Hello, and welcome to the first of our series of interviews with online security experts. We are starting out with an interview with Tripwire’s David Bisson, where he is the associate editor for The State of Security series.
David has been writing about online security and privacy issues for many years now. First starting way back when he wrote his senior thesis on the militaries digital weaponry. With a sigh on continuing his career in info sec journalism, his valuable insights below will be sure to help anyone looking to increase their online security.
Interview with Tripwire’s David Bisson: Online security expert interview
David, let’s get started with the basic question. How did you get started in the Internet security business?
I first got started in the Internet security business back in undergraduate school. I was writing my senior thesis on the notion of digital weapons ushering in a new concept of what we define as “war.” For inspiration, I decided to create a Twitter account and to connect with individuals researching similar ideas. The managing editor of a site called Information Security Buzz found me on Twitter and asked if I would like to contribute some articles. I said “yes.”
After graduation, I began editing for the site and writing for Tripwire’s The State of Security blog. That latter opportunity opened up all kinds of doors for me. I now write for Graham Cluley, Carbonite, Metacompliance, and OASIS Open in addition to Tripwire.
@DMBisson joins us to talk Tesco hack, irresponsible Google researchers and Trump's 'the cyber' affecthttps://t.co/1eZGlkuFNa #infosec pic.twitter.com/GlO95bKp4o
— Foursys (@FoursysLtd) November 11, 2016
You seem to be everywhere, that is quite the career path. Do you think that others could easily follow this path? If not, where should they start?
I think the path is wide open for individuals with an interest to learn. I didn’t know much about Internet security when I started out, which is why I chose to write about topics with a political bent to them. But that changed after the first year or so. If you spend so much time writing about one subject, you’ll pick up the crucial ideas and begin to form your own opinions of them.
By writing about information security specifically, I found that I couldn’t disengage myself as a user from my the topics of my articles. I therefore took a hard look at my computing practices and made some changes. Even today, I continue to modify my behavior to stay as safe online as possible.
Security is a process; it never ends.
That process I feel has made me more conscientious as a user and more informed as an infosec writer.
My recommendation is that people begin reading and writing about information security. They should also follow the conversations infosec experts participate in on social media. Once they start to formulate their own opinions, they can approach some of these infosec news websites and ask to contribute some content. It’ll probably be unpaid at first. (It was for me.) But it’s a step in the right direction, and you never know where it might lead.
That story sounds awfully familiar. It’s how I got into the industry as well! Let’s change it up and look at some opinions of yours on specific topics related to VPNs. What is your opinion on VPNs keeping logs?
It’s self-defeating. Users flock to VPNs out of a concern for privacy. They don’t want to be tracked, and they certainly don’t want their VPN to be capable of matching their IP address to a time stamp under certain situations. Any VPN that keeps extensive logs on their customers therefore risks losing business should anyone find out about their policies. And once that goodwill is gone, it takes a lot of time, transparency, and hard work to get it back.
It is definitely something for people to think about. We covered this quite a bit in an article about Hide My Ass and they’re logging policy.
What solutions, if any, do you have for the online security skills shortage?
I feel the most effective way we can overcome that gap is by cultivating interest in children and young people at an early age. Grammar schools should form their own digital security clubs that host public awareness campaigns and teach the fundamentals of network defense. (I’m thinking Legos would serve as an excellent education tool.)
In secondary institutions, students should have the option of joining hacker teams where they can compete against one another. If students have the opportunity to refine their interest in digital security over a period of years as they would a sport or a musical instrument, they’ll be more inclined to apply for scholarships, to pursue that field in college, and to ultimately enter the security community as a professional.
Those both sound like good ideas. I particularly like the Lego. How do you feel about content providers (such as Netflix, Hulu) who are blocking VPN users?
I can understand where Netflix and Hulu are coming from in their efforts to respect their regional licensing agreements with studios. But those services are growing, and along the way, they’re accumulating content to which some of its members have never been exposed.
My hope is that content providers will see that development as an opportunity to expand their users’ horizons and to offer the same content to members everywhere. If they don’t, they’ll simply drive more people to use VPNs to specifically bypass their content walls.
Worse, some members could reject Netflix and Hulu and instead navigate towards piracy. Such a scenario would hurt the studios that made the content, the content providers that are losing customers, and the users who might unknowingly install malware or end up in prison. It would hurt everyone.
I’m sure that a number of people who check out our Top 10 piracy/p2p websites article are doing so because they cannot legally stream content. I’m not going to say I have…
Let’s take a more global look at the politics and online security you enjoy. What are your current thoughts on China and The Great Firewall?
The Great Firewall is completely antithetical to the spirit of the web. Information is at its best when it’s shared, as that helps to drive innovation. But the Communist Party of China (CPC) doesn’t want change. It wants to perpetuate its rule…even if that means it must wall ordinary Chinese citizens off from the rest of the world.
Why? It fears what the people might do in the possession of unbiased information. Perhaps they might decide they want a new type of government. The Great Firewall helps prevent that from happening, but if a political regime resorts to such measures out of fear for its own people, you have to wonder how long that regime will last in an increasingly globalized world.
The great fall air wall of China is certainly an issue related to a free Internet. Speaking of online security issues and freedom, what are your thoughts on NSA spying, and encryption backdoors?
Encryption–like any technology–is dual use, which means users can use it for good or bad. Though one shouldn’t outweigh the other. In the information age, privacy is a sacred right. Each and every user should be fighting for the right to keep their personal details private. Of course, some people in the intelligence community might not hold such a rosy view of privacy. How can they? Their mission is to security, not privacy.
But bulk data collection programs like PRISM aren’t the answer. Watching everyone all the time just creates mounds and mounds of non-actionable data that can easily distract investigators from finding evidence of criminal activity. Investigators say encryption backdoors could allow for more targeted investigative work. That might be true in one sense. However, the potential for intelligence analysts and bad actors to undermine privacy and security should be for every user too much to bear.
In other words, there’s no good answer to resolving this dispute. It’s a challenge that will continue to define and shape the Internet for years to come.
Chinese company installed secret backdoor on hundreds of thousands of phones https://t.co/zEYSpn1lOI @arstechnica #security #infosec pic.twitter.com/x5fBdyrNrN
— David Bisson (@DMBisson) November 15, 2016
That was a very insightful answer, David. Thank you. Now let’s end this with a little bit of advice for someone out there who knows absolutely nothing about online security. What would you tell them to do to get the basic protection?
To get the basic protection, users should implement the following steps:
- Install a VPN and anti-virus solution on their mobile devices and computers.
- Use a password manager to save strong, unique passwords for each of their web accounts.
- Set up two-step verification whenever there’s a way to do so on their accounts.
- Back up critical information on a regular basis using local AND cloud-based solutions.
- Configure your browser so that it deletes cookies every time you end your session.
- Avoid clicking on suspicious links and email attachments.
It takes a bit of research to figure out how to do all of this, but none of those measures are too difficult for a user who knows nothing about online security to eventually wrap their head around. More importantly, each of those steps will go such a long way towards safeguarding a user’s important information.
Thank you for the great interview, David. I’d like to invite everyone to follow him on Twitter, and a comment below with your thoughts on anything we discussed.