Time to listen to your corporate Cassandra

In Greek myths, Cassandra was able to see the future, but no one ever believed what she was saying. Richard Clarke has written a new book examining this in a very quantitative fashion, and it made me think about those among us that predict what is going to happen to our IT infrastructure but aren’t listened to by management. I know it is a bit of a reach, but bear with me.

I thought back to several moments when I worked in corporate jobs and had run up against some naysayer who didn’t like what I was saying. Sometimes, I got fired because my boss thought I was the naysayer. Sometimes, my prophecy came to pass and then my proposal was finally green-lighted. And sometimes I had to run another play through a proxy or convince some other department to carry my idea forward.

In Clarke’s book, he describes a series of disasters (Katrina, Fukushima) and how in each case there was a Cassandra who warned about the potential issues, but those warnings fell on deaf ears. He then provides mechanisms and suggestions on how to reverse this and how to pay better attention.

Why are these warnings ignored? Several factors: inertia, character flaws of the participants, lack of planning, or ineffective leadership. Sometimes it is a combination of all of the above, making the issue too complex for a single individual or line of business to resolve. One of the things that I learned in my leadership class several years ago is how to assess various inputs, often conflicting ones, to determine a course of action. The best leaders know how to do this instinctively, and not just stick their heads in the sand and continue on. It is about listening critically to what the Cassandras are saying.

Wikipedia says in its entry that Cassandra is employed as a rhetorical device by many modern tales. One of my favorite ones is the Gilliam original movie Twelve Monkeys. There the character played by Bruce Willis is sent back in time to try to figure out the source of a pandemic that wipes out most of the world’s human population, only to be frustrated by not being understood by the people he interacts with. (If you haven’t seen the movie, make sure you see the 1995 original and not the remake — which is miserable.) Willis is considered crazy, but eventually enlists a shrink to help him with his investigations.

Pick up a copy of Clarke’s book, (re)watch the movie, and make a promise to listen the next time your corporate Cassandra speaks up.

CSO Online: How to protect your network from PowerShell exploits

Hikers living off the land make use of existing nutrients and water sources to survive in the wilderness. In hacker parlance, “living off the land” means attackers cover their tracks and make use of tools and code that already exist on targeted endpoints. This hides their exploits by making them look like common administrative tasks so that detection tools can’t easily find them. Welcome to the world of PowerShell-based attacks.

PowerShell has become increasingly sophisticated and in an article I wrote for CSO Online, I show you how attackers can leverage this language for their own evil purposes.

When to think about a cyber security do-over

This is a piece that I co-authored with Greg Matusky and Mike Lizun of Gregory FCA.

Imagine you’re on the precipice of greatness, some victory that will define you or your enterprise for eternity. Something important, game-changing, like going public, executing a merger, or something even bigger, like winning your first ever Super Bowl after 50 years of frustration.

And then it’s all lost. Stolen in the dark of night by someone who hacks your system and steals the secret sauce. Maybe it’s your IP or some market advantage. Or maybe it was simply the plays you plan to call that now will be used against your organization.

A lot of football fans, players, and coaches believe that is exactly what happened in 2005 when the New England Patriots beat the Philadelphia Eagles in Super Bowl XXXIX.

Even during that game, Philadelphia coaches knew something was amiss and tried to change set play calls. Every time the Eagles’ defensive coach blitzed, Tom Brady knew it and made a quick outlet pass. Two years later, the Patriots were fined $250,000 and draft picks for getting caught videotaping and stealing the play calls of the New York Jets. A U.S. senator opened an investigation and found New England had been wrongly videotaping and stealing opponents’ play calls since 2000.

This year, after the Eagles beat New England, there’s been a lot of scuttlebutt about secret security measures the Eagles deployed to thwart any and all intrusions. One story holds that Philadelphia ran a fake practice the Saturday before the game, running plays and using a play call system they had no intention of using. Whether it happened or not, you gotta believe the Eagles weren’t going to be robbed again. Something did work. New England didn’t have a clue as to what the Eagles were doing on offense. They didn’t know about their calls and the result was Philadelphia putting up 538 total yards of offense.

Not every business gets to have a do-over like the Eagles. And in most cases, when it comes to cyber security and data breaches, hindsight is always 20-20. As an example, look at this recent Ponemon survey of 1,200 IT professionals. It found that the majority of them aren’t satisfied with cyber threat sharing tools in terms of timeliness, accuracy, and the poor quality of actionable information. Some of this has to do with a johnny-come-lately realization that threat intel could have been used to prevent a previous attack. Even UK-based telecom provider BT is now sharing its threat intel with its competitors, to try to stem attackers. So maybe the tide is changing.

There are lots of other cybersec lessons that could be learned from the latest Super Bowl matchup and what organizations can do when they get a second chance at defending their networks. They involve the role that revenge can play in motivating ex-employees, deliberate attempts to confuse attackers, and using specific traps to flush out intruders and confuse adversaries.

First, let’s look at revenge attacks.

These happen when insiders or former insiders get motivated by something that they experienced, and want to take out their frustration on their former employer.

The classic insider revenge scenario dates back to 1999, when Vitek Boden was applying for a job with the Maroochy county sewer district in Australia. He was a contractor for the district, and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer, with various RF equipment in his possession. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.

Ofer Amitai, the CEO of Portnox, has a more modern revenge tale. One of his customers is a big food company that didn’t pay attention to who was connected to its WiFi network. One of its employees was fired, and came back to the vicinity of the plant with his own laptop. He changed temperatures on the refrigerators and destroyed hundreds of thousands of dollars of merchandise in revenge.

From these two examples, you can see it pays to be careful, even if a former employee never sets foot on your property or even if you never hired your potential attacker. Certainly, you should better screen insiders to prevent data leaks or willful destruction. And businesses should always monitor their wireless networks, especially as it is simple for an intruder to connect a rogue access point to your network and access data through it.

What about ways to confuse attackers?

Like in the Super Bowl, teams are now more careful about how they call plays during the game and practice times. Teams now use an array of sideline ruses to confuse prying eyes, everything from placards with pictures of Homer Simpson to using as many as three decoy sideline play callers.

That’s not too dissimilar to planting special “honeynets” on networks. Typically, they consist of a web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. These servers don’t contain any actual data, but appear to be a target to a potential attacker and can trap them into revealing their location, sources, or methods, which can help network defenders strengthen their security. Honeynets have been around for more than a decade and have an active development community working to make them more lifelike to confound attackers.
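One way to build the kind of decoy described above, as an added example that is not from the original post or from any product it mentions: a small Python web server that serves a harmless page to every request, classifies each probe, and appends a JSON record to a log that defenders can review. The scanner-path list, the tool user-agent fragments, the log file name and the severity rules are assumptions chosen for illustration.

```python
"""Decoy web server: serves a harmless page and records every probe.

Added example, not from the original post. The paths treated as scanner
activity, the user-agent fragments, the log file name and the severity
rules are assumptions for illustration; the server holds no real data.
"""
import json
import time
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Paths nobody browsing a decoy intranet page would ask for; a hit on one
# means someone is probing for known software. Constructed list.
SCANNER_PREFIXES = ("/wp-login.php", "/wp-admin", "/xmlrpc.php", "/.env",
                    "/.git", "/phpmyadmin", "/admin", "/cgi-bin")
# User-Agent fragments typical of scanning tools rather than browsers.
TOOL_AGENTS = ("sqlmap", "nikto", "nmap", "masscan", "python-requests", "curl")
LOG_PATH = "probes.jsonl"          # assumption: append-only JSON Lines file
DECOY_PAGE = b"<html><body><h1>Intranet portal</h1><p>Welcome.</p></body></html>"


def classify_probe(method, path, headers, client_ip):
    """Build a log record for one request and note why it looks hostile."""
    reasons = []
    clean_path = urlsplit(path).path          # ignore the query string
    if clean_path.startswith(SCANNER_PREFIXES):
        reasons.append("scanner path")
    if method not in ("GET", "HEAD"):
        reasons.append("non-read method")
    agent = headers.get("User-Agent", "")
    if not agent:
        reasons.append("missing user-agent")
    elif any(tok in agent.lower() for tok in TOOL_AGENTS):
        reasons.append("tooling user-agent")
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "client_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": agent,
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def append_record(record, log_path=LOG_PATH):
    """Append one record as a JSON line; the file is the decoy's evidence."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")


def top_sources(records):
    """Count high-severity probes per source address for the defender's review."""
    return Counter(r["client_ip"] for r in records if r["severity"] == "high")


class DecoyHandler(BaseHTTPRequestHandler):
    """Answer every method with the same page; never touch real systems."""

    def _serve(self):
        # Drain any request body so the client does not stall, then log.
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)
        append_record(classify_probe(self.command, self.path, self.headers,
                                     self.client_address[0]))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(DECOY_PAGE)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(DECOY_PAGE)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _serve

    def log_message(self, fmt, *args):
        pass  # everything worth keeping goes to LOG_PATH, not stderr


if __name__ == "__main__":
    # Bind to a port nothing legitimate uses and leave it running.
    HTTPServer(("0.0.0.0", 8080), DecoyHandler).serve_forever()
```

Because the page never changes and carries no data, any high-severity record in probes.jsonl is worth investigating on its own, and top_sources() gives the addresses to start with.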

“There will always be timely weaknesses during such events that hackers can exploit,” says Dudu Mimran, the CTO of Telekom Innovation Laboratories in Israel. “Public events such as the Super Bowl present an opportunity because many people will be using digital devices and posting pictures and opening emails around the event. Defenders need to understand the expected sequence of actions around these events and create pinpoint defenses and guidelines to reduce the expected risks. There needs to be a series of layered defenses coupled with user education and better awareness too.”

Good luck with your own do-overs.

What’s new with blockchain and security

The world of bitcoin, blockchain and cryptocurrencies is moving so fast that it is hard to keep up, even if you try to follow current events. Certainly, these have been wild times lately as the trading prices of these currencies have escalated wildly. This post will review some of my own interests, namely some interesting places where you might want to read up more about blockchains and the intersection of these technologies with IT security.

Probably a good place to start is with my sister newsletter, Inside Bitcoin, researched and written by David Stegon three times a week. Like my own Inside Security newsletter, it comes packed with tons of great content, current events, trading prices of the leading currencies and more. For example, in today’s issue you can find out that the electricity used for bitcoin mining will soon exceed the power used by all of the homes in Iceland.

If you are looking to learn more about cryptocurrency basics, the VC firm Andreessen Horowitz has put together this page of links it calls its Crypto Canon. There are a lot of beginner’s guides about privacy and security and tutorials for developers. Another really great source that goes into the details of the actual mechanics of the blockchain protocols can be found in the current issue of the Internet Protocol Journal. Written by Bill Stallings, it is a clear and solid explanation of how the blockchain works to self-authenticate transactions, which are at the core of this brave new world.

If you haven’t gotten enough of a fix, I humbly suggest next taking a look at a blog post that I wrote for the iBoss blog about recent blockchain exploits. Criminals are coming online, stealing funds from digital wallets, attacking currency exchanges, deploying hidden miners and going after initial coin offerings. This latter event is similar to an IPO for blockchain companies, only instead of receiving dollars (or some other real currency), they get cryptocoins, often newly minted. The opportunity for abuse and fraud is limitless, and some companies have already “mysteriously” disappeared after their ICO.

The hidden cryptominers are particularly pernicious. An average exploit can generate $500 a day per PC that has been compromised. Set up a network of a few thousand machines and you are literally creating cash while you sleep.

But blockchains can be used for improving and innovating when it comes to IT security too. Here are a few examples:

  • Shocard uses blockchains to provide an identity authentication system so that people can share information with each other securely.
  • Hypr is similar, encrypting a user’s credentials but doing so without any centralized authority needed to vouch for them or store the information.
  • Microsoft is adding blockchain features so that its Authenticator app can manage all kinds of user identity data and cryptographic keys.
  • CertCoin is one of the first implementations of blockchain-based PKI. The project, developed at MIT, removes central authorities altogether and uses the blockchain as a distributed ledger of domains and their associated public keys.
  • Guardtime built the identity management platform for the Estonian government and now sells its KSI blockchain-based enterprise security tools. Changes to the network configuration have to be authorized, making it harder for malware to gain access.
  • Maidsafe has created an alternative Internet where users are able to run apps, store data, and do everything else they normally do online, but in a more secure environment.
  • And IBM and Maersk have built a blockchain-based digital trading system to track shipments of the global logistics company.

We have just seen the very tip of the iceberg when it comes to using these technologies, both for good and evil. Send me your favorite bitcoin/blockchain product or anecdote if you don’t mind sharing.

iBoss blog: The Many Forms of Cryptocurrency Exploits

While the prices on cryptocurrencies have been all over the place in recent months, it is certainly attracting a different kind of attention from the criminal world that views them as malware opportunities. These attacks take numerous forms, including stealing funds from digital wallets, attacking currency exchanges, deploying hidden mining and initial coin offering (ICO) exploits.

The first major exploit hit the DAO joint Ethereum investment fund back in 2016, which suffered a DDoS attack and eventually had to shut down. While that grabbed major headlines, there have been other, less-publicized attacks on exchanges. I look at some of the more recent examples in my post for iBoss’ blog here.

iBoss blog: Ten ways to harden your WordPress servers

One of the weak points in your enterprise may be something that you haven’t paid much attention to: your WordPress servers. When you think more critically about the issue, there are a lot of exposed attack surfaces: a web server running PHP scripts and accessing a SQL database. Sadly, criminals have long recognized this target and have begun to focus more of their efforts on exploiting WordPress servers. Indeed, this story from last summer’s DefCon conference demonstrated how hackers were able to locate a fresh new WP site within 30 minutes of its going online. In my latest post for the iBoss blog, I talk about ways to make them more secure, such as adding the WordFence plug-in shown here.

FIR B2B Podcast #88: The Decline of Trust and New Twists on End-of-Year Research

This week, Paul Gillin and I examine the results of the 2018 Edelman Trust Barometer, which shows a remarkable drop in the overall trust from the public. Some alarming results from the annual survey:

  • Sixty-three percent of respondents say they do not know how to tell good journalism from rumor or falsehoods or if a piece of news was produced by a respected media organization.
  • Chinese citizens trust their government more than U.S. citizens trust theirs.
  • Technology remains the most trusted industry sector of them all, with a trust rating of 75% (whew).
  • CEOs are becoming more trusted sources and are increasingly being asked to address public policy issues.
  • One-quarter of respondents said they read no media at all because it is too upsetting.

In the second part of our discussion, we look at some examples of annual trends/reports in the security field that I have been studying for this post. For example, Kaspersky’s “story of the year” was about the rise of ransomware, and this set of predictions from ServiceNow is short and sweet, which is a nice break from the norm. Watchguard has been posting a series of predictions to its blog using short videos. All are noteworthy. We suggest B2B marketers review these tactics and see if they can apply them to their own media relations efforts.

You can listen to our 17 min. podcast here:

The role of the WWII coder girls

I am reading the book Code Girls, the true story about the thousands of women who worked decoding WWII message traffic for the Army and Navy. It is a fascinating look at how they shaped the crypto and spying industries, and largely an unknown and untold story. I would recommend it highly for your own reading.

One of the women featured in this book is Elizebeth Friedman. She was one-half of a power couple that worked on code breaking and is documented in another book called The Woman Who Smashed Codes that came out last year. Her role is mentioned in Code Girls, but the focus is more on others who are even less famous. The couple met at the offices of an eccentric philanthropist named George Fabyan, who thought that Bacon wrote Shakespeare’s works and wanted some crackerjack researchers to prove it. The couple ended up falling in love with each other and disproving the Bacon theories once and for all.

There has been a lot written about the activities of the British coding group at Bletchley Park (and you can read some links to them here), but not as much about the parallel American efforts to decode the German Enigma and Japanese Purple codes that were used during the war. What is interesting about this book is how it talks about the lives of ordinary women who were plucked from being school teachers, clerks, and recent college graduates into this top-secret life in the nation’s capital and elsewhere to help the war effort.

Why were women chosen for this task? Several reasons. First, most of the men were off fighting the war, so the potential employment pool was diminished. Second, the military found that women made for better code breakers: they had better concentration and more of an eye for detail. Many of them were math and science majors and liked the kind of work that was involved – this was an era before we started telling girls that they weren’t good at math! Finally, the country needed thousands of them for this job. In some cases, entire graduating classes were hired on the spot. All of the women had no idea what they were signing up for, and often left their lives with nothing more than a few dollars in the pocket and a one-way train ticket to DC.

The Army and Navy had different recruiting strategies and set up competing organizations, based in different parts of DC. Early on, one group worked on messages that were received on odd-numbered days and one on even days. That wasn’t very productive, and eventually the two sorted out different theaters of war to focus on.

Two myths are busted in this book. The first is that people who were good at solving crossword puzzles made for good code breakers. That isn’t necessarily accurate, because crosswords are built with escalating clue difficulties, since most people start at the upper left and work their way down the puzzle. Code breaking is very tedious, and you have to deal with tons more frustration as you run into big roadblocks in figuring out patterns as the codes frequently change.

Second is that decoding intercepts could have helped prevent Pearl Harbor. That might have been the case had the US tuned up its efforts but that wasn’t possible during peacetime, given the climate that we had before we entered the war. Decoding intercepts was one of the reasons why we were able to dominate the Pacific theater and sink so many Japanese ships. Often, our military was reading their messages concurrently with their intended recipients, and had to stage a fake aircraft fly-over to hide the real source of their intelligence on the Japanese Navy’s movements.

An interesting side note: this past week my colleague Elonka Dunin (who has spent time with the Kryptos sculpture at the CIA headquarters building) published a paper about the Friedman tombstone and how it contains a hidden cipher. Can’t see it? Look closer. That is why most of us would be terrible code breakers.

HPE Enterprise.nxt: How to protect hidden Windows services from attacks

Hijacking legitimate but obscure Windows services is a tough exploit to detect. Here are two lesser-known Windows services that could be vulnerable to malware attacks. You might think you can tell the difference between benign and malicious Windows services, but some of these services are pretty obscure. Do you know what ASLR and BITS are? Exactly.

You can read my latest article for HPE here.

Gregory FCA newsletter: How to get your annual year-end security reports noticed and read

It’s about as regular as hearing Auld Lang Syne on New Year’s Eve: The annual year-end security report issued by companies big and small looking to create awareness and build relationships. Our inboxes were flooded with dozens of them. In this newsletter that I co-authored with Greg Matusky and Mike Lizun, we look at some of the best and worst features of these annual reports and give our opinions. Hopefully you can use our findings to improve your own reports this time next year, and learn from the best and avoid the biggest mistakes.

The Scintillating Standouts of 2017!

Some of the more unusual reports are the ones that really caught our eyes.

Kaspersky’s “story of the year” takes the typical annual year-end report and transforms it into a cyber-security news story similar to People’s Person of the Year. Written in layman’s terms with an accompanying infographic, Kaspersky’s Story of the Year reworks the tired ransomware story into a can’t-not-read compendium on all things ransomware. And it’s understandable! The first line reads like the opening of a movie rather than a technical rehash. Consider, “In 2017, the ransomware threat suddenly and spectacularly evolved. Three unprecedented outbreaks transformed the landscape for ransomware, probably forever.”

Kaspersky then takes it one step further by producing “The Number of the Year,” based on the number of malicious files its networks have seen transit its sensors. Our co-author David Strom calls it gimmicky, and maybe it is from his journalistic perch. But from a strictly PR perspective, the ability to distill a finding down to a single number (and one drawn from data at their ready disposal) is a brilliant PR take, and they are to be congratulated.

What about your organization? Do you have available internal data that could add PR gravitas to your next report? Might be something to consider.

Another take comes from ServiceNow. They opted to deliver their security predictions in a short-and-sweet format–one that takes less than three minutes to read. Their conclusions are compelling without overselling. For instance, they suggest that 2018 will see the emergence of security haves and have-nots–those having automated detection and response and those who don’t. Guess who sells such a solution? Still, they keep the sell to a minimum.

Watchguard uses their blog to make a series of predictions in a very attractive and still informative way. There are predictions about IoT botnets, a doubling of Linux-based attacks, what will happen to multi-factor authentication, and the state of election and voter hacking. Each prediction takes the form of a short video with high production values.

With all the news about Uber’s mistakes over the past year, here is a cogent analysis by Dark Reading of what Uber did wrong with its breach response: delayed notification, failure to implement stronger access controls, unclear approval workflows, storing access credentials in GitHub, and failing to compartmentalize data access. This analysis was a neat package that we wish others would emulate.

This report, which appeared in IBM’s Security Intelligence blog, is another rarity. It compares what few of these year-end surveys actually do by looking back a year and then scoring their predictions. The author looked at the threats posed by IoT, the rise of cybercrime-as-a-service, and the threats against brand reputations and concludes he was a bit ahead of the curve on some trends. We wish we would see more of these “truth telling” evaluation-type pieces.

Those were our top picks. But there are plenty of other year-end reports, most choosing one of three paths: presenting the results of a survey, focusing on a particular vertical market, or summarizing what telemetry they have collected from sensors located at major internet peering points or at their customers.

All in the Numbers: The Best of the Survey-Based Reports

Let’s look at the two best survey posts.

“The State of Open Source Security” touches on both telemetry and survey methods. It presents the results of a survey of 500 open-source users combined with internal data from Snyk and scans of various GitHub repositories. Sadly, almost half of the code maintainers never audit their code, and less than 17 percent feel they have high security knowledge. Code vulnerabilities are on the rise for open-source projects but not for Red Hat Linux, which is an interesting factoid that isn’t often mentioned.

Beyond Trust’s report has a series of 18 predictions, most of which are obvious (bigger targets will fall, mobile spam on the rise, games can double as malware). A few are interesting, and what sets this report apart is a look ahead to five years from now when GDPR becomes untenable, online elections become secure, and the end of cash arrives.

Customer Telemetry-Based Reports Work Well Also

McAfee’s annual threat predictions have some interesting insights and cover some non-obvious subjects, including describing the machine learning arms race, the opportunities for serverless attackers, and the ways that home automation vendors will misuse your personal data.

Fortinet is another one of those companies that runs a massive protection network and can cull trends from its customers. Their quarterly threat report has identified 185 zero-day vulnerabilities, with an average of each customer experiencing more than 150 attacks over the quarter and unknowingly running an average of two botnets inside their networks. Like other security researchers, they talk about the delay to patching known exploits and how lousy most of their customers are at getting at root causes of infections.

Then there is Bitdefender’s insights into the past year’s threats. It is based on their own global sensor network and from their customers. Ransomware is still king, with one in every six spam emails including some kind of ransomware attack vector. Also on the rise this past year are crypto-currency miner malware, polymorphic attacks, and Android-based Trojans.

Dashlane’s report on the worst passwords of the year is entertaining, if a bit predictable. While they break all the rules about these year-in-review articles, it works. Yes, it is subjective, it is somewhat self-serving (Dashlane sells a password manager), and it covers familiar ground. But it is very amusing and that is why sometimes you can deliver old chestnuts in interesting ways.

Slicing and Dicing Vertical Markets in Reports

Some vendors have taken a different tack and written year-end reports that examine specific verticals. This is what eSentire has done with the healthcare industry. Rather than just positing the “chicken little” scenario, it provides specific case studies of security weaknesses in various enterprises that, of course, were eSentire customers and discovered malware on their networks. They conclude by saying that well-known exploits have been out for years and yet still aren’t patched. Yes, it is self-serving, but it is also instructive.

Another way to slice things is to just focus on bitcoin exploits, which have been increasing as its value rises. Incapsula looked at exploits across its own network and found three out of four bitcoin sites were attacked and a third of the network attacks were persistent attacks. Hong Kong was the most targeted country for bitcoin-based network layer assaults in Q3 2017, largely because of a persistent attack on a local hosting service that was hit hundreds of times throughout the quarter.

Another example is this report looking at mobile threats by RiskIQ. They used telemetry from their network of more than 120 different app stores and billions of endpoints. This is a rich source of exploits and a growing threat. It highlights the non-surprising trend toward using phony rave reviews to prop up a malicious app. It also reviews the collaboration over the takedown of the WireX botnet earlier this fall.

What to Avoid in Your Annual Report

Finally, no compendium would be complete without mentioning some examples of what to avoid. As we mentioned in an earlier newsletter, having small survey sample sizes is never a good idea, and this report by Holger Schulze for Alienvault, based on interviews with 500 people, is to be avoided. While it has numerous graphics that can be used in blog posts, it contains mostly subjective content.

Also to be avoided: reports that don’t say anything new, such as this report from Wandera on WiFi risks, or this report on security trends from Cipher. A corollary to this is to avoid predictions that are more self-serving or self-promotional, such as these from Axiomatics.

Another issue: checking your facts. In November, an organization called the Information Technology and Innovation Foundation posted a supposedly detailed review of the security compliance of hundreds of the more popular U.S. government websites. Sadly, the facts weren’t correct, and webmasters responded with complaints and corrections.

Don’t do what NordVPN and eSentire did. Both of their PR firms sent out predictions for 2018 in email messages, and neither of them posted any of this content online. That isn’t helpful, especially in a world where you want to cite a URL for any predictions-related materials.

Then there is this encyclopedic listing from our colleagues at MSSP Alert of dozens of predictions, culled from various security management vendors. We dare you to read through the entire list, which spans multiple pages. Sometimes less is more!

Finally, here is a somewhat different twist on the predictions route. Varonis put together a post that contained quotes from a series of podcasts. It was a good try, and a terrific example of repurposing content. But it held little value for discerning audiences that would want more context in their analysis.