#SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?

Sitting in the Miami airport at 5:00 am I am reading news updates on the #SonyHack and a thought just occurred to me:

Previously, many of us preaching the “you better take your company’s security seriously” message to the C-Suites have been wondering if it would take a court decision finding C-Levels or Board members personally liable before they would fully appreciate the significance of cybersecurity risk to their companies.

In reading the articles about how the Sony Hackers are releasing Sony Executives’ entire email folders and all of the personally and professionally embarrassing email conversations they have exchanged, it makes me wonder if this will not do more damage to their professional reputations and careers than anything. And, if it does, does that mean that this may ultimately exert as much or more pressure on them (and other executives who are watching) to put more emphasis on cybersecurity in their companies when the risk to company message has not been working?

If there is one thing we know about human nature, it is that self-interest always prevails … will it here as well?

Is Sony Really “Defensively” DDoS’ing the Sites Hosting Its Content?

Sitting in the airport, I just read this article Here’s How Sony Is Hacking Back to Defend Itself claiming that Sony is using distributed denial of service attacks against the sites hosting its stolen content in the hopes of slowing them down.

Ok, to DDoS, you have to have control over a lot of computers — usually other people’s computers, right? This usually requires using malware to get into them … then using them to attack other people’s computers, right?

Hmmmmmm.

I call bs on this. Sony may be engaging in some active defense measures but DDoS attacks that are now publicly attributed to a global giant like Sony? Where is Paul Harvey when we need him because I definitely want to know the rest of the story?

#SonyHack shows there are no “safe secrets” in the corporate world – what do you do?

The #sonyhack will change the way the corporate world operates in many ways that we cannot even yet imagine. Yes, there are obvious data security implications that I usually drone on about, but there is another change that we may see come about.

The now outdated idea that internal corporate secrets will remain corporate secrets. You know, things like email conversations among colleagues containing snide and catty remarks, etc. Not to mention the real corporate secrets — trade secrets and other competitive information.

What does this mean for the way the corporate world does business?

Who knows how far the ramifications will be felt. I doubt it will lead to a rebirth of that outdated thing called the “Golden Rule” when it comes to talking about others, but it just may push folks back into the direction of that other outdated notion of not “putting it in writing” if you do not need to.

Earlier in my legal career I found myself in the unenviable position of having a client’s interests in a lawsuit be aligned with a rather unsavory character. Nah, who am I kidding, the guy was a crook — I mean the stereotypical “snake oil salesman” type.

Once, I asked him if he had any written proof of a conversation that he was telling me about. He laughed, paused, and shared with me some of his dishonest man’s wisdom that I will never forget:

  • Don’t say anything if a nod will do
  • Don’t say something over the telephone if you can say it in person
  • Don’t put something in writing if you can just say it

And, while email wasn’t very prevalent back then, I suspect there would be one more rule if we were having that conversation today:

  • Don’t put it in an email if you can write it on a napkin!

Maybe this dishonest man’s wisdom is not only for the dishonest …


The Best Evidence Why Your Company Needs a CISO Before a Data Breach

“The proof is in the pudding,” goes the old saying.

When it comes to organizational changes companies make following a data breach, if the proof is in the pudding, then the verdict is clear: companies should hire a Chief Information Security Officer (CISO) before they have a data breach.

Why?

According to this article in USA Today, companies usually tend to hire CISOs after they have had a data breach. After?

Yes. They do this because they do not want to have another data breach and, after feeling the sting from the first, they are finally willing to invest more resources so that they do not have another data breach.

There is another old saying to remember: “Wise men learn from their mistakes, but wiser men learn from the mistakes of others.” (author unknown)

As your company’s leader, which will you be?

Check out my first post on Norse’s DarkMatters > Sony Hack: Where Do We Die First?

Hey everybody, go check out my first post on Norse’s DarkMatters blog — yeah, you know, Norse with the awesome Live Cyber Attack Map!

Now that you’re mesmerized by the map, here’s the post and please share it! Sony Hack: Where Do We Die First?

Automakers show more concern for hackers’ efforts to exploit vulnerabilities in car computer systems

Automakers seem to be taking the car hacking issue a lot more seriously. They should be.

Over the last few years I have written quite a bit about car hacking and what laws may apply to such cases — such as the Computer Fraud and Abuse Act. Here is a post that references several of those posts: Hackers continue to exploit vulnerabilities in car computer systems.

This is a real threat and, as usual, the laws addressing it are well behind the times and the technology. This means that regardless of what laws may be used to address the sure-to-be-coming misuses, we will hear a loud chorus of folks complaining about it saying the laws are being misused. Happens all the time.

Fortunately, the automakers seem to be stepping up their efforts to at least make it more difficult for the hackers to give us the chance to apply the laws to their misdeeds. Here are some relevant quotes from an interesting article that talks about the efforts the automakers are taking to prepare for these activities:

One major association representing brands including Honda and Toyota is helping establish an “information sharing and analysis center” patterned after efforts by big banks to try to thwart cyberattacks.

“Before, when you designed something, you looked at how might components fail,” said Michael Cammisa, director of safety for the Association of Global Automakers. “Now, you have to look at how would somebody maliciously attack the vehicle.”

The so-called Auto-ISAC will allow participating companies to evaluate the credibility of threats and, in the event of an attack, let one warn others so they could test their own systems. The effort was announced this summer at the Cyberauto Challenge in Detroit, one of an increasing number of programs focused on auto hacking. Several days later, in China, organizers of a cybersecurity conference announced success in their challenge to hack a Model S made by Tesla Motors.

Another American company, General Motors, has checked how Boeing and defense companies create systems to repel hackers, according to Mark Reuss, GM’s executive vice president of global product development.

Cybersecurity is “one of the highest priority things that we have,” Reuss said. “We have got to make sure that our customers are safe.”

Read more: Automakers Aim to Drive Away Car Computer Hackers