Someone (China?) is building an enormous dossier database from all these massive hacks

Bob Sullivan

Perhaps you missed the tantalizing detail I reported earlier that Congressional investigators believe the initial Equifax hackers entered that company’s systems with computers using IP addresses in China. Or The New York Times reporting that U.S. authorities now blame China for the hack on Starwood / Marriott. You probably forgot that the devastating hack of the Office of Personnel Management systems has also been blamed on China. And you probably forgot that the hack of Anthem, the health care firm, was also blamed on China.

Combine all that information, and one thing seems disturbingly likely: There’s a big dossier database in the sky, controlled by some foreign entity, and your most personal information is in it.

Maybe you are worried about your credit report. But this surveillance database contains far, far more precious and revealing information. Where you traveled. How long you stayed. Your driver’s license. Your passport.  If you are a government worker, who your closest friends are, and even your fingerprint.

All in the hands of a foreign, potentially hostile, nation-state.

Attribution is a very tricky game — freelance actors? the Chinese government? Another nation state hiring mercenaries in China? — and anyone who asserts with surety they know who did it might be overstating their case. When we spent months looking into the Yahoo hack, it became clear that both nation-states and freelancers can be involved in the same hack, making breach analysis even harder. With Equifax, there’s a theory that rogue hackers gained entry at first, then handed off the access to a more sophisticated entity. This kind of hack-sharing means that whoever stole all that data from Yahoo — remember, for years, Russian agents could read millions of victims’ emails — is available to whoever is building this big dossier database in the sky. Passport numbers and 15-year-old emails linked? That’s quite an incredible amount of information.

It’s fashionable to blame things on China right now, but the particular nation-state that’s the culprit at Starwood doesn’t matter as much as the potential existence of this database.

I haven’t seen it, but plenty of folks I speak to very much believe it exists. The best evidence for it: Where are all the stories of Equifax-related identity thefts, or widespread Starwood points hacks, or….? Whoever is stealing this information isn’t doing it for money, and isn’t doing it for lulz. No one hangs out in a network for four years for lulz.  Or, for that matter, for money.

Instead, think about how useful a list of hotel stays would be as an intelligence-gathering tool. As my colleague at NBC News Ben Popken points out, Starwood is a favorite chain for U.S. Government employees. Executives, too. So perhaps most of the data is useless to the hackers; they just want the good stuff. That was initially the goal in the Yahoo hack: Read the email of very specific people. A needle-in-a-haystack search, with the hay uninteresting. Later on, however, the Yahoo hackers shared the stolen data with others who indeed picked through the hay — you and me, in this metaphor — and found all sorts of other uses for it.

Perhaps the criminals are even more interested in tracking corporate executives.  Understanding their movements can provide a lot of intelligence — “Why is he visiting South Korea? Is he interested in a new supplier?”  Think deeper, and you can imagine the data being used for leverage or extortion. What if a foreign power had information on a clandestine relationship a U.S. executive was having? That would be very useful in negotiations.

In some ways, all these hacks are starting to sound redundant, as if someone keeps stealing the same kinds of data over and over. But as Avivah Litan of Gartner recently told me, there is the matter of upkeep. Whoever has this database has to keep it current, and accurate. Each new heist helps the “owner” clean the data. (Read more from her here and here.)

Bill Malik at Trend Micro offers another clever use for this executive-tracking database: something I call executive identity theft. Business email compromise is among the fastest-growing cybercrimes. A criminal poses as a CEO and demands her secretary wire money overseas immediately as part of secret merger talks. It works because underlings are less likely to question bosses. If a criminal had a tool that predicted executive movements, imagine how much easier, and more targeted, these attacks could be.

At this point, you are probably wondering what all this has to do with you.  If merely monitoring high-value targets is the goal of these hackers, that should be a relief to most of us, right? Perhaps. You must understand that whoever is stealing these massive datasets is in it for the long game, however.  Again, the Starwood hack lasted four years.  Can you really be sure that you’ll be uninteresting to a foreign power in a decade or two?  Are you sure there isn’t an email you wrote in 2003 that wouldn’t embarrass you somehow in 2023?

This is the point at which an editor would yell at me to give readers some hope, to dole out advice on what to do about all this.  So sure, change your passwords and limit the personal information you give large companies. Always act like anything you type into a keyboard might eventually end up on a billboard in Times Square. But realistically, you are collateral damage in a cyberwar being fought by nation-states on one side and fairly helpless U.S. corporations on the other.  The big dossier database in the sky is only going to get bigger, and more accurate, with each big hack.  That’s our 21st Century reality now.


Email impersonation attacks: a clear & present danger

Larry Ponemon

Most companies admit that it is likely they experienced a data breach or cyberattack because of such email-based threats as phishing, spoofing or impersonation and they are concerned about the ongoing risk of such threats. However, as shown in this research there is a disconnect between the perceived danger of email-based threats and the resources companies are allocating to reduce these risks.

Email Impersonation Attacks: A Clear & Present Danger, sponsored by Valimail, was conducted by Ponemon Institute to understand the challenges organizations face to protect end-users from email threats, such as impersonation attacks. Ponemon Institute surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats.

The risks that are causing IT security practitioners to lose sleep are phishing emails directed at employees, executives, customers and partners; and email as a vector for cyberattacks. When asked what measures or technologies will be deployed in the next 12 months to prevent impersonation attacks, more companies say they will be using secure email gateway technology, DMARC, DKIM and anti-phishing training for employees. In fact, more companies will be using automated solutions to improve email trust.

We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively. Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users.
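To make the mechanism concrete, here is an added example (not code from the report or from Valimail) of the check a receiving mail server performs under DMARC: it looks for an identifier that both passed authentication and aligns with the domain in the From header, then applies the domain owner's published policy. The domains, the record values and the sample results are constructed, the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List, and the pct and sp tags are ignored. The point the findings above make shows up in the last scenario: a p=none record gives the domain owner reports, but a spoofed message is still delivered.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tag/value pairs, filling RFC 7489 defaults
    for the alignment modes. Unknown tags are kept but ignored below."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From
    domain, relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """What the receiving MTA already established for one message."""
    from_domain: str                     # domain in the RFC5322.From header
    spf_domain: Optional[str] = None     # envelope domain SPF passed for, if any
    dkim_domains: List[str] = field(default_factory=list)  # d= of passing signatures


def dmarc_evaluate(record: Dict[str, str], result: AuthResult) -> Dict[str, object]:
    """Apply the domain owner's policy to one message."""
    spf_aligned = aligned(result.from_domain, result.spf_domain, record["aspf"])
    dkim_aligned = any(aligned(result.from_domain, d, record["adkim"])
                       for d in result.dkim_domains)
    passed = spf_aligned or dkim_aligned
    policy = record["p"]
    if passed or policy == "none":      # p=none only monitors; nothing is blocked
        disposition = "deliver"
    elif policy == "quarantine":
        disposition = "quarantine"
    else:
        disposition = "reject"
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "pass": passed, "disposition": disposition}


# Constructed scenarios (not real domains or vendors).
ENFORCING = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
MONITORING = parse_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc@example.com")

# A bulk-mail vendor sends for example.com from its own envelope domain but
# signs with the customer's DKIM key: aligned via DKIM, so it passes.
VENDOR_MAIL = AuthResult("example.com", spf_domain="bulk-sender.net",
                         dkim_domains=["example.com"])
# An impersonator uses the same From domain, passes SPF only for a domain it
# controls, and cannot sign as example.com: no aligned identifier.
SPOOFED_MAIL = AuthResult("example.com", spf_domain="attacker-mail.net")

if __name__ == "__main__":
    for name, rec in (("p=reject", ENFORCING), ("p=none", MONITORING)):
        print(name, "vendor:", dmarc_evaluate(rec, VENDOR_MAIL)["disposition"],
              "spoof:", dmarc_evaluate(rec, SPOOFED_MAIL)["disposition"])
```

Note that the spoofed message passes SPF for the attacker's own envelope domain, so a filter looking only at the SPF verdict sees a pass; DMARC rejects it because that domain does not align with the From header. That is the difference between filtering content and authenticating the sender that the findings below turn on, and it is also why an inventory of every vendor sending as the domain (the second finding) has to precede moving from p=none to an enforcing policy.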

The following findings illustrate the disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study. 

  • Eighty percent of respondents are very concerned about the state of their companies’ ability to reduce email-based threats, but only 29 percent of respondents are taking significant steps to prevent phishing attacks and email impersonation. 
  • Only 27 percent of respondents say they are very confident that their organization knows all of the vendors and services that are sending email using the organizations’ domain name in the “From” field of the message. 
  • Companies have complex email environments. On average, companies in this research have more than 1,000 employees, six servers and 15 cloud-based services that send email on their behalf. However, only 41 percent of respondents say their organizations have created a security infrastructure or plan for email security. 
  • Despite the ineffectiveness of anti-spam and anti-phishing filters, they have been the primary solution for preventing email-based cyberattacks, and impersonation. Sixty-nine percent of respondents say their organizations use anti-spam or anti-phishing filters and 63 percent of respondents say they use these technologies to prevent impersonation attacks.
  • Companies are not spending enough to prevent email-based cyberattacks and fraud. While there is a sense of urgency among respondents to address the numerous threats against their email systems, only 39 percent of respondents say their organizations are spending enough to protect email from cyberattacks and fraud.

Because the risks discussed above are not being addressed, most companies believe they had a material data breach or cyberattack during the past 12 months that involved email. Seventy-nine percent of respondents say their organizations certainly or likely experienced a serious data breach or cyberattack during the past 12 months such as phishing or business email compromise. More than 53 percent of respondents say it is very difficult to stop such attacks.

“With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail. “While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks.”

To read the full study, click here and visit Valimail’s site. 

The life-cycle of a vote, and all the ways it can be hacked

Bob Sullivan

We know every vote counts, but will your vote actually be counted? Or will it be hacked? I’ve spent the last several months reporting on election hacking for my podcast Breach, and I’ve learned a lot: Mostly that vote “hacking” is a much broader problem than people realize.  While lots of attention has been paid to the hacking of electronic voting machines themselves, elections can be hacked months before, or months after, voting day.  Here’s a look at the entire life cycle of your vote, and all the places it can be hacked along the way.

Listen to the podcast on Stitcher or iTunes.


Step 1: Deciding to vote

The voting process begins when people decide to vote (or, they don’t), and register. The enemies of democracy spend a lot of time trying to convince citizens that their vote doesn’t count, that people shouldn’t even bother going to the polls. Encouraging apathy is actually step one. How does that happen? Through disinformation campaigns — state-sponsored trolling — that are nudged along unwittingly by people who fall for the trick.

“Academics will make the distinction that disinformation is false information that’s knowingly spread,” says Nick Monaco, a D.C.-based researcher and expert in worldwide trolling campaigns. “So there’s an intent to deceive people knowingly. Then they’ll say that misinformation is information that is spread unknowingly that’s false. So maybe you retweet a story that you thought was true, that would be a case of misinformation. But if you create a false story to smear someone that would be disinformation.”

In the podcast, we talk about a fictitious election between myself and Alia Tavakolian, my Breach co-host. Someone spreads a rumor online that I am a puppy killer — very untrue — and I lose crucial campaign time fighting off this attack. Why does it spread so quickly?  Bots, using artificial intelligence, talk it up.

“Most news organizations now have incentive (and) choose of their own accord to report on what’s trending online. What if what’s trending online is produced 90% by bots and 10% (by) humans?” Monaco said.

In other words, bots are hacking people’s attitudes. State-sponsored trolling is the hacking of our minds.

“I think that in the first place, if people’s attention is hacked already by a platform, and they’re spending time on this platform, and then they’re receiving messages that might sway their actions … So we already have you in one place, we know where you are, we know what you think about, and we know where you live. Let’s just send you some information that we think would be amenable to what you — what you think, and maybe influence you to act in some way,” Monaco said.



Step 2: Voter registration

Let’s say you press on past digital propaganda and decide you are going to vote. You register. That data has to live somewhere. And it has to remain accurate.  If a group wanted to engage in voter suppression, they could hack state registration databases and remove names — or just change addresses in a way that would create election-day chaos.

“(Voter) records are maintained in computer databases, many of which are connected directly or indirectly to the internet, and subject to the same kind of data breaches that affect other kinds of internet systems,” said Matt Blaze, a computer science professor at the University of Pennsylvania, where he’s been working on voting technology for the past fifteen years. “We often don’t find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote.”

This isn’t a theoretical risk. The U.S. government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

Even more ominous: If someone wanted to tip an election, they’d do this only in zip codes that traditionally leaned one way or the other.

“Because with the marketing data these days we can microtarget down to the neighborhood how we know a certain neighborhood’s going to vote,” said Maggie MacAlpine, co-founder of security firm Nordic Innovation Labs. “We’ve had some elections that were decided by less than 1,000 people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, ‘Well, I should be registered, why aren’t I registered?’ If you can keep that spike under the radar, you can actually change things that way.”

Many jurisdictions use e-poll books at voting locations now, to get the best registration information in the hands of poll workers. They also add another layer of technology to the process that can be hacked.


Step 3: Voting “Day”

U.S. voting machines have been under scrutiny dating back at least to the hanging chads of Bush v. Gore in the 2000 presidential election.  In 2002, Congress passed the Help America Vote Act, which gave states money and incentives to abandon old-fashioned voting machines and led to the purchase of electronic machines — generally touch-screens (DREs) or optical scan / scantron machines (like multiple-choice tests). They’ve caused a lot of trouble. There have been years of demonstrations showing the machines are vulnerable to various attacks.  Vendors often say these are only theoretical, that the machines themselves are not networked so they aren’t really vulnerable.  Many voting experts disagree.

“What people sometimes don’t understand about voting machines is that they’re really not as isolated from each other and from internet-attached systems as they may seem,” said J. Alex Halderman, director of the Center for Computer Security and Society at the University of Michigan, and another long-time voting expert.

For starters, the machines must be loaded with candidates — somehow.


“Before every election, virtually every electronic voting machine in the country has to be programmed, and it has to be programmed with the ballot design. That is the candidates, the races, and the rules for counting,” he said.  This is usually done with an election management system. “(Hackers) can potentially spread malicious software to every voting machine in the jurisdiction just by having that software essentially hitch a ride with the ballot programming that election officials copy to the machines in the field.”

Harri Hursti was the researcher who first hacked voting machines nearly 15 years ago.  His technique actually has a name: “The Hursti Hack.”

“What I found was that the bootloader is looking from the memory card a certain file name. If it finds that name, it will reprogram itself with the contents of that file with no checks, balances whatsoever,” he said. Some of the same machines he hacked 15 years ago are still being used in elections today. “Sometimes I get tired of talking about it…but it took people 15 years to listen.”
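The flaw Hursti describes, a loader that trusts anything on removable media by file name, maps onto a few lines of code. The following is an added example, not the machine's firmware or Hursti's own demonstration: a minimal model of that loader beside one that refuses any image whose authenticity and version cannot be verified. The file name, the image layout and the firmware bytes are invented, and an HMAC-SHA256 under a factory-provisioned device key stands in for a public-key signature so the example runs with the standard library only; a production bootloader should verify an asymmetric signature, so that the key held on the device cannot itself produce a valid update.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Hypothetical magic file name the bootloader looks for on the card (assumption;
# not the real machine's file name).
UPDATE_NAME = "update.bin"

# Assumed signed-image layout: 4-byte big-endian version | 32-byte MAC | payload.
HEADER = struct.Struct(">I32s")


def vulnerable_load(card: Dict[str, bytes]) -> Optional[bytes]:
    """The pattern described above: if the magic name exists on the card, its
    contents become the new firmware. Anyone who can write to the card wins."""
    return card.get(UPDATE_NAME)


def sign_update(device_key: bytes, version: int, payload: bytes) -> bytes:
    """Producer side: bind version and payload under the key so neither can be
    altered and an old image cannot be relabelled as new."""
    mac = hmac.new(device_key, struct.pack(">I", version) + payload,
                   hashlib.sha256).digest()
    return HEADER.pack(version, mac) + payload


def verified_load(card: Dict[str, bytes], device_key: bytes,
                  installed_version: int) -> Optional[bytes]:
    """Hardened loader: only a well-formed image with a valid MAC and a newer
    version than what is installed is accepted; everything else is refused."""
    blob = card.get(UPDATE_NAME)
    if blob is None or len(blob) < HEADER.size:
        return None
    version, mac = HEADER.unpack_from(blob)
    payload = blob[HEADER.size:]
    expected = hmac.new(device_key, struct.pack(">I", version) + payload,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None                              # tampered, corrupted or unsigned
    if version <= installed_version:
        return None                              # rollback to an older image
    return payload


# Constructed demonstration values.
DEVICE_KEY = b"factory-provisioned-key-for-demo-only"
GOOD_IMAGE = sign_update(DEVICE_KEY, 2, b"firmware v2 (constructed)")
ROGUE_IMAGE = b"firmware written by whoever held the card (constructed)"


def tamper(image: bytes) -> bytes:
    """Flip one payload byte after signing, as a careless attacker might."""
    body = bytearray(image)
    body[-1] ^= 0x01
    return bytes(body)


if __name__ == "__main__":
    print("vulnerable, rogue card:", vulnerable_load({UPDATE_NAME: ROGUE_IMAGE}))
    print("verified, rogue card:  ", verified_load({UPDATE_NAME: ROGUE_IMAGE}, DEVICE_KEY, 1))
    print("verified, good card:   ", verified_load({UPDATE_NAME: GOOD_IMAGE}, DEVICE_KEY, 1))
```

The version check matters as much as the signature: without it, an attacker who cannot forge a new image can still reinstall an old, genuinely signed one that has a known flaw. The check is only as good as the key's protection, which is the case for asymmetric signing in real devices.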

Step 4: Vote counting

Once you leave the polling place, an intricate dance of technology takes place. Perhaps the machine you used creates a local tally and prints out an end-of-day receipt, which is later added to tallies from other machines in that precinct, in that county, and that state. The counts themselves must be accurate, but perhaps more important, the transmission of the counts must be secure. Many experts see this as a vulnerable step.

“If we’re able to modify the transmission of vote tallies back and forth across these systems, we could potentially influence the vote,” said Mark Kuhr, a security expert with Synack Inc.

The votes might be sent over the Internet. They might be sent via “sneaker net,” with a courier driving memory cards to a central location. In some states, vote tallies are transmitted wirelessly, and that introduces more potential problems. States that do this say the data is encrypted, but experts still worry about vulnerabilities such as so-called man-in-the-middle attacks: encryption alone does not tell the receiving end who it is talking to, so without authentication of both endpoints and an integrity check on the tallies the link remains exposed. Devices like Stingray machines, often used by police to intercept smartphone transmissions, can pose as cellular network towers and capture everything sent toward those towers.

Step 5: Announcing the results

It’s easy to overlook, but perhaps the prime election hacking opportunity might also be the easiest – skip the James-Bond-esque vote-flipping efforts, and just hack a secretary of state’s website to cause confusion.

“We know that the Russians have hacked websites that announce election results in the past,” said Jake Braun, executive director of the University of Chicago Cyber Policy Initiative and organizer of the Voting Village project at hacker conference Def Con. “They did it in the Ukraine a few years back. I mean, can you imagine if it’s election night 2020, and they have to take the Florida and Ohio websites down because they’ve been hacked by Russia, and like Wolf Blitzer is losing his (mind) on CNN and Russian RT has announced that their preferred candidate won, who knows who that is, and then of course the fringe media starts running with it as if it’s real here in the United States. …How long would it take to unwind that? I mean it would make Bush v Gore in 2000 look like well-ordered democracy.”


This makes me think of somebody who spent six hours making a wedding cake and drives it to the wedding and gets to the wedding and the second before they’re going to put it on the table, they trip and fall and the wedding cake splatters on the floor. That’s our election process.

Step 6: Accepting the results

Even after the vote is over, it’s not over.  A critical element of democracy is that the losing side accepts the results. Think back to step 1: If an enemy of democracy could foment enough disenchantment that a sizable set of the population refuses to accept the legitimacy of the election, that could be enough to “hack” the election process, too.

“Messaging around the integrity of voter information or the legitimacy of the election is something I’m really worried about,” Monaco said. “So aside from hard hacking of infrastructure, (what scares me most is) a disinformation campaign that would say, ‘The vote’s not legitimate, these people couldn’t vote, their voting records were altered,’ even if that stuff’s not true. I mean the scary part is like with a kernel of truth that would really, really empower that disinformation campaign. So that’s like a nightmare scenario for me.”

In our market, the dollar bill is the fundamental unit of capitalism in America. The integrity of the dollar bill is paramount. If one day people decided, “What is the dollar really worth? I’m not sure. I don’t trust this thing,” our country would collapse. Voting is exactly the same way. The vote is the central unit of democracy, and right now the vote is under serious threat. People right now are asking themselves, “Should I really take a vote or not? Does that really matter? Does it really count? When we added them all up, is it really correct?” It’s that fundamental an assault on our way of life.

The End: Next steps

Kim Zetter, who’s been reporting on election hacking for a decade, lays out the dark reality. Russian election interference is only the latest in a long line of problems with the way we vote in America.

“I would say that the Russians are a red herring because that’s not why we should be looking at this. This problem has existed since 2002, people have ignored it,” she said. What is the real danger? “Everything is the danger. Danger is a software bug that could cause the machine to not record your vote to — to lose votes, to record it inaccurately. The danger is an insider in the election office, anyone who is opposed to U.S. foreign policy, anyone who has a gripe with the U.S. And again, it doesn’t have to be someone who’s really sophisticated. “

If all this seems hopeless, it’s not.  For starters, every single expert we talked to about election hacking said that, while the problem is challenging, democracy is far from doomed.

“I have confidence in our democratic institutions, and we’ve survived a lot,” said Adam Levin, whose company Cyberscout performs security audits for state election officials. “And my belief is that we’re going to survive this as well, but the truth is, look, it is a Herculean task. It is a daunting task. No one denies that. But this country has always stepped up, always. At some point, we dug down deep, and we stepped up.”

What can you do? Step up and vote. And be informed. The biggest vulnerability in democracy is apathy. The fewer people who vote, the easier it is to manipulate the result. The fewer people who work hard to be informed, the easier they are to manipulate. The angrier you are, the easier it is to set you against your fellow citizens. So vote on (or before!) election day. Read, read, read before and after the election to stay informed. And don’t fall for the enemies’ “divide and conquer” strategy or “let’s you and him fight” tactics. Disagree, but keep America a civil society. There’s a lot you can do to prevent the hacking of democracy. Listening to the full podcast would be a good start.


Where’s the data? Firms increasingly fret about governance; join us for a free webinar

Larry Ponemon

There will be a free live webinar discussing these results on Oct. 18 at 11 a.m. Click here to register for this webinar.

Organizations are becoming increasingly vulnerable to risks created by the lack of oversight, visibility and controls over employees and other insiders who have access to confidential and high-value information assets. The 2018 Study on the State of Data Access Governance, sponsored by STEALTHbits Technologies, reveals the importance of a Data Access Governance program that can effectively reduce the risk created by employees’ and privileged users’ accidental and conscious exposure of confidential data.

In the context of this research, Data Access Governance is about making access to data exclusive and limiting the number of people who have access to data and their permissions to that data to the lowest levels possible. Ponemon Institute surveyed 991 IT and IT security practitioners in the United States (586) and United Kingdom (405).

To ensure these respondents have an in-depth knowledge of how their organizations manage users’ access to data, we asked them to indicate their level of access to their organizations’ IT networks, enterprise systems, applications and confidential information. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents.

While the study reveals companies are taking some steps to manage the risk, these respondents, who are knowledgeable about access rights in their organizations, perceive that the risk will either increase (48 percent) or stay the same (41 percent) over the next year.

Key Findings

 Following is an analysis of the key findings. The complete audited findings are presented in the Appendix of this report. We have organized the findings according to the following topics:

  • The risk of end user access to unstructured data
  • Data Access Governance tools used to limit access to sensitive data
  • Current practices in assigning privileged user access
  • Effectiveness of Data Access Governance programs
  • Recommendations for improving Data Access Governance programs

The risk of end user access to unstructured data

 Organizations lose track of where employees and other insiders are storing unstructured data. In the context of this research, end users are employees, temporary employees, contractors, consultants and others who have limited or “ordinary” access rights to their organizations’ IT resources.

Unstructured data is defined as information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured data tends to be user generated or manipulated data that lives in documents, such as spreadsheets or even scanned and signed contracts. Typically, this data may be in a structured format in an application and exported to a document for use by a person or team of people.

Respondents were asked to rate their confidence that their organization knows where users are storing unstructured data from 1 = no confidence to 10 = high confidence. Only 19 percent of respondents rate their confidence as high (7+ responses). This lack of confidence indicates that much of a company’s sensitive unstructured data is not secured.

Organizations lack visibility into how users are accessing unstructured data. As discussed above, respondents have little confidence they know where unstructured data resides. They also don’t know for certain the end users accessing the sensitive unstructured data.

Half of respondents (50 percent) say their organizations rely upon platform capabilities, such as the access controls built into Dropbox, to determine who has access to sensitive unstructured data. Only 37 percent of respondents say they use role-based access enforced through AD groups, even though many rate AD as very important. Only 31 percent of respondents monitor compliance with policies, and only 28 percent use information from specialized file activity monitoring.
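Knowing who can actually reach a folder means resolving nested group membership, since a user three groups deep has the same access as one named directly. The following is an added example, not from the report or from STEALTHbits: a constructed directory snapshot and share ACL, a resolver that expands nested groups (tolerating membership cycles), and two audit checks that fall out of it, namely direct user grants that bypass the role model and members who reach a role group through nesting without being on the intended list.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory snapshot (not real data): group name -> direct members,
# where a member may be a user or another group.
GROUPS: Dict[str, List[str]] = {
    "Finance-Readers": ["alice", "Finance-Leads"],
    "Finance-Leads": ["bob", "All-Contractors"],             # nested, wider than intended
    "All-Contractors": ["carol", "dave", "Finance-Readers"],  # membership cycle
    "HR-Staff": ["erin"],
}

# Constructed share ACL: principal -> right. One entry names a user, not a role group.
SHARE_ACL: Dict[str, str] = {
    "Finance-Readers": "read",
    "frank": "full",          # direct user grant bypassing the role model
}


def expand_group(group: str, groups: Dict[str, List[str]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a group to the set of users it contains, following nesting and
    stopping when a group is revisited (cycles are common in real directories)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users: Set[str] = set()
    for member in groups.get(group, []):
        if member in groups:
            users |= expand_group(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_access(acl: Dict[str, str],
                     groups: Dict[str, List[str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """user -> {(right, granted-via)}: the answer to 'who can read this folder,
    and through which ACL entry'."""
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for principal, right in acl.items():
        users = expand_group(principal, groups) if principal in groups else {principal}
        for user in users:
            result.setdefault(user, set()).add((right, principal))
    return result


def direct_user_grants(acl: Dict[str, str], groups: Dict[str, List[str]]) -> List[str]:
    """ACL entries naming a user rather than a group: exceptions a role-based
    model should not accumulate."""
    return sorted(p for p in acl if p not in groups)


def unexpected_members(group: str, expected: Set[str],
                       groups: Dict[str, List[str]]) -> Set[str]:
    """Users who reach the group through nesting but are not on the intended list."""
    return expand_group(group, groups) - expected


if __name__ == "__main__":
    for user, grants in sorted(effective_access(SHARE_ACL, GROUPS).items()):
        print(user, sorted(grants))
    print("direct user grants:", direct_user_grants(SHARE_ACL, GROUPS))
    print("unexpected Finance-Readers:",
          sorted(unexpected_members("Finance-Readers", {"alice", "bob"}, GROUPS)))
```

In the constructed data, carol and dave can read the finance share only because a contractor group was nested into a leadership group; a review that looked at the ACL alone would never show them. Running this kind of expansion against a real directory export, then comparing it with the list a data owner expects, is the visibility step the findings above say most organizations lack.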

Documents and spreadsheets are the unstructured data most secured today. Some 71 percent of respondents say documents and spreadsheets are most often secured and 64 percent of respondents say emails and text messages are secured.

Confidence in safeguarding unstructured data is low. As a result of the volume of unstructured data that needs to be protected and the difficulty in determining who has access to sensitive unstructured data, only 25 percent of respondents rate their confidence in discovering unstructured data containing sensitive information as very high (7+ on a scale of 1 = no confidence to 10 = high confidence). Only 12 percent of respondents are highly confident in their organizations’ ability to discover where unstructured data is stored in the cloud.

Inappropriate behaviors by end users put organizations at risk. Fifty-nine percent of respondents say users access sensitive or confidential data because of curiosity and 52 percent of respondents say users share their access rights with others.

False positives and too much data are the biggest challenges in determining if an event or incident is an insider threat. Organizations find it difficult to determine if inappropriate access to sensitive data was caused by a negligent or malicious insider. Security tools yield too many false positives (63 percent of respondents) and security tools yield more data than can be reviewed in a timely fashion (60 percent of respondents) are the biggest challenges in determining if an event or incident is an insider threat.

To continue reading, download the full report at Stealthbits website.




What should college students know about ethics and technology? Help us make a 101 course, here

Bob Sullivan

What should computer science students — all college students — learn about the intersection of ethics and technology? @ethicaltechorg, founded by two Duke University students, (I’m an adviser) is crowdsourcing the curriculum for Tech Ethics 101. Thoughts here, or at the link:

Algorithms run our lives today. They decide what homes we should buy, who we should date, what jobs we are qualified for, what updates and Tweets we see, and even welfare payments, mortgage loans, and how long convicts must remain in prison. Complex formulas make all these decisions in darkness, their calculations unknown to their subjects, often even beyond the understanding of their data scientist creators. Operating beyond reproach inside a black box, computers have become our puppet-masters, as consumers buy things, choose mates, and make political decisions based on realities calculated on their behalf.

But like all systems that operate in secret, algorithms have a dark side. They can lie. They remain vulnerable to hacking and reverse-engineering. And they reinforce some of society’s worst elements, like racial, class, and gender bias.

I’m really concerned about this; I believe everyone in the world should be. So today I’m announcing that I’ve joined a new group called Ethical Tech, which collaborates with groups like the Duke University Center on Law and Technology; I’m a member of the organization’s advisory board.  Founders Cassi Carley and Justin Sherman, both of Duke, have ambitious plans for the organization.

We join a rich set of organizations springing up lately — long overdue — to deal with runaway technology and its unintended consequences.  The Center for Humane Tech opened its doors earlier this year, born out of frustration with Facebook, promising to help programmers think more about what they are making. Just this week, my pal Julia Angwin announced a publication called The Markup, funded by Craig Newmark from Craigslist. It will seek to add journalistic accountability to the world of technology.  So, energy around this topic is brewing.

At Ethical Tech, our  first project involved bias in algorithms used by judges around the country to decide how long convicted criminals should spend in prison. Several other projects are in the works, including design of a tech-ethics class for college students.

I hope you will consider helping. What should future programmers know? What should future digital citizens know? How can we arm them for this ongoing information war; and how can we convince engineers to use their math skills for good instead of evil?

I often ask a basic question when I am in groups, like this: “The Internet — good or bad?” Yes, yes, it’s done an amazing job spreading information around the world. But it’s done an even better job spreading BAD information around the world. Some research suggests that more people think the world is flat today than 10 years ago. So, that’s bad. But it doesn’t have to be that way. (And anyway, I think the Internet is good, but it’s more a 60-40 thing). We can’t afford to be passengers in this digital journey any longer, however. We have to make deliberate choices, every day, to make sure tech enhances our humanity instead of destroying it. That will require concentrated effort across all sorts of party, racial, gender, and ideological lines. We’re going to have to talk to each other. So, let’s get started.

What should computer science students — all college students — learn about the intersection of ethics and technology? @ethicaltechorg, based at Duke (I’m an adviser), is crowdsourcing the curriculum for Tech Ethics 101. Thoughts here, or at the link:


Separating the truths from the myths in cybersecurity

Larry Ponemon


Ponemon Institute, with sponsorship from BMC, conducted the study on Separating the Truths from the Myths in Cybersecurity to better understand the security myths that can be barriers to a more effective IT security function and to determine the truths that should be considered important for the overall security posture. In the context of this survey, cybersecurity truths are based on the actual experience of participants in this research. In contrast, cybersecurity myths are based on their perceptions, beliefs and gut feel.

More than 1,300 IT and IT security professionals in North America (NA), United Kingdom (UK) and EMEA who have various roles in IT operations and security were surveyed. All respondents are knowledgeable about their organizations’ IT security strategies.

Separating the truths from the myths in cybersecurity

Following are statements about cybersecurity technologies, personnel and governance practices. Participants in this research were asked if these statements are considered truthful or if they are based solely on conjecture or gut feel (i.e. myth). Specifically, respondents rated each statement on a five-point scale from -2 = absolute myth, -1 = mostly myth, 0 = can’t be determined, +1 = mostly truth and +2 = absolute truth. The number shown next to each statement represents the average index value compiled from all responses in this study. As can be seen, not all myths and truths are equal: the averages range from -1.04 to +0.78.

Drawing upon nonparametric statistical methods, we separated those statements that had a statistically significant positive value that was above 0 (i.e. truth) from those statements that had a statistically significant negative value at or below 0 (i.e. myth).
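As an added illustration that is not part of the Ponemon report, the code below computes the average index value for a statement from -2..+2 ratings and splits statements into truth, myth or undetermined. The report does not name the nonparametric test it used, so an exact two-sided sign test on the median is assumed here, and the ratings are constructed sample data.

```python
"""Truth/myth classification of survey statements rated on the -2..+2 scale.

Assumption (not stated in the report): the nonparametric test is an exact
two-sided sign test of "median rating = 0". A statement counts as a truth
when the test is significant and the average index is positive, as a myth
when significant and the average is negative, and is undetermined otherwise.
"""
from math import comb
from statistics import mean

# The five-point scale used in the survey.
SCALE = {-2: "absolute myth", -1: "mostly myth", 0: "can't be determined",
         1: "mostly truth", 2: "absolute truth"}


def index_value(ratings):
    """Average index value: the mean of the -2..+2 ratings, to two decimals."""
    for r in ratings:
        if r not in SCALE:
            raise ValueError(f"rating {r!r} is outside the -2..+2 scale")
    return round(mean(ratings), 2)


def sign_test_p(ratings):
    """Exact two-sided sign test that the median rating is 0.

    Zero ratings ("can't be determined") carry no sign and are dropped,
    as in the classical sign test. Returns the two-sided p-value.
    """
    nonzero = [r for r in ratings if r != 0]
    n = len(nonzero)
    if n == 0:
        return 1.0
    positives = sum(1 for r in nonzero if r > 0)
    k = min(positives, n - positives)
    # P(X <= k) for X ~ Binomial(n, 1/2), doubled for the two-sided test.
    lower_tail = sum(comb(n, i) for i in range(k + 1)) / 2 ** n
    return min(1.0, 2 * lower_tail)


def classify(ratings, alpha=0.05):
    """Return 'truth', 'myth' or 'undetermined' for one statement."""
    idx = index_value(ratings)
    p = sign_test_p(ratings)
    if p < alpha and idx > 0:
        return "truth"
    if p < alpha and idx < 0:
        return "myth"
    return "undetermined"


# Constructed sample ratings (20 respondents per statement); the statement
# texts are from the report, the ratings are invented for this example.
SAMPLE = {
    "There is a skills gap in the IT security field.":
        [2] * 6 + [1] * 8 + [0] * 4 + [-1] * 2,
    "Too much security diminishes productivity.":
        [-2] * 8 + [-1] * 8 + [0] * 2 + [1] * 2,
    "Insider threats are costlier to detect and contain than external attacks.":
        [-2] * 5 + [-1] * 7 + [0] * 3 + [1] * 5,
}


def classify_all(sample=SAMPLE, alpha=0.05):
    """Map each statement to (index value, p-value, verdict)."""
    return {text: (index_value(r), round(sign_test_p(r), 4), classify(r, alpha))
            for text, r in sample.items()}


if __name__ == "__main__":
    # A negative average alone is not enough: the third statement leans
    # "myth" on average but does not reach significance with 20 responses.
    for text, (idx, p, verdict) in classify_all().items():
        print(f"{idx:+.2f}  p={p:.4f}  {verdict:<12}  {text}")
```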

Truth – The test statistic confirms the following statements are mostly believed to be a fact


  1. There is a skills gap in the IT security field. +0.78
  2. Security patches can cause greater risk of instability than the risk of a data breach. +0.52
  3. The cloud is cost effective because it is easier and faster to deploy new software and applications than on-premises. +0.52
  4. Greater visibility into all applications, data and devices and how they are connected lowers an organization’s security risk. +0.45
  5. Malicious or criminal attacks are the root cause of most data breaches. +0.42
  6. A strong security posture enables companies to innovate and take risks that can lead to greater profitability. +0.33
  7. IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. +0.22
  8. Many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity. +0.09


Myth – The test statistic confirms the following statements are mostly a myth


  1. Too much security diminishes productivity. -1.04
  2. A strong security posture does not affect consumer trust. (In other words, a strong security posture is considered beneficial to improving consumers’ trust in the organization.) -0.87
  3. Automation is going to reduce the need for IT security expertise. -0.55
  4. Artificial intelligence and machine learning will reduce the need for IT security expertise. -0.50
  5. It is difficult or impossible to allocate the time and resources to patching vulnerabilities because it leads to costly business disruptions and downtime. -0.41
  6. Insider threats are costlier to detect and contain than external attacks. -0.27
  7. Nation state attacks are mainly a threat for government organizations. -0.24
  8. Security intelligence tools provide too much information to be effective in investigating threats. -0.21

Discussion — the state of cybersecurity 

Senior management believes in the importance of the IT security function. Sixty-one percent of respondents say their senior management does not view IT security as a strictly tactical activity, a view that would reduce its importance in the eyes of senior management. Respondents concur that IT security in their organization is considered a strategic imperative.

Companies face a shortage of skilled and competent in-house staff. According to another Ponemon Institute study[1], 70 percent of chief information security officers and other IT security professionals surveyed say a lack of competent in-house staff is what they worry about most when trying to defend their companies against cyberattacks. Further, 65 percent of these respondents say the top reason they are likely to have a data breach is because they have inadequate in-house expertise.

Are tensions between the IT and IT security function diminishing the security of organizations? Fifty-six percent of respondents agree that there is tension between IT security and IT operations because of a lack of alignment of their different priorities. Specifically, IT operations is more concerned with the organization’s business objectives and IT security is focused on securing the enterprise from cybersecurity threats.

However, many respondents believe that despite this tension, IT security and IT operations work closely to make sure resolution and remediation of security problems are completed successfully. Collaboration between these two groups can be improved through the use of tools that bring these two functions closer together and foster teamwork which will benefit the organization as a whole.

Investments in security technologies should be aligned with the overall IT strategy and not lead to complexity. While the priorities of IT security and IT operations are often not in alignment, investments in technologies are consistent with their organizations’ overall IT strategy, according to 60 percent of respondents. However, respondents believe many organizations are suffering from investments in disjointed, non-integrated security products that increase cost and complexity.

Technology investments are often motivated by well-publicized data breaches.  Fifty percent of respondents say data breaches that are widely reported in media can influence the decisions to purchase security technologies. While companies may purchase cyber insurance to manage the financial consequences of a data breach, only 34 percent of respondents say such a policy would reduce their investments in security technologies.


Mark Zuckerberg is the world’s front-page editor now. That’s the real problem

Bob Sullivan

Mark Zuckerberg never set out to be the world’s editor in chief, but here we are.  And sorry Mark, you are a terrible front page editor.

Hearings in Congress today dug into the weeds of why Americans feel like social media is letting them down — it was a ready-made tool for Russian election interference; it’s now silencing some voices based on vague criteria, and so on.  But these aren’t THE problem. They are just symptoms.

Two thirds of Americans get their news from social media today. Most from their Facebook wall. That’s a very, very small window through which to see the world.  Worse yet, most of them don’t know how social media really works.  Pew just released a study showing a majority have no idea how stories are selected for Facebook’s news feed. And they don’t believe they have any influence over what appears there.

That’s THE problem.

Fairly recently, a consumer reading a newspaper who didn’t like what was on the front page could do something simple, but now seems revolutionary — she could turn the page.  Over and over.  And within 10 minutes or so, she’d be exposed to hundreds of stories, neatly organized in sections.  If she were really smart, she might do this with three or four papers. More to the point, she had a pretty good understanding of why those headlines and those stories appeared in those sections.

Today, we scroll.  A supercomputer designed to hack our attention span optimizes that “front page” for “engagement,” with the goal of hypnotizing you into sticking around. There are no sections, no priorities. Only click-bait.  And whatever Facebook has decided is important to the hypnotics that month (Live video! Puppies!). If a good story doesn’t click with the first few folks who see it, it’s dismissed into the long tail of Internet oblivion, destined to be a tree that’s fallen silently in an empty forest. This story, I’d think, will be a good candidate for that scrap heap.

I don’t begrudge that (ok, of course I do. Facebook’s algorithm changes have killed my website in recent months).  But I found this piece of Pew’s most recent survey the most troubling: Facebook offers token tools for adjusting what’s on users’ front pages, but even these are rarely used. Fully two-thirds of users have never even tried to influence the content on their news feed. Of course, the older users get, the less likely they’ve taken an active step to change their feed, such as unfollowing groups or asking that certain friends be prioritized. (Please choose “see more” of me.)

In other words, news consumption in America is dangerously passive.  And Mark Z is the most powerful front page editor in history.

This is not what Facebook set out to do; I genuinely think many at the company are horrified by this state of affairs.  I am one who believes it is an existential threat to the company — it’s very far from Mark’s core expertise. And users will eventually revolt. In a separate Pew survey, researchers found that 42% of users had taken some kind of Facebook break recently. And 26% said they had deleted the app from their phone. Those numbers seem awfully high to me, but you get the point.  People sort of hate Facebook now for what it’s done to their lives.  That’s not a great business model.

And it’s getting worse. As Facebook works frantically to save itself, and to defuse the bomb it’s been turned into, news feed is often shrunken. Puppy photos are back on top; interesting news stories (like this one!) are out.  Users see an even smaller selection of “follows” when they look.  You might have 500 friends, but only 25 of them appear in your feed, urban legends and empirical evidence tell us.

Why are we really here? Since the beginning of time, Facebook has refused to offer an unfiltered option that would simply list every post from every friend.  When a software maker invented a third-party app to make such a raw feed, Facebook forced it to shut down. Users would be overwhelmed by so many posts, the firm believes.  News feed must be edited.  And so, here we are.

Yes, in some ways, we did this to ourselves.  Nothing stops Americans from visiting on their own, instead of relying on the news feed (or Google News) for their headlines. Heaven forbid, we could actually subscribe to a newspaper, too.  But, as I began this piece, here we are.  The world’s most efficient tool for connecting human beings, one of the Internet’s original killer apps, has killed our curiosity.  We’re devolving into digital-made tribes, only listening to the 25 or so people who make the front page of our lives.

As the saying goes, you made this mess, Mark. You have to clean it up.

The value of Artificial Intelligence in Cybersecurity

Larry Ponemon

Ponemon Institute is pleased to present The Value of Artificial Intelligence in Cybersecurity sponsored by IBM Security. The purpose of this research is to understand trends in the use of artificial intelligence and how to overcome barriers to full adoption.

Ponemon Institute surveyed 603 IT and IT security practitioners in US organizations that have either deployed or plan to deploy AI as part of their cybersecurity program or infrastructure. According to the findings, these participants strongly believe in the importance and value of AI but admit that being able to get the maximum value from technologies is a challenge.

The adoption of AI can have a very positive impact on an organization’s security posture and bottom line. The biggest benefit is the increase in speed of analyzing threats (69 percent of respondents) followed by an acceleration in the containment of infected endpoints/devices and hosts (64 percent of respondents). Because AI reduces the time to respond to cyber exploits organizations can potentially save an average of more than $2.5 million in operating costs.

In addition to greater efficiencies in analyzing and containing threats, 60 percent of respondents say AI identifies application security vulnerabilities. In fact, 59 percent of respondents say that AI increases the effectiveness of their organizations’ application security activities.

To improve the effectiveness of AI technologies, organizations should focus on the following three activities.

Attract and retain IT security practitioners with expertise in AI technologies. AI may improve productivity but it will increase the need for talented IT security personnel. Fifty-two percent of respondents say AI will increase the need for in-house expertise and dedicated headcount.

Simplify and streamline security architecture. While some complexity in an IT security architecture is expected in order to deal with the many threats facing organizations, too much complexity can impact the effectiveness of AI. Fifty-six percent of respondents say their organizations need to simplify and streamline security architecture to obtain maximum value from AI-based security technologies. Sixty-one percent say it is difficult to integrate AI-based security technologies with legacy systems.

Supplement IT security personnel with outside expertise. Fifty percent of respondents say it requires too much staff to implement and maintain AI-based technologies and 57 percent of respondents say outside expertise is necessary to maximize the value of AI-based security technologies.

As the adoption of AI technologies matures, the more committed organizations become to investing in these technologies.

In this research, 139 respondents of the total sample of 603 respondents self-reported that their organizations have either fully deployed AI (55) or partially deployed AI (84). We refer to these respondents as AI users. We conducted a deeper analysis of how these respondents perceive the benefits and value of AI. Following are some of the most interesting differences between AI users and the overall sample of respondents who are in the planning stages of their deployment of AI. 

  • AI users are more likely to appreciate the benefits of AI technology. Seventy-one percent of AI users vs. 60 percent of the overall sample say an important benefit is the ability of AI to deliver deeper security than if organizations relied exclusively on their IT security staff.
  • AI users are more likely to believe these technologies simplify the process of detecting and responding to application security threats. As a result, AI users are more committed to AI technologies.
  • While AI users are more likely to believe AI will increase the need for in-house expertise and dedicated headcount (60 percent of AI users vs. 52 percent in the overall sample), these respondents are more aware than the overall sample that AI benefits their organization because it increases the productivity of security personnel.
  • AI has reduced application security risk in organizations that have achieved greater deployment of these technologies. When asked about the effectiveness of AI in reducing application security risk, 69 percent of respondents say these technologies have significantly increased or increased the effectiveness of their application security activities vs. 59 percent of respondents in the overall sample who say their effectiveness increased in reducing application security risk.
  • AI technologies tend to decrease the complexity of organizations’ security architecture. Fifty-six percent of respondents in organizations that have more fully deployed AI report that instead of adding complexity AI actually decreases complexity. Only 24 percent of AI users say it increases complexity.
  • As the use of AI increases, the more knowledgeable the IT security staff becomes in identifying areas where the use of advanced technologies would be most beneficial. Fifty-six percent of AI users rate their organizations’ ability to accurately identify areas in their security infrastructure where AI and machine learning would create the most value as very high.
  • AI improves the ability to detect previously “undetectable” zero-day exploits. On average, AI users are able to detect 63 percent of previously “undetectable” zero-day exploits. In contrast, respondents in the overall sample say AI can increase detection by an average of 41 percent.

Download the entire report from IBM here. 

The newest, most devastating cyber-weapon: ‘patriotic trolls’

Bob Sullivan

Governments around the world are waging war on a new battleground: Social Media.  Their fighting force is an army of trolls. And if you are reading this story, you’ve probably been drafted.

Troll armies have helped overthrow governments and control populations. The playbook has been repeated in places like Turkey, India, and the Philippines. Once installed, trolls become engines of state propaganda, shouting down and crowding out voices of dissension.

While America is embroiled in an endless back-and-forth about Russian election meddling, this larger development has largely been missed: The 2016 election was just a data point in a much larger, more alarming trend. Trolling has become perhaps the most powerful weapon in 21st Century warfare.

If free speech has a weakness, this is it.  And it’s being used against democratic societies across the globe.

Sometimes called “patriotic trolling,” it’s a stunning reversal from the way dictatorial regimes used to handle the information superhighway — by shutting off the on ramps.  Increasingly, those in power are instead flooding the highway with misinformation, overwhelming it with noisy and malicious traffic.  It’s easier, and far cheaper, to control populations with a hashtag than the barrel of a gun.

The Great Firewall is being replaced by the Great Troll.

“States have realized that the internet offers new and innovative opportunities for propaganda dissemination that, if successful, obviate the need for censorship. This approach is one of ‘speech itself as a censorial weapon,’ ” write authors Carly Nyst and Nicholas Monaco in a chilling new report called “State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns.”  The report was published by the Institute for the Future, which says it is a non-partisan research group based in Palo Alto, California.   “States are seizing upon declining public trust in traditional media outlets and the proliferation of new media sources and platforms to control information in new ways. States are using the same tools they once perceived as a threat to deploy information technology as a means for power consolidation and social control.”

What does state-sponsored trolling look like? Government officials and political leaders encourage personal attacks on opponents and civil rights groups.  They sow seeds of disbelief around the work of traditional watchdogs, like judges and journalists.  They encourage public vitriol and cynicism by citizens to protect themselves and their policies from traditional scrutiny and debate.

In some cases, professional trolls are hired to sow seeds of doubt and frustration. Other regimes sign up volunteers into an organized “cyber militia” to harass journalists and civil rights groups.  But in many cases, citizens are nudged to do the dirty work of trolls with little or no prompting from those in power.

You probably see evidence of this kind of behavior every day on your social media feeds; people lining up to lob personal attacks on those who disagree. That’s low-level trolling, however. The stakes get higher, fast.

Bloomberg recently investigated the phenomenon worldwide and came up with a long list of examples:

“In Venezuela, prospective trolls sign up for Twitter and Instagram accounts at government-sanctioned kiosks in town squares and are rewarded for their participation with access to scarce food coupons, according to Venezuelan researcher Marianne Diaz of the group @DerechosDigitales. A self-described former troll in India says he was given a half-dozen Facebook accounts and eight cell phones after he joined a 300-person team that worked to intimidate opponents of Prime Minister Narendra Modi. And in Ecuador, contracting documents detail government payments to a public relations company that set up and ran a troll farm used to harass political opponents.”

If you are shocked by the spread of conspiracy theories like Pizzagate online — and the emergence of a cottage industry that profits from the spread of such crazy ideas — don’t be. It’s not an accident, the report says.

“The new digital political landscape is one in which the state itself sows seeds of distrust in the media, fertilizes conspiracy theories and untruths, and harvests the resulting disinformation to serve its own ends,” the state-sponsored trolling report says.  “States have shifted from seeking to curtail online activity to attempting to profit from it, motivated by a realization that the data individuals create and disseminate online itself constitutes information translatable into power.”

The authors spent 18 months examining widespread trolling efforts in seven countries around the world: Azerbaijan, Bahrain, Ecuador, the Philippines, Turkey, Venezuela … and yes, the United States.

“Such attacks appear organic by design, both to exacerbate their intimidation effects on the target and to distance the attack from state responsibility,” the report says.  “However, in the cases we studied, attributing trolling attacks to states is not only possible, it is also critical to understanding and reducing the harmful effects of this trend on democratic institutions.”

The report cites multiple examples of government propaganda by trolling:

  • In China, members of the “50 Cent Army” are paid nominal sums to engage in nationalistic propaganda.
  • In Turkey, journalist Ceyda Karan was subjected to a three-day-long trolling campaign in which two high-profile media actors played a key role: pro-Erdoğan journalist Fatih Tezcan, who has more than 560,000 followers, and Bayram Zilan, a self-declared “AKP journalist” with 49,000 followers. Tezcan and Zilan were central players in a campaign that involved 13,723 tweets against Karan sent by 5,800 Twitter users.
  • The Twitter account of Indian prime minister Narendra Modi follows at least twenty-six known troll accounts, and the prime minister has hosted a reception attended by many of the same trolls.
  • Filipino president Rodrigo Duterte has given bloggers active in online harassment campaigns accreditation to cover presidential foreign and local trips. Duterte groomed a cyber militia of around five hundred volunteers during his election campaign, eventually promoting key volunteers to government jobs after his election. (For more on Duterte’s use of trolls, read this Bloomberg story.)
  • The Turkish government maintains a volunteer group of six thousand “social media representatives” spread across Turkey who receive training in Ankara in order to promote party perspectives and monitor online discussion.
  • In Venezuela, former vice president Diosdado Cabello, who currently hosts the TV show Con el Mazo Dando (Hitting with the Sledgehammer) on the Venezuelan state-owned TV channel VTV8, used his TV show and a Telegram channel associated with it to encourage Twitter attacks on opposition politician Luis Florido using the hashtag #FloridoEresUnPajuo (“Florido, you’re a lying idiot”). Attacks on Florido lasted for days; they were vitriolic and crude and frequently accused him of being a traitor to Venezuela.
  • In Russia, state-sponsored trolling has been professionalized, with “troll farms” operating in a corporatized manner to support government social media campaigns. The most well-known troll farm is the Internet Research Agency (IRA), but there are reportedly scores of such organizations all around the country.

Trolling efforts work in part because the trolls have access to data which help them game social media algorithms; their posts fool Facebook and Twitter into giving them more prominence. That worked during the U.S. presidential campaign, when the Russian troll group Heart of Texas gained 200,000 likes soon after launch – more than the official state GOP page.

“In one form of algorithm gaming, trolls hijack hashtags in order to drown out legitimate expression,” the report says.

Don’t be part of a troll army

If all this sounds to you like a fairly traditional propaganda campaign, I agree.  It’s just far more targeted, thanks to the information age. And, Americans seem particularly vulnerable to propaganda at the moment, for a variety of reasons. But you don’t have to be.

If you don’t want to be part of the troll/propaganda army, what should you do?  Do all the things your high school English teacher said to do. Don’t be a troll.  Don’t say things just to get an emotional reaction, because you like setting people’s hair on fire. Always provide evidence, stick to facts, and don’t be drawn into ad hominem attacks.  Rise above them. When you see a vitriolic post by someone whose Twitter handle includes random strings of numbers, or who otherwise has a thin social media profile, assume you are dealing with a troll – even if the person seems to be on your side. Remember, America’s enemies simply want to sow discord; they don’t really care whose “side” they’re on. At a bare minimum, don’t repeat things you haven’t verified yourself just because you agree with the sentiment expressed.  Read numerous independent sources before passing on information.

Meanwhile, if you see or hear someone dismissing independent media with over-the-top criticisms, question their motives. Disagreeing with facts is healthy. Questioning someone’s integrity and patriotism, or persuading others to ignore an entire group or industry, should be viewed with deep skepticism.

Here’s how you recognize trolling, according to the Institute for the Future report:

  • Accusations of collusion with foreign intelligence agencies.
  • Accusations of treason.
  • Use of violent hate speech as a means of overwhelming and intimidating targets. Every female target of government-backed harassment receives rape threats.
  • Creation of elaborate cartoons and memes.
  • Trolls often accuse targets of the very behaviors the state is engaging in. In numerous countries, for example, trolls make claims that targets are affiliated with Nazism or fascist elements. Politicians and their proxies use claims of “fake news” as a form of dog whistling to state-sponsored trolls.

In which state are consumers most prepared for a cyber attack?

Larry Ponemon

Ponemon Institute is pleased to present the results of a U.S.-based survey of consumers located in all 50 states and Washington D.C. Survey findings were used to create the Cyber Hygiene Index (CHI), which attempts to measure consumers’ ability to protect themselves from various criminal attacks, especially in the online environment.

The CHI consists of a series of positive and negative survey questions weighted by the relative importance of each question for achieving a high level of readiness.

In the context of this research we define cyber hygiene as an individual’s ability to maintain a high level of readiness in order to prevent, detect and respond to cyber-related attacks such as malware, phishing, ransomware and identity/credential theft. The index provides a score ranging from +37 points (highest possible CHI) to -39 points (lowest possible CHI).

A total of 4,290 respondents were surveyed, which represented a 3.2 percent response rate from a proprietary sampling frame of consumers located throughout the United States. A total of 553 surveys were removed from the final sample because of reliability failure. The state-by-state sample sizes varied from a low of 40 completed surveys in Wyoming to a high of 179 completed surveys in New York.

Figure 1 provides the CHI scores for the top 5 and bottom 5 U.S. states. The bracketed number next to each state is the relative ranking from the most positive score for New Hampshire (re: 4.29) to the most negative score for Florida (re: -6.29).

Figure 1

In this section, we provide an analysis of the CHI and survey findings. The figures summarize the results of our survey. Each chart provides the overall survey response compiled from our total sample of 4,290 U.S. consumers with comparison to the 100 individuals with the most risky responses. We call this group the Bottom 100.

The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics:

  • The impact of identity theft on cyber hygiene
  • The impact of malware and phishing attacks on cyber hygiene
  • The impact of a lost device on cyber hygiene
  • The impact of password practices on cyber hygiene
  • The impact of online behavior on cyber hygiene

The impact of identity theft on cyber hygiene

Figure 2 shows the percentage of respondents who said they experienced an identity fraud or another identity theft crime over the past 12 months. Our hypothesis is that consumers who experience an identity related crime were less likely to have strong cyber hygiene at the time of the incident.

Figure 2

Figure 3 shows the immediate consequences of the identity theft. As can be seen, both the Overall and Bottom 100 show a similar pattern. The most significant consequence is the decline in credit because of a low FICO score, followed by the misuse or theft of the respondents’ credit or debit cards.

Figure 4 presents respondents’ level of cautiousness resulting from the identity theft incident. As shown, 42 percent of respondents said the incident had a significant impact on their level of caution when connected to the Internet or when sharing their personal information. In sharp contrast, 60 percent of the Bottom 100 said the incident had no impact on their online behaviors.

Figure 4

There are dozens more findings and charts in the report, which you can download for free at this link on