There’s nothing like a crisis to bring out the absolute stupidity in a person… especially if said individual works for a big company or government agency. This week alone we’ve had everything from the ongoing BP disaster (the one that really scares me) to the Israeli meltdown. And I’m sure Sarah Palin is in the mix there someplace.
Crisis communications is an actual field of study, with many examples of how to manage your public image even in the midst of a major meltdown. Heck, I’ve been trained on it as part of my disaster response work. But it seems that everyone from BP to Gizmodo to Facebook is reading the same (wrong) book:
- Deny that there’s a problem.
- When the first pictures and videos show up, state that there was a minor incident and you value your customers/the environment/the law/supporters/babies.
- Quietly go to full lockdown and try to get government/law enforcement to keep people from finding out more.
- When your lockdown attempts fail, go public and deny there was ever a coverup.
- When pictures/video/news reports show everyone that this is a big fracking disaster, state that although the incident is larger than originally believed, everything is under control.
- Launch an advertising campaign with a lot of flowers, babies, old people, and kittens. And maybe some old black and white pictures with farms, garages, or ancestors who would be the first to string you up for those immoral acts.
- Get caught on tape or in an email/text blaming the kittens.
- Try to cover up all the documentation of failed audits and/or lies about security and/or safety controls.
- State that you are in full compliance with the law and take safety/security/fidelity/privacy/kittens very seriously.
- As the incident blows completely out of control, reassure people that you are fully in control.
- Get caught saying in private that you don’t understand what the big deal is. It isn’t as if people really need kittens.
- Blame the opposing party/environmentalists/puppies/you business partners.
- Lie about a bunch of crap that is really easy to catch. Deny lying, and ignore those pesky videos showing you are (still) lying.
- State that your statements were taken out of context.
- When asked about the context, lie.
- Apologize. Say it will never happen again, and that you would take full responsibility, except your lawyers told you not to.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike Rothman on Tabnapping at SC Magazine.
- The Network Security Podcast, Episode 199.
- Rich presented on Data Breaches for whitehatworld.com; it should show up on their archive page soon.
Favorite Securosis Posts
- Rich: NSO Quant: Monitor Process Map. These Quant projects keep getting bigger each time we do one, but it’s nice to do some real primary research.
- Adrian Lane: The Hidden Costs of Security.
- Mike Rothman: Understanding and Selecting SIEM/LM: Correlation and Alerting. We are working through the SIEM/Log Management research. Check it out and provide comments, whether you agree or disagree with our perspectives.
Other Securosis Posts
- The Public/Private Pendulum Keeps Swinging.
- White Paper Released: Endpoint Security Fundamentals.
- Thoughts on Privacy and Security.
- Incite 6/2/2010: Smuggler’s Blues.
- On “Security engineering: broken promises”.
- FireStarter: In Search of… Solutions.
Favorite Outside Posts
- Rich: Inside the heart of a QSA. As much as we complain about bad PCI assessors are, the good ones often find themselves struggling with organizations that only want a rubber stamp. The bad news is there are very few jobs that don’t end up being driven by rote over time. That’s why I like security – it is one of the few careers with options to refresh yourself every few years..
- Pepper: Android rootkit is just a phone call away. It’s actually triggered by a call, not installed by one, but still very cool – in a bad way.
- Adrian Lane: Detecting malicious content in shell code.
- Mike Rothman: Windows, Mac, or Linux: It’s Not the OS, It’s the User The weakest link in the chain remains the user. But we can’t kill them, so we need to deal with them.
Project Quant Posts
- DB Quant: Secure Metrics, Part 1, Patch.
- NSO Quant: Monitor Process Map.
- DB Quant: Discovery Metrics, Part 4, Access and Authorization.
- DB Quant: Discovery and Assessment Metrics, Part 3, Assess Vulnerabilities and Configuration.
Research Reports and Presentations
- White Paper: Endpoint Security Fundamentals.
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
Top News and Posts
- MS plans 10 new patches. Sharepoint and IE are the big ones.
- Cyber Thieves Rob Treasury Credit Union.
- Ukrainian arrested in India on TJX data-theft charges These incidents go on for years, rather than days or even months.
- iPhone PIN code worthless Rich published on this a long time ago, and while it was a known flaw, the automounting on Ubuntu is new and disturbing. Previously it looked like you had to jailbreak the iPhone first.
- Viral clickjacking ‘Like’ worm hits Facebook users.
- ATM Skimmers. Another installment from Brian Krebs on ATM Skimmers.
- 30 vs. 150,000 Adam teaches Applied Risk Assessment 101.
- Trojan targets Anti-Phish software.
Blog Comment of the Week
Re-engineering can work, Spolsky inadvertently provides a great example of that, and proves himself wrong. I guess that’s the downside to blogs, and trying to paint things in a black or white manner. He had some good points, one was that when Netscape open sourced the code, it wasn’t working, so the project got off to a slow start. But the success of Mozilla (complete rewrite of Netscape) has since proved him wrong. Once Bill Gates realized the importance of the internet, and licensed the code from Spyglass (I think) for IE, MS started including it on every new release of Windows. In this typical fashion, they slowly whittled away at Netscape’s market share, so Netscape had to innovate. The existing code base was very difficult to work with, even the Netscape engineers admitted that. But when you’re trying to gain market share, speed counts, look at Facebook, and eBay. But eventually you have to make a change, if the code is holding you back. Look at how long it took IE to come out with tabs – ridiculous. And look at Apple’s ability to move to a BSD/Mach/Next (?) kernel. But the best example is still – Mozilla’s Firefox, still ahead of IE, in my opinion.