New media, it would appear, now outpaces the old. More data is consumed and processed than at any time before in human history. But as we hasten into a world where the immediate is often favoured over the verified, the attention-grabbing over the considered, and the assumed over the researched in terms of how we both receive and disseminate information, we open ourselves up to new and unprecedented scales of manipulation by those of nefarious intent.
Although I will on this occasion refrain from directly quoting Sun Tzu, the ‘weaponization’ of misinformation is, of course, as old as war itself. It could also be rightly observed that our traditional media institutions have not been without their own biases and agendas when reporting daily news and affecting public opinion. Their motivations were generally well understood, however, hence people chose outlets that tended to reflect their own political and world viewpoints. Furthermore, the better of these continue to strive for some degree of impartiality and journalistic integrity. What is fundamentally different today is the sheer volume of completely unverified information we are now absorbing and the ease with which even content of credible origin can be digitally tampered with or misrepresented.
We have been on this trajectory of fact-blurring and general provenance erosion since the early days of mass internet access. Take, for example, that revered body of knowledge that once took pride of place on the bookshelves of those wishing to have a searchable source of general knowledge within their homes prior to the Web – the encyclopaedia. Subscribers received periodically updated, beautifully illustrated books containing the knowledge of thousands of recognised experts within their respective fields. These contributions were then scrutinised by multiple editors who were themselves often distinguished scholars, the intended result being a work of consensus quality which could be trusted in its accuracy and considered broadly authoritative.
The downsides of this model were cost to the subscriber, limited physical portability, and the obsolescence or at least loss of relevance concerning certain areas of its content in an increasingly changing world. The arrival of the Web then gave us search engines, blogging, and the ‘Wiki’ model for immediate and collaborative content publishing by anyone. This ‘democratisation’ of information yielded many benefits in terms of speed of access, real-time updates, and diversity of subject matters. The downsides were a lack of oversight beyond peer review (by other unverified contributors) and the opportunity for ‘factoids’ and more blatantly spurious and misleading information to pass themselves off as actual truths.
Fast forward to the arrival of social media and its ubiquitous integration into every facet of our lives. The dynamic proliferation of instantly accessible information has brought with it many positive benefits. It has also, however, opened the door to an unprecedented flow of information of zero credibility being rapidly broadcast to far-reaching audiences, recently to the point that it can apparently exert greater influence than ‘real news.’ Feeds from such sources are now helping to power the analytics and ‘AI’ that we are told will soon start not only to advise and nudge but to automatically shape our lives.
This is not to say that no one looks to trusted, traditional sources for their information or that nobody subscribes to more definitive collections of knowledge any more. They do, particularly in the more respected areas of academia. It’s just that most of us, when checking a fact, will simply pick up our phones, which more often than not will give us the answer we need there and then.
This is all well and good for settling a debate around historical football scores at the bar, but what about when such quick data retrieval may influence critical decision making? Concerning cyber security, for example.
In the current climate, there is an unwelcome sense of inevitability that publicly available cyber security information will become increasingly diluted, exaggerated, fragmented, or purposely targeted for subtle (or not so subtle) manipulation of its accuracy – all of which will undermine the posture of specific or more general targets. A balanced sense of critical thinking is therefore vital when evaluating any information that may be used to shape decisions, design solutions, or otherwise advise in the name of security. As the Integrity part of the classic C-I-A security triad takes on a renewed relevance within our own arena, let’s look at some basics for preserving it.
Don’t Cry Wolf
Since the days of email virus hoaxes, the tendency to eagerly share unchecked and often false security alerts, albeit with the best of intentions, has rarely been helpful and is at best counterproductive. The ease and temptation today to rapidly retweet or otherwise share alarming news, alerts or updates to wide audiences before validating their accuracy should always be resisted. As a security professional, you may end up adding credibility to misinformation, which you may later regret. Even if you then reconsider and remove the update, your followers may have already shared it on.
Question & Corroborate
The explosion in cyber security awareness (and related business opportunity) has created a torrent of information sources, social media accounts, and blogs. This is by and large a healthy state of affairs, which brings in new ideas and perspectives. We have to be able to discern the altruistic from vendor- or other agenda-driven content. We also have to separate fact from opinion and spot fly-by-night charlatans. If a news story seems far-fetched or an advisory seems wrong, try corroborating it across a number of other sites before taking it ‘as read.’ Trusted forums can also provide a way of asking questions to check what others think.
Blogs with editorial oversight (such as State of Security) mean that facts are checked and themes carefully considered before they are ever published at all. National sites such as the NCSC here in the UK have Government-backed reputation and quality standards to adhere to. Independent bloggers such as Graham Cluley and Pierluigi Paganini have built solid, credible reputations based upon consistently and tirelessly publishing quality, informative content to their readers. Whilst no one can get such a diverse and complex range of possible subjects right all the time, reputable sources are far less likely to publish spurious information, and if they inadvertently do, they are likely to quickly and transparently correct it and inform their readers.
Security, Securing Itself
Regardless of whether their public websites contain or collect any confidential content, all online security resources should be using TLS with valid SHA-2 certificates to help reassure their visitors that they are looking at the real deal. Likewise, email bulletins such as those from SANS make use of S/MIME to digitally sign their newsletter updates for authenticity. It goes without saying that security sites should be fixing vulnerabilities and applying the full panoply of protections available to them to ensure their own resources are not hijacked for the purposes of distributing either malware or false information.
Standards Still Stand
It is sometimes stated that the likes of ISO 27001 and PCI-DSS (for example) are staid, archaic pieces of compliance that please auditors rather than enhance real security posture against the rapid innovation of attackers. This is only the case if they are treated as box-ticking exercises or viewed as the entire picture in themselves. Recognised standards, used as they should be, as well-understood, proven foundations upon which to build good practice, still give us some common terminology and rational reference points as to what good should look like. Whilst never perfect, the outright rejection of formal standards leads only to pure subjectivity and greater uncertainty, thereby creating more opportunity for ‘anything goes’ misinformation to take hold. Likewise, in the areas of training and education, long-standing, not-for-profit, and award-winning resources such as those provided by (ISC)² offer content that has been vetted and deemed best practice through rigorous review and global industry acceptance.
Whilst organisations have to exercise reasonable post-breach PR damage limitation and risk management, a total lack of transparency, or the failure to offer any worthwhile information once a breach has been made public, inevitably leads to much unhelpful speculation and misinformation. Likewise, if more companies fessed up to simply not prioritising the cyber hygiene basics (and then told us how they are rectifying that situation) rather than claiming every breach was the result of some ‘advanced,’ ‘sophisticated’ threat actor, the real threat picture for many businesses would be far less muddled.
And if it still doesn’t sound right, it probably isn’t?
So let’s keep our wits about us and our feet firmly on the ground and, as Public Enemy once advised us, “Don’t believe the hype!” Ultimately, perception is reality, and we need to be very careful how that perception is being fashioned and by whom.
About the Author: Angus Macrae is a Certified Information Systems Security Professional (CISSP) in good standing. He has more recently been awarded the CESG Certified Professional – IT Security Officer (ITSO) role at Senior Practitioner level. He is currently lucky enough to live in and publicly serve the beautiful county of Cornwall in the UK.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.