#AmericanBlackout is really #AmericanFUD

How good (or rather how bad) was National Geographic’s American Blackout? I would argue pretty bad, even if the film was accurate.

On Sunday night, National Geographic debuted a fictional, cynical, survivalist movie on how Americans would react if there was an extended power outage due to a cyber attack that knocks out power for the entire nation.

The movie was largely billed as “the story of a national power failure in the United States caused by a cyber attack — told in real time, over 10 days, by those who kept filming on cameras and phones. You’ll learn what it means to be absolutely powerless. Gritty, visceral and totally immersive, see what it might take to survive from day one, and who would be left standing when the lights come back on.”

It was nothing more than 120 minutes of needless panic and despair, all designed to stir up fear, uncertainty, and doubt while selling advertisements for survivalist products and other doomsday television series on National Geographic. Largely, American Blackout had familiar themes found in NBC’s television series Revolution.

It was 120 minutes that could have been better spent catching up on sleep or an activity of choice. For those who missed it, consider yourselves fortunate.

First, forget the fact that the cyber attack at most made up five minutes of the entire movie. Some of the facts were simply downright wrong: the movie ignored the fact that the North American grid is interconnected with Canada and Mexico. Granted, the grids can be separated, as they were in 2003 during the North East Blackout, but any widespread loss of power would have affected our neighbors to the north and south. We clearly saw how the 2003 North East Blackout affected both Canada and the United States. Moreover, we also know that there would likely be select pockets of power online within a relatively short period of time. Again, see the 2003 North East Blackout for examples.

Assuming a nation-state sponsor successfully coordinated a massive cyber attack on one part of the North American Electrical Grid, it would not personally surprise me if utilities across the country responded appropriately to defend themselves. Moreover, a cyber attack of this magnitude would create massive ripples in the global economy in a matter of hours.

The storyline is plausible, only because anything is possible, but it is extremely unlikely and farfetched at best. The storyline itself could have used a number of alternative plots to illustrate the consequences of a long-term power outage.

But more importantly, it was a massive missed opportunity to educate viewers on how vulnerable any organization or any technology we employ, including the electrical grid, is to a cyber attack. Alas, they would rather spend 5 minutes of a 120-minute movie citing a cyber attack that took humanity to the brink of self-destruction.

Amazing mind reader reveals his ‘gift’

Now that I have your attention, over the weekend, I remembered this video that debuted back in 2012.

It was a great public service announcement piece from Belgium. What made the video such a hit was that the eccentric individual was no ordinary mind reader – he gets all his information from Facebook, Twitter, social media, and the web.

He is also warning you against sharing too much private information.

[The video] begins with random people being selected from the streets of Brussels.  They are asked if they would like to participate in an upcoming TV program featuring Dave, described as a gifted clairvoyant.  Once they agree, they are ushered into a white tent to meet Dave. He hugs them and dances around as he seemingly tries to get a sense of the person’s energy.  As people are seated across from him, Dave tells them random facts about them, from the color of the motorcycle they own to their bank account number and even the types and locations of their tattoos.

As the unassuming subjects become absorbed in Dave’s trance and the factual information he is providing, the truth behind his magic is revealed.  A curtain drops, and behind it is a group of computer hackers dressed in all black searching the Internet for information about each of the individuals.  In fact, a large monitor sits in front of the hackers, displaying pictures and personal information about the subjects.  Each person seems astonished, first at the curtain dropping and then at the reveal as they realize what has taken place.  [Emphasis added]

Over here at Net Force, we still see too much oversharing of information on social media sites. Even the most harmless and innocuous pieces of information individuals share on social media are worth their weight in gold when combined with other pieces of information.

We all need a little reminder to “Be vigilant, because Internet fraudsters can (and will) use information against you.”


Encouraging Aspiring Future Cyber Defenders

The process of building, nurturing, encouraging, developing, inspiring, and training future cybersecurity professionals is an ongoing lifecycle for us at Net Force. For the second straight year, our team has been working with Cal-Poly Pomona, Los Angeles Unified School District and CyberPatriot to identify and encourage new and rising talent in the industry.

This past weekend especially was a landmark occasion for those of us in Los Angeles. Over 350 middle and high school students from across Southern California gathered together for the first annual “Cyber Day Los Angeles”. Students as young as sixth grade were given Windows images to debug and remediate security issues while the advanced and battle-tested students also engaged in a Linux Capture-The-Flag (CTF) Competition.

These students represent our future team members and colleagues. It is such a huge priority for those of us at Net Force to have more friends than enemies. We want to see these students become our allies rather than those who go to the dark side. It makes our lives significantly easier.

Training future talent is a key component of defending our systems. As I wrote before, defense is not easy. Competitions like CyberPatriot and events like Cyber Day Los Angeles ensure that we have the brightest minds working on the ongoing battle against cybercrime. Cyber threats, with their increased sophistication, continue to be the biggest threat to organizations. Adversaries are becoming more adept in this field, to the point where they are making a profession of being evil. Knowing that these young minds are coming down the pipe brings some comfort.

At the end of the day, I find it inspiring and encouraging to see so many students, from both middle and high schools across Southern California, gather and share a passion for cyber security.

Teaching CyberSecurity in Higher Academia

Teaching Cyber Security in Higher Academia has always been a subject that’s struck a chord with both academia and industry. There is always this balance that both sides seek to achieve.

On one hand, there are risks when teaching such a subject, including having the proverbial “dog biting the hand that feeds it.” Reading this thread on Reddit made my stomach churn as I see students try to advance their careers, knowledge and understanding of cyber security.

I won’t go down this rabbit hole too much on pointing the negatives out, but I would like to point out the obvious: The students are meeting in an unofficial capacity.

Whether it is sanctioned or unsanctioned by Higher Academia, the students have formed a community to share and learn. The very fact these students want to take it to the next level with the blessing of the administration indicates the willingness by students to do this the right way and ensure this community stays out of trouble.

It is also a wonderful opportunity for the administration to teach and help students learn the right ethics and morals, and understand the consequences of ‘going to the dark side’. These students will be this academic institution’s first line of cyber defense in future years as they may notice suspicious and unusual behavior of computers they use on campus. They may even join the ranks as staff members of a higher academia institution, including the one they currently attend.

This is a relationship I encourage any student and higher academia to grow, nurture and cultivate. The benefits will always outweigh the concerns, and I ask that higher academia avoid simply saying no and letting that be the end of the conversation and dialogue.

Rather, identify the concerns (and yes they are legitimate concerns) and find ways to teach and educate these young minds that “With great power comes great responsibility.”

The Shaming and Heckling of #Infosec

“Do not let any unwholesome talk come out of your mouths, but only what is helpful for building others up according to their needs, that it may benefit those who listen.” – Ephesians 4:29

First, I understand this blog entry might sound a bit like “Monday Night Quarterbacking” or “Jumping on the Bandwagon”, and you are entitled to your own opinion.

Reading what my good friend Rafal Los wrote Monday evening in “Living in Glass Houses – #Infosec Industry’s Culture of Shaming”, I have to agree with him. Information security is hard.

I like to equate being in the information security/cyber security industry with being in the intelligence community.

To quote the movie The Recruit,

“Our failures are known. Our successes are not.”

The work and life of those in the intelligence community is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

The work and life of security and IT audit professionals share similar parallels. It is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

Security is, and will always be, challenging on both the offensive and defensive sides. It is a matter of degree. Both sides generally lack the support and resources to do the job, while at the same time they are some of the first scapegoats in the wake of a security incident.

From an offensive/penetration tester perspective, there is always a finite amount of time and resources when trying to rush in and identify risks without breaking the business or the piggy bank in the process. I somewhat question when a penetration tester announces they found a single vulnerability and concludes their job is complete. On every security engagement I have been on, there is always that lingering feeling that I missed something that warrants a closer look.

From a defensive/information security analyst perspective, it’s not easy. Between managing the day job (Layer 1-7 issues, putting out fires, doing investigations on security incidents, and normal responsibilities) and managing the night job (Layer 8 and 9 issues: Finances and Politics), it is a miracle in some sense that some firms actually have security in the first place, given the finite budgets they are given to work with and the sheer level of red tape they have to go through to get anything accomplished.

Being part of the Western Regional Collegiate Cyber Defense Competition for the last four years has taught me that playing defense is never as simple as doing a single thing. Whether it be people, process, or technology, something will fail, and that failure will lead to the compromise of a system or entire network. These blue teams (defenders) consistently have to anticipate every single strategy the red team (attackers) will use and win every single battle the red team wages. In contrast, the red team has the opportunity to win a single battle (or a few small skirmishes) to win the war. The same is true in the real world.

I challenge anyone out there, whether you are in the information security industry or information technology field, or simply a bystander, to understand the complexities we face together. The criticisms, and the demands that someone should be fired for this illusion, this perception of incompetence, need to stop. The heckling and shaming must stop, even if it is at a cyber competition. There is no such thing as secure. Even security firms are a target.

I challenge everyone that instead of shaming or heckling, we should be encouraging and edifying one another. Don’t tear people down. Build them up to be even better security professionals. As cliche as this is, we are all in this together.