You can't secure what you don't acknowledge.℠

Sunday, January 8, 2017

Hacking is not just an action, it's an excuse

Given all the ridiculous analyses and "findings" on Russian hacking as of late, such as federal government bureaucrats who said there's no evidence to prosecute Clinton or who claim that the NSA does not collect data on American citizens, yet they're certain that the Russians meddled in the U.S. election - many assertions of which are coming from talking heads with zero experience working in this field - I thought this blog post I wrote back in June of 2011 was worthy of a re-post:


Weiner fallout: "I got hacked" is the new scapegoat

I recently met up with some technology lawyer colleagues after work and we shared our thoughts on the Anthony Weiner "incident". We were talking about how early on in the saga no one but Weiner and the lucky recipients of his tweets really knew what the truth was. Predictably, as we're seeing and hearing more and more these days, Weiner came out and said "I was hacked. It happens to people." In other words, instead of claiming personal responsibility for the issue, he could just claim someone else did it and hopefully wash his hands of the issue.

Don't get me wrong. Companies and people do get hacked, but hacking is not always what caused the problem.

Then it came to us, "I've been hacked" is the new scapegoat. Savvy politicians and business leaders know that getting "hacked" is a generic enough claim that the general public may buy it. After all, many people believe that hacking is this mysterious, intangible "thing" that just happens these days. It's simply dismissed as "Oh well, sucks to be that person or business". Such an excuse is very similar to what I've written about "computer glitches". It's an easy way out.

Interestingly, one thing that hasn't really been discussed in the media covering WeinerGate is how you get to the truth: you do X, Y and Z to reveal what really happened. Be it a simple forensics analysis of Weiner's computer(s) all the way to subpoenaing Twitter for their log files associated with the usernames, dates and times in question, there's a way to get to the bottom of such matters. These procedures are carried out as part of the legal process in countless investigations and lawsuits every day in the US. But we weren't hearing about that.

We now know that a formal investigation wasn't needed with Weiner. However, if you're caught in a bind and need to prove your innocence, the e-discovery and forensics processes have a nice way of working things out...It's all a matter of choice and, I suppose, context.

Perhaps it's time to step back, fix the low-hanging fruit that's putting your business at risk, and move forward with your chin up, willing to take responsibility for information security once and for all. No scapegoats necessary...

Here are some reading assignments for you written by two of my peers - leaders in our field and fellas who have their heads on straight about this Russian hacking storyline:

"From Putin with Love" - a novel by the New York Times by Rob Graham

Of course it was the Russians by Peter Stephenson

I may be wrong...I often am. There are always three sides to every story (yours, theirs, and the truth). Knowing what I know about information security along with politicians/bureaucrats and their motivations, I'm a bit skeptical.

By the way, don't let our rulers in the U.S. fool you as this country has been meddling in foreign elections for years - perhaps a bit more legitimately:
https://www.theguardian.com/commentisfree/2017/jan/05/americans-spot-election-meddling-doing-years-vladimir-putin-donald-trump

http://www.latimes.com/nation/la-na-us-intervention-foreign-elections-20161213-story.html

http://www.npr.org/2016/12/22/506625913/database-tracks-history-of-u-s-meddling-in-foreign-elections
