The Inner Circle


I need you! Participation in a scientific research around shadow-IT, COVID-19 and post-its with passwords

  • 1.  I need you! Participation in a scientific research around shadow-IT, COVID-19 and post-its with passwords

    Posted Nov 19, 2020 06:23:00 AM

    Hey everyone, 

    this group has been recommended to me as a place full of interesting and curious minds. 

    Who am I?
    I'm looking for people and organisations who would like to participate in my current research at the Hasso-Plattner Institute & Stanford Design Thinking Research Program.
    My research is very practical and aims at providing concrete ideas and guidelines. This is based on my 20 years of experience in the field and seeing these issues first hand. I spent the last years within a Big4 and am now moving to a CISO role for a power & utilities company.

    My research
    COVID-19 brought a massive social disruption to organisations. As people rearranged to work remotely, they also reorganised themselves in their teams.
    By doing so we have seen a massive increase in shadow-IT. 
    People started to use Zoom, collaboration moved to private phones and messengers like WhatsApp, teams turned to Dropbox, Google Docs and others. All of this despite the fact that we spend so many resources on personal awareness, security controls etc. 

    If you want to find out why this happens, and how to hack your organisational design for better future performance, I want to invite you to participate in my research. 

    How you can participate
    I am looking for organisations where I can conduct expert interviews, about 60 minutes time. The experts should come from a business department, because they can provide the best insights on how they deal with cyber-security on a daily basis. 
    If possible, I would also talk to someone from security, to represent their view on the COVID-19 lockdown and how the business reacted.  
    All of this will be fully anonymised and confidential if requested. 

    What's in it for you? 
    You will get the insights from my research and the final publication, with practical advice about what type of problem you are facing, why these things are happening and how you can deal with them. 

    I have attached a document with the official invitation and my contact details. This is your chance to participate in some pretty cool and novel research! And you would help me a lot. 

    Feel free to ask me anything or to reach out directly via my contact details in the pdf. You can also share this with other interested parties!

    Thank you in advance and I am looking forward to talking to some of you soon!

    Regards,

    Tom



    ------------------------------
    Tom Hofmann
    Researcher / CISO & DPO
    Hasso-Plattner University / undisclosed
    ------------------------------

    Attachment(s)

    Research Invitation_EN.pdf (PDF, 109 KB, 1 version)


  • 2.  RE: I need you! Participation in a scientific research around shadow-IT, COVID-19 and post-its with passwords

    Posted Nov 19, 2020 06:24:00 AM


    PS: For those who are interested, here is some background information. 
    Today's awareness programs are labeled "human centric", but this has some major flaws. 
    First, it targets the individual and thereby neglects the fact that these people are part of larger teams, with their own dynamics and goals. 
    Second, it assumes that the problem is known and can be solved by good and best practices, aka "the problem is a lack of knowledge and awareness". 

    A good example is the espionage case of Monica Witt. She created social media sock puppets and connected with personnel from the U.S. Central Command (CENTCOM) Joint Intelligence Unit. While being deployed in Afghanistan they had a private FB group where they shared information [1][2].

    Or the Secret Service agent who plugged in the malicious USB drive of an alleged Chinese spy [3], United States Army Intelligence and Security Command (INSCOM) leaking NOFORN data through unprotected backups [4] and CENTCOM leaking internet surveillance data [5].

    If such highly trained individuals fail to maintain proper OPSEC, how can we expect this from businesses? 

    Why this happens, how it can be addressed and why awareness isn't enough: this is my research, and this is why I need you and your insights!

    [1] The Guardian: Monica Witt: from US intelligence officer to alleged Iranian spy
    [2] Indictment of Monica Witt: https://assets.documentcloud.org/documents/5736443/Indictment-Monica-Witt.pdf
    [3] The Independent: Secret Service agent put Mar-a-Lago intruder's USB into computer, triggering immediate download of malware
    [4] UpGuard: Black Box, Red Disk: How Top Secret NSA and Army Data Leaked Online
    [5] UpGuard: Dark Cloud: Inside The Pentagon's Leaked Internet Surveillance Archive


    ------------------------------
    Tom Hofmann
    Researcher / CISO & DPO
    Hasso-Plattner University / undisclosed
    ------------------------------