12 Best Cybersecurity Stories In Cybercrime Magazine
As told (written) by an Aussie
Melbourne, Australia – Aug. 29, 2022
When you talk with enough people in an industry like cybersecurity, you start to hear the same themes come out, over and over.
Security is tough, especially with limited budget and corporate sponsors who are distracted by the day-to-day of running a big company.
Vendors are innovating left, right, and center — making it hard for CISOs to know which bets to back and which to hold off on.
And while technology is good, users are harder to account for because they have a habit of doing exactly the thing you’ve told them not to. So, you have to figure out new ways to say the same thing, and hope it soaks in.
Through all of this, cybercriminals, we hear over and over again, are lurking just outside the door like hungry possums, ceaselessly testing the window glass for strength and trying to lift the roof tiles as they look for a way to sneak in and wreak havoc under your nose.
Over eighteen months of hearing stories from the length and breadth of the cybersecurity industry, I’ve been reminded that most of the challenges we collectively face are just variations on one of a few themes.
We face common enemies with common motives — and the similarities in our own security challenges unite us with common purpose.
That purpose has been a common thread throughout the many interviews with security luminaries that the Cybercrime Magazine team — of which I am just one cog in a large wheel — have had the opportunity to talk with over the years.
There have been ex-intelligence officers, ex-military personnel, and ex-CISOs.
We’ve chatted with one-time cybercriminals whose luck eventually ran out, and with the cybercriminal investigators that caught them.
We’ve heard from victims of fraud, authors of books, hackers of security, makers of movies, detectors of deepfakes, and breeders of unicorns.
More than 125 stories later, it has been quite an education — and a constant reminder of how this industry is populated with all kinds of people, with all kinds of perspectives.
Its diversity — of thought, of experience, of gender, of heritage — is the source of its strength. It ensures that there’s never a dull moment in this sector. And, frankly, it’s the best thing we’ve got going for us as we collectively work to protect ourselves from the depredations of cybercriminals who are often richer, better-resourced, smarter, and absolutely determined to breach our networks.
To paraphrase Kyle Reese, the cybercriminals are out there. They can’t be bargained with. They can’t be reasoned with. They don’t feel pity or remorse, or fear. And they absolutely will not stop, ever, until you are breached.
Fighting them off means bringing your A-game — and your A-team — every single day. And if your team members are anywhere near as brilliant as the people I’ve had the pleasure to hear from, I’d hazard to suggest that you’ve got a fighting chance.
Here are a dozen of the stories that, for me, really highlight the ways that diversity is helping cybersecurity experts bring their best selves to the fight every single day.
It Takes A Village To Raise A Hacker. Figuring out how to get the next generation involved with cybersecurity is an ever-present challenge. Kids grow up with preconceived notions of what it means to be involved with cybersecurity, and they’re usually shaped by movies that paint the industry as a Manichean conflict between brilliant cybercriminals and hapless victims.
If that dynamic doesn’t resonate, kids will walk right past cybersecurity as they grow into adults — and become victims of those who saw the potential in cybersecurity as young people. Events like BloomCON HAK4KIDZ represent the kind of immersive engagement we need to see more of, fostering the problem-solving and curiosity that are essential if we can ever hope to normalize the cybersecurity industry.
Security Awareness Training Market To Hit $10 Billion Annually By 2027. Training employees about cybersecurity remains a constant challenge for security practitioners — but it’s fundamentally important, and it’s the kind of thing that can be done really well or really badly. That’s why it’s important to understand that security training isn’t just about forcing your employees to sit in classes while a trainer drones on and on about the things they shouldn’t do.
Making security awareness training work requires a broad range of perspectives — and if you’re designing or sourcing a training program, it’s important to make sure that you tap those perspectives. After all, your workforce is diverse — so you need to try an equally diverse range of approaches to convey information to them in a way that they can relate to. Get that right, and you have a much better chance of helping your training investment deliver results.
Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031. The story of ransomware never ceases to astound, both because of the creativity and resourcefulness of ransomware gangs and because of the governance firestorm that the very existence of ransomware has triggered. Can companies recover from a ransomware attack? Should they pay the ransom or lean on their own response plans? What costs will insurance companies cover, if any? Should executives fear for their jobs if their companies are compromised?
These and many more questions show how ransomware is a canary in the coal mine for a whole range of risk-management issues — and how ransomware hits often expose systemic shortcomings across the cybersecurity spectrum. This report highlights both how significant a threat ransomware has become, and how quickly it’s growing despite the best efforts of the entire cybersecurity community — important considerations for every security executive.
Application Security Goes Hollywood. TV portrayals of cybersecurity attacks or defenses tend to be exaggerated, over-stylized, embarrassingly oversimplified, or — occasionally — vaguely lifelike. So what would you do if you worked in cybersecurity, and you were tired of seeing those portrayals? If you’re someone like cybersecurity specialist Alissa Valentina Knight, you write your own.
Hoping to put more realistic portrayals of cybercrime and security practices into the public domain, Knight co-wrote a five-part miniseries, called Ransom, that she called “very technically accurate.” Hollywood, take note: wrapping that kind of information in an engaging narrative is exactly the kind of out-of-left-field thinking that the industry needs to teach the public more about what cybersecurity really is, and what it definitely isn’t.
Cybercrime: Lawyers Fight Back, When Banks Won’t. Cybercrime may be a nuisance for large businesses, but it can be existentially catastrophic for small businesses that rely on the availability of systems and funds to carry on their everyday operations. So when a company like Washington, D.C.’s Johnny Pistolas watches nearly half a million dollars go missing, it’s going to have repercussions.
With all the talk about innovative cybersecurity solutions, new technical paradigms, strategies for ensnaring cybercriminals, and the like, it’s important that we all remain cognizant that behind every new cybersecurity compromise are thousands of businesses like Johnny Pistolas — run by real people who likely don’t know about cybersecurity, or can’t afford to care about it, because they’re too busy serving their customers. Figure out how to protect those companies, and you’ve found the cybersecurity industry’s long-sought panacea at last.
How The World’s Top Skiptracer Hunts Fugitives. We’ve all probably Googled an old friend or flame to see what they’re up to — but what if your entire livelihood consisted of using information tools as weapons to track down miscreants who just don’t want to get caught? That’s the specialty of AJ Barrera, whose very interesting work in tracking down people is a reminder of the importance of protecting personal data — and the futility of it as well.
Thanks to data-scraping algorithms, exhaustive public records and ever-enthusiastic cybercriminals, anecdotal evidence suggests that the personal information of nearly every person has already been leaked online — but reports like this highlight the importance of doing what you can to minimize your exposure of personal information online. After all, you never know who might be Googling you.
Teen Hacked Crypto Investor And Stole $1 Million. Coverage of cybersecurity damages tends to talk about the impact on a particular business, university, or government department — but it’s when you hear personal stories about the losses that individuals have suffered that the risks that cybercrime poses truly hit home.
Gregg Bennett’s story offers just such a warning, highlighting the way that even an experienced industry player can get fleeced by resourceful cybercriminals. SIM-swapping attacks have proved devastatingly effective in stealing money and identities — and Bennett’s high-profile experience is a timely reminder of both the insecurity of the cryptocurrency ecosystem, and the need to be aware of the telltale signs of compromise (a phone that suddenly loses service, or password-reset notices you didn’t request) as you go about your everyday business.
Pentest Glory: Spearfish, S.D. Woman Duped Prison Authorities. Forget firewalls and zero-trust: you never truly know how secure you are until you’ve had a human being try to breach your defenses — and time after time, penetration testers are showing that even supposedly well-protected organizations often have gaping vulnerabilities through which determined adversaries can quietly slip.
The story of one successful breach — in which a penetration tester’s mom decided to walk into a prison under the guise of a food inspector, and see how many systems she could compromise — should send shivers down the spines of readers whose entire careers revolve around making this sort of thing impossible. It’s an ever-present reminder that no matter how secure you think you are, there’s always someone who is convinced they can beat you. And many times, they’re right.
VCs Invest Cash Piles Into The Cybersecurity Market. One of the areas that Cybercrime Magazine has covered in great detail is the cybersecurity startup market — both with a running list of cybersecurity venture capital funding, and with regular interviews with the people who are out there making the deals that continue to shape the industry.
VC funding is a barometer of innovation, and it hit dizzying heights during 2021 as a battalion of cybersecurity startups and scaleups tapped enthusiastic capital markets to sell their value propositions to a world that was dragged through a cybersecurity masterclass during the COVID pandemic. This sort of coverage highlights new cybersecurity thinking and new solutions, and serves an important role in highlighting which areas of the market are likely to be most relevant in the future.
Beware Of Alexa’s Malicious And Manipulative Skills. The world is drowning in Internet of Things (IoT) devices — and while security specialists have spared no effort in warning the world how dangerous it can be to bring connected microphones and cameras into intimate places like kitchens and bedrooms, that hasn’t stopped us buying them by the tens of millions.
Stories like this are important reminders about the risks of blind faith in technology. Security researchers delight in finding ways to compromise devices like Amazon Alexa — and increasingly connected cars — and their warnings are a worthwhile reminder of the importance of keeping security in mind as we all move into the era of the AI-assisted smart home. You never truly know who’s listening in.
Martyr Or Traitor, NSA Leaker’s Breath Of Fresh Air. With so much focus on the mechanics of cybersecurity’s ongoing cat-and-mouse game between attackers and defenders, it’s easy to forget that cybersecurity is also a story about people — and, for many of them, the consequences of their actions. The case of former NSA contractor Reality Winner is a good example of how security issues often cause individuals to get lost in the furor over their actions.
An undeniably intelligent, curious intelligence worker who leaked sensitive documents for what she felt was the greater good, Winner isn’t your stereotypical doxing cybercriminal. Motivated by good intentions, she was one of several high-profile leakers who highlighted just what happens when good intentions are lost in the noise.
Hacking Is Fun Until You Get Flash-Banged. Cybercriminals may be self-interested miscreants, but they’re people too — and when a misguided 15-year-old gamer ends up face to face with a SWAT team, you can’t help but feel for someone who could be the same age as your own children, however disastrous the outcome he brought on himself.
Many of today’s security-industry luminaries started their careers as curious teenagers, which makes the story of Cosmo the God even more resonant, given that his run-in with authorities ultimately scared him straight and ended with him working for a cybersecurity training company. It’s a morality story with a happy ending, and a reminder that even cybercriminals aren’t always beyond redemption.
– David Braue is an award-winning technology writer based in Melbourne, Australia.