Jan 18 2008

The New Face of CyberCrime wasn’t what I was hoping for

Published by at 7:03 am under Hacking

It’s a legitimate question to ask if “The New Face of CyberCrime” is a documentary on the state of security or just a marketing piece for Fortify.  They could have easily made a 20-minute movie that was all about Fortify, but they didn’t.  The movie was a short, straightforward look at some of the issues facing internet users today regarding the security of the Internet.  There are bad people out there and they’re becoming more organized in their efforts to get your data.  It was meant to mildly shock the members of your board room or a class you might be teaching, without sending too strident of a message.  Fortify hit their goal of making a movie that could be used to educate end users who aren’t that familiar with the Internet.

There were two things that disappointed me about the film though.  The first was that there was nothing in the film that the audience hadn’t seen or read before.  Much of the film was like reading an article from any one of the half dozen glossy security magazines that come out on a monthly basis.  They rehashed many of the same subjects we’ve seen before, with many of the people we’ve all read before.  There were a lot of people in the audience who would have liked to see something that added to the body of knowledge, not just rehash what we know.  In the director’s defense, we weren’t his target audience.  He was aiming for people who were like himself and barely understood computers.

The second thing I thought the film was lacking was a call to action.  There was enough information in the movie to scare some people, but there was no “now go do this…” in the movie.  There was a slight bias towards securing the applications, but nothing you’d notice if you weren’t in a theater surrounded by Fortify staff.  But there was no suggestion of something to do about it, no suggestions of where to look for further information.  If the film works and there’s an emotional charge worked up by viewing the film, you want to give people something to do with that energy.  But I guess that’s for the person presenting after the film to take control of.  The director says they thought of that, but that any call to action would have made The New Face of CyberCrime into a marketing piece and he may be right.

I went into The New Face of CyberCrime expecting to see something new and interesting; instead I saw Rsnake pointing to a screen while saying “Cross site scripting” a number of times and a good view of Marcus Ranum’s backyard.  It wasn’t what I was hoping for; I would have liked to have heard some of the deeper conversations that went around the sound bites.  But I think the movie was what Fortify and the director were hoping for.  The New Face of CyberCrime would make a good brown bag lunch movie, something where you lead a conversation afterwards and educate your users.  As far as using it in the board room though, I’m not too sure I’ve ever worked in a company where I could get the board to listen to me for 20 minutes, let alone watch a movie that long.


3 Responses to “The New Face of CyberCrime wasn’t what I was hoping for”

  1. […] representative from JC Penney was interviewed for the Fortinet documentary last night, and this is one of the dangers of the information age he didn’t bring up.  Not only do […]

  2. Roger Thornton on 20 Jan 2008 at 10:55 pm

    Martin, thanks for attending the premiere and the follow up post. Fred and I also want to thank everyone that took the time to be with us on Thursday and share their insights and suggestions at the screening.

    As you mentioned, our goal was to tell a story that would resonate with business people and the general public and to help open a dialogue between the infosec experts and those who rely upon their expertise. We were indeed careful to avoid a prescriptive answer that might have been perceived as shameless self-promotion for Fortify. If we had included a call to action it would be the same one I recommend when I talk to CIOs and CISOs about this problem:

    1. Understand that the serious threats are making their way through your perimeter defenses (I am still amazed how few business executives really understand this).

    2. Make sure your InfoSec and IT development teams are working closely together and have them collaborate on risk and threat profiles for all of your critical business assets (customer data, intellectual property, business processes). Be sure that they consider vectors beyond network and host access – Software, Outsourcers, Business Partners, Employees, etc.

    3. Put in place a security process that engineers security into the critical IT systems as you build and integrate them, testing for vulnerabilities at every step in the lifecycle.

    Of course that can be done with or without Fortify’s products, but of course I can’t imagine anyone going without 😉

    Let’s keep the dialog going. Hopefully, the film will inspire others to pick up where we started and tell the deeper story of how the underbelly of cybercrime works. In fact, Fred and I are considering a trip to Russia and gathering material for a sequel ourselves…

  3. […] if the company is totally new to security, it might help with putting resources to security. Martin Mckeay also has some comments on this […]
