printer friendly version

What’s a little fact or two?

In the last issue of Hi-Tech Security Solutions we carried an article that reported on a security vulnerability in Hanwha Techwin cameras. As it turns out, the report was correct, but it wasn’t all that correct. By this I mean that although there definitely was a vulnerability, the specifics of how and which users could be impacted were not clear.

As it turns out, the problems were with the consumer versions of the camera and not the professional range. This makes a huge difference to those who may be using those particular cameras, especially these days when a security breach could have a significant impact.

Of course, it’s embarrassing that Hi-Tech Security Solutions only provided some of the story and we apologise for that, but it also raises an interesting issue. There is a trend nowadays to lament the lack of cybersecurity skills in the market, with some figures claiming there are more than a million positions unfilled in the world. Personally, I tend to scoff at these big numbers as there are in fact lots of skills out there, but companies either don’t want to pay for the top skills because supply-and-demand laws are only good when they work in your favour, or they don’t want to have the burden of training people who may not have the experience they require.

Perhaps that’s a bit cynical, but the fact is that when it comes to cybersecurity it’s easy to miss some important facts because too many people don’t know enough about the topic to understand and clearly communicate the issues. And those that do understand may not be very good at putting their knowledge into words that non-technical people can understand.

When someone discovers a security issue, they obviously should notify the manufacturer and provide their data to show the vulnerability at work. The manufacturer should then make haste to resolve the issue. But when does the news get sent out to the rest of the world? We need to know if there are security issues and resolutions for any products we use, but we need to be accurately informed without marketing hype. More specifically, we (users) don’t always need to know the exact technical details of the issue, but rather that there is a fix and how to apply it.

But what about companies that don’t attend to security breach notifications from researchers? How long should they have to resolve an issue before they are exposed for their poor understanding and perhaps even contempt for customers’ security?

And who do they tell? Intel apparently told its Chinese manufacturers about security holes in its processors before it informed the US government (https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430).

Perhaps security vulnerabilities need to be dealt with via a documented, consistent process as do so many other issues in the security world (and everywhere for that matter). And perhaps the world needs some serious investment in real risk-based cybersecurity training instead of the endless quick-fix courses that provide a certificate of attendance instead of a certificate of actually learning something.

Andrew Seldon

Editor

Share this article:

Further reading: