Four things I’m reading this week:
Pew Study on Cybersecurity Shows That We Don’t Know Much About Cybersecurity: This shouldn’t come as a surprise to anyone, but a new study from Pew out on Thursday shows that out of 1,055 US adult Internet users, the median respondent answered only 5 out of 13 questions about cybersecurity correctly. Only 20 percent of the respondents answered more than 8 questions correctly. Also, if you expected that younger respondents would be much better than older ones, that’s not really the case either: 18-29 year olds answered 6 out of the 13 questions correctly, while respondents older than 65 answered 5 of them right.
As I said, this isn’t much of a surprise, but it does reinforce the fact that, for many people, cybersecurity still seems like a mysterious art. If we can’t get more people to understand what the basic components of personal security mean – much less what they’re good for – it’s unlikely we’re going to achieve a more secure society any time soon.
If you’re wondering what the three hardest questions were, only 16 percent of respondents could identify a botnet, only 13 percent knew what a security benefits VPN offered, and only 10 percent (!) could correctly identify multi-factor authentication. Wondering how you would do? You can take the quiz here: http://www.pewinternet.org/quiz/cybersecurity-knowledge/
I'm reading: "What the Public Knows About Cybersecurity"
What the Arrest of the JCC Bomber Can Teach Us About Cybersecurity: On Thursday, police arrested an Israeli-American teenager for calling in more than 100 bomb threats to Jewish community centers and schools, as well as more in other countries around the world. He went to extraordinary lengths to protect himself, using a phone-spoofing service (paid for in Bitcoin) to conceal his phone number, using web proxies to conceal his Internet traffic, and manipulating his voice when on the phone itself.
Tracking him down took US investigators and international partners months of effort. What was his ultimate undoing? At least once, he failed to proxy his Internet traffic, leaving behind a real IP address for investigators to find. And once was all it took – law enforcement traced that single IP address back to a Wi-Fi access point at the suspect’s house.
Disrupting this months-long, disturbing rash of targeted hate crimes is big news in and of itself, but there’s an important lesson here for cybersecurity experts, as well. By all accounts, this criminal is smart, thorough, and careful. He stayed concealed for months, but it only took a single slip for him to be unmasked. Every investigator has stories like this – clever criminals undone by a single, tiny mistake. This is why so few criminals get away: eventually, everyone slips up.
If you’re a security team, and you think you can keep out every attacker, you’re making the same bet as criminals that think they can stay ahead of the law: that you can be perfect every time. That’s not a bet that I’d ever want to take. Instead, smart security assumes you will get breached, and focuses on controlling the environment you are protecting so that, once the intruder gets in, you can stop them before they cause damage. Why does this work? Because once they’re inside a controlled environment, every step an intruder takes risks exposing them – they have to be perfect, just like the criminal. And nobody’s perfect.
I'm reading: "The Slip-Up That Caught the Jewish Center Bomb Caller"