Consequences are for the little people

In This Issue:

  • Name brand headline breaches highlight our universal vulnerability
  • The Internet of Things was never good, but Acohido says driverless cars will save us
  • "The end of trust" is not a new idea, but is apparently now available as a free ebook
  • You have to start somewhere: learn your regulatory environment ABC's

Breaches at large brands highlight our universal vulnerability

h/t: Brian Krebs - KrebsonSecurity

Some people believe that consequences are for the little people. They ignore information security because data breaches could never happen to them. Even if they did, it could hardly be their fault, now could it? And they don't need to secure the data in their care, because it doesn't really matter anyway.
One would hope some of the data breaches being analysed in depth this week would begin to reverse those sorts of attitudes. Exploration of the Marriott breach has yielded some excellent analyses. Check out What the Marriott Breach Says About Security, and Massive Marriott breach continues seemingly endless run of successful hacks.

If the Marriott breach doesn't offer a dose of reality to those in charge of infosec budgets, maybe the Atrium Health breach will. Atrium Health data breach exposed 2.65 million patient records and Atrium Health data breach highlights lingering third-party exposures both offer excellent early takes on the topic. Atrium itself wasn’t breached, but a subcontractor of theirs was, and Atrium’s reputation is the one taking a pounding.


The larger the organization, the more likely it is that someone with a carpe diem attitude to information security holds a position of power. Identifying these individuals, and drawing up plans to educate them on the topic – whether openly or by stealth – is a fundamental part of information security. In the end, it's the people who are always the biggest risk, and that starts with general attitudes.


The Internet of Things was never good, but Acohido says driverless cars will save us

h/t: Byron V. Acohido – The Last Watchdog

When industries fail to police themselves, governments step in to regulate them. All new industries go through the same cycle: markets are founded in a mad rush of innovation and disruption that races ahead of the law (think Uber). Regular people get the pointy end (that "consequences are for little people" thing rearing its ugly head again), and eventually those people vote in lawmakers who rein in the handful of large oligopolistic players left standing in the now-mature market. There's usually a failed attempt at industry self-regulation before the lawmakers really tighten the screws, but that rarely lasts very long.

The Internet of Things is entering the "failed attempt at industry self-regulation" phase. People are starting to get tetchy about how universally crap their internet-connected thermostats, door locks, lightbulbs, and life-critical medical equipment are. It's costing organizations real money: New DigiCert poll shows companies taking monetary hits due to IoT-related security missteps.

This experience has soured the general public on turning our society over to the driverless zombie chatbots of tomorrow, and people who matter are starting to notice. If and when driverless cars become a thing, they would fundamentally shift the fabric of our society. Any major alteration to how people transport themselves in their daily lives leads to real changes in everything from house design to how we build our cities. The when of driverless cars has implications for trillions of dollars of infrastructure planning spanning decades in every city, in every nation around the world.

But for driverless cars to be a thing, the public has to trust them. The public is not going to do this if the internet of things continues along as it is. Why security innovations paving the way for driverless cars will make IoT much safer explores the interplay between these forces, and makes some interesting predictions.


The IoT space is about to go through the regulatory looking glass. Be wary. Don't make any big bets on anything in the IoT space staying in one place for very long. Stability will be several years coming, and before we get there, we're going to see an explosion of standards proposals, and supposedly "compliant" products that are each abandoned in turn as insufficient numbers commit to any given standard. If you can, postpone your IoT binge until after these major standards debates have all shaken out.


"The end of trust" is not a new idea, but is apparently now available as a free ebook

h/t: Dave Maas – EFF

Today, people increasingly believe that trust is earned, and that it is neither the default setting of technology nor the ground state of human interaction. This goes against the views of those who birthed the internet, and presents a very real problem to corporations and governments alike. Without trust, everything from the credibility of judicial systems to cloud computing falls apart.
Information security can be described as figuring out ways to interact – as individuals and via technology – in zero trust environments. McSweeney’s and EFF Team Up for “The End of Trust” offers an excellent introduction to the criticality of trust.


Download and read this ebook. It's free!


You have to start somewhere: learn your regulatory environment ABC's

h/t: Robert Chesney – Lawfare

Infosec is as much about the regulatory environment as the tech. Security that isn't convenient is far less likely to be used, and security that doesn't continually evolve as the regulatory environment does isn't particularly convenient. Those looking to get a handle on cybersecurity law and policy should check out Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer.


This is worth working into your mandatory infosec training, at least for staff responsible for IT. It is a good start, and helps convey many of the most important concepts that underpin the legal side of cybersecurity.


This week's tweets


One axiom touches all areas of information security: people are lazy, everywhere.

"Automation: "start w/things that don't involve changes": reporting, etc, to build skills and cultural comfort." – Lisa Caywood (@RealLisaC)

"Is it shadow IT if everyone but Ops knows about it?" – Amy Lewis (@CommsNinja)

"Carhart’s law #2: Like most humans, competent hackers are mostly lazy, and when presented with an easier and equally reliable way to make money (then go do something else more interesting), they will frequently do it." – Lesley Carhart (@hacks4pancakes)

Quick Links

The past week has been one in which pondering the long-term consequences of headline events is called for. Each of these events may be a ripple that becomes a tsunami, and each is worth keeping in the back of your mind.

Microsoft, Mastercard Aim to Change Identity Management – Kelly Sheridan – Dark Reading

Chinese tech giant Huawei tells The News how CFO was arrested while changing flights at YVR – Alan Campbell & Daisy Xiong – Richmond News

DOJ made secret arguments to break crypto, now ACLU wants to make them public – Cyrus Farivar – Ars Technica
