Tag Archives: security

The Wildebeest Speaks, (Almost) March Issue: How the Secret Breaches Hurt Us All

It’s February, but I’ve already published the March issue of Bredemarket’s LinkedIn newsletter, “The Wildebeest Speaks.” I hope you forgive me.

This issue looks at the wonderful world of data breaches, including what we know and what we don’t know.

What we don’t know is that many data breaches are never reported, even though organizations are required by law to do so.

The solution is to prevent data breaches from occurring in the first place.

Read more in the latest addition to the newsletter section of Bredemarket’s LinkedIn account.

https://www.linkedin.com/pulse/how-secret-breaches-harm-us-all-bredemarket-wk9bc/

What Do Chief Information Security Officers (CISOs) Fear?

(Imagen 3)

When marketers write content for Chief Information Security Officers, we need to ensure they’re listening. The content needs to speak to their concerns. Understanding their emotions helps us to do that.

Tapping into their emotions helps to ensure the CISOs are paying attention, and that the CISOs are not dismissing our content as unimportant and unworthy of their attention. (See what I did there, dear marketer?)

Are our prospects listening to us?

I’ve talked about emotions and content before. My approach is fairly simple, identifying the emotions encountered at two stages of the customer journey:

  • The negative emotions faced at the “problem” stage. Perhaps fear, anger, or helplessness.
  • The positive emotions faced at the “results” stage, after you have provided the customer with the solution to their problem. This could be the happiness or satisfaction resulting from hope, accomplishment, or empowerment.

What do CISOs fear?

I’m reworking a client piece targeted to Chief Information Security Officers (CISOs), and I needed to re-examine the things that keep CISOs up at night. I started with a rudimentary list.

  • Cyberattacks. (Duh.)
  • Technological complexity.
  • Resource constraints.
  • Corporate liability.
  • Job security.

A good list—well, I think so—but is it good enough? (Or big enough?) The elements are rather abstract, since you can discuss concepts such as “resource constraints” without FEELING them.

What do CISOs really fear?

Maslow’s famous hierarchy of needs is (literally) based upon physiological (survival) and safety needs. Can I translate the abstractions above into something more primal?

  • Loss of all our information, leaving us dumb and helpless.
  • Confusion and bewilderment in (as the AI bots are fond of saying) “the ever-changing landscape.”
  • Overwhelming burnout from too much to do.
  • No money after being sued into oblivion.
  • Wandering the streets homeless and starving after losing your job and your income.

How should we express those fears?

Now there are various ways to express those primal fears. I could go for maximum effect (will the wrong decision today leave you homeless and starving tomorrow?), or I could write something a little less dramatic (are you vulnerable to the latest cyber threats?). The words you choose depend on your company’s messaging tone, which is why I recently reshared my original brand archetypes post from August 2021. A Sage will say one thing, a Hero another.

Why?

Anyway, thank you for reading. Writing this helped me, and maybe it gave you some ideas. And if you want to know more about the seven questions I like to ask before creating content (emotions being the 7th), read my ebook on the topic.

This Week’s Acronym is ASOCMM: the MM part should be a giveaway

(AI image from Imagen 3)

I just read a post by SentinelOne, but it’s too early to tell if this is just a string of buzzwords or a legitimate endeavor.

The post about a proposed “Autonomous SOC Maturity Model” (ASOCMM?) includes buzzwords such as “autonomous,” “SOC” (system and organizational controls, or security operations center – take your pick), “agentic AI,” and of course “maturity model.”

Having done my maturity model time during my days at Motorola Solutions predecessor Motorola (although our group stuck with CMM rather then moving on to CMMI), I’ve certainly seen the benefits and drawbacks of maturity models for organizations large and small. Or for organizations large: I shudder at the thought of implementing a maturity model at a startup; the learning curve at the Printrak part of Motorola was bad enough. You need to hit the target between no process, and process for process’ sake.

So what of this autonomous SOC maturity model? Perhaps it can be real.

“At SentinelOne, we see the Autonomous SOC through the lens of a maturity model. We welcome debate on where we, as an industry, are on this evolutionary revolution. We hope most will agree that this is a better way to look at Autonomous SOC innovation and adoption – far better than the binary, all-or-nothing debates that have long fueled analyst, vendor, and industry watcher blogs and keynotes.”

If nothing else, a maturity model approach lends (or can lend) itself to continuous improvement, rather than just checking off a box and saying you’re done. A Level 5 (or Level 4 on a 0-4 scale) organization, if it believes what it’s saying, is ALWAYS going to improve.

Something to watch…and not just with SentinelOne.

(Adapted from original posts on LinkedIn and Facebook)

Metal Injection Attack: The Ozzy Version

In my previous blog post about a fingerprint biometric security metal injection attack, I said:

“This metal injection attack isn’t from an Ozzy Osbourne video…”

Well, now there IS an Ozzy Osbourne video about the metal injection attack. The reel is on Instagram.

“Metal Injection Attack” Instagram reel.

Metal Injection Attack: Bypassing Biometric Fingerprint Security

(Image from LockPickingLawyer YouTube video)

This metal injection attack isn’t from an Ozzy Osbourne video, but from a video made by an expert lock picker in 2019 against a biometric gun safe.

The biometric gun safe is supposed to deny access to a person whose fingerprint biometrics aren’t registered (and who doesn’t have the other two access methods). But as Hackaday explains:

“(T)he back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint.”

Biometric protection is of no use if you can bypass the biometrics.

But was the safe (subsequently withdrawn from Amazon) over promising? The Firearm Blog asserts that we shouldn’t have expected much.

“To be fair, cheap safes like this really are to keep kids, visitors, etc from accessing your guns. Any determined person will be able to break into these budget priced sheet metal safes….”

But still the ease at bypassing the biometric protection is deemed “inexcusable.”

So how can you detect this injection attack? One given suggestion: only allow the new biometric registration control to work when the safe is open (meaning that an authorized user has presumably opened the safe). When the safe is closed, insertion of a thin piece of metal shouldn’t allow biometric registration.

For other discussions of injection attack detection, see these posts: one, two.

By the way, this is why I believe passwords will never die. If you want a cheap way to lock something, just use a combination. No need to take DNA samples or anything.

Oh, and a disclosure: I used Google Gemini to research this post. Not that it really helped.

TPRM

(Imagen 3)

A little (just a little) behind the scenes of why I write what I write.

What does TPRM mean?

I was prompted to write my WYSASOA post when I encountered a bunch of pages on a website that referred to TPRM, with no explanation.

Now if I had gone to the home page of that website, I would have seen text that said “Third Party Risk Management (TPRM).”

But I didn’t go to the home page. I entered the website via another page and therefore never saw the home page explanation of what the company meant by the acronym.

They meant Third Party Risk Management.

Unless you absolutely know that everybody in the world agrees on your acronym definition, always spell out the first instance of an acronym on a piece of content. So if you mention that acronym on 10 web pages, spell it out on all 10 of them.

That’s all I wanted to say…

How is NIST related to TPRM?

…I lied.

Because now I assume you want to know what Third Party Risk Management (TPRM) actually is.

Let’s go to my esteemed friends at the National Institute of Standards & Technology, or NIST.

What is TPRM?

But TPRM is implied in a NIST document entitled (PDF) Best Practices in Cyber Supply Chain Risk Management. Because there are a lot of “third parties” in the supply chain.

When companies began extensively outsourcing and globalizing the supply chain in the 1980’s and 1990’s, they did so without understanding the risks suppliers posed. Lack of supplier attention to quality management could compromise the brand. Lack of physical or cybersecurity at supplier sites could result in a breach of corporate data systems or product corruption. Over time, companies have begun implementing vendor management systems – ranging from basic, paper-based approaches to highly sophisticated software solutions and physical audits – to assess and mitigate vendor risks to the supply chain.

Because if MegaCorp is sharing data with WidgetCorp, and WidgetCorp is breached, MegaCorp is screwed. So MegaCorp has to reduce the risk that it’s dealing with breachable firms.

The TPRM problem

And it’s not just my fictional MegaCorp. Cybersecurity risks are obviously a problem. I only had to go back to January 26 to find a recent example.

Bank of America has confirmed a data breach involving a third-party software provider that led to the exposure of sensitive customer data.

What Happened: According to a filing earlier this month, an unidentified third-party software provider discovered unauthorized access to its systems in October. The breach did not directly impact Bank of America’s systems, but the data of at least 414 customers is now at risk.

The breach pertains to mortgage loans and the compromised data includes customers’ names, social security numbers, addresses, phone numbers, passport numbers, and loan numbers.

Note that the problem didn’t occur at Bank of America’s systems, but at the systems of some other company.

Manage your TPRM…now that you know what I mean by the acronym.

Keith’s “Why”

One of the best “why” stories I’ve seen in some time was written by Keith Puckett of Ubiety Technologies

He had purchased a feature-rich home security system and received an alarm while he was traveling. That’s all—an alarm, with no context.

“The security company then asked me, ‘Should we dispatch the police?’ At that moment, the reality hit: I was expected to make a decision that could impact my family’s safety, and I had no information to base that decision on. It was a gut-wrenching experience. The very reason I invested in security—peace of mind—had failed me.”

From Ubiety Technologies, “What is Your Why?”

https://ubiety.io/what-is-your-why

Puckett then started his company so others wouldn’t face the same emotions of fear and helplessness that he faced.

Why ask why?

Why is a “why” story so powerful? 

Because a story like this grabs a prospect’s attention a million times better than some boring technical feature list with optimum camera angles.

Make it personal. Many prospects have their own challenges that you can solve. 

Make sure you have the answers to their questions. That’s why Bredemarket asks questions before creating content…so your prospects don’t have to.

After all, “why ask why?” is more than an old beer commercial slogan.

And one more thing

For those like me who noted Ubiety Technologies’ Illinois location—you know, BIPAland—here is the company approach to privacy.

What Coauthor “Wrapped” About My LinkedIn Activity

So I checked out Coauthor’s me-too LinkedIn-themed copycat of Spotify Wrapped, like many of you did. Here’s the (unedited) post it wrote for me—not too bad:

= = =

Here’s my 2024 LinkedIn Rewind, by Coauthor.studio:

After 30 years in identity and biometrics, 2024 showed me that verification only goes so far. The real challenge isn’t just confirming who someone is – it’s understanding what they might do.

From employment fraudsters with verified credentials to healthcare imposters with stolen birthdates, this year proved that identity verification alone can’t prevent deception. But it also showed how combining technical expertise with human insight can help protect organizations and individuals.

Key observations from 2024:

  • Identity verification without intent analysis is incomplete
  • Employment fraud evolves faster than verification methods
  • Healthcare identity remains dangerously vulnerable
  • The best fraud prevention combines technology and psychology
  • Product marketing must address both verification and trust

Three posts that captured these themes:

“Employment Fraud and Identity Verification”

On why verifying someone’s identity only goes so far

https://www.linkedin.com/feed/update/urn:li:activity:7268454996734545921/

“Rich Powaza’s Disappearance” 

Real consequences of fraudulent behavior

https://www.linkedin.com/feed/update/urn:li:activity:7253092940393193472/

“Get Off My Lawn”

Changing workplace norms and responsibilities

https://www.linkedin.com/feed/update/urn:li:activity:7262320817898758145/

Through Bredemarket, I delivered over 100 content and analysis projects helping organizations navigate these challenges. I also conducted research on employment fraud tactics and moderated communities helping others avoid scams.

Looking ahead: 2025 will require even more sophisticated approaches to identity verification and fraud prevention. The fraudsters aren’t going away – but neither am I. I’ll continue helping organizations implement effective identity strategies while advocating for ethical AI use and employment practices.

To the wildebeests following along: remember that verification is just the start. The real value comes from understanding intent and building trust.

#fraud #identity #security #productmarketing

Get your 2024 LinkedIn Rewind! Go to coauthor.studio 

Black Friday Fraud Reduction?

Black Friday fraud dipped in 2024? Maybe good news…maybe not.

Frank on Fraud shared a TransUnion report of a 30% decrease in fraud on Black Friday this year. (Links below.)

This in turn was shared and analyzed by Hilton McCall, who noted several theories as to why fraudsters apparently took Black Friday off.

“Tighter fraud prevention measures by merchants and platforms.”

That’s good news.

“Shifting fraud tactics targeting other high-value days like Cyber Monday.”

“A possible focus on new fraud methods, like account takeovers and loyalty point scams, rather than traditional purchase fraud.”

That’s bad news.

Remain vigilant—and if your firm offers a fraud-fighting solution, share your message.

Frank on Fraud: https://frankonfraud.com/fraud-trends/fraudster-vacation-fraud-plunges-on-black-friday/

TransUnion: https://www.globenewswire.com/news-release/2024/12/05/2992306/0/en/New-TransUnion-Analysis-Finds-More-Than-4-of-U-S-Attempted-Ecommerce-Transactions-Between-Thanksgiving-and-Cyber-Monday-Suspected-to-be-Fraudulent.html

Hilton McCall: https://www.linkedin.com/posts/hilton-mccall_fraudprevention-blackfriday-cybersecurity-activity-7272611182727909376-lsyD

Survey Says

So Deloitte announced the results of a survey earlier this month.

“The fifth annual Deloitte “Connected Consumer” survey reveals that consumers have a positive perception of their technology experiences and are increasingly embracing GenAI. However, they are determined to seek balance in their digital lives and expect trust, accountability, and transparency from technology providers.”

Deloitte conducted the survey BEFORE the RIBridges hack.