Telling The Cautionary Tales Of Cyber Crime

Fixing the disconnect from news in the field to how breaches actually work

Scare tactics and the media are often two items that are grouped together in the cyber security industry (anyone else tired of seeing the guy in the dark hoodie in front of the computer?). Fear is oftentimes used to make an impact on cyber security headlines because they’re memorable for consumers. However, this is not always the case in the corporate world.

Here, CNBC reporter and adjunct professor of cyber security in the Applied Intelligence program at Georgetown University, Kate Fazzini, explains how she wants to change that. Driven by the need to deliver the right information in a more accessible way for everyone, in order to make a more realistic impact, Cyber Security Hub caught up with Fazzini to dig a little deeper into the disconnect from news in the field to how breaches actually work. Plus, we get a little more insight into her new book: "Kingdom of Lies: Unnerving Adventures in the World of Cybercrime,” available June 11, 2019, wherever books are sold.

CS HUB: How did you get into covering the cyber security industry?

FAZZINI: I worked in cyber security at a bank, and then later for a number of technology clients in my role as a principal at the consulting firm Promontory Financial Group. During this time, I consumed all the news I could about cyber security. And I saw there was a major disconnect between what is reported in the news about the field, and how “breaches” actually work from the inside. A lot of information was wrong, but more importantly, a lot of the coverage was focused on things that had little impact on people’s real lives or their businesses. There was too little insight into why all this was happening. I wanted to change that.

CS HUB: What made you specifically decide to write this book?

FAZZINI: It was for many of the same reasons, but also because I had met so many fascinating people with fascinating stories that all converged, even if they didn’t know one another. They converged over certain major incidents, or in certain countries or because of certain big figures in the hacking underground. I wanted to tell their stories, and in doing so, hopefully invite a wider range of readers who don’t care much for technical jargon or pontifications on cyber warfare, but who can approach a crime thriller or a cautionary business tale.


CS HUB: Can you give a brief synopsis? What is it about?

FAZZINI: The book is a braided narrative that examines the lives of four key people, some of whom are criminals, some of whom are good guys, but all of whom sometimes skate the boundaries between good and bad. It explores their motives, and goes into detail about how information security has uprooted their lives, also for good or bad. It explores the common threads that unite both sides.

CS HUB: Why is telling these stories so important today?

FAZZINI: We have a lot of problems we need to solve as it relates to cyber security, and we’re not solving them. We can’t keep doing things the same way, or thinking about things the same way. I see a lot of the cyber security marketing and literature out there as being much like a blunt instrument, hammering away at the exact same talking points year after year without an attempt to genuinely re-evaluate a problem that has obviously evolved beyond our past capabilities.  

Have you ever heard of that analogy, when you put a small piece of granite underneath a microscope it looks just like the mountain? I wanted to start this conversation by putting the problem under a microscope, and zeroing in on some of the people involved, right down to their individual stories. Not the big names that you’ve heard of or the people with the most impressive titles, but the people doing the work for good or for bad. And then seeing where that takes us.


CS HUB: How has the cyber security industry evolved to be as important as it is now?

FAZZINI: I think we are certainly at a point where the cyber security industry is struggling under its own weight. There are a lot of companies, and they’re kind of shanking each other at every turn. I might see more of this looking at it from a media perspective than people working in it, but that makes it an interesting period for the industry.

Cyber security also is becoming such an integral part of the national conversation that you can’t distinguish it as separate from many mainstream news stories: Elections, the Mueller report, Huawei and trade talks with China generally, our entire relationship with Europe, the stability of our corporations. These are all cyber security stories in 2019, and so it is maybe a little harder for an industry used to being and acting like a bit player to suddenly find itself on this greater stage.


We’ll have IPOs this year of Crowdstrike and maybe Palantir next year and it will be interesting to see how these companies fit into the greater conversation as well. How will cyber companies look in 10 years? Will they be more like telecoms or utilities? How will they fare in the marketplace? It’s a really pivotal time for the industry, and I’m excited to see where the next few years take us.

CS HUB: What are the top 3 breaches everyone should know about? What were the biggest lessons learned from those?

FAZZINI: That’s a pretty broad question, but I’ll try to narrow it down. For me, Equifax is huge. I’ve written about how the consensus in the intelligence community is that the Equifax data was not stolen by criminals, but by a nation-state actor. Thefts like these can’t be underestimated. While the vast majority of Americans have worried about how this breach may impact their credit score or may lead to identity theft, and have also been sold numerous credit monitoring products as a result, they maybe shouldn’t be as worried about their personal credit. It might not even be in play at all. Instead, I think people should look at the significance of this information being stolen by a nation-state, and that it may be used decades from now. A 20-year-old victim of this breach running for president in 2047 may see some consequence of adverse information stolen in 2017. That’s significant. It’s actually amazing. And more of this data is being stolen every day. What does that mean for us as a country?

I think the Yahoo email breaches are also very important for the same reason. Everyone says they’re not worried about what’s in their emails, because they’re not an important person. Even if that’s true, what if you’re a CEO a decade from now? Are you going to be worried about something embarrassing you said over an old Yahoo account in 2006? Well, it’s sitting in some server in Russia right now just waiting for your rise to power.

A third is the ransomware shutdown of Baltimore. A major U.S. city is taken offline by a pretty simple criminal attack, in spring 2019. Anyone worried about nation-state infrastructure attacks should be paying attention to this.


CS HUB: What are your top tips for individuals looking to learn about cyber security and better protect themselves or the enterprise?

FAZZINI: For most people, just respect yourself. Try to limit what you do on social media. Be enigmatic. You can survive without Facebook and Twitter. The online world is not the real world. I’m sure you will get plenty of better advice from other cyber pros regarding how to structure your passwords and encryption and whatnot, so I’m going in a different direction.

For the enterprise, partner with the FBI — now, before you have to make an emergency call. Check your insurance. Have back-ups and make sure that they work. Invest in cyber security — don’t push absolutely everything on to your employees. If you are a victim of a phishing attack, don’t blame your employee. Figure out why you didn’t have adequate protection first, then figure out what happened on the other end.

CS HUB: Are there any examples of companies to watch that are doing cyber security well (or have a good security posture)?

FAZZINI: The banks are real innovators. Look to them. I like how well the banks collaborate even when their business units are highly competitive. This is a must that a lot of companies in other industries just aren’t doing, maybe for cultural reasons. The banks managed to get over that, however.  

I think anyone doing a matrixed cyber security organizational structure is on the right path. Top-down, heavily bureaucratic organizations are getting crushed in their ability to respond properly to incidents.

CS HUB: What’s in store for the future of cyber security?

FAZZINI: I think the parlor-trick days of “live hackings” and whatnot are coming to an end. People have already grasped that anything is hackable. Cyber security is no longer a novelty, and I think a trend toward the industry being a completely integral part of business will only grow.  

I think manufacturing and industrial systems security will really take center stage. Parlor-tricks aside, this is where the most fearsome attacks have actually taken place in recent years, against companies like Maersk, Reckitt Benckiser, Merck, Wolters Kluwer or the NHS in Britain. If you let your imagination run wild against these real-life scenarios, it can go to some pretty dark places and for good reason – I expect this is where we will see a lot of innovation, and also a lot of damage.
