On one of the podcasts I listen to, two of the hosts questioned whether the publicity around recent security vulnerabilities is a good thing.
As a security professional who once studied journalism, I think it’s a very good thing, and it’s going to get better. I liken it to the rise of computer virus awareness. You see, it used to be that a computer virus would hit the news once every five years or so. Then, in the late 1990s when a string of effective viruses hit, it became news, and people started to pay attention. People who couldn’t have cared less about antivirus software and firewalls suddenly started caring overnight.
The mainstream media reporting of viruses was terrible, but it got people asking questions, and eventually they got a bit better at it.
Today, the mainstream media reporting of security is beyond terrible. Heartbleed is not a virus, and the current vulnerability in Internet Explorer is in no way related to Heartbleed, but at least the media is talking about this stuff, and believe me, I’m getting questions. People are talking about it, and they’re learning. The people who report on this stuff will learn, too.
Yesterday I saw a report of a vulnerability in a baby monitor. Someone hacked into one and started screaming at a baby until the baby’s parents turned it off. Despicable? You bet. News? Hardly. I heard of another incident just like it a year ago, but I heard about that one on the Pauldotcom security podcast. This time, I saw it on Google News. Then I saw it again lots of other places, including Facebook.
Now, people who thought nothing of putting a baby monitor outside their firewall are questioning that decision. That’s good. You don’t want anything personal on the outside of your firewall. Making a baby monitor capable of being checked remotely from a smartphone while still being secure is tricky. That’s why nobody is doing it yet. But now consumers will demand it, and that’s a good thing. Maybe that means they’ll question whether their light bulbs need to be accessible from the Internet too, and this is the time to be having that discussion, before half a million people have them and unwittingly expose their networks to vulnerabilities that will last until those light bulbs burn out, which is likely to be more than a decade.
Would I prefer that the news anchors on the national evening newscasts talked more intelligently and in depth about computer security? Sure I would. But poor coverage is worth a lot more than no coverage. People go to unbelievable lengths to get their cause mentioned in any news outlet at all, so discussion in the media about computer security is a good thing.
I guess that brings up one other point. A few weeks ago, a colleague’s phone rang. It was a reporter. The reporter asked a few questions my colleague wasn’t comfortable answering, then asked to speak with the CIO. He told the reporter he couldn’t accommodate that request.
Now, according to corporate policy, my coworker did exactly the right thing. We’re both fairly high-ranking, but neither of us is authorized to speak with the media. A good security professional needs to look out for his or her employer’s interests and not speak when not authorized. I guarantee you that if I told a reporter that a given company had a couple hundred servers vulnerable to Heartbleed, it would end up in the paper, and then all sorts of bad things would happen. That’s why those rules exist.
But in the interest of promoting security awareness, it would be a good idea to know who in the organization is authorized to speak to the media, so that in the event a reporter does call, the reporter gets good information without harming the company. This promotes security awareness, especially if that person is able to foster a good working relationship with the reporter so there’ll be another phone call the next time something security-related hits the news. If that kind of follow-up happens, it’s good publicity for the company. If other security professionals see someone from your company speaking intelligently about security in the newspaper, they’re more inclined to be interested in working there when the time comes to start job hunting.
And trust me, as someone who spent some time as a newspaper reporter, I can tell you that if someone is willing to talk to a reporter, the reporter will call back. Reliable sources aren’t easy to find. So it’s better for a competent, authorized person to take five minutes out of his or her day every once in a while to talk sense to a journalist, so the journalist doesn’t end up calling the place down the street, where they’ll talk to that guy who’s always spewing nonsense. Good security professionals know a quack when they hear one, but the media won’t, and it’s better for everyone if the good advice is what ends up in the papers.