PR is a form of social engineering. Information security companies are often in a highly competitive game to gain attention from the media and increase their brand recognition and visibility. However, this often leads to tactics that generate FUD (fear, uncertainty and doubt), which yields a bit of hysteria and fear to help increase demand for their products.
These claims can be in the form of reports that reveal astonishing but purposely misleading statistics. It might be the discovery of a massive computer vulnerability in the power grid that could bring an end to civilization as we know it. It could be a security firm reporting a major data breach wherein all of our information has been compromised; China spying on us through all of our electronics; or a fresh Snowden leak revealing alien life really exists.
Okay, I might be getting a little carried away, but recently, I have seen some headlines that have actually ended up being far from true or at least vastly overblown. It is no coincidence that these headlines seem to hit around the time of Black Hat and DEFCON every year.
I thought I would offer the press some advice on how to vet these claims when PR teams send salacious tips.
Purposely Bold But Vague
A common tactic to bait journalists into covering a story is to make bold claims about findings while remaining purposely vague about the details. The goal is to let the journalist make their own assumptions, usually making the claims larger and more grandiose than the actual research supports.
For example, if I claim planes are hackable without any additional information, a journalist may believe this means any plane can be hacked by someone with the right exploit, when it might only mean that I was able to make the in-flight media player in my seat flicker. To a degree, some of these types of pitches lie by omission, relying on the journalist’s ignorance of technology and information security, paired with the journalist’s need to write a hot story that will generate click-throughs and ad revenue for their publication.
Devil Is In the Details
One of the best things a journalist can do when dealing with a pitch on an information security-related topic is to get really curious and ask a lot of questions. If the pitch is about an exploit or data breach, the first questions should be about how it was discovered and who is affected.
It is also not unreasonable to request that the company or individual making the claim provide proof of the exploit or a sample of the data compromised. If the breach involves a company, it is a good idea to ask if the company has been notified and if they have issued a response. If they are vague on this, again, it is not unreasonable to reach out to the company affected to let them know about the claims and to request additional information.
When you request additional details, a company may sometimes say it cannot reveal them due to proprietary algorithms or private information; this is usually a red flag. If the company is not able to provide some sort of proof for its claims, you should be suspicious of those claims and tread carefully.
Dial a Nerd
Technology is difficult enough for many journalists to comprehend, and information security is its dark art, adding further layers of complexity and its own lingo to navigate. It is a good idea for journalists to have a crack team of security professionals available to call to vet these pitches.
Keep in mind that information security contains several specialized disciplines, ranging from vulnerability research and forensics to network security and penetration testing, so you may need a few different experts to field questions depending on the topic.
More Journalism, Less Click Bait
It is important for journalists to also focus on reporting the facts and not succumb to the information security equivalent of tabloid journalism. The general population and business users rely on the media to provide them with information about actual risks, but when the media becomes the puppet of security firms by making exorbitant half-truth claims, we all lose.
Eventually, people become numb to the stories and stop paying attention to the serious security issues and risks, making us all more vulnerable.