For this new DefCamp edition, CYBER Media has brought information security specialists together to help increase awareness of cyber security issues. Curiosity pushed me to ask how cyber security and media relations interact, how effective awareness campaigns really are, the details behind disclosing vulnerabilities and the best advice for journalists’ protection. Also, a few speakers revealed their expectations about DefCamp and shared some advice for Romanian companies and for local cyber security specialists.

Everybody is talking about cyber security awareness. From your experience, what kind of actions/activities do you believe are most effective to increase trust and create awareness?

Raul Alvarez, Fortinet:

People check their emails daily and it is one of the common vectors for an attacker to get into your system. Training is one of the most important ways to increase awareness in the workplace. Every company should have regular training exercises for people to get used to handling events and scenarios about cyber security, including how to handle email attachments properly.

Yehia Mamdouh, DTS-Solution:

From Organizations side: I have seen many organizations increase awareness in very wrong ways by sending email reminders only warning the employees about clicking on suspicious links or installing malicious software, which is not effective at all because criminals are getting smarter these days and use sophisticated attacks. The best actions to raise awareness for companies is to have monthly security awareness training for every employee in the organizations. This training should include explaining all modern attacks and the latest methods of social engineering, physical attacks, etc. Second, you should attack yourself before any criminal does. Try to implement those training sessions for your employees: create phishing emails, spoof SMSs, use vishing and see how your employees respond to your attacks. This is how you will really increase awareness.

As far as the media is concerned:  In my opinion, better actions that the media can take to increase security awareness is to interview more security experts, to discuss more topics, not only online, but also in the written press and on TV. Also, focusing on discussing and reporting solutions to global incidents should be equal to focusing on the impact of the incident itself, especially incidents that use social engineering techniques.

Inbar Raz about the distortions of infosec by the media:

The fact that all hackers are portrayed as bad, and that legitimate vulnerability research is presented as criminal and bad. The ethical vulnerability researchers are working to make the world a better place by forcing the vendors to fix their products and exposing their negligence at times. (read the interview)

What is your point of view about the best case scenario regarding vulnerability disclosure? Can the media be involved in this action plan? How?

Raul Alvarez, Fortinet:

There are different aspects involved in vulnerability disclosure. One of the important ones is to follow the proper vulnerability disclosure procedure that should be in effect whenever a security researcher found a weakness in a system. There is also a waiting period where the involved party should be given a chance to patch the vulnerability. The media can be involved by telling it to people after every proper step is executed regarding the said vulnerability.

Yehia Mamdouh, DTS-Solution:

It’s very hard to say what is best case scenario regarding vulnerability disclosure because every vulnerability disclosure philosophy have advantages and disadvantages if we compare Limited Disclosure and Full Disclosure. For example, Limited Disclosure means only some information about the vulnerability is disclosed.

The goal is typically to slow down the reverse engineering process and exploit development long enough for a fix to be developed and deployed, which is an advantage of Full Disclosure. By releasing a vulnerability into the open, you unlock a Pandora’s Box where unsavory individuals are able to rapidly and easily produce exploits, and compromise vulnerable systems. But on the other hand, vendors are more motivated to respond quickly. Vendors are often quite slow to respond to security notifications in normal cases.If I were forced to choose one philosophy, I will choose Coordinated Disclosure, in which the specialist who reports the vulnerability informs the vendor and suggests a timeline for disclosure. This allows the person who reported and the vendor to collaborate to fix the security issue.

Yes, the media must be involved in the action plan. Actually, the media has an essential role when it comes to vulnerability disclosure, specially in Full Disclosure scenario. By reporting it, it effectively puts pressure on vendors that usually don’t devote the necessary attention to critical security issues in their products, and limits the number of attacks on the vulnerable system. Reporting on this also allows the public to find out about the existence of a vulnerability as well as the way to resolve it. We can use WannaCry ransomware as an example. In this case, the media played a big role in helping increase security awareness for the general public.

What do you think about the relation between cyber security and media? How cyber security can help or damage the reputation of the media? Do you consider the connection vulnerable to cyber threats?

Raul Alvarez, Fortinet

I personally believe that media and cyber security can work together hand-in-hand, as long as, proper procedures are followed. A good research and a proper dissemination of information will greatly help the people in general.

Yehia Mamdouh, DTS-Solution:

Today, most media and broadcasting companies are operating in online environments. Keeping their viewers updated with the latest breaking news the sense of urgency for cyber security has increased due to the emergence of IP everywhere in the media value chain.

Media and entertainment industry revenues are based largely on personal relationships; data breaches can cause irreparable damage to an organization’s reputation. Imagine website forced offline and becoming unavailable to customers, therefore, represents a serious business risk. Of course, cyber security helps the reputation of the media by protecting privacy and sensitive data, and yes, connection is vulnerable to cyber threats which require in first to identify those threats in the first place.

What are the most dangerous cyber security threats to media businesses?

Yehia Mamdouh, DTS-Solution:

In the last few years, we have more than 25% have experienced cyber-attacks. Most dangerous attacks that targeting Media and broadcasting is Advanced Persistent Threat (APT) groups and activists groups which they determine to further their own political agenda, whether they are criminals, want to steal data or nation-state, want to influence content.

Another dangerous cyber threat that target media and broadcasting companies (Malvertising) which is refer to using online adverting to spread malware, which allow online attackers spread malvertising through news websites.

Also Distributed Denial of Service (DDoS) attacks pose a particular concern to news media companies as so-called hacktivists attempt to take over media websites for political purposes. DDoS attacks are also frequently used to mask or divert attention from other malicious activity.

Can you provide a list of the 3 most important recommendations for journalists to keep themselves safe in cyberspace?

Yehia Mamdouh, DTS-Solution:

Don’t attract attention –Stay Hidden: the first to keep in mind all the time is that law enforcement or the intelligence agencies can monitor and spy on anybody. Acknowledging this idea will keep you more safe. So, before we talk about protection and many security solutions or software, the journalist should keep as low of a profile on the internet as possible all the time. Don’t draw their attention in the first place, and keep quiet by masking your identity and your location. Change your computer and smartphones from time to time, use search engines that don’t track your searches like duckduckgo or startpage, and if you suspect you are being monitored, keep doing other activities like talking to friends on social media sites – watch movies. It gives them something to monitor and use other devices for your work.

Use Encryption Everywhere:  Also, before we talk about encryption (don’t leave any sensitive data on your computer) keep your information on flash drives and portables hard drives, that make your computer and smartphones dummies if it get compromised – don’t leave any footprints. Metadata is being collected from ISPs (email recipients, usernames, or dialed phone numbers), so use the TOR browser for communication. Use secure chat that supports end to end encryption (like Ricochet or Telegram), and end to end encrypted email providers like Protonmail for protecting sources, encrypt your hard drive and flash.

Be Aware:  The weakest link in security is the human. Criminals, law enforcement and intelligence agencies use social engineering to compromise machines by installing malware and backdoors in the machines through spoofed emails, social media posts which have shortened link, which confuse recipients about where those links are redirecting to. Be aware of what you click because, if your machine is compromised, all encrypted emails and chats will be exposed.

René Freingruber, SEC Consult: 3 security habits of infosec specialists that even home users can apply

Use a password manager to generate and use unique passwords per website and don’t use the same passwords for work and private stuff. Keep your system and software up-to-date. If you receive an e-mail or a message, be cautious and precisely check the sender (misspelling, different domain, etc.) and the content (Does the person typically write like this? Is there something strange with the message? Is the attachment doing strange stuff like showing uncommon dialogs, security warnings, etc.? Does the message ask for actions like to open a document, download a file, enter credentials, and so on?). In general, common sense together with a little bit of paranoia is a good combination to stay safe on the internet. (read the interview)

Inbar Raz: The most important two are data backup and unique passwords

1) Data Backup – If something is very important to you, have another copy of it somewhere. Preferably offline (unlike an external hard drive that’s always connected).

2) Unique Passwords – Your passwords must not be used in more than one place. You can argue and complain, but this is an undeniable truth. Leaked passwords are fed to automatic scanners that try them at major services. Make even a small change, but make it. (read the interview)

What are your expectations from DefCamp? Would you have some advises for Romanian companies and for the local cyber security specialists?

Raul Alvarez, Fortinet

I have been to DefCamp twice. This is now my third time. It is always a pleasure to present at DefCamp. Each and every year, DefCamp has something new to offer: new trainings, new villages, and new presentations.

My advice to companies, and not only for the Romanian ones, is to keep your system up to date with the latest technologies in security. You need to have layers of security, and most importantly, train your people regularly on cyber security.

For local researchers, it is wise to attend security conferences and events such as DefCamp or BSides events. You will learn a lot from experts with diverse background and skills. And of course, keep reading books and practice a lot.

Yehia Mamdouh, DTS-Solution:

I was a speaker at DefCamp in 2016 and honestly, it was beyond my expectations! They were well organized, they picked mostly new and advanced topics in cyber security, they support startup companies, they added more CTF villages so seeing how DefCamp is growing every year is great. I will not share my expectations, but I will say that my wish is for them to keep growing.

My advice for Romanian companies is they should provide practical security awareness training to their employees which is not limited to the security division. Securing company assets and data is a responsibility that should be shared by every employee. They should focus more on securing human behavior because any smart criminal will use human exploits more than using 0days.

My advice for local cyber security specialists, especially those engaged in red team activities – not to limit your job to only exploiting and reporting vulnerabilities. Try to also create teachable moments for those who are vulnerable. Collaborate to create new projects, no matter if they are defense or offense projects, which will add more security layers against criminals.

Follow #DefCamp on blog, Facebook, Twitter and YouTube.

Editor: Andra Zaharia

Știri Resurse awareness cyber security awareness cyber security specialist DefCamp DefCamp2017 digital media front hacker journalism journalists protection jurnalism mass-media media protectie securitate cibernetica vulnerabilitate vulnerability disclosure