Archive for the ‘Uncategorized’ Category

How many times have you watched someone talking to a reporter and asked yourself “did he really just say that?” What was he possibly thinking? Sometimes people do say stupid things, but sometimes they just get caught out because they are not used to speaking to reporters. This is especially true when you are responding to a crisis. Remember that the reporter has one set of goals – and they are not your goals.

When you are already in a crisis, it’s too late to be deciding who talks to the media and how. Have a plan and practice it before the crisis hits so you don’t get caught off guard. The list below has some helpful thoughts about dealing with reporters. It was originally developed at a crisis communications workshop at a Florida Beekeepers meeting in 1992 in response to scaremongering about Africanized honey bees. These rules are still relevant today and apply no matter what your crisis is.

  1. Individual Rights – No one from the press has the right to violate your individual rights.
  2. Honesty – Never mislead or lie to a reporter. If the situation is under litigation, say this is so; if there is a question about profits, dollars or proprietary information, you can defer/refuse answering based on not informing competitors in the marketplace.
  3. Buzz Words – Never repeat an expression or inflammatory statement made by a reporter. As an example, if you are asked “to what do you attribute this catastrophe,” do not repeat the word “catastrophe.” It then becomes attributable to you and you alone; you will “own” it.
  4. Hostility – Never get angry; keep cool and remember the reporter always has the last word.
  5. Off the Record – There is no such thing; if you don’t want it reported, don’t say it.
  6. Estimates – Never make numerical estimates in time or dollars. Say that the incident is under investigation and you will provide accurate information when it becomes available.
  7. Reporter Verification – Ask for identification, the purpose of a reporter’s activities, media affiliation and telephone number.
  8. Bridging – Try to bridge the gap between a reporter’s wish to be negative and providing a positive statement about your activity.
  9. Statistics – If you are not aware of statistics provided by a reporter, say so and ask for them in writing before commenting.
  10. Deadlines – All reporters are on deadlines, but you are not. Take all the time necessary to avoid hasty comments. The fact that a microphone is stuck in your face doesn’t mean you have to say something. Dead air time is not likely to appear on television.
Excerpted with permission from Bee Culture magazine, Jan 2007.

This was originally posted on 13 Sep 2009. I accidentally deleted the post the next week. Here it is again “for the record”.

These days, security is a Red Queen’s race where “it takes all the running you can do, to keep in the same place.” Hackers are constantly raising the bar and making old protections worth less than they were the day before.

The company that hosts this blog recently posted a very good article on the problem. They recommend (and I strongly agree) that you keep your software fully up-to-date and patched. You might not be perfectly protected from every hacker attack, but you’ll be protected from most, and often that can be enough.

There’s an old essay by Mike Pilgrim comparing computer security to the Club and to Lojack. If you remember the Club, it was a lock that fit on the steering wheel of the car, making it almost impossible for a thief to steer as he’s trying to get away. It wasn’t perfect security – a really determined thief who specifically wanted your car could drill the lock or just cut a section out of the steering wheel. But it was pretty good protection from a thief who just wanted a car. As long as easier pickings are available, the thief will follow the path of least resistance.

A more grizzly way to say it is in the old joke about the two hikers who surprise a bear in the woods. They start running and the bear chases. One of them stops to change into sneakers and the other says “You’re crazy – even in sneakers you’ll never outrun a bear.” The other replies “I don’t have to be faster than the bear … I only have to be faster than you!”

That “faster than you” attitude can be enough to deflect the hacker to an easier target. On the other hand, if you don’t keep your software patched, you’re choosing to be the guy still in boots – the easy meat. Patch your software and keep it current. If you can, use a tool such as Secunia to help stay current. It’s a lot of work but it’s better than joining the bear for dinner.

Security Theater is a difficult topic for any security person to talk about. First, what is it? Security Theater, to my mind, means those ‘security’ restrictions that don’t actually improve security. They’re put in place to make somebody feel better or to give the appearance of improved security, regardless of their actual effect. They may be well-intentioned, but they are generally poorly thought out.

For example, the early restrictions imposed at the airports, which attempted to stop people from bringing “weapons” on the plane, used a definition of ‘weapons’ so bad that all kinds of harmless tools were confiscated. Yes, a 10″ screwdriver could conceivably be sharpened and used as a punch knife. You’d need a file and a half-hour or so unobserved to sharpen it – not things likely to happen in any concourse I know of, but it’s theoretically possible.

The hypocrisy, though, is that they never banned pens or pencils. A number 2 pencil is already sharper than most knives and just as dangerous.

But even assuming the most liberal interpretation of ‘weapon’, what possible harm can an evildoer perpetrate with the miniature Phillips-head screwdrivers that many people carry to tighten the screws on their eyeglasses? There simply is no defensible argument for that restriction. Unless you think that no one will notice as the offender sits there for another half-hour and tries to take apart the plane?

The confiscation of those tools (which, while not perfectly safe, were as safe as other routine objects allowed through) represents an unjustified sacrifice of civil liberties. Security is important. But it is not the ultimate goal of life or of business. Security is about managing risks and balancing the risks against the benefits.

Security folks (including myself) often have a hard time with this concept. Our job – our whole purpose in life – is focused on thinking about security, increasing security and reducing risks. We often don’t have the perspective to see the benefits or liberties that we’re infringing on with our policies. And we certainly don’t have the incentives to look for those benefits.

This, unfortunately, is why security people should never be allowed to have the final say in the security policy. If you have your own business, have someone who is responsible for security. And listen to them carefully. But make sure that you have both sides of the argument – the benefits from security and the consequences of the policy. Remember that a risk-free environment is not possible. Good security is about balance.

Well, I finally took my exam. Have no idea how I did and it’s probably pointless guessing. I’ll know in 6-8 weeks. I’ll start working on tips again.

See you soon.

I’ve got a couple of things going on right now and will be taking a sabbatical from the infosec tips for a while. Hope to be back soon.