Jumping the InfoSec reporting F.U.D. shark
One of the traps information security practitioners often fall into is becoming purveyors of F.U.D.; fear, uncertainty, and doubt. It's an easy sell: organized crime and state-sponsored groups have truly scary/amazing capabilities nowadays, and there's no lack of news about data breaches to stir up concern. People are getting hacked, our systems do have exploitable weaknesses, and there is reason to worry. Complex interconnections between systems often come about through ingenuity and/or necessity rather than by design -- often in spite of it -- making the securing of an environment difficult even for the most technically astute organizations. It's no surprise that, after the Aurora incident came to public light in January, I began to receive plenty of "Google was hacked, are you next?" spam from InfoSec vendors, F.U.D. purveyors extraordinaires.
The difficult thing for InfoSec folks is to remember that our key audience members (i.e. our CIOs and CTOs) are easily exhausted by the constant stream of F.U.D. that is so tempting for us to forward their way. What was interesting about the Aurora story is that it crossed over into the mainstream so quickly that I had my key stakeholders approaching me with questions -- while the story was still fresh and developing -- for the first time in 14 months, i.e. not since Conficker hit the public consciousness thanks to 60 minutes. Our problem in InfoSec agenda-setting is twofold. First, we don't want to wait for the next haphazardly-selected CBS exposé to start the where-to-invest-in-InfoSec conversation with our stakeholders. Second, too often we sound like this guy -- or worse, we write like this guy and get smacked down thusly -- when we raise our heartfelt concerns.
Different companies will have different cadences for this sort of thing. What's been working relatively well at mine is a monthly conversation starter. The template I use is this: 1200 words or less, split into three sections. First: the industry trend; what's happening out in the InfoSec universe that is particularly interesting? Second: the connection; how does that external event have any similarity to or bearing on what we do as a business? Third: the stakeholder takeaways; what new action do I want my counterparts to take? Since I annotate my sources well, it is no secret that I've used Brian Krebs' columns, first at WaPo and then on his own site, for inspiration... almost as much as I've used Wired's Threat Level blog and, more recently, the Info Law Group's blog. This is where I get to jumping the shark.
Krebs typically did interesting investigative journalism, getting inside scoops on data breaches and on the doings of organized crime, especially botnet operators. Lately, he's been on a mission to bring attention to the plight of small business owners who've lost money to organized crime, usually after using a malware-infested PC for their online business banking -- writing prolifically on the subject, to the tune of 32 posts in the last 5 months. Because I'm not responsible for InfoSec at a small business, I haven't been using Krebs' column for inspiration as much recently. However, I couldn't help but shake my head at the article titled Using Windows for a Day Cost Mac User $100,000, which leads off with this sad tale:
We all know how this movie ends. My disappointment is with the over-the-top headline. Why suggest a cause-and-effect? Krebs doesn't need to be sensationalistic - he has great readership; if alexa is to be believed, Krebs has as many readers as crypto pioneer and prolific pundit Bruce Schneier (the Chuck Norris of InfoSec). He also doesn't need to pile on the Windows FUD-fest; he has blogged regularly about his recommendation that small business users should use a dedicated PC, booting from a Live CD, for their online banking. Why the yellow journalism for this particular piece? Certainly, "Employee's family costs company $100K" isn't a fair headline. How about "Company worker violates policy by leaving authorized banking laptop unattended at office?"
Most importantly, how much did "using Windows for a day" contribute as the root cause of this incident? Perhaps I'd feel better if Krebs had gotten professional forensics done on the PC, or at least conducted some interviewing that established that Windows was at fault as opposed to, say, one of the more common entry points for malware: expired AV subscriptions, disabling firewalling or auto-updates, etc. The ironic thing is that, generally speaking, home users of Windows should have an easier time than corporate ones as far as endpoint security goes: the most common products that are exploited (the OS, browsers, PDF readers, Flash, and Java Runtime Environments) all offer auto-updating today -- you have to go out of your way not to be patched, Windows will warn you if your AV subscriptions lapse, and you have to try extra hard to keep Microsoft's Malicious Software Removal Tool from its monthly refresh. It's corporate IT change management rules that -- usually for the best of possible reasons -- tend to inject cautionary delays into these self-preservation mechanisms. As it stands, I now have to read Krebs' latest releases with a little more hesitation before I use them to seed my regular stakeholder conversations with my IT VP's. The last thing I want to do is resell F.U.D. to my trusted partners. Credibility: damaged; shark: jumped.
The difficult thing for InfoSec folks is to remember that our key audience members (i.e. our CIOs and CTOs) are easily exhausted by the constant stream of F.U.D. that is so tempting for us to forward their way. What was interesting about the Aurora story is that it crossed over into the mainstream so quickly that I had my key stakeholders approaching me with questions -- while the story was still fresh and developing -- for the first time in 14 months, i.e. not since Conficker hit the public consciousness thanks to 60 minutes. Our problem in InfoSec agenda-setting is twofold. First, we don't want to wait for the next haphazardly-selected CBS exposé to start the where-to-invest-in-InfoSec conversation with our stakeholders. Second, too often we sound like this guy -- or worse, we write like this guy and get smacked down thusly -- when we raise our heartfelt concerns.
Different companies will have different cadences for this sort of thing. What's been working relatively well at mine is a monthly conversation starter. The template I use is this: 1200 words or less, split into three sections. First: the industry trend; what's happening out in the InfoSec universe that is particularly interesting? Second: the connection; how does that external event have any similarity to or bearing on what we do as a business? Third: the stakeholder takeaways; what new action do I want my counterparts to take? Since I annotate my sources well, it is no secret that I've used Brian Krebs' columns, first at WaPo and then on his own site, for inspiration... almost as much as I've used Wired's Threat Level blog and, more recently, the Info Law Group's blog. This is where I get to jumping the shark.
Krebs typically did interesting investigative journalism, getting inside scoops on data breaches and on the doings of organized crime, especially botnet operators. Lately, he's been on a mission to bring attention to the plight of small business owners who've lost money to organized crime, usually after using a malware-infested PC for their online business banking -- writing prolifically on the subject, to the tune of 32 posts in the last 5 months. Because I'm not responsible for InfoSec at a small business, I haven't been using Krebs' column for inspiration as much recently. However, I couldn't help but shake my head at the article titled Using Windows for a Day Cost Mac User $100,000, which leads off with this sad tale:
David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.
Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.
We all know how this movie ends. My disappointment is with the over-the-top headline. Why suggest a cause-and-effect? Krebs doesn't need to be sensationalistic - he has great readership; if alexa is to be believed, Krebs has as many readers as crypto pioneer and prolific pundit Bruce Schneier (the Chuck Norris of InfoSec). He also doesn't need to pile on the Windows FUD-fest; he has blogged regularly about his recommendation that small business users should use a dedicated PC, booting from a Live CD, for their online banking. Why the yellow journalism for this particular piece? Certainly, "Employee's family costs company $100K" isn't a fair headline. How about "Company worker violates policy by leaving authorized banking laptop unattended at office?"
Most importantly, how much did "using Windows for a day" contribute as the root cause of this incident? Perhaps I'd feel better if Krebs had gotten professional forensics done on the PC, or at least conducted some interviewing that established that Windows was at fault as opposed to, say, one of the more common entry points for malware: expired AV subscriptions, disabling firewalling or auto-updates, etc. The ironic thing is that, generally speaking, home users of Windows should have an easier time than corporate ones as far as endpoint security goes: the most common products that are exploited (the OS, browsers, PDF readers, Flash, and Java Runtime Environments) all offer auto-updating today -- you have to go out of your way not to be patched, Windows will warn you if your AV subscriptions lapse, and you have to try extra hard to keep Microsoft's Malicious Software Removal Tool from its monthly refresh. It's corporate IT change management rules that -- usually for the best of possible reasons -- tend to inject cautionary delays into these self-preservation mechanisms. As it stands, I now have to read Krebs' latest releases with a little more hesitation before I use them to seed my regular stakeholder conversations with my IT VP's. The last thing I want to do is resell F.U.D. to my trusted partners. Credibility: damaged; shark: jumped.
