Planet maemo: category "feed:b8f329ed41bc70b2aac9aefb728693a3"

cybercomchannel

Ten tips for secure development

2012-12-10 09:16 UTC  by  cybercomchannel

Many IT systems are insecure, others are simply dangerous. Some people argue that this is because the vendors that develop them are ignorant. I think not. However, I do believe they like money. A quarterly report with great numbers is never wrong.

It costs 5-10% more to develop a secure system than a clumsy and insecure system. If the organisation making the system has never worked securely in the past the cost can be up to 25% more, but this rapidly decreases as the processes become embedded. Despite the cost, the investment is worthwhile because higher quality radically reduces downtime, successful hacker attacks and other ills. Not to mention fewer headaches.

When development is placed with an external provider, the problem is that you take the business risk while the supplier delivers to a specification. If security is not included in the specification, then security will not be delivered. Why would the supplier reduce their margins by 5-10%? If a provider includes security in the price when it hasn’t been requested, they may even lose the deal because the customer chooses a cheaper alternative.

There is only one solution. Include security requirements in the contract and follow them up. Believe me, you do not want software that does not meet at least the following:

  1. The system should not have any of the SANS 25 programming errors and, if it is a web application, it should not have any security holes in the OWASP Top 10.
  2. The supplier should specify which software components, including version numbers, are used to create the system.
  3. The supplier should use only standard methods for encryption and signing. All security-related documentation should be available on request.
  4. You should have the right to review the security system.
  5. The supplier should provide documentation on how the system is to be installed with the minimum of operating-system access rights, and on what network traffic is necessary for the system to work in the particular environment.
  6. The supplier should indicate the update cycle.
  7. The supplier should be able to demonstrate how security is integrated into the system lifecycle.
  8. The supplier should provide information on vulnerabilities detected in the system within thirty days, or when an update that resolves the problem is issued, whichever comes first.
  9. The system should log all events and comply with SIEM standards.
  10. The system should be able to identify and authenticate users and confirm eligibility. It should comply with open IAM standards.

Really, you should conduct a security analysis to ascertain the right level of security and cost framework. But the above points are a good start. Then you won’t be disappointed by system crashes or being pulverised by hackers. And you can happily throw the headache pills in the bin.

Categories: English
cybercomchannel
Bo Strömqvist will be the new head of sales at Cybercom. He comes most recently from Enea as head of sales and is now tasked with accelerating and realising Cybercom’s group-wide sales strategy.
cybercomchannel

This is the season to be jolly

2012-12-09 18:35 UTC  by  cybercomchannel

The holidays are just around the corner and many project leaders are running around in panic; I guess that sums up life for many this time of year. Now you might wonder why this time of year might be a headache for a project leader. The reason is quite simple and it spells resources. During the Xmas holidays you often only have a ghost crew for a couple of days, and you still want anyone actually in the office to have something to do. Just having people sitting around doing nothing is quite expensive and also very boring. Of course there is no silver bullet to fix this “problem”; you just have to be a bit creative. Here are at least a few suggestions:

  • If you use Scrum it might be an idea to switch to Kanban during Xmas; you could still keep the same delivery schedule etc. to avoid getting out of rhythm.
  • Seek and destroy defects
  • Build competence!
  • See who manages to eat the most of the leftover Xmas candy! ;)

If you have any other great idea, feel free to send it to me and I might post it on the blog! :)

cybercomchannel
In accordance with the procedure agreed by the 2012 AGM, Henrik Didner, Didner & Gerge Fonder AB, has been appointed as a new member of the nomination committee of Cybercom Group AB (publ), as a representative of one of the three largest shareholders in terms of votes.
cybercomchannel

The life of a consultant

2012-11-30 20:08 UTC  by  cybercomchannel

I now and then get questions on what life as a consultant is like. I’m going to try and answer the most common questions here. If you happen to have any questions you wonder about, you can of course mail me or ask in the comments, and I’ll try to answer to the best of my knowledge. I can of course not talk about specific assignments or customers.

Do you like working as a consultant?

Yes, I like it. Of course there are upsides and downsides, as with pretty much everything else. I like the fact that my job is constantly changing and that I have the opportunity to meet new, interesting people all the time. I learn a lot by working with so many different people and hopefully they learn something from me as well. Of course it’s always sad when you leave people that you enjoy working with a lot; however, just because you finish your assignment doesn’t mean that you have to stop talking to or hanging out with people. :)

Do you always work alone when going to a customer?

Not always, but it happens. For me this isn’t a problem, to be honest; I feel just as comfortable going on my own as going with colleagues. I honestly don’t think any serious consulting company would send a consultant on his own to a company if the consultant didn’t feel comfortable with this.

Do they expect you to know everything?

Maybe I have been lucky, but I have never had any problems with anyone having absurd expectations of me. I’m very open about what I can do, what I cannot do, and what is possible for me to learn in the given time frame.

Is it not hard/boring to do interviews all the time?

I actually don’t see them as interviews in that sense. I see it more as a two-way street: I want to understand the problem better so I know if I actually can help them solve it, and they usually want to get a better idea of who I am. I’d hate getting an assignment where I felt useless and couldn’t contribute!

Those were a few of the common questions, and like I said, I’m happy to try and answer any questions you might have, just as long as it isn’t about specific customers or assignments. :)

cybercomchannel
As a consequence of the rights issue resolved by the board of directors on 29 August 2012 and approved by the extra general meeting on 1 October 2012, the number of shares and votes in Cybercom has increased by 144,351,596.
cybercomchannel
Outotec and Cybercom have signed an agreement on the delivery of a new IT-solution to support Outotec's Virtual Experience Training service. The project has started and will be delivered in spring 2013.
cybercomchannel
Cybercom is adapting its operations in Sweden, Singapore and Finland to improve the efficiency. Actions include cuts of the group overhead costs and reductions in the number of employees. The measures are expected to provide annual cost savings of approximately SEK 45 million.
cybercomchannel

Did the schools “forget” about testing?

2012-11-25 19:36 UTC  by  cybercomchannel

I’m a bit puzzled. I think anyone who works in the IT business today knows how vital testing is, and that it takes all shapes and forms. You have everything from actually poking the 1’s and 0’s with an oversized stick until it breaks, to analysing the “if’s and the maybe’s” from afar. My point is that testing is a whole lot more than just “that stuff that happens just before the code is delivered”. With that in mind I’m a bit puzzled by how many workers fresh out of school, and still in school for that matter, I meet who have almost no clue that testing even exists. Usually the only experience of testing they have is that they made some attempt at unit testing in a Java school project or similar. I must say I have kind of the same experience from school: apart from writing very few and extremely simple unit tests, I can’t remember ever hearing anything about it.

I hope I’m wrong and the schools actually have kickass courses within all areas of testing; someone please prove me wrong! ;)

cybercomchannel

I hosted a workshop on web security tonight where the main objective was to actually hack into something (a demo app). Apart from actually letting the group investigate/test the site for XSS vulnerabilities, bad implementations and overall horrible architecture, the idea was to show how easily a small “flaw” can become a major problem. Very few people will be worried by seeing some demo page just showing some “alert window” displaying the word test or something. I think/hope my approach of actually showing how all these “small” flaws together made it so the “evil hacker” could perform a session hijacking and get complete access to the demo app highlighted that even the smallest flaw could end up being something very serious. I’m pretty sure quite a few of these flaws would only make the usual web developer (or tester for that matter) shrug their shoulders and move on saying “nothing serious…”, while the “evil hacker” stands on the other side of the fence saying “just smile and wave boys, just smile and wave” (bonus points if you know the movie reference! ;) ).

The group did very well, and even though most of them had no previous experience of these things, the group together identified all the flaws needed to actually do the session hijacking. Well done! :)

cybercomchannel

Outwitting antivirus systems

2012-11-19 13:45 UTC  by  cybercomchannel

“I’ve been circumventing antivirus systems today.” His eyes glistened when my colleague Mattias told me this during the latest after-work get-together. It’s not as strange as it sounds. All our clients have antivirus systems, and they are a natural part of penetration tests.

Traditional antivirus systems collect large numbers of so-called signatures of malicious code, which they then compare with the files on your computers. This approach is called blacklisting. It worked reasonably well in the past, but is becoming increasingly difficult for several reasons.

Firstly, the number of known viruses is increasing exponentially. As soon as a sample is modified just slightly, a new signature is needed. Secondly, there are more and more black hats hacking for a living. When they discover new security holes or develop their own code, they use the information in targeted attacks. In the old days they manufactured viruses that were dispersed on a large scale and could be captured and analysed. Now they keep the knowledge to themselves. This means there is more and more malware circulating on the black market that no signature database has ever seen.

Most antivirus systems nowadays look not only for signatures but also for suspicious patterns and behaviours. The result is better, but the fact remains that they are still looking for things they know about.

In summary, traditional antivirus systems can only ward off script kiddies and viruses that make use of known methods. They are important for hygiene, but cannot prevent advanced hacker attacks. Moreover, different antivirus systems are good at different things but do not always work if installed together on the same machine.

More recently, a method called whitelisting has come into focus. Instead of trying to find every malicious program, only a defined set of programs that are known to do the right things is accepted, and everything else is blocked by default. The downside of this technology is that it requires a finely tuned database that suits precisely your system without interfering with business operations: every legitimate update has to be added before it will run. The advantage is the much lower chance of targeted attacks being successful, since unknown code is blocked whether or not anyone has a signature for it.
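The difference between the two approaches is easiest to see side by side. The following is an added example, not code from the original post or from any product it mentions: a toy scanner in which a "signature" is simply the SHA-256 hash of a whole file, the "files" are constructed byte strings, and the names `SignatureBlacklist`, `HashAllowlist` and `demo` are assumptions made for the illustration. It shows the three points the text makes: a known sample is blocked by the blacklist, a sample changed by one byte slips past it, and the allowlist blocks both variants but also rejects a legitimate update until someone approves it.

```python
"""Toy comparison of blacklisting (known-bad signatures) and whitelisting
(known-good allowlist). Added illustration; all samples are constructed byte
strings standing in for program files, nothing here touches a real disk."""
import hashlib
from typing import Dict, Iterable, Tuple


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the simplest kind of antivirus signature."""
    return hashlib.sha256(data).hexdigest()


class SignatureBlacklist:
    """Blacklisting: block only files whose hash is in the known-bad set."""

    def __init__(self, bad_samples: Iterable[bytes]) -> None:
        self.bad_hashes = {sha256_hex(s) for s in bad_samples}

    def verdict(self, data: bytes) -> str:
        if sha256_hex(data) in self.bad_hashes:
            return "blocked"
        # Anything unknown passes, including a slightly modified variant.
        return "allowed"


class HashAllowlist:
    """Whitelisting: allow only files whose hash is in the known-good set."""

    def __init__(self, good_samples: Iterable[bytes]) -> None:
        self.good_hashes = {sha256_hex(s) for s in good_samples}

    def verdict(self, data: bytes) -> str:
        if sha256_hex(data) in self.good_hashes:
            return "allowed"
        # Anything unknown is blocked, including a legitimate update.
        return "blocked"

    def approve(self, data: bytes) -> None:
        """Add a vetted program: the ongoing tuning cost the text mentions."""
        self.good_hashes.add(sha256_hex(data))


# Constructed samples (hypothetical "files", not real programs).
GOOD_V1 = b"payroll-app 1.0: prints monthly reports"
GOOD_V2 = b"payroll-app 1.1: prints monthly reports"   # legitimate update
BAD = b"constructed-malware: sample A"                  # the sample AV has seen
BAD_VARIANT = b"constructed-malware: sample A."         # one byte appended

SAMPLES: Dict[str, bytes] = {
    "GOOD_V1": GOOD_V1,
    "GOOD_V2": GOOD_V2,
    "BAD": BAD,
    "BAD_VARIANT": BAD_VARIANT,
}


def scan_all(blacklist: SignatureBlacklist,
             allowlist: HashAllowlist) -> Dict[str, Tuple[str, str]]:
    """Return {sample name: (blacklist verdict, allowlist verdict)}."""
    return {name: (blacklist.verdict(d), allowlist.verdict(d))
            for name, d in SAMPLES.items()}


def demo() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, Tuple[str, str]]]:
    """Scan before and after the allowlist is tuned for the update."""
    blacklist = SignatureBlacklist([BAD])        # AV vendor knows sample A
    allowlist = HashAllowlist([GOOD_V1])         # ops approved version 1.0
    before = scan_all(blacklist, allowlist)
    allowlist.approve(GOOD_V2)                   # after vetting the update
    after = scan_all(blacklist, allowlist)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in SAMPLES:
        print(f"{name:12s} blacklist={before[name][0]:8s} "
              f"allowlist={before[name][1]:8s} "
              f"allowlist-after-tuning={after[name][1]}")
```

Running it prints one line per sample. `BAD_VARIANT` is the instructive row: the blacklist reports "allowed" because one appended byte changes the hash, while the allowlist reports "blocked" both before and after tuning. `GOOD_V2` shows the price of that strictness: it is blocked until `approve` is called. Real products use far richer signatures and behavioural rules than a whole-file hash, but the asymmetry is the same.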

Unfortunately there is no single antivirus program that solves the problem of malware. First you have to decide what information is worth protecting. Then you need a well-thought-out strategy that includes several different types of protection: antivirus programs, firewalls, intrusion detection systems and possibly whitelisting of applications. Nor is it wrong to have several types of antivirus software installed on different computers. Since a large proportion of corporate information is held on mobile devices, extra thought must be given to these.

But above all, we must remember that security is so much more than just antivirus software. An individual security mechanism can always be circumvented. It is the whole picture that really matters.

cybercomchannel
Cybercom has signed a partnership with Liaison technologies, a global provider of secure cloud-based integration and data management services and solutions. Cybercom will resell and deploy Liaison´s Tokenization solution, Liaison Protect, in the Nordics and Eastern Europe.