Ruxcon 10: Relevant to our interests.

Depending on your perspective, Ruxcon 10 might have been devastating or inspiring. No matter who you were, it was interesting.

Alec Stuart-Muirk’s Cisco ASA talk demonstrated a series of serious, exploitable vulnerabilities in the company’s flagship network security devices. While Cisco has released a patched operating system for the devices, it has only just become available. Many attendees were sending urgent messages to their NOC teams alerting them to upgrade.

The existence of remotely exploitable bugs granting administrative privileges is bad enough; it was the nature of the bugs that added insult to injury: unsanitised URL parameters leading to arbitrary privileged code execution, one of the oldest and best-documented classes of web application flaw. Cisco should know better.
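As an added illustration of that vulnerability class (this is not Cisco's code and does not reproduce the ASA bug presented at Ruxcon; the `/diag` endpoint, the `host` parameter name, the allowlist and the sample requests are all assumptions made for the example), the Python below shows a diagnostic handler that interpolates a URL parameter straight into a shell command line, beside two safer forms: passing an argument vector with no shell at all, and validating the parameter against an allowlist before it is used. `echo` stands in for the real network tool so the demonstration runs offline on any POSIX system.

```python
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Hypothetical diagnostic endpoint: GET /diag?host=<target>. 'echo' stands in
# for the real network tool so the demonstration runs offline on POSIX systems.
TOOL = ["echo", "pinging"]

# Allowlist for what the endpoint should accept: a hostname or IPv4 literal
# (an assumption for this example). Anything else is rejected before use.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Constructed requests: one benign, one carrying an encoded ';' (%3B) followed
# by a second command.
BENIGN = "http://device/diag?host=192.0.2.10"
HOSTILE = "http://device/diag?host=192.0.2.10%3Becho+INJECTED"


def host_param(url: str) -> str:
    """Extract the decoded 'host' query parameter, exactly as a handler would."""
    return parse_qs(urlsplit(url).query).get("host", [""])[0]


def vulnerable(url: str) -> str:
    """Interpolate the raw parameter into a shell command line.

    The shell interprets the ';' in the parameter, so the attacker's
    'echo INJECTED' runs as a second command with the handler's privileges.
    Returns the combined stdout.
    """
    cmd = " ".join(TOOL) + " " + host_param(url)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only(url: str) -> str:
    """Pass the parameter as a single argv element with no shell.

    The ';' and everything after it reach the tool inside one argument, so no
    second command runs. Junk still reaches the tool, which is why the
    allowlist in hardened() is also needed.
    """
    return subprocess.run(TOOL + [host_param(url)], capture_output=True, text=True).stdout


def hardened(url: str) -> str:
    """Validate against the allowlist, then pass argv with no shell."""
    host = host_param(url)
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(TOOL + [host], capture_output=True, text=True, check=True).stdout


def ran_injected_command(output: str) -> bool:
    """True only if INJECTED appears on a line of its own, i.e. the injected
    command actually executed rather than being echoed back as data."""
    return "INJECTED" in output.splitlines()


def hardened_rejects(url: str) -> bool:
    """True if the hardened handler refuses the request before running anything."""
    try:
        hardened(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable), ("argv_only", argv_only)):
        print(f"{name:10s} injected={ran_injected_command(fn(HOSTILE))} -> {fn(HOSTILE)!r}")
    print(f"hardened   benign={hardened(BENIGN)!r} rejects_hostile={hardened_rejects(HOSTILE)}")
```

The point of the two safer forms is that they are complementary: dropping the shell removes the interpreter that turns data into commands, and the allowlist keeps anything other than a plausible host from reaching the tool at all. Escaping the parameter for the shell is a weaker substitute for either, since it depends on getting every metacharacter right for every shell the device might ship.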

If we’re discussing simple classes of vulnerability that keep showing up, Ricky Lawshae’s talk on UPnP and SOAP showed that pushing devices out the door quickly and with as many features as possible trumps security practice almost every time. The devices being pushed out go straight into people’s homes and businesses, and terrible implementations of these protocols exist on most consumer electronics with a network port, from TVs to home routers. With very little motivation for manufacturers to patch their products, we look to be in for a very rough future from the products already deployed, let alone those still to come to market.

Last on my list of highlights were two talks on vulnerabilities in RF products, including baby monitors, home security systems, and car alarms and immobilisers. Deliberate security features on these systems ranged from none to not great. When the product in question is itself a security system, as with home and car alarms, the stakes are raised. As in so many security failures before, the designers of these products failed to anticipate who could, or would, interact with them. Where security features were added (in the car alarm, for example), they were done poorly, with predictable codes and the apparent discovery of a backdoor code.

What are the big takeaways from the conference?

First, security vendors sell products (from baby monitors to enterprise-grade firewalls) that have exploitable vulnerabilities. If such a product is your only, or main, line of defence, you’re going to have serious problems.

Secondly, new categories of product are coming to market faster than developers can secure them. There is still no proper incentive for manufacturers to sell secure products, so they go to market with little to no security. Unfortunately, we keep buying these products, so the only incentive is to keep making more without learning from past mistakes.

These flaws are hurting us, and will continue to hurt us as consumers, individual and business alike, for as long as we keep using the products. Worst of all, most people don’t know the products they have bought have such serious flaws, don’t understand the implications of using such a device, and even if they did, have no way to do anything about it: they either don’t know what to do, or have nothing to do because the manufacturer won’t release patched firmware.

It’s not fair, but right now, this is our reality. Consumers must continue to demand better (and enforce these demands with their wallets). Conferences like Ruxcon provide a valuable platform for security researchers to inform the world about their work, and with that information, help us make better decisions about the products we buy and use in our lives.

The transition to ISO 9001:2015!

IIT Training has held certification to the International Organization for Standardization (ISO) 9001 quality management system standard (the ‘five ticks’) since 1997. During this time we have been through a few ‘transitions’ and revisions of the Standard, and another one is on its way in 2015. Over these 17 years we have watched the ISO 9001 standard push its certified organisations to continually improve their management systems. Constant quality improvement means that the clients of ISO 9001 organisations have increased confidence in the products and services those organisations offer. The 2015 upgrade is no different: the emphasis is yet again on not only meeting, but exceeding, client expectations.

The designers of the new 2015 version were set the challenge of meeting changes in business management system practice and technology for at least the next 10 years. SAI Global has advised that the focus of the newly drafted standard will be a ‘risk-based approach’, a concept always implicit in ISO 9001 but now made explicit throughout each of the sections.

Risk-based thinking requires organisations to analyse and prioritise the risks and opportunities affecting their ability to meet business objectives. Action to address these risks must be demonstrated, to ensure ISO 9001 organisations consistently deliver their products and services and continually monitor and improve client confidence and satisfaction. So, what are some of the other changes in this draft standard (scheduled for release around September 2015)?

  • The organisation’s management system, based on its quality processes, will identify risks and opportunities. The 2008 standard’s mandated ‘preventive action’ requirement is dropped.
  • ISO 9001 organisations are required to be more responsive to the changing environments in which they operate their business processes.
  • The standard now refers to ‘products and services’ rather than just ‘products’, recognising that most organisations deliver both, in varying proportions.
  • The terms ‘documented procedures’ and ‘records’ have been replaced by a requirement for ‘documented information’, recognising that organisations must maintain and retain documented information as well as organisational knowledge.
  • There is no longer any mandated documentation, since organisations now use a variety of technologies and tools to manage and record their documented information. That said, they must still demonstrate how they measure and manage quality metrics for the products and services they provide.

For further information on this transition process see http://www.iso.org/iso/iso9001_revision, and to learn about how to prepare your organisation, see SAI Global’s 9001:2015 transition workshops at http://training.saiglobal.com/tis/promotion.aspx?id=a0c20000008gJawAAE. Also, if you have yet to experience our quality management approach to the talent development services we offer, then please be in touch!

What are the Top IT Skills Currently In Demand?

There can be no doubt that the IT field is growing, and at an incredibly rapid rate. Across all industries, IT is an increasing part of how a business is run; from manufacturing to marketing to managing data and everything in between, IT skills are in high demand. Through the year 2020, jobs in the IT industry are slated to grow by 22 per cent, according to CompTIA’s IT Industry Outlook 2013. What does this mean for you as an IT professional, or as someone who uses advanced technology on the job? The call has been made to develop and improve a host of IT skills through training, education and certification.

The Must-Have IT Skills

To be truly competitive in the job market, there are a few highly demanded IT skills one should develop. Big data, security, virtualisation and cloud computing seem to be at the top of every employer’s list. Not only that, but employers are continually seeking employees whose skills stretch across disciplines and areas of expertise: a well-rounded individual with varied experience is the prime target.

Big Data

As companies grow, knowledge and understanding of big data becomes an increasingly sought-after skill. IT professionals not only need a strong grasp of big data in terms of storage; the ideal candidates will also have the skills to analyse that data and turn it into well-defined strategies for the business.

Cloud Computing

As data volumes grow and security concerns remain, cloud computing is fast making headway. Businesses are moving away from traditional physical data centres to the cloud, and finding it a wise and cost-effective decision. IT professionals should seek training in cloud computing and SaaS infrastructure.

Security

Tales of major hacks, intrusions and compromised data make big waves in international news. As entire systems become more complex, there is more room for error. Experts in cyber-security are in massive demand from nearly all businesses. Brushing up on these high-level skills will strengthen your employability, and may help a top company keep its data safe and secure.

Virtualisation

Virtualisation improves productivity and lowers operating costs, so more and more businesses are making the leap to virtual servers. IT professionals with skills in this area are in great demand, as understanding the complex web of applications and operating systems involved is necessary for success.

Other Vital IT Skills

In addition to the major skills highlighted above, other IT skills are continually in demand and will continue to be important in the future. A strong understanding of mobile technology is vital as mobile development takes off, and these skills apply across a variety of operating systems. A grasp of high-level languages such as Ruby, Python, SQL and Java is in demand for IT professionals, as is experience with NoSQL databases like Redis and MongoDB. Certifications are always an advantage when seeking employment, as are more universal skills such as graphic design. Lastly, employers are always eager to hire IT professionals with experience in supplementary arenas such as marketing and design. If you are in the IT industry, it will be vital to keep pace with advancing technology in the years to come. At IIT Training, we strongly emphasise the need for ongoing training and skills development. Check out our schedule of upcoming workshops to see if one is right for you.