Archive for May, 2013

Affordable Benefits, Part I: Healthcare

Tuesday, May 28th, 2013

I hear CEOs complaining all the time about Obamacare this and regulations that. Frankly, I’m fed up with all the jibber-jabber. Where’s the action? You’re an executive, so your job is to execute, not whine. Creative approaches to health care are possible, and they can provide your workforce with world-class benefits at underworld prices.

I’m being literal about the pricing. You’ve got to go the route of mob doctors, or you’ll be bled dry by creeping costs. Do you think that, for one second, an unlicensed physician with a Consigliere bleeding from a bullet wound on his kitchen table is going to order up unnecessary procedures or charge ten bucks for an aspirin? Absolutely not. He’ll charge fair market rates for both parts and labor. Organizations everywhere are already keeping part-timers to 29 hours/week and professionals as 1099 contractors. Your firm will do the same thing, but if you keep a stable of medical school graduates desperate to pay off their student loans, you can offer affordable, effective health care that won’t cost you an arm and a leg.

How good will the care be? The great news is that since it’s all part of an illegal enterprise, you can extend the illegality into how you manage your health care professionals. In the legitimate world, a doctor that screws up can fight a malpractice case and can walk away with little, if any, damage should he win. In the underworld, what a doctor saves in malpractice insurance he makes up for in accountability. Mess up with an off-the-books job, and you’ll be encased in an oil drum filled with concrete. Those guys have incentives to provide the best care imaginable.

Your employees will be eternally thankful to you when you go the mob doctor route to both cut health care costs and improve the level of coverage. Rivals will at first wonder how you do it and then go that route themselves eventually. At the end of the day, it’s a win-win-win for management, employees, and doctors that don’t make mistakes.

Grow Your Employees

Monday, May 27th, 2013

The guys from Sith Consulting sure have their sizzle and flash. Double light sabres, near-robotic suits, lightning shooting out of their fingers… they look like total pros, right? They sure do some high-profile jobs and have a great PR engine, but what happens when something goes wrong? What then?

They lose a guy and they’re down 50% of their billable staff. Lose two, and they’ve got no bench to fill in the gaps. Problem with Sith is that they don’t hire anyone but superstars. If they can’t pinch a rising talent somewhere, they’ve got nothing in their pipeline. That can leave them in the ditch, hurting badly.

Meanwhile, at R’lyeh Consulting, LLP, we’re all about working with our entry-level guys and growing them into senior staff. We don’t go around stealing people from other organizations, they come to us. Let me give you an example.

R’lyeh Consulting has had a lock on the Innsmouth, Massachusetts market. We’ve been the only player there for years. One day, a competitor arrived. The local branch was agitated about that development, to say the least. But I advised a cooler attitude: “Go easy on him. He might be one of us, one day.” And you know what? I was right. His perception of R’lyeh Consulting wouldn’t have been favorable if that Innsmouth branch hadn’t gone with my simple advice, and we would have missed out on a real performer. I’m glad to say that Robert Olmstead, that former competitor, has been with us for years and will be with us for many years more. He even convinced his cousin to join with us – and we always have room at R’lyeh Consulting for guys wanting to get started in IT.

True professional organizations have to be professional through and through, not just in their most visible aspects. It’s not like Tyrannosaurus Rex sprang from the primordial ooze ready to go into action, star player though that species was. It took 134 million years to get T. Rex ready to go, and not a moment sooner. Believe me, when I talk about growing talent, I know what I’m talking about.

Death Star: Wiped Out by Lax Security

Sunday, May 26th, 2013

The guys at Sith Consulting talk a huge game, but their delivery leaves much to be desired. While some may chide me as being unprofessional for pointing out the flaws in my competition, I’m a planet-crushing deity, so I’ll destroy the souls of my chiders later on. Before that, though, I want to deconstruct the failings of the Death Star project.

The root of the whole issue was a lack of decent security protocols. Someone, an unauthorized someone, got his hot little hands on the plans for the Death Star and used them to find a weakness in its structure. That weakness was exploited, and a galaxy far, far away got treated to the biggest DDoS attack in its recorded history.

While we don’t have full details about the manner in which the sensitive files were accessed, we do have some information about how security generally ran on the Death Star. Let me tell you, there were holes big enough for Azathoth to fly through in their security policies. Why don’t we start with the holes in the walls, shall we?

By holes in the walls, I refer to the network access points for droids – and presumably other devices. Apparently, any droid could roll up, plug in, and have administrative-level access to key systems. The same droids could also snoop on important transmissions, which themselves were sent over the network in clear, unencrypted text.

How about a little thing called a “password policy”, hm? That would keep the random droid from having access to the datacenters once it was on the network. Machine authentication is the next logical step: that would have kept unauthorized droids off the network in the first place, before they ever got near a login prompt. IEEE 802.1X is a standard that’s been around for a good long while. It’s time the Sith caught up with the rest of the universe.
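To make the 802.1X point concrete, here is an added illustration (not from the original post, and not a configuration from any real Imperial switch): a Cisco IOS access-port configuration in the “hole in the wall” state, beside the same port with port-based authentication turned on. Interface name, VLAN numbers, RADIUS server address and the shared-secret placeholder are all assumptions chosen for the example.

```text
! --- Before: the hole in the wall (assumed example, not a real device) ---
! Any droid that plugs in is placed straight onto the core VLAN.
interface GigabitEthernet1/0/24
 description Droid maintenance port
 switchport mode access
 switchport access vlan 10
 no shutdown

! --- After: machine authentication with IEEE 802.1X (assumed example) ---
! Global: enable AAA and point 802.1X at the RADIUS server that holds
! the droid credentials/certificates. Address and secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server CORE-RADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Per port: the switch acts as the 802.1X authenticator. A droid that
! cannot prove its identity is dropped into quarantine VLAN 999 instead
! of the core VLAN, so an unknown device never reaches the datacenter.
interface GigabitEthernet1/0/24
 description Droid maintenance port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication event fail action authorize vlan 999
 dot1x pae authenticator
 spanning-tree portfast
 no shutdown
```

Two caveats a practitioner would want: 802.1X gates admission to the network, it does not encrypt what is sent afterwards, so the clear-text transmissions above still need MACsec on the wire or TLS at the application layer; and devices with no supplicant (a great many droids, one suspects) must be handled explicitly, for example with MAC authentication bypass into a restricted VLAN rather than by leaving the port open.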

There was the matter of a break-in to a maximum security prison wing to break out an important prisoner. How was it done? Via a public elevator. The perpetrators didn’t climb down the shaft or engage in any acrobatics: they simply pressed the button for the floor they wanted and walked on in. One would think there would be at least one locked door between the lift and the prison wing.

A locked door would have been good around the Death Star’s shield generator, as well. Security guards are great, but they are helped out a lot by locked doors. There were plenty of other locked doors all around the Death Star: why not around critical systems? For want of a locked door, someone walked in and shut off the generator.

A password would have been a good idea there, too. That way, access would have been denied to persons without proper authorization. Security 101, Sith.

Finally, if the plans for your biggest system are leaked into an unsecured environment, it’s time to assume the adversary has read them, analyze those plans yourself, and perform a risk assessment. Look for vulnerabilities and implement stronger security, because the people that stole those plans are looking for the same vulnerabilities to exploit. Got an exposed exhaust port that connects to a core power system? Sounds like that would be a good spot to protect.

I’ll pass over the poor navigation that put the Death Star in a position where it would not have a clear shot at the rebel base. I’ll also not dwell on the lack of supporting screening vessels. Really and truly, the battle to destroy the Death Star was already lost for the Sith’s client when ineffective security measures allowed critically sensitive documents to slip out of the facility not once, but twice.

What would I have done? Back in the 1920’s, some unauthorized persons tried to access an extension of my corporate campus. All but one were apprehended and dealt with before they got past the front door. That last person did share information with several other individuals, but forensics teams tracked down the spread of the information and terminated its flow. R’lyeh Consulting then put in new measures so that sort of thing would not happen again.

And what do you know, I’m still here and the Death Star isn’t. Hopefully, the Galactic Empire learns its lesson and ditches the brain trust at Sith Consulting before they get talked into something insane like a second Death Star.

Eregion Hardware Security Alert

Saturday, May 25th, 2013

If you have any equipment from Eregion, made by Celebrimbor, I strongly recommend you replace it as soon as possible. There are a number of known exploits for several of their flagship platforms, allowing them to be easily compromised.

Most importantly, if you have a Ring of Power from Eregion, dispose of it immediately. We know of full compromises of the Dwarf-king and Human-king models, but have not seen full compromises of the Elf-lord models. The Ring of Power exploit involves a backdoor admin account that allows full control of the device and of anyone wearing it. Although no organization or individual has publicly claimed responsibility for the activity described, forensics indicates a pattern consistent with Sauron, servant of Morgoth. The Dwarf-king models basically allow Sauron to access the financial resources of the owner and operator of that kind of Ring of Power. The Human-king models create a sort of botnet, using the Human-king Ring of Power owners as the command-and-control servers that send out instructions to large groups of men, wargs, orcs, goblins, trolls, and oliphaunts.

While the Elf-lord models are not totally compromised, users have noted suspicious activity in association with their usage, and that activity has been confirmed to be linked to Sauron. Use the Elf-lord models advisedly.

The exploit appears to stem from Celebrimbor’s employment of a certain individual, Annatar, in the manufacture of these lines. Due to lax screening procedures and security clearances, Annatar was able to gain access to the production process of the Dwarf-king and Human-king lines, where he introduced the code for his admin backdoor. Later events showed that Annatar was none other than Sauron himself in disguise. We have confirmed that Annatar/Sauron did not have access to the production of the Elf-lord models, but was in the area at the time of their manufacture.

The second major alert deals with the “Door” line of secure gateway products made at Eregion. While Sauron was not involved in their making, it is clear that the lax attitude toward security at Eregion that allowed Sauron access to the Rings of Power line was also in evidence during construction of their Door line.

Specifically, the Door products have the administrative access password written on the exterior of the product, in plain view. This is a grave breach of security, and should be taken seriously.

We have also received reports of a line of traffic flow monitors called “The Watcher” generating false positives in conjunction with Eregion Door products. While Eregion did not manufacture Watcher systems, we do know of instances in which a Watcher shut down a Door secure gateway right after the persons involved had provided the correct password to gain access. It is also clear from the Watcher activity that it was set to delete traffic inbound to or outbound from that interface. For this reason and the one given immediately above, R’lyeh Consulting, LLP, strongly advises replacing any and all Eregion Door secure gateway products.

R’lyeh Consulting, LLP, is able to provide aeons untold of experience and expertise in assisting you in securing what is most valuable in your enterprise systems. If you have Eregion products in your enterprise and need replacement systems, we can help.