CyberSecurity by FEAR must STOP!


Security, whether in IT or any other field, shouldn't rely on constant fear and marketing scare tactics. Fear isn't sustainable because we humans get used to it. It might work in the short term, but over time, it loses its impact and becomes counterproductive.

Let me share a personal story to illustrate this. During the civil war in Algeria, I was living in Switzerland. I went back to Algeria to visit my family and one evening, I heard gunfire outside. The unmistakable sound of an AK-47 made me jump on the sofa. But no one else reacted. My father just turned up the TV volume to hear his movie over the noise.

The first time you hear an AK-47, it terrifies you. The 101st time, you stop caring. I eventually reached that point too. The same thing happens with scary images on cigarette packs—they were shocking at first, but now, who even notices them?

Last week, there was a huge IT meltdown because of a bad CrowdStrike update causing Windows machines to crash with BSOD. Within 24 hours, security vendors were raising alarms about threat actors registering domain names related to the incident. Names with "CrowdStrike" and words like "fix" or "claim" started appearing. This only created more panic in an already stressful situation.

Stirring up fear in such moments is a marketing tactic to get clients to spend more on security solutions. But this isn't ethical or sustainable. We can't build cybersecurity on terror.

I've been in the domain name business and sold .COMs for five-figure amounts. A friend of mine still does this. The business model is simple: watch for big news and register related domain names. Some do it automatically when something trends on Twitter/X. It's all about traffic. In SEO, traffic equals money. If a domain gets steady visitors, you can sell merch, redirect traffic to affiliates, or sell the domain itself.

Let me share an example. Recently, there was an assassination attempt that targeted presidential candidate Donald Trump. Here is a non-exhaustive list of domains that were registered minutes after the event:

Most of them haven't been monetised yet. They will end up appearing on some marketplaces such as Sedo or eBay. They may also end up dropped if the owners see no value in them.

One of them is selling merch related to the event. It's not a threat actor trying to steal your money. It's a legit, though amateurish, shop running on Shopify and accepting PayPal payments with all the protections that come with it.


We need to move away from threat actor fetishism and constant scare tactics. Yes, once in a while, a group of hackers may register a domain name as part of a broader social engineering campaign. Indeed, some domains distribute malware under various pretences. But most importantly, we need a balanced and realistic approach to these things.

While we panic about a kid registering a domain to make a quick buck, let's not forget that the last outage wasn't caused by any hacker. The call was coming from inside! While we stack security solutions on top of each other, we lose sight of the basics.

CrowdStrike, a security solution, caused more outages than any threat actor could have dreamed of. They probably didn't validate the update enough before pushing it to critical systems. And what about companies allowing automatic software updates to their critical systems? This is what we are losing sight of while focusing on lateral stories.

Some claim that the CrowdStrike incident is not security related. Sorry to be so Talmudic on the basics: the CIA triad. A is for availability. If your systems aren't available, you can play with words as much as you want, this is a security incident.

Cybersecurity is too important to be left in the hands of marketers. Let's concentrate on what really matters:

  • Education and Awareness: Teach people about risks and best practices. Stop buying stuff if you are not enforcing good practices. No amount of software or hardware will save you if you are not following some basic old-school rules.
  • Transparency and Communication: Be open about threats without sensationalising. Stop trying to put threat actors into boxes. They are more agile than your company. They don't play by any book, nor do they follow any predictable pattern. You can't fight them on agility while you are crippled by meetings, processes and policies. Fight them on a different level by ensuring your basics are covered.
  • Proactive Measures: Focus on preventing issues rather than just reacting. Use your imagination. Anything that can go wrong may go wrong in the future. The last outage was caused by CrowdStrike, the next one can be caused by Microsoft or any other vendor. Keep that in mind.
  • Ethical Marketing: Promote solutions based on their real benefits, not fear.

By focusing on these principles, we can build a more secure and trustworthy environment.




Cherif BAYOU

Cybersecurity Analyst

8 months

8.6 Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES IN THIS SECTION 8, CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS AND CROWDSTRIKE TOOLS. THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE

A little warning from CrowdStrike


More articles by Amine MECIFI
