Don't Be Fooled by InfoSec Hasty Headlines


This RVAsec 2015 talk covers the rise in data breaches, their impact on companies like Anthem and Target, how cyber security journalists shape public perception, and the disconnect between what makes news and what actually matters to an InfoSec team.

  • InfoSec
  • Data Breaches
  • Cyber Security
  • Impact
  • Journalism

Uploaded on Mar 10, 2025



Presentation Transcript


  1. Hasty Headlines in InfoSec: Don't Be Fooled by Everything You Read
     Michelle Schafer, VP, Security Practice, Merritt Group
     Tim Wilson, Editor-in-Chief, Dark Reading
     RVAsec 2015

  2. Breaches and Their Impact
     Incidence of Data Breaches Is Up
       • Verizon Data Breach Investigations Report (DBIR) counted almost 80,000 security incidents in 2014 (of which roughly 2,100 were confirmed data breaches)
       • Most companies are collecting more event data than ever before
       • Threat intelligence data indicates more activity than ever before
     Cost of Data Breaches Is Up
       • Average cost of a major data breach is about $3.5M, up 15% from the year before (Ponemon)
       • Average loss is about $145 per record, up 9% from the year before (Ponemon)
       • The majority of costs are associated with brand damage and loss of future business, areas that are not covered by cyber insurance (Aon Corp.)
     Size of Data Breaches Remains High
       • Anthem: 78.8 million records affected
       • Target: 110 million records, $148M, one CEO, one CIO
       • Sony: $35 million in 2014; $171 million in 2011

  3. Breaches and Their Impact
     Target (2013)
       • Extremely visible; affected as many as 70M to 110M people
       • Resulted in lawsuits, brand damage, changes in patronage
       • CEO and CIO eventually resigned
     Sony (2014)
       • $35 million lost; movie content and other intellectual property stolen
       • This was on top of the $171 million lost via breaches in 2011
       • Brand damage/political issues ensued
     Anthem (2015)
       • 78.8 million records affected
       • Downstream breaches at CareFirst
       • No executives lost their jobs; company business barely affected
     The Target breach has become an iconic blunder. But others have been larger. Why don't we talk about those?

  4. Who Reports on Breaches?
     Cyber Security Journalists
       • Reporters are evaluated by how much audience they can drive; they're looking for the big story (the one that will interest the most readers)
       • Reporters are looking for stories that will interest the average person on the street, or a business that everyone has heard of
       • Reporters are looking for breaking news that has immediacy and impact (zero-day stuff)
     Driven By Advertising
       • The more content/pages they serve, the more money they make
       • Most are looking to define a specific demographic that makes them seem unique to the advertiser
       • They compete with each other for advertising dollars
     The newest, most novel and most widespread threats get the highest play. But are these the same priorities used by security pros?

  5. The Disconnect: What's InfoSexy Isn't Always What's Most Important
     The News Can Be Informative Or Popular. Pick One!
       • Target is sexy: there's an element of fear, intrigue, people being fired
       • Some companies (with good PR) knew enough not to say very much; the impact of their breaches was minimized
       • Readers are given a skewed perspective on which breaches are important: if it affects consumers or executives, it gets more play (Sony/The Interview)
     What readers read doesn't always reflect what they need. As an agenda-setter for real security issues, the media isn't always a good yardstick. Why is that?

  6. What Influences The News?
     Reporters Are Humans Too!
       • Most are overwhelmed with security news moving at a lightning pace
       • Most don't have time to do deep research
       • They often grab the low-hanging fruit on deadline, and often have to file 2-3 or more stories per day
     What They Love
       • Compromises that are new and affect companies readers know
       • Breaches affecting thousands of people and their money
       • Fear
     What They Don't Love
       • Breaches with little verifiable impact
       • Deeply technical breach stories, and companies that no one knows
     What you see in the news often is what's easiest to write!

  7. Who Influences The News?
     Vendors/Public Relations
       • Vendors/researchers who have access to reporters and trusted relationships (Bruce Schneier, Shawn Henry)
     Twitter/Social Networks
       • Twitter is faster than any news outlet
       • Buzz often starts a story wave
       • Influential tweeters carry more weight
     Other Media
       • One story often creates a wave of stories
     Search Engines
       • Google and Google News are huge drivers of traffic
       • Publications write stories that are optimized for search engines (SEO)
     Reporters are influenced by the same stuff you are: what's on Twitter, what's on the Web, what people are talking about.

  8. Why Do Some Stories Get So Big?
     Big Numbers
       • Target, Home Depot, JP Morgan
     Big Names
       • Breaches at well-known companies (eBay, Adobe)
       • Breaches flagged by respected authorities (FBI, Microsoft, Apple)
     Big Claims
       • "First" or "Biggest" or "Most Dangerous" (Heartbleed, Bash/Shellshock)
     Unusual Threat Actors
       • China/corporate espionage
       • Politically-motivated attacks (Syrian Electronic Army, Anonymous)
       • Highly sophisticated attackers (Stuxnet)
     Reporters build on stories that lots of readers can relate to, and stories that have already gotten a lot of attention.

  9. How Do News Stories Resonate?
     Social Networks
       • Security news often breaks on Twitter
       • Media vets story ideas through key influencers
       • Influencers might be influenced
     Search Engines
       • Google/Bing/Yahoo! Search
       • Media spends a lot of time on SEO
     Crowdsourcing What's Hot
       • Slashdot effect
       • Trending topics: Google News, Yahoo News
     Competing for Eyeballs
       • Everyone is looking for traffic
       • Some stories are sensationalized
       • Others are optimized for search engines

  10. Underreporting and Overreporting
     In a Web Full of Sources, Reporters' Perspectives Are Skewed By A Small Number of Influencing Forces
     Reporters Are Drawn To Sources They Trust
       • They don't always have time to vet new sources
       • If another pub has written about it, it's probably safe to cover
       • If they've written about it before and gotten good results, they will be inclined to write about it again
     Reporters Are Drawn To Easy or "Home Run" Types of Stories
       • A new breach or vulnerability
       • Scary industry studies, or remarks by well-known or high-ranking execs
       • Far-reaching vulnerabilities (Heartbleed)
     ...leaving more impactful and complex stories behind!

  11. How Do InfoSec Pros Get Their Information?
       • Twitter/social media: fast info from people they trust
       • Co-workers/colleagues: second-hand info from people who ought to know what they're talking about
       • Top executives: second-hand info from people who have no idea what they're talking about
       • Vendors and service providers: a patch is a warning
       • Security information portals (SANS, CERT)
       • Google/search engines
       • Security researchers/bloggers
       • General media
       • Security/trade media

  12. How InfoSec Pros Prioritize Their Response
       • Executive mandates: CEO says it's important
       • Executive mandates: CEO read about it in the Wall Street Journal
       • Vendor mandates: critical patches issued
       • Compliance mandates: auditor or software tells you you're at risk of failing
       • Industry mandates: CERT or industry group alerts
       • System mandates: indicators say you might be at risk
       • News reports: attacks in your industry, or vulns discovered in software that you have
       • Your own well-considered security priorities
     Prioritization is not always the security pro's decision!

  13. News Priorities and IT Priorities Are at Odds
     The Media Doesn't Know Your Environment
       • Hot threats or highly-publicized breaches might not even affect your organization
       • Small, targeted attacks/exploits might not appear in the news at all
     Your Top Executives Don't Know the Media
       • Their news sources (general business press) are not as security-savvy as yours
       • They don't know your IT environment either; knee-jerk reactions to big news stories may be completely misplaced
     You Need Your Own Filter
       • What's hot in the news might not be what's important to your organization

  14. Tips and Recommendations
     Don't Let the Media Set Your Agenda
       • Too often, the news changes security pros' perspective
       • Story waves can affect prioritization of security tasks
       • Perception becomes reality
     Security Pros Should Read News More Like Financial Analysts
       • Big trends should be understood, but they don't always affect your work decisions
       • Drill into the specific areas that you are investing in
       • Recognize that your decisions may be different from those of other respected experts
       • Focus on YOUR reality, not perception
     The Impact of the News Depends Largely On Who You Are
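Slides 12 through 14 boil down to one practice: run every "hot" story through your own filter (what do we actually run, and how exposed is it?) instead of letting headline volume set the queue. The following is an added example written for this page, not code from the RVAsec 2015 deck or its presenters. It ranks a constructed feed of news items against a constructed asset inventory; every product name, version, hostname and headline in it is invented for illustration, and the "buzz" field is carried along only to show that it plays no part in the ranking.

```python
"""Filter security news against your own environment.

Added example for this page, not part of the RVAsec 2015 deck: a small
triage routine that ranks incoming news items by whether they touch
assets you run and how exposed those assets are, ignoring how loud the
story is. Every product, hostname and headline below is constructed
sample data, not a real product or advisory.
"""
from __future__ import annotations

from dataclasses import dataclass

PRIORITY_ORDER = {"urgent": 0, "high": 1, "scheduled": 2, "noise": 3}


@dataclass(frozen=True)
class NewsItem:
    headline: str
    product: str                        # normalized product name the story is about
    affected_prefixes: tuple[str, ...]  # version prefixes affected; empty = all versions
    exploited_in_wild: bool             # the story reports active exploitation
    buzz: int                           # social-media volume; deliberately NOT used for ranking


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    priority: str
    headline: str
    hosts: tuple[str, ...]


def affects(item: NewsItem, asset: Asset) -> bool:
    """True if the story's product and version range cover this asset."""
    if item.product != asset.product:
        return False
    if not item.affected_prefixes:
        return True
    return any(asset.version.startswith(p) for p in item.affected_prefixes)


def classify(item: NewsItem, hits: list[Asset]) -> str:
    """Priority comes from what we run and how exposed it is, never from headline volume."""
    if not hits:
        return "noise"
    exposed = any(a.internet_facing for a in hits)
    if item.exploited_in_wild and exposed:
        return "urgent"
    if item.exploited_in_wild or exposed:
        return "high"
    return "scheduled"


def triage(news, inventory) -> list[Finding]:
    """Match each story against the inventory; sort by priority, then by number of hosts hit."""
    findings = []
    for item in news:
        hits = [a for a in inventory if affects(item, a)]
        findings.append(Finding(classify(item, hits), item.headline,
                                tuple(a.hostname for a in hits)))
    findings.sort(key=lambda f: (PRIORITY_ORDER[f.priority], -len(f.hosts)))
    return findings


# Constructed sample feed: two very loud stories about things we do not run,
# and three quiet ones about things we do.
SAMPLE_NEWS = (
    NewsItem("Critical flaw in WidgetCMS hits millions of sites", "widgetcms", ("4.",), True, 9000),
    NewsItem("Researchers find bug in AcmeVPN appliance", "acmevpn", ("2.1",), False, 40),
    NewsItem("Biggest breach ever at MegaRetailer", "megaretailer-pos", (), True, 25000),
    NewsItem("Quiet patch for libfoo parser", "libfoo", ("1.",), True, 12),
    NewsItem("Minor issue in BuildTool CI runner", "buildtool", ("3.0",), False, 5),
)

# Constructed sample inventory (one row per product per host).
SAMPLE_INVENTORY = (
    Asset("vpn-edge-01", "acmevpn", "2.1.3", True),
    Asset("www-01", "libfoo", "1.9.0", True),
    Asset("build-07", "libfoo", "1.4.0", False),
    Asset("build-07", "buildtool", "3.0.2", False),
    Asset("intranet-wiki", "libfoo", "2.0.0", False),   # outside the affected range
)


if __name__ == "__main__":
    for f in triage(SAMPLE_NEWS, SAMPLE_INVENTORY):
        print(f"{f.priority:9} {f.headline:50} {', '.join(f.hosts) or '-'}")
```

Run it and the two stories with the most buzz land at the bottom as noise, while the quiet libfoo patch, which is exploited and sits on an internet-facing host here, comes out on top. In practice the inventory would come from your CMDB or scanner export and the feed from a vendor or CERT source; the point is that the ranking key never includes anything about how widely a story was shared.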

  15. What If Your Organization Is The Victim?
     Have a Breach Response Plan In Place
       • Understand how the media will respond
       • Disclose what you must to authorities (notification laws and contracts set that floor), and even less to the media
       • Be accurate in your statements, but sparing in details
       • When possible, turn breach news into a positive (Heartland, Johnson & Johnson)
     Recognize All Aspects of Potential Impact
       • Short-term investor damage
       • Long-term brand damage
       • Loss of trust among customers and suppliers
       • Loss of credibility within your industry
     Understand all of the potential impacts and have a plan to respond to each

  16. Key Takeaways
     Security News Is Not Always Created Objectively
       • Many influences can affect a reporter's choices
       • Reporters are driven by audience; security managers are driven by criticality/risk
     Use the News to Your Advantage, But Don't Let It Set Your Agenda
       • Infosexy threats aren't always the most dangerous to your enterprise
       • Track lots of different media to find information on the specific threats that might affect your organization
     Be Prepared to Fight Back Against Execs Who Want a Knee-Jerk Reaction to Breaking News. You're the Expert on Reality!

  17. Questions and Answers
     Tim Wilson, Editor, Dark Reading: www.darkreading.com, wilson@darkreading.com, (703) 262-0680
     Michelle Schafer, VP of Security Practice, Merritt Group: www.merrittgrp.com, schafer@merrittgrp.com, 703-403-6377
     Slides Available Upon Request
