Don't lie about being hacked
Security researcher Graham Cluley had words of warning at ITWeb Security Summit 2019, saying when it comes to cyber security, some companies, and IT staff, could not be trusted.
Cluley, who has worked at McAfee and Sophos, and was inducted into the InfoSecurity Europe Hall of Fame in 2011, told two stories, the first of which involved an exclusive dating Web site called beautifulpeople.com.
Cyber horror never stops, but sometimes you can't take all of these stories at face value.Graham Cluley
Cluley says he became suspicious when it was reported that the site had expelled 5 000 members because they had put on weight over the holidays. He wondered why people would immediately upload pictures of themselves looking somewhat heavier. Another instance that he found suspicious, was when the site reported that it expelled 20 000 people because a former employee had planted a virus allowing 'ugly' people to join. He also thought it strange that no one's personal data was compromised in the so-called hack.
The 'hack' was also reported by media around the world, among them the Guardian, and the Register.
"There's lots of news about data breaches and about hacks; cyber horror never stops; but sometimes you can't take all of these stories at face value," he said.
In any event, the site was eventually hacked, and this time, a press release from the company was not forthcoming.
"Karma", commented Cluley.
His advice to companies is not to lie about being hacked. "The response to the breach is more important than the breach. Be transparent, be honest," he said.
Don't take IT staff at face value
His second story, illustrating why it's important to not take IT staff at face value, was about the Iowa State lottery, known as the 'Hot Lotto Sizzler'. Eddie Tipton, the security director of the US Multi-State Lottery Association, was eventually convicted after it was found he had rigged the lottery. Tipton installed code that vastly lowered the odds on predicting a winning number on particular days. He was sentenced to 25 years.
"The emphasis all the time is on external hackers, and of course, you do need to be worried about them. And companies do come under attack even if you don't think you have essential data that may be of interest to hackers. It may be that you have customers or partners who are potentially of interest to the hackers."
Your company may be the weak link in the chain, or the 'soft underbelly'.
"I'm afraid that we all have to be watching ourselves and watching our colleagues in case someone may have turned into a bad apple."
Cluley also took aim at the media, saying it either did not show the true extent of a cyber-incident, or failed to report on a very real threat, as it was 'too dull, or too elongated, or elaborate for them to explain properly'.
He suggested that the media make cyber incidents easy to understand and consume.
"Give people simple bullet points as part of the article as to how you should respond (to cyber threats).
"Don't just change your password of a Web site that has been hacked. But make sure you're not using the same password anywhere else. Get a password manager and start using unique passwords. And if you've got that right, move onto to multi-factor authentication."
"It's not rocket science, but if the media keep on repeating that, people will eventually begin to get the message and recognise that will keep them better protected."
"I would recommend that all of us remain cynical, sceptical. It's sad that we have to do it, but we do have to have an element of that in order to properly secure ourselves."