Cybercrime and other forms of “cyber-badness” affect different professions in different ways. Recently I participated in a panel about the cybersecurity concerns of journalists and the news media, hosted by the Inter America Press Association (IAPA). An account of the panel was published on WeLiveSecuritylast month but in this article I want to pass along some of the notes I made in preparation for that event. These include websites and resources that journalists and news media might find helpful when thinking about their cybersecurity.
General cybersecurity resources
Need to get up to speed on cybersecurity? Struggling with the jargon? The following are good places to start. Some of them can help you train employees on security and raise security awareness among colleagues.
- A Glossary of Common Cybersecurity Terminology: there are quite a few out there, but this one is nicely referenced and tied to standards.
- A glossary more focused on malicious code: written by ESET malware researchers (malware is short for malicious software, also known as malicious code).
- StaySafeOnline.org (NCSA) is a great starting point for both learning about cybersecurity and helping others to understand the need for cybersecurity awareness. This site is also the hub of activity for the annual cybersecurity awareness month (October), now observed in many countries.
- Our very own WeLiveSecurity.com is a website offering security news, advice, opinion, and award-winning security research, presented in five languages:
- Free Cybersecurity Training is provided by ESET to help companies, including publishers, to educate their employees about basic digital security. Employers can document employees’ progress with certifications and badges for successful completion. The online training takes less than two hours and is available at any time on demand. You can also download training content and customize your own program.
Making friends and saving numbers
In journalism, having good contacts is key and this is true when it comes to defending your digital assets. The following are some sources – of information and, possibly, assistance – that you might want to cultivate.
- Make friends in the cybersecurity community: knowing the phone number of someone who has the skills, contacts and inclination to help out with security issues is a good precaution to take, preferably before such issues arise. Where to start? Try attending events held by organizations formed by security professionals, many of which have local chapters. Look out for public events where you can network and collect cards.
- Here are the leading associations of security professionals:
- (ISC)2: International Information System Security Certification Consortium, best known for creating the CISSP credential (Certified Information System Security Professional).
- ISSA: Information System Security Association, which has a lot of local chapters but is also international.
- ISACA: began as the Information Systems Audit and Control Association but now goes by just ISACA.
- AITP: a broader IT group, the Association of Information Technology Professionals is part of CompTIA, a leading provider of certifications in IT and security.
- Make cybersavvy friends in the law enforcement community: these could be local police officers who work computer crimes all the way up to national agencies (for example, in the US that would be the FBI, Secret Service, and DHS). Note that some regions have inter-agency law enforcement collaboration initiatives, such as the Computer and Technology Crime High-Tech Response Team (CATCH) in Southern California.
- Know your national CERT, as in Computer Emergency Response Team, or Computer Security Incident Response Team (CSIRT). Most countries have one of these (the original CERT at Carnegie Mellon University maintains a list of National CSIRTs). Publishers and other organizations can get help from CSIRTs when responding to cyberattacks. CSIRTs can also be a good source news about emerging threats.
- For sector specific cybersecurity information, check out the relevant ISAC, as in Information Sharing and Analysis Center. These have been formed by industry partners, with government encouragement, to improve each sector’s awareness of cyber-related threats. In the US, ISACs currently cover areas like automotive, aviation, healthcare, and maritime. You can find ISACs at the National Council of ISACs. (As of now, there is no ISAC for journalism or publishing, but that might change.)
- Know a good (cyber) lawyer: because not all attorneys know the computer crime laws. Find one who does, just in case. And if your publication experiences a hacking incident the first call made by the Incident Response Team should be to the lawyer(s).
Sites with journalism specific cybersecurity resources
- TCIJ.org: The Centre for Investigative Journalism (CIJ) is a charity that champions critical, in-depth reporting and the defense of the public interest. It offers a series of educational videos for journalists, explaining the risks of using information technology, and how to mitigate them using state of the art, free software tools.
- RSF.org: Reporters Sans Frontières (RSF), or Reporters Without Borders (RWB), is an international non-profit, non-governmental organization that “promotes and defends freedom of information and freedom of the press”. It offers excellent content in English, French, Spanish, Portuguese, Arabic, and Persian. The RSF Online Survival Kit offers “practical tools, advice and techniques that teach you how to circumvent censorship and to secure your communications and data”.
- CPJ.org: The non-profit Committee to Protect Journalists (CPJ) offers a comprehensive “Journalist Security Guide” which offers potentially life-saving advice on all aspects of security, from crime to natural disasters. There is also a good chapter on Technology Security.
- AccessNow.org: While not purely focused on journalism, Access Now is a good org to know about because its mission is to “defend and extend the digital rights of users at risk around the world”. They have a good section on digital security and offer a Digital Security Helpline.
- EFF.org: Again, not a journalism org, but the Electronic Frontier Foundation (EFF) offers a wealth of information on protecting yourself online, plus tools to help you educate (EFF) your colleagues. The EFF recently launched the Security Education Companion, a new resource for people who would like to help their communities learn about digital security but are new to the art of security training. And if you’re a “ journalist on the move” check out How to stay safe online anywhere without sacrificing access to information. [Disclaimer: I’ve been a paying supporters of EFF for many years.]
- CitizenLab.ca: Another great organization is Citizen Lab, a Canada-based interdisciplinary laboratory. Folks there focus on “research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security”. The website has good advice on topics like secure messaging, plus reports on the hacking of journalists and political abuses of technology.
I hope you find these resources to be helpful. If you know of relevant resources that I missed, pleased tweet me at @zcobb and I will check them out.
written by Stephen Cobb, ESET We Live Security