Did you notice how some journalists ask one particular question at the end of an interview? It’s usually a good sign: "Is there anything I didn't ask you but should have?"
This question indicates curiosity to go past the obvious talking points. It shows the interviewer’s openness to considering new angles. We decided to rephrase and broaden that question and pose it to our InfoSec Luminaries:
"What's the one IT security issue that you wish journalists would cover more or better, and why?"
No media bashing or gripe-airing intended here. Reporting on IT security, computer crime, data protection and privacy - and getting it right - is tough enough. It looks like more fun from the outside (if you’re not doing it yourself) than it actually is. We get it.
But even those in the industry who enjoy stellar media coverage can point to an issue or two that deserves more attention than it is actually getting.
The premise of this Lineup was to highlight aspects that rarely make it on page 1 of the Daily Data Breach. Perhaps we can even seed one or two story ideas. In any case, all our contributors welcome your questions if you’re a journalist covering the industry and looking for expert input or a fresh perspective on a related topic.
At Authentic8, for example, we would like to see more light shed on the web’s inherent security weakness, for better general awareness of what's needed to better protect ourselves. Below, our InfoSec Luminaries highlight the IT security issues that they think could otherwise get lost in the shuffle.
The submissions cover a broad range this time. They address gender aspects and the human element (Daniel Garrie/ Masha Simonova, Eric Vanderburg). They offer facts and insights for less dark (Fred Scholl) and more diligent (Benjamin Wright, Mike Baukes, Pete Kofod) reporting.
Another one highlights an upcoming regulatory requirement that will have a significant global impact (Steve Durbin). And we close this round with a practical reminder that WiFi connections always warrant a second look - for all of us, but for journalists in particular (Joseph Raczynski).
PS: Do you have something to add or would you like to be included in future InfoSec Luminary Lineup discussions? Connect with us through one of the links at the top of this page or use the comment form below.
“Address IT Security Career Stereotypes” (Daniel Garrie)
(with thanks to Masha Simonova for her input)
One of the most under-discussed issues in IT security is the lack of female participation in the security workforce.
Journalists cover the gender gap in security on occasion, but it should be brought up more frequently and thoroughly.
According to The Women’s Society of Cyberjutsu (WSC), a 501(c)3 non-profit passionate about helping and empowering women to succeed in the cybersecurity field, only 11 percent of the information security workforce are women, whereas 50 percent of professional occupations in the US are held by women.
What are the main reasons for the gender gap?
Why are women hesitant to pursue jobs in IT security? Michael Brown, the CEO of Symantec, told Forbes in 2016 that by 2019 there would be a projected shortfall of 1.5 million jobs in cybersecurity. The unfilled positions are clearly there, and yet the statistics for women in such roles still show low numbers and slow growth.
I would like to see journalists address the stereotypes of an IT security career, and cover what such a career looks like as well as a concrete description of what an IT security job entails.
The discussion around women in STEM fields and tech has evolved and gained press coverage, and it now needs to include bridging the gender gap in IT security as well.
Daniel Garrie is the Senior Partner & Co-Founder of Law & Forensics LLC, a technology consulting firm that specializes in e-discovery, software, computer forensics, and cybersecurity. Garrie also is a Cybersecurity Partner at the law firm Zeichner Ellman & Krause LLP.
“Focus More on the Human Element” (Eric Vanderburg)
Focus more on the role each of us plays in security.
That means the human element of security: each person's individual responsibility to protect their own privacy and the information they work with on behalf of employers, customers, and colleagues.
Eric Vanderburg (Twitter: @evanderburg) is a cybersecurity and technology leader, author, and consultant based in Cleveland, Ohio.
“Cover more of the progress” (Dr. Fred Scholl)
Most journalism still focuses on fear, uncertainty and doubt. I wish that journalists would cover more of the progress that security professionals have made in the last 22 years.
The internet really started taking off in 1995. In 1995 we had 16 million internet users. Now we have 3.8 billion users; the threat has grown by 200X+. We are not going to see this magnitude of threat increase again.
The recent WannaCry attack highlights vulnerabilities in Microsoft Windows. But we should also not forget that WannaCry seems to have netted the attackers about $0.30 per attacked machine. Hardly worthwhile.
We should also give Microsoft credit for adopting much more secure development processes starting with the 2002 Trusted Computing Initiative. This, in turn, led to the adoption of secure development processes across the industry.
Enormous progress in IT security since 1995
Enormous progress has been made in security since 1995. On the hardware side, we should consider how chipmakers have moved IT security forward. This includes VT virtualization technology, TPM technology and Control-flow Enforcement Technology (CET).
Security standards initiatives worth mentioning in this context include SOX, PCI and HIPAA. On the government side, FISMA was signed into law only in 2002. NIST 800-53 was released in 2005; the latest NIST security standard is SP 800-190 “DRAFT Application Container Security Guide.”
I would argue that all this activity is making us more secure. Around the new millennium, we had script kiddie attacks like Code Red and Nimda.
Then, ten years later, we moved into an era of domestic and overseas criminal attackers like Albert Gonzalez and Roman Seleznev, both of whom were responsible for extensive credit theft.
Only nation states can afford hacking today
It seems like this type of crime does not pay so much anymore. We have made the cost of doing online business too high for criminals. The FBI, with a limited number of agents, has made significant progress in capturing criminal hackers.
I think the script kiddie era has long passed and the criminal gang era is subsiding. It’s not ending; we still have bank robberies. But we also have made progress in cybersecurity.
The cost of hacking has gone up so much that only nation states can now afford it. This is our next security task… to make sure our critical infrastructure remains resilient.
The challenge is that pretty much everything today is, or connects to, critical infrastructure.
“Carefully Evaluate Cyber Evidence” (Benjamin Wright)
I believe that news organizations could do a better job of acknowledging the difficulty of assessing the evidence of any kind of security incident.
It is easy for people to see an incident and jump to the hasty conclusion that there has been a breach or that the source of the incident can be attributed to a particular group of bad guys.
For example, in December 2016 the Washington Post published a breathless article saying that Russian hackers had penetrated the American electric grid by way of a utility in New England, the Burlington Electric Department in Vermont.
The Washington Post received its information by way of a whistleblower inside the Department of Homeland Security. The whistleblower had seen a limited report from a power utility saying that some hacker tools were found on a laptop belonging to an engineer.
However, the utility in question soon had to release a statement saying that no one had penetrated the grid, and there was little support for the idea that the incident identified by the utility was related to Russian hackers.
Within a few days, The Washington Post had to substantially rewrite and amend the original article, retracting its reporting that Russian hackers had penetrated the U.S. electric grid. What an embarrassment.
This episode illustrates how journalists were jumping to crazy conclusions based on very slender evidence. Journalists and other professionals who see cyber evidence should very carefully evaluate it before reaching conclusions.
Attorney Benjamin Wright (Twitter: @benjaminwright) teaches the class Law of Data Security and Investigations for SANS Institute. He is the author of "The Law of Electronic Commerce" (Wolters Kluwer) and chair of SANS Institute's annual "Data Breach Summit."
“Not Every Cyber Attack is a Hack” (Mike Baukes)
Journalists covering cyber risk today have their work cut out. Rarely a day goes by without news of some cyber attack, whether against a corporation, government institution, or individual consumers.
Entire beats at news publications have been created just to cover this topic, an immensely important development not only for journalism but the world at large. This development is welcome news for a digital landscape increasingly marked by global disruptions of the sort caused by the recent WannaCry malware attack.
However, a common mistake that we in the cyber resilience industry see is when journalists and the media refer to any malicious cyber activity as a “hack.”
It can be hard to parse, but consider this as a start:
While every hack might be considered a cyber attack, not every cyber attack is a hack.
For example, if someone leaves their computer unlocked and another person posts from their Facebook account, that’s not a hack; indeed, even more malicious activity, such as a Distributed Denial-of-Service (DDoS) attack, requires no hacking to successfully take down a target, provided enough firepower can be mustered.
A hack is defined by the use of something for a purpose for which it was not intended, or exceeding one’s authorized digital access.
And not all hacks are created equal - there are many ways of hacking IT systems, methods which can often be combined with other nefarious tactics.
A ransomware attack, for instance, might be initiated through an open port, the implantation of malware, and perhaps even some social engineering, in the form of phishing, to acquire needed passwords to further degrade IT integrity.
When reporting on IT security, it is important to remember that some of this activity would not constitute hacking.
Mike Baukes (Twitter: @mikebaukes) is the Co-Founder/Co-CEO at UpGuard, the company behind the world’s first cyber resilience platform, based in Silicon Valley. Originally from Australia, Mike is an entrepreneur at heart who started his career out living and breathing DevOps. Mike is as comfortable dealing in technical detail as he is strategic outcomes, with extensive knowledge of technology, ability to realize opportunities, and execute on his vision. Mike held senior leadership roles in Enterprise strategy, architecture and solution design for major corporations including Lloyds, E*Trade, and CBA, all at a young age.
“GDPR - the EU’s General Data Protection Regulation” (Steve Durbin)
Amidst the breathless news cycle that all journalists are obliged to follow, and the never-ending media release from the vendor with that silver-bullet product that is destined to save the security world from no end of hacks, breaches and general misdemeanors, one element almost always goes to the back of the queue for coverage: legislative changes.
Why? Well, second to perhaps only a guide to watching paint dry, legislation is a close second for the Party Pooper of the Month award. After all, who wants to read about an additional compliance burden that is destined to occupy the minds and resources of an already stretched security department?
The short answer is: not many. But there is a transnational regulation going into effect in May 2018 that will have such a global impact that, whether we find it attractive or not, journalists are duty-bound to report, explain and educate about it.
Who wants to read a guide on watching paint dry?
I am referring to the EU’s upcoming General Data Protection Regulation (GDPR). I have lost count of the number of companies that have told me that this won’t apply to them or who believe that with one or two minor changes to the way they handle personal data relating to EU residents all will be well.
The GDPR is arguably the biggest shake-up to privacy legislation that we have ever seen. Not only is it far-reaching in its requirements, but its reach is truly global and boy, does it come with some teeth for those companies that choose to ignore it.
Would a maximum fine of four percent of global turnover get your attention? No? What about suspending your business activities while you remedy data protection problems?
GDPR: a European regulation with global impact and painful penalties
The GDPR will be enforced starting 25 May 2018 and organizations should understand which aspects of readiness will – or will not – be in place for that time so that they can plan their implementations and mitigate residual risks if they are not ready.
The GDPR extends beyond EU borders and applies to EU residents’ data no matter where in the world it is processed.
European supervisory authorities can enforce the GDPR against an organization even if it has no physical presence in the EU; so long as it is processing EU residents’ data or monitoring their activities, the GDPR applies. So key considerations for organizations must be:
- Do we process personal data about EU residents?
- Do we process personal data within the EU, irrespective of the nationality or location of the data subject?
What does GDPR mean for US-based companies?
What about US companies hoping that the EU-US Privacy Shield will provide some protection?
While the Privacy Shield defines a mechanism under which personal data can be transferred from the EU to the United States, such hopes would be misplaced.
US organizations that receive personal data from the EU under the Privacy Shield or through other mechanisms must comply with the principles of the GDPR and submit to the authority of EU courts and supervisory authorities for that data.
And that is just the tip of the iceberg. GDPR also carries requirements for a data processing officer, for erasure of personal data, rights around portability, and for incident management plans.
Organizations that rely on consent for their direct marketing activities will be required to provide evidence of consent for such activities, and the responsibilities associated with third parties are also going to change.
Plenty here for journalists to get their teeth into.
And the “good” news is, from a media perspective, that no doubt there will be examples of noncompliance and associated breaches and fines coming down the pike that will continue to provide the more traditional security reporting content for stories well into the coming years.
Steve Durbin (on Twitter: @SteveDurbin) is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cybersecurity and the emerging security threat landscape across both the corporate and personal environments. Steve has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner.
“Spend more effort on covering the motives and drivers behind attacks” (Pete Kofod)
A key function performed by intelligence analysts in support of law enforcement, national defense and foreign policy is identifying the motives that drive various organizations and political entities around the world.
The resulting reports grant executives and policy makers insight into conditions and events that may trigger a response. The gathered intelligence also allows investigating authorities to narrow down suspects as well as identify pending targets of an attack.
Aside from the broad threat announcements from CERT and similar organizations, there is little analysis and discussion among technology journalists describing the underlying causes and catalysts for attacks. The publications of Brian Krebs and Bruce Schneier are among the rare exceptions to this rule.
Without in-depth background information, consumers and IT security professionals alike are left reactively punching in the dark, wasting precious time and resources researching and hardening their IT against low priority threats.
Journalists should examine the "why" of cyber threats
Transnational crime syndicates are motivated by different factors than the Anonymous group, for example. They consequently select different targets, employ different attack vectors and seek different outcomes.
That is not to say that organizations should ignore known threats simply because they aren’t an end target. After all, attackers may use unrelated targets as confidence targets, vector testing or as attack intermediaries.
In conducting a threat analysis, probability should be considered, however, and knowing the "why" of the attacker helps define the probability of being attacked.
Journalists have a significant role to play in informing their readership regarding the profiles of adversaries. It may not be as easy as doing a piece on the latest security technology, but it is critical that CISOs and consumers develop awareness of who the real threats are.
While industry and vendors have a large role to play, it should fall on journalists to cover this important topic.
Peter Kofod, Co-founder of The Sixth Flag, (Twitter: @TheSixthFlag) has over twenty years of technical and leadership experience in Information Technology, including the development of secure hosted services for the transportation industry as well as designing and managing networks in the utility and defense sectors. Peter is also the Founder and Principal of Raleigh-based Datasages Consulting Group LLC, a firm dedicated to providing enterprise management services to industrial and transportation customers.
“WiFi. It Can Be Hazardous to Your Health.” (Joseph Raczynski)
Using WiFi without encryption is like riding a bike through Times Square without a helmet. At some point, a cab door will open, and you're going to get whacked without any protection.
Journalists, who rely heavily on WiFi for work, are not invulnerable. They can also play an important role in informing and educating less savvy WiFi users about the associated risks.
For starters, one major concern is the "man in the middle" attack. People can buy plug-and-play devices to listen to your internet traffic when you're using public WiFi without VPN or encryption.
In fact, one company produces a device called the WiFi Pineapple that sees all Access Points (APs) within a few blocks' radius. Get ready. The cab door is about to open.
Unprotected on public WiFi? You will get hit.
Imagine the following scenario. Picture yourself at the local Starbucks on their WiFi checking your recent bank direct deposit. All of a sudden you get bounced from your connection, alas you reconnect in a few seconds - all good? Nope!
What you don't realize is that you have reconnected to a rogue access point which looks like Starbucks, but isn't. What happened?
Someone seated in your general vicinity has a device or application which you just connected to instead of the Starbucks WiFi. They bounced you off the legit Access Point, and you reconnected through the bad guy. Bike rider, meet cab door.
At this point, the hacker can see, in real time, everything that you are doing on your browser. So yes, the crook can see your bank account web page and just captured your bank login and password.
If using any WiFi, make sure the network is encrypted or use a VPN. We'd better wear our helmets while riding the interwebs.
All that said, some experts I've chatted with recently go as far as to say any sensitive work should never be done via WiFi - even if you have encryption and a VPN.
Something to think about especially for journalists, whose reputation rides on protecting their sources.
Joseph Raczynski (Twitter: @joerazz) manages a team of Technical Client Managers for both the Large Law and Government divisions of Thomson Reuters Legal. Joseph serves the top law firms in the world consulting on legal trends and customizing Thomson Reuters legal technology solutions for enhanced workflows.
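The rogue access point scenario described above, turned into two client-side checks as an added example (not part of the original post, and not code from any of the contributors): flagging an "evil twin" that beacons a trusted SSID from an unknown radio, and spotting the deauthentication burst used to bounce a client off the legitimate AP. All SSIDs, MAC addresses, timestamps and the record layout are constructed for illustration; real input would come from a monitor-mode capture or a scanner's output, and the field names are assumptions.

```python
"""Evil-twin and deauth-burst heuristics over constructed Wi-Fi records.

Added example; the scan, capture and BSSID allow-list below are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio beaconing this SSID
    channel: int
    security: str   # "open", "wpa2", "wpa3"


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp, seconds
    subtype: str    # "beacon", "deauth", "data"
    src: str        # transmitter MAC (forgeable in a deauth frame)
    dst: str        # receiver MAC; ff:ff:ff:ff:ff:ff is broadcast


# Constructed scan: the cafe runs two WPA2 radios (2.4 and 5 GHz); a third
# radio nearby beacons the same SSID, unencrypted, on another channel.
SCAN = [
    AccessPoint("CafeGuest", "00:11:22:aa:bb:01", 6, "wpa2"),
    AccessPoint("CafeGuest", "00:11:22:aa:bb:02", 36, "wpa2"),
    AccessPoint("CafeGuest", "de:ad:be:ef:00:01", 11, "open"),
    AccessPoint("Neighbor5G", "00:11:22:cc:dd:01", 44, "wpa2"),
]

# BSSIDs the venue (or your own earlier visit) established as legitimate.
KNOWN_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed capture: eight broadcast deauths inside half a second that
# spoof the real AP as their source, surrounded by ordinary traffic.
CAPTURE = (
    [Frame(0.00, "beacon", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff"),
     Frame(0.10, "data", "10:20:30:40:50:60", "00:11:22:aa:bb:01")]
    + [Frame(0.50 + 0.05 * i, "deauth", "00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff")
       for i in range(8)]
    + [Frame(1.20, "beacon", "de:ad:be:ef:00:01", "ff:ff:ff:ff:ff:ff"),
       Frame(5.00, "deauth", "00:11:22:aa:bb:02", "10:20:30:40:50:61")]
)


def oui(mac: str) -> str:
    """First three octets of a MAC: the vendor-assigned prefix."""
    return mac.lower()[:8]


def find_evil_twins(scan, known_bssids):
    """Return [(AccessPoint, [reasons])] for radios that beacon a trusted
    SSID from a BSSID not on the allow-list. An SSID with no trusted
    radio in the scan is skipped: there is no baseline to compare against.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap.ssid].append(ap)

    findings = []
    for ssid, radios in by_ssid.items():
        trusted = [r for r in radios if r.bssid in known_bssids]
        if not trusted:
            continue
        trusted_sec = {r.security for r in trusted}
        trusted_ouis = {oui(r.bssid) for r in trusted}
        for r in radios:
            if r.bssid in known_bssids:
                continue
            reasons = ["unknown BSSID beaconing trusted SSID %r" % ssid]
            # Strongest signal: an open network wearing an encrypted network's name.
            if r.security == "open" and "open" not in trusted_sec:
                reasons.append("security downgrade: open vs %s" % ",".join(sorted(trusted_sec)))
            if oui(r.bssid) not in trusted_ouis:
                reasons.append("vendor OUI %s differs from trusted radios" % oui(r.bssid))
            findings.append((r, reasons))
    return findings


def deauth_bursts(frames, window=1.0, threshold=5):
    """Return {src: peak_count} for sources whose deauth frames exceed
    `threshold` within any `window`-second span (sliding window per source).
    The source address of a deauth is forgeable, so the burst itself is the
    artifact worth alerting on, not the address it claims to come from.
    """
    per_src = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            per_src[f.src].append(f.ts)

    bursts = {}
    for src, stamps in per_src.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[src] = peak
    return bursts


if __name__ == "__main__":
    for ap, reasons in find_evil_twins(SCAN, KNOWN_BSSIDS):
        print(f"SUSPECT {ap.bssid} ch{ap.channel} {ap.security}: " + "; ".join(reasons))
    for src, n in deauth_bursts(CAPTURE).items():
        print(f"DEAUTH BURST claiming source {src}: {n} frames within 1s")
```

On the constructed data the open radio is reported for all three reasons, and the eight spoofed deauths are reported as a burst attributed to the real AP's address, which is exactly what a client sees: on networks without 802.11w (Protected Management Frames) a station cannot distinguish a forged deauthentication from a genuine one, so the only client-side defences are noticing the burst and refusing to rejoin a same-name network whose BSSID or security level has changed. Whether the attacker can then read the traffic depends on the application-layer encryption (TLS or a VPN) in use over the rogue link.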
P.S.: We should acknowledge that one of the hardest parts of reporting on cybersecurity is illustrating the story. So before doing it this way...
"The 5 types of stock footage you’ll see on the news after a cyberattack" (pic.twitter.com/2f4Gfpfl9U) - VICE News (@vicenews), May 20, 2017
...better follow Eric Vanderburg's advice: "Focus on the human element."
Check out more InfoSec Luminary Lineup discussions on the Authentic8 blog:
- How Can Companies Balance IT Security and Personal Web Access at Work?