4d4m
Newcomer III

Innocent until proven guilty? Not in the cyber world

Hi all

I read on Twitter yesterday about a well known ticketing company breach, and the following calls for fines, GDPR messages, finger pointing, and on, and on. This has since been discovered to be a vulnerability in the chat bot they used on the site - a line of products worth looking at I think, which I am doing.

I am not defending the company and have no axe to grind either way, but what happened to innocent until proven guilty? What happened to blaming the criminals who stole details and used them for whatever purpose - maybe even to fund slavery, or worse? Would it be better pointing the majority of energy at the real bad folk?

I am quite bored of trial by Twitter now, and I don't think it puts the security community in a good light - well some of it.

We should be helping to share knowledge on how to protect, detect, and respond to threats, and not blaming at the first sniff of a leak/weakness.

Imagine a different headline "victim company x hacked by criminals, cyber security folk help plug the gap and go thwart the baddies".

Welcome any other views! Maybe I have it all wrong.

Adam

3 Replies
Baechle
Advocate I
@4d4m wrote:

Imagine a different headline "victim company x hacked by criminals, cyber security folk help plug the gap and go thwart the baddies".

Adam,

I personally completely agree with your basic assessment. The victim company probably should have engaged a public relations ("PR") person or organization a long time ago in preparation for this day. I personally believe that organizations should consider coordinating the initial engagement of PR, an experienced Forensic consultant, and either inside or outside counsel prior to experiencing an incident. The resulting PR could well have been what you suggested here.

As more and more companies experience problems, I think you'll see organizations adapt to the concept that they will eventually have an incident and be prepared to respond; and others that continue to ignore security problems until they're forced to deal with it who will experience growing brand damage.

Sincerely,

Eric B.

denbesten
Community Champion

A related issue is rush to judgement.  Social media, instant messaging and 24-hour news all drive the demand for immediate answers to "who did it", "what was their motivation" and "How are you going to fix it".  No longer are we willing to wait for the police to process the scene, for the investigators to run tests or for the judges to issue rulings.  Instead, we seem perfectly happy for self-proclaimed experts to issue proclamations based on a few news postings with tabloid-level investigative journalism.

Baechle
Advocate I

William,

You raise a good point, especially about social media. A handful of my friends are severely influenced by rumor and conjecture-as-fact spread through social media platforms. I’ve even had folks outright reject a link to a U.S. federal statute as being the law (and these weren’t Sovereign Citizens)… because it conflicted with whatever the social media rumor was about what the law says.

It’s extraordinarily disappointing how many people fail to apply basic critical thinking and fact checking. Instead it appears whatever “news” releases first and loudest is the dominant belief regardless of its accuracy. Another reason to have a dedicated PR person/firm on hand to flood MyBook, FaceSpace, Snapster, etc. with the media you want out first and repetitively.

@denbesten wrote:

Instead, we seem perfectly happy for self-proclaimed experts to issue proclamations based on a few news postings with tabloid-level investigative journalism.