Showing posts with label security. Show all posts

Monday, February 08, 2010

Security PR: Article Series

In a five-part article series on Dark Reading, I explored how tech and security companies can be more successful with PR, and build their brand by discovering the wealth of resources they already have.

Many companies I contract with ask me one of the following questions: What is a good PR strategy for releasing a security vulnerability? What if we have nothing to say to reporters? Many people speak of social networking; what's real? How do we get our name out there?

A previous series of articles I wrote was on Lessons I Learned from Cybercrime.

I started this series on PR almost by accident, when discussing why some security blogs are more successful than others, and continued with articles trying to answer some of the other questions.

The Secret Sauce For Security Blogging
About how some security blogs manage to engage their audience better than others and make their readers feel more in touch with what's happening -- on top of earning credibility.
Security PR: How To Talk To Reporters
Here are some tips for security professionals and security public relations representatives on how to pitch reporters when you have something new and exciting to share.
Security PR: How To Disclose A Vulnerability
When your team discovers a new security vulnerability in a third-party product, there are ways to handle it correctly to achieve maximum visibility.
We Have Nothing To Say -- Or Do We?
The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?
'Brand' Your Employees
You might want your product to be in the news every day, and for your PR to create miracles for you. But if you want attention, then your company must speak out on big security issues and news. But there are challenges, and your employees may be the answer.
Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Tuesday, September 29, 2009

Medical Vaccines as an Analogy to Information Security

In the information security field, we often encounter an ethical dilemma. Should information become public, so that people can protect themselves, or better decide how to do so? Or should it remain secret so that larger harm is prevented? The world of vaccines shows us how medical professionals deal with the same issue.

I recently wrote a blog post on an unrelated subject, vaccines and their risks. I have been gathering information on whether they are safe for some time now.

While they are, in fact, safe in the vast majority of cases, there is no easily available information online about the risks associated with vaccination. Most of this data, therefore, is found on scare-monger websites that spread fear, uncertainty and doubt.

Whatever reasons vaccine professionals have for taking the party line, we can assume one of them is that they do not want public debate, to avoid the risk of more people not vaccinating, potentially increasing the death toll and causing epidemics.

The similarities don't end there, and it is truly fascinating. For example, the World Health Organization (WHO) monitors disease globally, detects new epidemics and responds accordingly, thus also monitoring the success of vaccines.

An interesting anecdote concerns global risk analysis: regulation trumps personal liberties worldwide in vaccination programs for newborn babies, as the risk of epidemics outweighs the infringement. Some people claim that this is no longer the case, and that these programs need to be re-examined. They seem to be wrong, but information is not easily available online. It is interesting to note that once such a program has succeeded, I very much doubt society would easily change it even if it were no longer helpful, much as I am sure it was difficult to initiate the program to begin with.

I doubt such regulation will happen in information security, but a common stance on emerging threats, such as vaccine developers and medical doctors have, could be highly beneficial to our field when approaching the public.

Many interesting strategic and psychological lessons can be learned by examining this field, when compared to information security.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 11, 2009

Lessons I Learned from Cyber Crime, an Article Series

I have been slow in updating this blog due to blogging on Dark Reading. I will make amends and start updating here more often. I will also start to cover my more interesting Dark Reading posts here. You can also read my personal blog, where I write about things I find interesting, or funny.

A few months ago I wrote a short series on some of the lessons I learned from the world of security and cyber crime: about systems and networks, people and communities, and finally, projects and making things happen. The first one begins with:
"The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.

How do you herd cats? In a series of blogs starting today, I'll explore the history of fighting cybercrime and how and why certain solutions worked while others failed, how we can recreate success, and what lessons we can distill to build business solutions, effect change in communities -- and even fight terrorism."
The three posts in question are:

1. Lessons From Fighting Cybercrime
"... Criminals were forced to evolve in a desirable direction, which is a victory on its own. Evolution in capabilities occurs to circumvent security measures. By limiting the spammers' options they evolved to a technological battleground where we have more control."
2. Lessons From Fighting Cybercrime, Part 2

"... It enumerates ways by which "new" and "amazing" suggestions on solving the spam problem go wrong... If only "everyone" (or most people) used their solution or "forced users" to act counter intuitively (and similar truisms), spam would be "gone". It is well worth a read.

Trying to map how some solutions work while others can't even get off the ground and seeing how communities and social systems change is fascinating. The examples above and many other lessons of fighting cybercrime are illuminating. Especially when we consider they are mostly derived from failures of technical solutions to solve a human problem, a common design fallacy this day and age."

3. Cybercriminals: More Obvious Than They Think?
  • "...Let me pose it this way: It's a hot summer day, and you're drinking a beer at the beach. People are having fun and relaxing. Suddenly, you see a person wearing a heavy coat. Is this suspicious?"
  • "... Encryption is a great tool, but it also draws attention to you for using it. In your organization, how likely is an attacker to identify important resources just by watching for encrypted traffic? In some cases, it may be better to stay obscure, in the background as noise, than to use encryption. If the malware sample is new and therefore undetected by antivirus, then the same unfortunately applies to malware authors."
I hope you find these posts interesting. Do share your thoughts with me. Any anecdote, epiphany or even just an insight from your own experience will be appreciated.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron