With the US election looming, it seemed like a good time to interview Greg Scott, who is passionate about the risks of data breaches. He aimed to raise awareness about this through his new novel Bullseye Breach.
What is your background?
I spent many years working for Digital Equipment Corporation, in its day, the second largest computer company in the world. Today, nobody outside the industry knows DEC ever existed, but ex DEC people are sprinkled around today’s IT industry, many in top engineering and management positions. After living through DEC’s demise, I spent the next 20+ years mostly as an independent consultant. I built firewalls and did IT security work with small businesses, and saw first-hand how unprepared we are for attacks. Red Hat made a great offer last summer and I said yes. I live in Minnesota, USA, with my wife, daughter, two grandsons, one dog, two cats, and more of my daughter’s fish than I can count.
What inspired you to write the book?
I’ve always wanted to write a book. And after being frustrated reading about data breach after data breach, and after being a credit card fraud victim myself, I decided to do something about it. I set out to write a security how-to book and illustrate my concepts with stories. Alice and Bob would have real personalities and characterizations. Somewhere in the process, the fiction took over and I decided the world already has plenty of great how-to advice. Read “Bullseye Breach,” and book #2 when it’s published, to learn why all that how-to advice is important.
Does this mean the book is quite ‘expositional’? How do you balance this with making sure it is a good read too?
Is *that* what everyone is afraid of? I worked hard to tell a great story with interesting characters. If my mom were alive, she would enjoy this book and she barely learned how to use a touch-tone phone. And at least a few judges thought it was a good story; it was a finalist in the Business category for the 2016 Midwest Book Awards.
A copy of "Bullseye Breach" or an early book #2 draft for telling me how to protect myself from this phishing attack pic.twitter.com/brcyIQ7isb
— Greg Scott (@DGregScott) August 17, 2016
Has anything happened subsequently in real life that made you think ‘huh if I’d have included something like that in the book people would have said I was making it up…’?
Wow, is that a loaded question! Let’s see – the Russians steal emails from the US Democratic party and send them all to Wikileaks for posting. And Wikileaks, run by an accused rapist holed up in the Ecuadorean embassy in London, is suddenly a player in the US presidential election.
Trump Industries had not one, but two credit card breaches. And then we find out Trump is running Exchange 2003, which shipped before today’s 7th graders were born, but they claim that’s okay because it’s behind a firewall. And anyone who stayed in a Trump hotel in 2014, 2015, or early 2016 is likely a credit card fraud victim.
We’ve all read and heard about Hillary Clinton’s email server. She apparently ordered her email administrator to uninstall Microsoft Exchange and delete the datastore, but nobody wiped the deallocated space. (“Wipe? You mean, like with a cloth?”) A rookie mistake? Or a bungled coverup? How much would an enemy of the United States pay for a copy of the discarded hard drive from the Secretary of State’s email server?
The Chinese steal millions of US Federal Government employee details from the US Office of Personnel Management. OPM offers worthless credit card monitoring in a “click here” email to government employees – and spammers get word of that and flood victims with their own nefarious “click here” emails.
The North Koreans force Sony Pictures to change a movie distribution strategy and eventually shut down the whole company. With malware.
A horrible terrorist organization recruits young people from Europe and the US with YouTube videos and slick PDFs showing pictures of beheaded infidels and videos of pilots burning alive. And that persuades hundreds of young people to throw away their lives and sneak into Syria.
Yeah, a few things come to mind. Sometimes real life is stranger than fiction.
NB that question was not intended to be loaded, rather that often true events overtake fictional ones!
On that question about true events overtaking fiction – in book #2, the Iranians share data from the OPM breach with the Chinese and repurpose Stuxnet to attack the US again. But this time the attack is with both cyber and biological viruses and Iran tries to pin the blame on ISIS. I’m looking for an agent and publisher for this one.
How do you see things playing out in the future in terms of data breaches, better or worse?
Until the world starts taking this stuff seriously, worse. We see it right now with IoT and millions of compromised video cameras launching DDoS attacks. We need to teach the world that security is a process, not an event.
What are your thoughts on biometrics and the like, will we reach a point where we can be uniquely identified based on our bio signatures – or will it always be hackable?
We can already be uniquely identified by fingerprints. Of course, the challenge is, it’s not easy.
I have a hunch smart people will always find a way to fool biometric devices. I’m a fan of biometric devices controlling access to secret installations. I’m not a fan of biometric identification for everyone. And nobody will ever implant an RFID tag under my skin or anyone else in my family. Or anyone else I can influence. Identity theft is bad, but the alternative of being easily trackable everywhere is worse.
What about the big brother implications of being uniquely identifiable?
The technology exists right now, today, to make us all uniquely identifiable by biometrics. I’m a Christian and I thank God no government has instituted such a policy yet. But one day, we will all be faced with a stark choice.
How / where can people buy your book?
“Bullseye Breach” is available everywhere books are sold.
Anything else you’d like to add / we should have asked?
What are a few common-sense precautions an organization can take to reduce the odds of a security incident?
The advice Jerry Barkley gives a skeptical Bullseye Stores board of directors at the end of “Bullseye Breach” is sound, but my thinking has evolved since “Bullseye Breach” was published. For busy leaders who are not security specialists and need it distilled to 25 words or less, remember this rhyme: “Care and share to be prepared.” Everything else flows from that.
Care enough to bring in professionals and do the appropriate homework. Ask the tough questions and challenge wimpy answers. Care enough to think like an attacker and make sure countermeasures are in place. Care enough to realize everyone is connected to everyone else on the Internet, and somebody on the other side of the planet really can invade your business. And even if you’re a tiny organization with no secrets to protect, care enough to get mad when somebody wants to make you a pawn in an attack on a bigger target.
And share what you learn. Present it at professional conferences, write articles about it, publish the post-mortem reports about breaches and study the public comments. Put your security through the gauntlet of peer review so you can avoid the tragedy of a real incident.
Sharing is counter-intuitive. Our natural instinct is to keep that information secret, with the flawed argument that we’re giving away information to potential attackers. This debate has gone on since at least 1854 when AC Hobbs published his book about how locks work. The reality was, and still is, that bad guys already collaborate with each other and already know how to break into our systems. Good guys need to level the playing field by also sharing and collaborating.