infoSource

infoSource is a cybersecurity newsletter. By subscribing to infoSource you will remain up-to-date on the latest in communication, computer and software cybersecurity issues.

Choices Have Consequences

 Application martyrdom is a risk

Firstly, in light of the activity of the last week, it would be folly not to acknowledge that swift actions are required to wrangle control of potential command and control platforms. To be clear, the insurrection, which took place in my hometown, in my neighborhood, is the activity to which I'm referring. Although this attempted coup d'état was not successful, it has been revelatory in regard to the risk profile and the type of threats to be considered. In more stark terms, the likelihood of physical threats being realized has only increased.

The prospect of changing the threat landscape always includes eradicating the platform of the perceived threat. However, perception and reality are often only clearly discerned after careful evaluation of the desired goals. The goal in this case is what my prior post addressed, and now that goal is plainly in focus.

 Chasing the Likes

One key thing that should be kept in mind with any approach for a framework defining techniques and tactics that drive neural correlates (Likes and other reactions) is the fallout of withdrawal that flows from taking away that 'fix.'

Lesley Carhart, an infosec expert and stalwart on Twitter, posted a prescient admonition regarding actions taken to have an effect on the rapidly escalating usage of alternatives to twitter.com after the president's Twitter account was suspended permanently.

The application being targeted for action in the service provider community is an app called Parler. The risk that @hacks4pancakes pointed out is one that should be of concern and monitored for in Mobile Device Management (MDM) applications. Like a drug, the neural processing of social rewards might drive users to seek access to those rewards by whatever means possible. Shortly thereafter there were clear signs that the postulate was proving true. Users were placing in jeopardy not only their own privacy and security but also that of others intending to use the platform. This can also be used for development of a new potential narrative by those promulgating disinformation.

Worse, if users are not educated on how to obtain safe and secure access to any particular platform, there will be threats, risks and consequences associated with the alternative means employed to gain access. Privacy breaches, ransomware and advanced persistent threats have all been in the news lately with no sign of abating. Taking away access to a platform and "martyring" usage may only escalate user security self-compromise and broaden the vulnerability landscape and attack surface in unexpected and detrimental ways.

 Thoughts on amendment to 47 U.S. Code § 230 

Providing vetted, secured access to applications and user education for platform usage may be a good target for the sought-after revisions to 47 U.S.C. section 230. As it stands now, there are private business terms of service and other expectations of users for how they will behave to comport with a platform provider's community. There are not specifically any rules placed on the provider to educate the user community regarding access and use of the platform. This to me seems like an opportunity to review and correct that.

In most businesses, and as required in government information security plans, users must receive security awareness and rules education before they obtain full access to the infrastructure, no matter their level of access. Education in that regard serves more than one purpose. Primarily, user awareness education provides a venue to discuss use case prohibitions and threats. Additionally, the education provides an opportunity to inform users of the risks from not following the rules, not only to the user but also to the community at large. This should be required. In fact, I propose the type of education required would be pretty easy to retrofit into current platforms and roll out for new ones. Additionally, it's an obvious type of policy to pursue in terms of vetting and compliance from a regulatory point of view.


The Bottom Line

Get these things done while the getting is good! With the rise of phishing campaigns, ransomware and persistent threat actor sophistication, the iron is hot for a change in the rules that makes the entire community safer. User education provides a chance to drive home the desired outcomes of social interaction without unnecessarily constraining the verve of community. Additionally, the development of the applications to provide, monitor and enforce a policy for training opens a new market for application development, one that exists and could use wider adoption. Just as driver education for obtaining a driver's license helps to ensure understanding of traffic rules, a simple bit of guidance on adherence to rules can go a long way. The residual outcome provides a sound basis toward detecting violations and preventing security failures.

Stay aware and wary. Watch your user activity. Think deeply.

Monday, 22 July 2024

Contact Me

Contact

Address
1309 S Street S.E., Washington, DC, 20020
Phone
00 1 202-276-8641
Mail
eric.d.williams@infobro.com
Web
https://www.infobro.com
