allow inter-city delivery on an EV platform.

Mercedes Electric Self-Driving Truck Prototype – Fig. 3:

mercades-self-driving-truckSimply put, the market is starting to catch up to Tesla. 2017, we think will be the year that makes or breaks Tesla. If Tesla can ramp up production like it plans to, it will continue to maintain market share. By 2018, it has audacious production goals of a half million. With just about every major automotive company producing plans for electric vehicles, competition for this segment will start to get really competitive.

3) Self-Driving Cars – personal and commercial:
Google has been developing a self-driving car for a few years now, but it has been slow to fully develop and bring them to market. In fact, a few of Google’s employees left to start their own company for self-driving trucks. That company, Otto, was recently sold to Uber for $680 million (Mark Harris, Business Insider – Back Channel, 12/03/16). Uber has also been working on self-driving cars with its Ford Fusion line. Now, these cars still have people behind the wheel just in case of an emergency, but it’s the next step in fully rolling out an autonomous fleet of vehicles. Uber gave their fleet of Volvo XC-90s a try for only a week in San Francisco but picked up and moved on to Arizona to continue testing. This was because they didn’t want to comply with California DMV requirements to file paperwork and pay a registration fee. Otto, on the other hand, also made their first delivery of Budweiser beer in Colorado (Fig. 4).  

Otto Self-Driving Budweiser Delivery Video – Fig. 4:

This is dawning the start of Uber Freight where shippers can ship through an Uber App for their truckloads. C.H. Robinson and Amazon are both developing apps like this. We think before cars get the green light to drive in inner-cities, self-driving semis will get the regulatory green light, firstly on interstates. This is because commercial vehicles cost a lot more, are bigger, serve thousands of customers per year, thus the investment in self-driving technology is a justified priority in spite of any risk.  Additionally, commercial shipping is automated in most parts of the supply chain and this is a precursor for self-driving trucks. The NHTSA did publish guidelines on self-driving cars and their testing in September (link here). We think 2017 will be the year of testing self-driving vehicles and in 2018 it will start to become a mass market idea.

4) Surveillance via Smart Phones – privacy implications:
Smartphones are small supercomputers that house more personal info on their users and families than any other device in modern history. From texts, PHI, fingerprint scans, downloaded documents, contact lists, photos, geolocation tags, the use of many cloud databases – both upload and download, and apps that take away some of our privacy – via partial and full consent. A smart phone is more advanced than any gadget dreamed up by 007 and the need for privacy on it is just as important.

2016 proved to be a turning point in the privacy vs. government surveillance debate. It intensified after the mass shooting in San Bernardino, CA, which happened at the end of 2015, killing 14 people. Then in 2016 the government sued Apple to get them to build a backdoor into the perpetrators iPhone to which Apple strongly objected. The government eventually broke into them phone shortly thereafter with the help of Israeli tech contracts. Keep in mind that ever since Edward Snowden leaked NSA documents in 2013 about the government’s overreach into technology companies, to get them to build back doors, it has become more politically acceptable to resist such demands. Congress has made very minor surveillance rollbacks, mostly related to phone metadata but much more work needs to be done (Ellen Nakashima, The Washington Post, 11/27/15).

Andriod phones have also suffered hacks and backdoors.  A source described it this way, “security experts say they have discovered secret ‘backdoor’ software in some Android phones that sends users’ personal data to China. Kryptowire, the security firm that discovered the vulnerability, confirmed this information on its website on Tuesday. The firm wrote that certain Android devices contain pre-installed software that collects and sends personal data, such as texts and geographical location, to an unauthorized third-party” (New York Times, 11/15/16).  This is a clear blow to android privacy and will require costly R&D by Google.  With the growth of third party phone applications these risks will continue to increase and get more complicated.

Illustration of Apple vs. The FBI – Fig. 5:
1458594148060
Although the government argues that back doors make the nation safer, this makes no logical sense and there are no real world case studies to support it. First of all, the fact that the government needs to rely on the private sector for such backdoors and tech consulting proves that the private sector is where technology innovation comes from and that supports the concept of intense free competition.

The U.S. intelligence agencies would not be much better than a “drunken inspector gadget” without third-party consultants and tech firms. Key private sector innovation in the military industrial complex has helped this nation win wars and secure freedom for all – way back to the founding of the Union. This includes stealth fighter technologies, radar technologies, canons, and it does not require government overreach or back doors. The government is a paying customer of the best tech products and has always been.  

Yet when the same consultants and tech firms serve regular customers, like Apple with the iPhone, those customers have a reasonable expectation of privacy and quality. This should not diminish merely because the government can’t solve a crime or problem quickly. Apple CEO Tim Cook described the government’s request this way, “it’s the software equivalent of cancer. He said he was prepared to take the fight all the way to the Supreme Court. This would be bad for America, he said. It would also set a precedent that I believe many people in America would be offended by” (Enjoli Francis, ABC News, 02/24/16). There are far more security benefits in keeping private technology data private. This includes privacy after domestic breakups, privacy from cyber-stalking, privacy from annoying marketing, privacy from political persecution and harassment. Also, Government agencies can use these same private technologies to conduct military and intelligence operations without worrying about being hacked by opposing governments or terrorists.

In 2017 we think technology companies will increase the security of their products, and companies like Apple and Google are already in the process of doing this. In Apple’s case, they have spent millions to hire encryption legend Jon Callas, who invented PGP encryption, to redesign the security of their products (Reuters, 05/24/16). We think most company shareholders, investors, customers, and finance people now see the additional cost to build in great security as required.  To customers, security on a product is worth a price premium and a globally competitive company must have secure products.

We also think policy makers will have to do more to accommodate the privacy concerns of citizens, perhaps partly like the E.U. has done. We also think 2017 will further debunk the connection between backdoor system hacks and terrorism prevention. Clearly, monitoring the entire free world’s metadata is a violation of democratic norms, and it waters down security greatly because it can easily be manipulated for every imaginable bad reason. Most likely, setting people up, and government leaders throughout all history like to find people to blame for their problems/misdeeds. Yet behavioral profiling and good traditional police and intelligence work in conjunction with advanced sustained diplomatic dialogue with a range of diverse groups, friends and enemies alike, should produce better intelligence for more specific actionable results. The intelligence community has thousands of tech tools to use to secure the nation, mostly private sector based, so they don’t need to monitor all metadata.

5) Using Drones for Last Mile Deliveries – suited for rural and high traffic areas:

Amazon Prime Drone via Prime air – Fig. 6:
imagesAmazon made its first test delivery by a drone in the U.K. in 2016. This will continue to be developed as Amazon continues to test and tweak its system for making deliveries by drone. In fact, this is one of many programs where Amazon is developing its systems in “last mile” delivery. They also currently have their own fleet of vans to deliver and they use their Flex program of drivers to pick up and deliver packages. They also recently filed a patent for “floating warehouses” where these would have inventory in an airship that drones could pick up products and then deliver them, for example to a sporting event (Kate Abbey-Lambertz, 12/30/16, Huffington Post). Realistic but far out innovation like this will continue to challenge UPS and FedEx to provide a better customer experience. Drone delivery is just one idea. The benefit or idea behind drone delivery is that it could deliver to customers within a half hour. This would drastically improve the time to deliver to its customers. Currently, with Prime Now, you can get one-hour and two-hour delivery in certain areas.  

We think Amazon will continue to develop its drone delivery in 2017 by testing it in many countries across the world. The FAA in the U.S. has been one roadblock to Amazon testing in the United States. This is just one agency that is figuring out how to regulate this new technology as it tries to prevent small planes and traffic from colliding with drones. Amazon’s competitors are watching and we’ll see how far they get in 2017.

jeremy-swensonmike-cassem
Jeremy Swenson and Mike Cassem are two seasoned, part-time, Intel certified, retail technology marketing and training representatives on assignment at Best Buy for clients including Intel, H.P., Trend Micro, Adobe, and others – presently on sabbatical. They also spent five years crafting their public speaking and writing skills in Toastmasters International. For full-time work, Swenson doubles as a Sr. business analyst, process improvement and project management consultant. While Cassem doubles as a marketer and sales logistics analysis consultant. Tweet to them @jer_Swenson and @micassem.

Michael Kirk Please Interview us For Your New Movie “Prince: R U Listening”!

Film Director / Producer Michael Kirk of Maltese Productions please interview us for your new movie “Prince: R U Listening”!

–First of all we are huge fans! —

I am writing this open letter to introduce you to my esteemed friends who are music aficionados and Paisley Park regulars.  Together we have more knowledge about Prince than most of the so-called experts in the media frenzy over the last six months.  We want to help with the making of your new documentary film “Prince: R U Listening”.  We don’t care about money or publicity.  We do this for the truth and because we were a part of that Paisley Park scene that showed “love4oneanother”!  Here is a brief background of each of us.

Fig. 1. Matt Martin and Jeremy Swenson – Dance Party at Paisley Park, Oct, 2015.
matt-martin-jeremy-swenson-paisley-park-oct-2015
1) Dr. Griffin Woodworth has a Ph.D. in Musicology from UCLA where much of his research has been on Prince and Frank Zappa.  Since 2012 he has been working on a book “Prince, Musicologist” (working title) for the University of Michigan Press Tracking Pop series.  He has been a Paisley Park regular since about 1995 and has written articles, blog posts, and has also been cited by the media on the history of Prince and music generally.  He is also a music history, music technology, and music commercialization professor – he has taught at leading colleges and universities from MN to SC.  See the links to some of his publications here:

a) Blog: PAISLEY PARK IS IN YOUR HEART: A REMEMBRANCE.
b) News Media: At Prince’s house, heartbroken fans mourn ‘a piece of my childhood gone’.
c) Academic article: Prince, Miles, and Maceo: Horns, Masculinity, and the Anxiety of Influence.
d) LinkedIn: https://www.linkedin.com/in/griffinwoodworth

2) Mark Bonde is an energetic leader with a firm understanding of the global security landscape and is focused on helping organizations deliver higher levels of physical security through the effective use of technology.  He possesses a strong set of interpersonal skills that enable him to communicate effectively in diverse cultures and environments.  He has been going to Paisley Park since 1995 and is friends with one of Prince’s longstanding and highly regarded tour and party DJs, DJ DUDLEY D (AKA Dustin Meyer).  He was also in Prince’s 1996 MTV Emancipation Broadcast as an extra.  He has a BA from the University of MN in Political Science, and has been cited by the local media about Prince and has blogged and spoken about him in the following links:

a) Video Blog Eulogy:

b) Blog: Paisley Nights.
c) Media commentary: Prince fans still visiting Paisley Park.
d) LinkedIn: https://www.linkedin.com/in/mark-bonde-b249353

3) Sara Savoy is a seasoned business leader with over 20 years of success in sales and sales management.  She focuses largely on driving net new revenue and exceeds quota attainment for Digital Technology and Marketing (Software and Software as a Service) products.  She is a strong local music insider, creative photographer, and has also been a Paisley Park event regular for many years.  She has a few impressive blog posts and media citations, including a photo of Paisley Park that went viral from TIME, Rolling Stone, and other publications this summer:

a) Media: Her Paisley Park photo cited by TIME Magazine among others.
b) Blog: A Rehearsal of Fortune with Prince at Paisley Park.
c) LinkedIn: https://www.linkedin.com/in/sarasavoy

4) Michael Holtz is a data and infrastructure technology professional who runs a DJ business on the side.  He has been Prince’s event party DJ for about the past two years and still does so for his estate on occasion.  He has an exotic flair for funky beats and is respected among Paisley Park staffers and the electronic music scene in MN.  He has commentated on Prince and the music industry many times and can be seen in the following news links:

a) Fox News: Prince’s Studio DJ Opens Up About Pop Icon’s Final Public Performance.
b) DJ Video Commentary: A Tribute To Prince | A Reflection On His Life with Mike Walter and Michael Holtz | #DJNTV.
c) DJ Service web-site: 2 The Max Entertainment.
d) LinkedIn: https://www.linkedin.com/in/michaelholtz

5) My name is Jeremy Swenson and I am a passionate creative, music curator, and Prince super fan who has been a regular concert goer and party goer at Paisley Park since 2000 – both public and under the radar events.  I watched Prince audition and select his best drummer ever, John Blackwell,  and even got on stage to sing with him in the year 2001 at a jam session.  I am connected with many of his present and former bandmates and staff on Facebook, LinkedIn, and in other social channels.  I was at the last dance party on 04/16/16 and was one of the lucky few to hear from Prince before he passed away the next week as were my friends Mark Bonde, Michael Holtz, Harvey Andrus, and Sara Savoy.

I have a BA in Political Science and Jazz from UWEC, an MBA from St. Mary’s University of MN, and am currently pursuing a rare and exceptional masters degree at the Univ. of MN in Security Technologies.  I have blogged and commentated about Prince, the Mpls music scene, the music business, economics, and related technology concepts.  I am also a speaker and Sr. Consultant to the insurance, banking, retail, and healthcare industries at the intersection of process improvement, security, and technology.  See a few of my written works below:

a) Blog 1: Prince and Purple Rain 30 years later: Business and Music Innovation.
b) MN AMA Blog 1: Three Keys to More Innovative Marketing: The Case of Prince.
c) Blog 2: Social Tech CEO Jimmy Chamberlin Rejoins Smashing Pumpkins.
d) MN AMA Blog 2: U2: Music Marketing Tweaked for a Hyper-competitive Digital World, While Still Appealing to Emotion.

We have open hearts to help with your film pursuit of the Prince scene in whatever way we can.  Our insights and stories are valuable as you move your documentary forward. 

Fig 2. Bill McKee and Jeremy Swenson visiting The New Paisley Park Museum, Oct, 2016.
20161022_135516

Please contact me here to set up a meeting.

Much love and respect,

Jeremy Swenson