The prospect of changing the threat landscape always includes eradicating the platform of the perceived threat. However, perception and reality are often only clearly discerned after careful evaluation of the desired goals. The goal in this case is the one my prior post addressed, and that goal is now plainly in focus.
One key thing to keep in mind with any framework that defines techniques and tactics driving neural correlates (Likes and other reactions) is the fallout of withdrawal that follows from taking away that 'fix.'
Lesley Carhart, an infosec expert and stalwart on Twitter, posted a prescient admonition regarding actions taken in response to the rapidly escalating usage of alternatives to twitter.com after the president's Twitter account was suspended permanently.
Not that I have a kind thing to say about Parler, but we are about to have the same cybersecurity problem as we would have had if TikTok had been banned from the App Store. There are about to be a lot more jailbroken phones and dicey apps. Be on the lookout if this persists. — Lesley Carhart (@hacks4pancakes) January 8, 2021
The application being targeted for action in the service provider community is an app called Parler. The risk that @hacks4pancakes pointed out is one that should be of concern and monitored for in Mobile Device Management (MDM) applications: jailbroken devices and sideloaded apps of uncertain provenance. Like a drug, the neural processing of social rewards can drive users to seek access to those rewards by whatever means possible. Shortly thereafter there were clear signs that the postulate was proving true. Users were placing in jeopardy not only their own privacy and security but also that of others intending to use the platform. This can also be used to develop a new potential narrative by those promulgating disinformation.
I'm already right about them being ready to screw up their security instead of using the web app, guys.... https://t.co/e9sp7x1yxy — Lesley Carhart (@hacks4pancakes) January 9, 2021
Providing vetted, secured access to applications and user education for platform usage may be a good target for the sought-after revisions to 47 U.S.C. section 230. As it stands now there are private business terms of service and other expectations of users for how they will behave to comport with a platform provider's community. There are no rules specifically placed on the provider to educate the user community regarding access and use of the platform. This seems to me an opportunity to review and correct that.
In most businesses, and as a requirement in government information security plans, users must receive security awareness and rules education before they obtain full access to the infrastructure, no matter their level of access. Education in that regard serves more than one purpose. Primarily, user awareness education provides a venue to discuss use case prohibitions and threats. Additionally, the education provides an opportunity to inform users of the risks of not following the rules, not only to the user but also to the community at large. This should be required. In fact, I propose the type of education required would be pretty easy to retrofit into current platforms and roll out for new ones. Additionally, it is an obvious type of policy to pursue in terms of vetting and compliance from a regulatory point of view.
Get these things done while the getting is good! With the rise of phishing campaigns, ransomware and persistent threat actor sophistication, the iron is hot for a change in the rules that makes the entire community safer. User education provides a chance to drive home the desired outcomes of social interaction without unnecessarily constraining the verve of the community. Additionally, developing the applications to provide, monitor and enforce a policy for training opens a new market for application development, one that already exists and could use wider adoption. Just as driver education for obtaining a driver's license helps to ensure understanding of traffic rules, a simple bit of guidance on adherence to rules can go a long way. The residual outcome provides a sound basis for detecting violations and preventing security failures.
Stay aware and wary. Watch your user activity. Think deeply.