FIR B2B podcast episode #149: Cutting out the middleman in B2B PR

For years Paul and I have used Help A Reporter Out. The service — now owned by Cision — aims to eliminate the gatekeeping middleman role of corporate PR and put sources directly in touch with the journalists who want to quote them. HARO, as it is known, has been less useful as of late, but there is a new, venture-backed startup called Qwoted that is making some important inroads. We spoke to its CEO and co-founder, Dan Simon. He told us Qwoted had close to a thousand inquiries last month and is growing. The service has a free tier (individuals can make three monthly requests, agencies five) and a paid tier.

Qwoted flips the PR paradigm on its head by letting journalists initiate the conversation and cutting out the need for pitches.

Simon has lots of pointers to help PR and marketing staff get the most out of his service. He is deeply steeped in the field, having been president of Cognito, a New York financial services agency, among other roles. Simon recommends that you use the tools he provides to search on previous successful match-ups and examine the job titles more carefully, as well as to fill out the profiles to make your expertise more transparent and compelling.

You can listen to our 16 min. podcast here:

Speech: Using NetGalley to Promote Your Self-Published Book

One of the best ways to promote your book is by reaching new readers with pre-release copies, and thanks to a service called NetGalley, you can add this to your toolbox.

I have been using NetGalley as a reader for the past several years: the idea is that I can read new books that interest me for free, provided that I review them and post my reviews on Amazon and other book selling sites. In this presentation, I will show you the author’s point of view. Yes, it does cost to make your pre-release “galleys” available—but the fee is a very reasonable $450 per book, or $200 if you are a member of IBPA. I will show you how NetGalley works, what kinds of books are best for the service (including audiobooks) and the best time to take advantage of it as part of your book marketing efforts.

This speech will be given to the St. Louis Publishers’ Assn on September 8.

Here is a copy of my presentation slides

Two new posts on cybersec certifications advice from Infosec Resources

Figuring out your appropriate certification program isn’t easy and involves almost as much studying as preparing for the certification exams themselves. But these programs can have big payouts in terms of job advancement, increases in responsibility and salary. I wrote two posts for Infosec Resources.

In our first post, we presented the issues a manager should consider in building a training program for their company. Training budgets tend to be the first ones to be cut in any economic downturn and often don’t get fully funded even when the economy is improving. But training can also have a significant impact on an enterprise: it can increase the pool of available skills, help pave the way for a department to take on new challenges, improve morale and create a sense of purpose for workers. In this first post, I talk about what are some of the benefits of training and ways to measure them, explore some of the costs, and the four different modalities that you can use to design your own training program.

In the second post, I explore the benefits and costs from the individual’s perspective and what you should expect from a certificate program and how to evaluate a program. This post also has a handy comparison chart that shows your costs and other considerations from the major infosec certs.

| Provider/Link | Cost | Other certifications to consider |
|---|---|---|
| COMPTIA Security+ | $390 for 90-minute test | Penetration testing, cybersecurity analyst and general IT courses too |
| EC-Council Certified Ethical Hacker (CEH) | $1200 for four-hour test | More than a dozen cybersecurity specializations including disaster recovery, penetration testing |
| ISACA Certified Info Security Manager (CISM) | $760 for four-hour test for non-members but significant discounts for members, study materials extra | Courses on risk management, data privacy and auditing |
| ISC2 Certified Cloud Security Practitioner (CCSP) | $549 for four-hour test | Also offer numerous other cloud-based security classes and boot camps for above tests |
| Offensive Security Penetration Testing | $800 for a one year subscription | Three different levels, other certifications in web apps and devops |
| SANS Institute Network penetration testing | $8,000 for in-person instruction at various locations around the world | Dozens of courses covering a wide range of infosec topics |

Nine ways to improve your business cybersecurity

Two new reports show the dismal state of cybersecurity across US federal government networks. First is this report from the General Accounting Office, which found hundreds of its earlier recommendations haven’t been implemented by numerous federal agencies. While there has been some progress since its last review of these procedures, much work remains to secure our federal systems.

More recently, this report from the Senate Homeland Security committee has come out. Despite years of warnings, federal agencies such as the State, Education, Agriculture and Health and Human Services departments have not established effective cybersecurity programs or complied with federal information security standards. We all knew that the feds were lax when it came to implementing better cybersecurity practices, but the lack of many basic security practices is alarming.

Here are nine things that most federal departments don’t do and that your company should implement.

1. Maintain an accurate and current IT asset inventory, including apps and OS versions. Do you know where all your critical apps are, and who is responsible for them? How about where outdated systems (Windows XP, anyone?) still live and lurk? If you don’t know, you will need to find this out, and the sooner the better.
2. Patch quickly and stay constantly up to date. Microsoft issues patches weekly on Tuesdays. Adobe is also generous (ahem) with its patches. But you need to get into the regular habit. Some major cyber attacks happened because businesses — some very big ones at that — took a couple of weeks to get around to applying them. (Remember WannaCry?)
3. Know your risk factors and assess them regularly. I have written lots of articles about assessing risk, including this one for CSOonline. The key word in this task is being regular. If you are running an online business, your applications are continuously changing, and that means you need to audit these risks and ensure that something isn’t missed. The GAO report found that “while many agencies almost always designated a risk executive, few had not fully incorporated other key risk management practices, such as establishing a process for assessing agency-wide cybersecurity risks.”
4. Do you track unauthorized users’ access to your systems? It is a simple yes or no answer, but often we don’t know enough to be sure. So many attacks happen because the bad guys have gotten into our networks months ago, and had time to mess around with things before we found evidence of the intrusion.
5. Have you implemented any multi-factor authentication methods? One way to shore up your access is to use MFA. This is gaining traction but still far from universal, whether that be inside government or out.
6. Do you protect your personal identifying information (PII) and do you know when you don’t? It is important to first understand where you can find your PII, who has control over this data, and who has control over protecting it.
7. Do you have a CIO, or does anyone in that role carry the authority to fix any of the above problems? While many small businesses don’t have budgets to hire a full-time CIO, someone has to take on the job — either inside the company or as a consultant. Make sure the authority to make improvements is also part of the job.
8. Do you know your IT supply chains well enough? The recent ransomware attacks have shown that many businesses haven’t developed any procedures to ensure that they are protected from these sorts of attacks.
9. Have you read and implemented the NIST standards docs? What, you don’t know what I am talking about? Back in April 2018, the National Institute of Standards published its Framework for Improving Critical Infrastructure Cybersecurity. Speaking of improving supply chains, another NIST document is worthy of your attention — it lists a bunch of mitigation measures for this particular scourge. While a lot of both documents is written in government mumbo-jumbo, the basics of how businesses can reduce the risk of cyber attacks are all spelled out.
Good luck with improving your defenses.

How hate can fund a video streaming career

When I last checked in with Megan Squire, a computer science professor who specializes in tracking online hate trends, she was looking at the far-right users of various messaging services. Last month she presented this paper about how this group has taken advantage of the DLive streaming video service to solicit donations and spread their horrible videos. Some of the Jan 6 Capitol rioters used DLive to broadcast their attack and exploits.

Unfortunately for these users, DLive also has a very robust and public API that allows researchers to track the flow of funds through the platform. Squire was able to examine the accounts of more than 100 different users, half of them active streamers and the other half either large-ticket donors or others of interest to her work. Some of these streamers can make $10k in a typical month in donations, providing a regular income to these political extremists. While most of these funds come from the large donors, some also originate from many smaller followers. These donations usually happen during the live broadcasts, when viewers purchase “lemons” (the built-in platform currency).

She mapped the community into this network graph shown below. You can see the pink nodes that are the streamers, and the graph shows a very fragmented audience. The streamers mostly have their own and separate fan clubs (if you analyze their donors who give them at least $120). The cluster marked B in the diagram is an affiliated Proud Boys account and the C cluster represents the activist Peter Santilli. Both Santilli and members of the B cluster are facing various criminal charges.

Now, Squire admits that finding these alt-right streamers wasn’t easy, and by no means representative of the larger DLive community, most of whom are focused on online gaming. Since the January riot, the platform has taken steps to remove these streamers and to cooperate with law enforcement on subsequent illegal usage.

Still, while they were allowed on DLive, many of her streamer subjects have made substantial incomes from their narrowcast supporters. I am sure they have found other online platforms to spew their messages of hate.

If you don’t have time to review Squire’s paper, you can watch a short 10 min. video where she walks you through her research. She hopes that by shining a light on these activities, other researchers will be encouraged to examine other online platforms that have public data.

Avast blog: An Ugly Truth: A book review

New York Times reporters Sheera Frenkel and Cecilia Kang have been covering the trials and tribulations of Facebook for the past several years, and they have used their reporting to form the basis of their new book, An Ugly Truth: Inside Facebook’s Battle for Domination. The book is based on hundreds of interviews of the key players and shows the roles played by numerous staffers in various events, and how the company has acted badly in protecting our privacy and in making various decisions about the evolution of its products. Even if you have been following these events, reading this book will be an eye-opener. If you are concerned with your personal security or how your business uses its customer data, this should be on your summer reading list. The book lays out many of the global events where Facebook’s response changed the course of history.

My review of the book and some of the key takeaways for infosec professionals and security-minded consumers can be found here.

Avast blog: Beware of crypto exchange scams

You may already have won! How many scams have begun with these words?

There is a new breed of scammers gaining popularity, thanks to the wild swings in the cryptocurrency market. I worked with Avast researcher Matěj Račinský, who has tracked three different fake crypto exchanges. I show you some of the come-on messages, why their tactics are so compelling and — almost — believable, and how they ply their criminal trade, including phony news site announcements (as shown here).

You can read more about these scammers, and ways to avoid them, in my blog post for Avast here.

Recently published stories you might be interested in

First off, mea culpa for sending out that test message earlier this month. As you might have guessed, I have moved everyone to a new listserv (still using Mailman after all these years) at Pair.com, and things seem to be working. LMK if you want to be removed or have your address updated or have issues with the mailings.

Last week was not a quiet week in Lake Wobegon, where all of my sources are above average. I flew for the first time domestically on business, and (unlike the fictional town) the flights and airports were crowded, but everyone was masked up and behaving, thankfully. The trip was to visit the Cyber Shield exercises held at the Utah National Guard base outside of Salt Lake City. I was staying on the base across the street from the monster NSA data center that you can see in the background.

The Guard story is posted here on Avast’s blog. I write about how the Guard is using live cyber ranges to train its cyber soldiers and the very realistic scenarios it is using. The dedication of the 800-some participants during this two-week event was amazing to see first-hand, and I appreciated all the time the Guard took to explain what they were doing and to share some of their stories of how they got involved with the Guard and how it related to their careers in cybersecurity.

I also wrote another post for Avast about the Pegasus Project that was the work of security researchers at The Citizen Lab in Toronto, the Security Lab of Amnesty International in Berlin, and the Forbidden Stories project in Paris. Pegasus is a surveillance tool sold by the Israeli private firm NSO Group. It can be deployed on both Apple and Android phones with incredible stealth, to the point that targets don’t even know it is there.

The three groups examined phones from 67 people and found 34 iPhones and three Androids contained traces of Pegasus – about a third of these had evidence that Pegasus had successfully compromised the phone. Two items were interesting: First, one of the hacked iPhones was running the most current version of iOS. Second, many of the targets show a very tight correlation between the timestamps of the files deposited by Pegasus and particular events that link to the monitoring of the victim. Someone who was a client of NSO was very interested in these people, who ranged from politicians to journalists, and could aim the tool at them.

Several years ago, one of my contacts showed me the power of Pegasus on a test phone at my office and it was scary how easily the spyware could collect just about anything on the phone: texts, pictures, IP addresses, phone contacts, and so forth. If you want to read more about this project, several media outlets have written stories about it and are linked in my Avast blog.

Since I am in self-promotions mode, you might also want to check out some of my other work that I have written recently:

  • A story for CSOonline about a new defensive knowledge graph done by Mitre for the NSA called D3FEND. The project will help IT managers find functional overlap in their security tools and help guide new purchases as well as make better defensive decisions.
  • A podcast about a new report by Forrester that Paul Gillin and I recorded about the changing landscape of B2B discussion groups. The 14 minute conversation is how the shift from LinkedIn to Facebook groups has evolved and why IT vendors and channel partners should pay attention to the other social network outlets.

FIR B2B podcast #148: The Changing Landscape of B2B Discussion Groups

A new report on social media usage by the channel by Jay McBain of Forrester Research finds that the groups people use and the way they use them is changing amid a 13.2%, 490 million-user surge in social media use in 2020.

The report lists major tech channel groups that both managed service providers and channel managers should know about for each social network. McBain’s informal research found that Facebook Groups have replaced LinkedIn as the place to talk tech. He claims many LinkedIn groups have become ghost towns overrun by spam. Half of his respondents to his survey were disappointed with engagement levels on the platform.

The report prompted me to realize that he belonged to more than 50 groups and couldn’t remember the last time he posted — or even clicked on content on any of them. McBain has identified more than 40 Facebook Groups that IT folks should take a closer look at.

One of the more important lessons of this research is that social media groups aren’t an ad medium but a way to engage potential partners on a grassroots level. Too often we both have seen plenty of spam or vendor posts that don’t really encourage discussion. The speed at which channel firms have apparently abandoned LinkedIn groups shows how quickly attitudes can change if group members don’t believe their needs are being respected.

McBain also reviewed several other social networks, some of which we hadn’t heard of. Up-and-comers include the audio- and app-oriented Clubhouse and Discord, which was originally for gamers but which has broadened its scope. McBain rates Twitter the second most popular spot for tech content, even though it really doesn’t have the community engagement tools to match Facebook or LinkedIn. And he advises B2B companies to keep an eye on Reddit, which had 52 million daily active users worldwide at the end of 2020, up 44% year-over-year.

Although the report is aimed at technology channel companies, it’s a useful way for any B2B marketer to take a fresh look at the social groups you use to get your message across.

You can listen to our 14 min. podcast here:

Avast blog: How the National Guard trains its cyber soldiers

Earlier this month, I had the unique opportunity to observe the National Guard conduct its cybersecurity exercises at Cyber Shield 21. This is perhaps the largest training effort of its kind, with more than 800 people across the U.S. taking part. It uses a series of real-world threats to train its “cyber warriors”. For the first time, the Guard took advantage of a virtual cyber range that the Department of Defense developed with more than a dozen contractors. It was an interesting experience, and it busted a few of my long-held myths about our military and demonstrated the value of public-private partnerships. It was inspiring to see so many dedicated men and women who are willing to give so much time to support this effort, year after year.

You can read my full report for Avast’s blog here.