The Shadow IT Survival Guide

Recently I’ve been thinking through my next modules, changes at work & my career development. I’ve posted before about the challenges of getting into cyber security. It’s not an easy path for a career changer.

But what about living in shadow IT?

That’s kinda where I am at the moment. My role, like many, incorporates large swathes of technology from reviewing XML files to technology planning, from managing system upgrades to assessing user experience. And, although I work closely with an excellent IS&T team, I’m on the outside. I sit within the business.

I am a shadow IT person.

Here’s a definition of Shadow IT. There are loads out there on the web but you get the idea:

Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department.

The downside to being in Shadow IT is that you never quite feel you’re in the right place.

Development & training can be a struggle as few really understand why you’re trying to get on a particular course.

You don’t get that warm fuzzy feeling of being part of a professional job family.

You rarely have the right tools or access-level to really do what you want.

For the IT team or ‘regulars’, Shadow IT can be a nightmare. Deploying cloud-based systems no one has ever heard of. Creating vulnerabilities at the click of every button. Working round agreed processes because they’re too slow.

My experience has so far revealed a few different species of Shadow IT. Here are the two I know so far:

  • The Shadow IT Natives – a bit like me really. They do have some technical skills. Should they be in IT, who knows? Most of the time they are business people who have transitioned in. We tend to be a pretty pragmatic bunch but that doesn’t stop us causing trouble. We can be troublesome for IT folks – a little knowledge is very dangerous – isn’t that what they say?
  • The Digital Peeps – ever heard anyone say they work ‘in digital’? These tend to be marketing folks who go ecstatic when anyone mentions AI or block-chain. Or, they know a bit about a CMS & are now ready to implement major machine-learning projects. Heavy on buzzwords – this group sees block-chain as a solution for everything from managing Brexit to solving the world food crisis.

I’m sure there are more. And, I don’t mean to sound critical of them – after all, I’ve already said I’m part of the zoo as well.

So, is there an upside to it?

Well, technology is everywhere nowadays as my Mum likes to say. Maybe it’s time it came out of the closet. I’ve read a lot about the growing demands for ‘hybrid’ managers – comfortable in both technology & business. With the right mix of digital & people skills. I’ve not personally seen this demand yet but folks like Gartner say it’s there.

Having a foot in both camps can be fun and challenging. My previous line manager was a superb example. She spent years in business & finance before moving into large scale deployment projects & was very effective in her roles. She’s pragmatic, realistic & has the rare talent of being able to bring her years of experience to the table without over-ruling new folks with new ideas. She is also adept at knowing when to lean on the regular IT team.

I don’t know how she does it. If I learn the secret I’ll share it. In the meantime, I’m going to continue learning how to survive in Shadow IT & spot a few more of those different species…

Book Review: Get Coding Kids!

Right, which book is number one on Amazon in the programming category?

Some fancy Java guide the size of a small house? A Python book to make PhD computer scientists cry? Some new language you must learn but have never heard of?

No, it’s Get Coding from Walker Books. A kid’s & everyone’s guide to HTML, CSS & Javascript. And you know what, it’s brilliant.

Why am I reviewing a kid’s book? Long answer follows. Application security & best practice programming is vital in cyber security. I don’t know a lot about programming – I’m covering that off at university next year. Plus, I like the web & want to focus on it.

Enter this book. It’s a colourful work book, with a tonne of explanations, illustrations & exercises. It’s clear, concise & the story is very funny.

HTML, CSS & javascript are essential skills to have. Basically, you need to know them. If you don’t – this is a great place to start. It answers all the questions you were too shy to ask. There’s explanations on everything from HTML tags to how to tell your browser you’re now writing javascript.

I was stunned by the scope of this book & how it effortlessly introduces the core skills any web developer needs.

You got all the tag stuff of course. You got the style sheet madness – in a good level of detail. And, a great introduction to javascript itself.

But, on top of that you have talk of iframes, APIs & wireframing….what more could you ask? Plus, the exercises are fun & part of a funny little story that carries on through the book.

I can’t recommend this enough. If you’re worried about picking up a kid’s book – forget it – we all learn in different ways & sometimes approaching like a kid is perfect. For them, learning needs to be interesting & fun. This cool book is both. It’s also backed up by a snazzy website.

Check it out if you’re interested!

Get Coding Book

Five Skills for New Cyber Security People

Recently, my ambition to work in the field of cyber security has been under a bit of pressure. I’ve been struggling with just how to connect the dots and make it really happen.

Changes at work have developed my role but I’m no closer to any formal cyber security brief. Sometimes it feels like a fortress I just can’t break into.

So, I thought this skills list might be useful.

Firstly, I want to introduce you to the unsavoury reality that I’ve come across when trying to answer the question – how do I get into cyber security?

The Established Path – join an established network team as a small child and get through all your Cisco qualifications around networking. Bugger around with corporate firewalls. Have an in-depth and practical knowledge of the OSI model, packet-switching and ports.

If you know the guy below from the TV series The Office – you’ll know what I mean.

Job done.

You are now the kinda candidate everyone seems to be looking for. (Women, career-changers and anyone who didn’t follow the networking route need not apply).

Apologies if that all sounds very gloomy but that’s just sometimes how it feels – as I said when I started this blog – they don’t make it easier.

And, talk of new digital apprenticeships won’t mean much to the many career-changers I’ve spoken to. Being super-cynical, I’d say they’re just enough to enable the industry to say ‘we’re doing something’ but not enough to threaten the premier status of many in the industry establishment.

Enough of this gloom – following my career research – here are 5 key skills I’ve come across. If you are looking to get into cyber security, if you don’t know where or how, then focusing on these will give you a good start…well, that’s the plan at least. These are presented in no order.

  • Application Security – I remember reading somewhere, might have been on CBeebies, that 90% of vulnerabilities are within applications themselves. With that in mind, I suggest a grasp of at least one programming language is a good starting point. You need to understand the critical structures in object orientated programming. Add to this the software development cycle and testing. Me, I’m learning Java on my course next year.
  • Web Stuff – Scripting languages – we all love them – HTML, CSS and Javascript. Building blocks of the world wide web. Plus, how web services are deployed and provisioned. For me, getting to grips with these areas in 2018-2019 is going to be a key challenge. Like it or not, the web is at the centre of many security challenges.
  • Stay Awake in Your Network Classes – you don’t need to be able to work out a subnet mask or an IP address in binary but the bit around the OSI model and that dusty MS networking book you were given are far more powerful and important than you might have realised. They underpin pretty much everything in modern computing. I’ve studied this stuff – I will be revisiting it. Virtual ports and all that jazz – a critical area in my opinion. Remember, you don’t need to be able to program in machine code but you do need to have a good understanding of what goes where in networking.
  • Talking Cyber Security in Business – now, I’m no expert but I kinda get the feeling that the rule of the network teams is coming to an end. The industry is going to need a broad sweep of tech-savvy business folks. Training and education are going to be challenges – us career changers can help there. We know that jungle.
  • Cyber Security in Your Pants – well, not literally, I’m just making the point that it is becoming part of so many jobs from access management through to vulnerabilities to new websites. Be curious in your current role. Find areas where you can put your cyber-sec hat on and start investigating. I’ve found vulnerabilities in websites, applications – all sorts of places. It might not be in your job title but make that effort to support yourself and your company by being an extra pair of eyes. Read widely so you know what to look for. I’ve also found that you don’t need to understand all of the technical details to be able to expose a vulnerability. Just think a bit differently, dig in a different area – look to prove that something could be done. For example, if you’re looking at injecting hostile code – it could just be pseudo-code – doesn’t have to be real, just proving that you can get it onto another machine will prove your point.

OK so that’s my take. I’m going to continue working on my dream now. I’m officially half-way through my computing degree, I’m building the kind of experience I need to, I just need a bit of luck to get to where I want to be…..

Cheers

Sean

Book Review: Internet Security Made Easy

I’m an experienced book reviewer but to date pretty much everything I’ve done has been related to zombies & horror(!). Well, time for a change. As I build up my own security library, I’m going to review the best books I find. Now we’re all different so maybe they won’t float your boat but I’ve found them useful on my path….

So, here we go….something in here for most people I think:

With the full title of: Internet Security Made Easy: Take Control of Your Online World, author Richard Williams dons a superman cape to try to gather together everything ‘most users’ need to know about being safe online & all that jazz….an impossible task you say?

Now, I must confess, no matter how bold the claim, I love this kind of book. I grabbed a copy of the paperback in a discount book shop – costs around £4 on amazon (links below). It’s a pretty glossy volume, good quality & well-laid out.

First things first – it says ‘straightforward’ on the cover & the book stays true to that mantra. So, even if you are a budding ‘security’ fanatic like me, there is plenty in there for everyone – be it a recap or some new stuff for you.

I knew much of the content on the history of the Internet, the web & virus types but it was great to get this refresher to make sure everything was straight in my own mind. Equally, I think this would be an ideal primer for anyone who wants to get to grips with ‘security’.

Considering it was published in 2015, it’s all dated pretty well – perhaps with the exception of the anti-virus software providers section – which to be honest, isn’t a million miles out. The mobile content probably needs a bit of an update but again, it’s pretty close to the mark.

The author is not a technical expert & I think this helps his quest. He basically takes everything floating out there & gets it into a format we can all understand. I liked his style & the pages were laid out specifically to make things easy to get a handle on.

Contents include an introduction to the Internet & web, some general bumpf on online security, a section on anti-virus software, browsers & some more advanced trouble shooting content.

My only slight criticism of the book is when it addresses dealing with some of the more troublesome malware that can both hide in your system & dodge many virus-checkers. This is the kind of threat that sometimes involves delving in the registry of your operating system & the book includes some detail on what to delete once you’re in this Aladdin’s Cave. To be fair, the author does warn you to back up your system & it is perhaps advice intended for folks on the more advanced side of the user spectrum but still, I felt I should point it out. Messing around in your registry can cause you some serious headaches, that’s all I’d say. It’s one of those areas where a little knowledge is very dangerous. Just a small point really.

I’ve had this book around 6 months now. I’ve not read it from cover to cover but I’ve read chunks of it on an on-going basis & found it to be a really useful volume. By now, I reckon I’ve pawed over every page at least once!

It really sets out what it plans to do. There’s something in there for everyone & it’s a good recap of what we should all know about staying safe & secure online. Thoroughly recommended & well-worth the price.

Linky to the Booky on Amazony

Five Dodgy Tips for Studying Computing at the Open University

Back in the summer of 2015, I started to study for my BSc in computing. The Open University was my choice – the decision seemed pretty obvious at the time – I was planning to study remotely, I was doing it part-time & working at the same time…

I’m now almost half-way through – that’s right – it takes around 6 years if you’re doing it part-time – it’s no quick fix.

My motivation is clear – I wanted to work in & have a much better grasp of technology.

Simples as the meerkats would say.

I started with some basic introductory modules & mathematics in my first year, I’m now on to specialise in digital technologies & the web. Next year brings me face to face with more web, Java & my final modules are around cloud computing & all that jazz.

Anyway, here are my 5 top tips, moans, whinges & useful pointers about studying computing with the OU in no priority order:

Number 1# Me + Degree = Success

You do not need to do mathematics to realise that the above is not necessarily true. See your degree as a foundation. If you are working, you need to get as much experience in related projects as you can. Getting experience & developing a portfolio is essential. You’re in it for the long-haul so develop as you go along – link in your studies where you can. Above all, remember that a degree doesn’t guarantee anything – it’s not a Willy Wonka Golden ticket….

Number 2# Modules Madness

I’m 50/50 on the OU’s module mix. In several cases, the material is out of date or at least dated. The fundamentals are fine but after all you are paying for this – or at least someone is. There are some solid enough courses but it does all feel a bit old-fashioned. I suspect the OU are slow at updating content & a number of those I’ve done are ‘being replaced’. My advice – choose carefully. There are a number of streams including a general one but I suspect other providers offer more ‘modern’ selections. For example, there is no cyber security module – when I asked, they answered that it was ‘part of every module’. Fair enough a few years ago but times have changed & how can I go through my entire degree & not do a module called ‘Cyber Security for Idiots’ – seriously, I would do that course….

Number 3# Skimming Students

The students – you get a mix. You get some trying to do 90 units (in other words a full-time course) whilst working & with kids. These folks tend to be pre-occupied with getting through it – they just want to get the qualification & to pass. Fair enough. My advice is don’t follow this path. Take your time & make best use of the materials. Many of the obvious things like the TCP/IP model will come back time & time again in your career & studies. Don’t be a skimmer! Be more Zen about the whole experience…

Number 4# Cliché about Marathons

Six years right? When people ask me how long it will take, I just don’t say anything. Many won’t understand this kinda planning. See it as a journey & build your experience along the road. Manage your workload carefully & my advice is don’t take on too much, stay ahead of the study schedule & try not to listen too much to moaning fellow students on Facebook. I haven’t got the figures but I suspect many drop out – they like the idea of the degree but it’s a long road (more cliches at no extra charge).

Number 5# Studying Alone

OK – they say there’s nothing remote about the OU – for example, there are some day schools & tutorials but on the whole, it is about studying alone. I don’t think many students get a social life out of the OU – might be obvious but I thought I’d mention it. You get books, websites, DVD’s & there is ‘support’ out there from various student support type people but for the most part, you’re on your own. Does that sound a bit gloomy? Maybe but I reckon at least 90% of your effort will be a solo affair. If you don’t like that then check out some other options – there are plenty out there….

Here’s an interesting graph from a really interesting blog. There could be loads of reasons why the trend is there such as funding but I also suspect the OU has fallen behind other providers because of its dated content & module mix:

Enrolments-16-17

Source: Coolio Intelligent Guy’s Blog

That’s quite enough of that. I hope this has given a flavour of studying at the OU. It’s not an easy path. There are some alternatives that maybe if I had my time again, I’d look at.

I do think the OU is changing but not fast enough & I suspect there will be far slicker new options out there for remote & part-timers like us in the next few years.

Learning the Basics – Cookies and Firewalls

I did mention when I started this blog that I’d be learning on the job. Well, here are a few bits I’ve recently learnt. Things that I think every computer user should know. Things most of us have heard of but few really know what they are.

What is a Cookie?

Not the chocolate variety – I mean the cryptic collection of information that is placed on your hard drive without you really knowing. What’s worse is that they are not actually that easy to find. Below is a cookie picture:

Image2

(I know – the power of graphics makes the blog come alive. Shit, it’s just a crappy text file with a load of code & perhaps a sneaky clue as to what the hell it is…)

How about that? Back in 2014 I had a thing for Fort Boyard. I watched loads of episodes; I also used to watch it in France. So, I checked it out online. Brilliant show but I had no idea the website had stored information on my hard drive. Here’s a picture of the real castle – good isn’t it.

Fort_Boyard_low_tide

Luckily, we now all get that lovely warning which pops up warning you that the website uses cookies. Also, of course, they can be useful for making browsing your favourite sites quicker.

So, where’s the problem? Well, some people think they’re intrusive. For me, it was just the surprise of not knowing they were there. It was simply learning that others had stored information on my computer without my knowledge (or at least without my educated knowledge).

What’s in the Cookie Jar?

A quick search on your Windows 10 PC will not yield instant results when searching for your cookie jar. You can google how to find them – here’s how I did it:

  • Type ‘run’ in the ‘Type here to search’ box
  • Into the pop up run box type ‘shell:cookies’
  • Hey presto, the cookies will appear in Windows Explorer – ready to be reviewed

Sure, there are easier ways to delete or clear your cookie history but it’s interesting to have a look through these mysterious text files. Your octane-fuelled browser will have some cunning options to help you manage cookies including blocking them completely.
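For anyone who wants to read those text files rather than just stare at them, here is an added example (not part of the original post): a small Python parser that assumes the files opened by ‘shell:cookies’ use the classic Internet Explorer layout, where each cookie is eight data lines followed by a ‘*’ line and the timestamps are Windows FILETIME values split into low and high halves. The sample cookies, the `.example` hosts and the function names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINES_PER_RECORD = 9  # assumed layout: 8 data lines + a "*" delimiter line


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_halves(dt):
    """Inverse of the above; only used to build the constructed sample."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(seconds=1)) * 10_000_000
    return ticks & 0xFFFFFFFF, ticks >> 32


def parse_cookie_file(text):
    """Return one dict per cookie record; raise ValueError on a damaged file."""
    lines = text.splitlines()
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines
    if len(lines) % LINES_PER_RECORD:
        raise ValueError("truncated cookie record")
    cookies = []
    for i in range(0, len(lines), LINES_PER_RECORD):
        (name, value, hostpath, flags,
         exp_lo, exp_hi, cr_lo, cr_hi, end) = lines[i:i + LINES_PER_RECORD]
        if end.strip() != "*":
            raise ValueError(f"record {i // LINES_PER_RECORD}: no '*' delimiter")
        host, _, path = hostpath.partition("/")
        cookies.append({
            "name": name,
            "value": value,
            "host": host,
            "path": "/" + path,
            "flags": int(flags),  # kept as a raw number, not interpreted here
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cr_lo), int(cr_hi)),
        })
    return cookies


def long_lived(cookies, max_days=365):
    """Cookies set to outlive max_days: worth a second look in a privacy review."""
    limit = timedelta(days=max_days)
    return [c for c in cookies if c["expires"] - c["created"] > limit]


def build_sample():
    """Constructed sample file: one short-lived and one ten-year cookie."""
    created = datetime(2014, 6, 1, tzinfo=timezone.utc)
    rows = [
        ("lang", "en", "tv-show.example/", created + timedelta(days=30)),
        ("visitor_id", "a1b2c3d4", "ads.tracker.example/",
         created + timedelta(days=3650)),
    ]
    out = []
    for name, value, hostpath, expires in rows:
        e_lo, e_hi = datetime_to_halves(expires)
        c_lo, c_hi = datetime_to_halves(created)
        out += [name, value, hostpath, "1024",
                str(e_lo), str(e_hi), str(c_lo), str(c_hi), "*"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    jar = parse_cookie_file(build_sample())
    for c in jar:
        print(f'{c["host"]}{c["path"]}  {c["name"]}={c["value"]}  '
              f'created {c["created"]:%Y-%m-%d}  expires {c["expires"]:%Y-%m-%d}')
    print("long-lived:", [c["name"] for c in long_lived(jar)])
```

To try it on a real file, read the file's text and pass it to `parse_cookie_file`; a `ValueError` means the file does not follow the assumed layout.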

What is a Firewall?

OK we pretty much all know that one right? For most of us, it’s software that examines communication traffic, blocking or permitting according to a set of user-defined rules. In most cases, our crafty anti-virus software helps us decide on these rules.

But what’s it actually protecting us from? Well, just have a look at this:

15102011702

Hang on wrong picture. That’s my good pal Adam Pulman shooting himself rather than being converted into a zombie. That’s the kind of guy he is. Anyway, back to the picture I wanted to post:

Image3

That’s ‘much more better’ as my young daughter likes to say.

Most anti-virus software comes packaged up with a neat firewall – something better than the basic one supplied with your operating system. Just have a look at the blocked intrusions from my firewall history. There are pages & pages of content. Tracing the IP addresses, I can see these are from all over the world. It kinda feels like everyone wants to get on my PC. In reality, it’s pretty typical. It’s why you need a firewall.

Now, not all blocked attempts are sneaky villains. Some were blocked accidentally but it does prove a point I hope.

There you go. Two simple things – cookies & firewalls. No great point to make. No test for readers. Just a note to myself not to forget these tiny but super-powered features in computing.

Here’s another needless picture – it’s me & a girl I met when I was down in the bunker……


Flaky Career Plans in Cyber Security

Right, this is about the time in most blogs when you realise that you have only a few readers & you begin to wonder whether the whole thing is a pointless exercise…

(Incidentally, that piccie is me during my time in the bunker, see previous blogs but I thought the piccie summed it all up pretty well!)

Well, I’m using this point to checkpoint where I’m up to in my career plans, with particular reference to technology & cyber security. Here are a couple of things I’ve learnt so far:

They don’t make it easy. You will read loads of articles reporting on massive gaps in the sector & from experts saying that it needs x thousand people by 2020. But, transitioning is very difficult. Routes are not clear. It typically comes down to that old adage; if you’re not already doing the role then it’s hard to break into the area…

Cyber security does not just mean network security & firewalls. There’s a lot more to it but it sometimes feels like not everyone got the memo. I have a feeling the software development cycle & human factor will become increasingly important. What route should I take? Should I just have swallowed the pill & done the CISCO networking qualifications?

You can find cyber security in your current role (probably). Unless you’re a goat-herder in Sinai, there are aspects of IT security in most roles. As I’ve done a lot of software testing I’ve had great fun with the following:

  1. Finding a web form which leaves the organisation open to an SQL injection attack (success)
  2. Discovering that a display screen for orders could be viewed by any user over the web with no credentials (great success)
  3. Checking whether IP addresses can be faked as I discovered that communications from a server to our mail server did not have any credentials other than the IP address. Turns out it’s very hard (impossible for me) to fake an IP address to get through the firewall (kinda success)

I think I’ve got the mustard for penetration testing. I’m irritating & I think that helps. I just need to develop my technical skills on par with my ‘gitness’ skills.

So, where does that leave me?

Well, I’m half-way through my computing degree with the OU. I’m not happy with my current module as it reads like it was written in 2006. The book on nuclear war wasn’t on the reading list.

Next year I move onto Java & web technologies. Believe it or not, there is no cyber security track. I did ask & was told ‘it’s part of every module’. Kinda true but also not that helpful.

Hence my remarks about flaky. I’ve learnt stacks so far but there’s still so far to go…that should be a song…My mind is awash with courses, certifications, entry level jobs, challenges & virtual ports….

I’m going to be revisiting my career plans in the next few weeks but am facing a few changes at work. I’m not really sure where this is going to end up so stay tuned. Let’s just hope I don’t go totally crazy with all this adventure…
