Threatpost breaks with the conventional wisdom that an information service funded by a technology company is inherently biased. The independent news site is owned by Kaspersky Labs, but its reputation as an authoritative, independent source of cyber security news has been endorsed by such leading news outlets as The New York Times, The Wall Street Journal, MSNBC, USA Today and National Public Radio. Hundreds of thousands security professionals regularly visit Threatpost for the latest breaking news.
Editor-in-Chief Mike Mimoso leads a small team of reporters who collectively turn out a huge volume of information. A veteran journalist with more than a decade of IT security news reporting, he was previously Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won numerous national and regional awards.
In this interview, Mimoso talks about Threatpost’s mission and the changes he’s seeing in the security landscape.
Who’s the target Threatpost reader?
Threatpost’s audience is pretty technical. We reach a lot of white-hat researchers, people working for vendors or independently, who spend their days looking for vulnerabilities in products and hopefully disclosing them so that issues can get fixed in a timely manner. IT and security managers read us, as do an increasing number of people focused on privacy.
What are the most important changes you’ve seen in the cyber security landscape over the last couple of years?
The rapid acceptance and understanding of the need to encrypt data and keep communication between businesses and individuals secure, even secret. The last few years have opened my eyes to the fact that encryption is about far more than keeping Amazon or PayPal or banking transactions safe. A lot of people around the world rely on encryption to communicate in locations where freedom is scarce. It’s encouraging to see how many of them have gravitated toward using encrypted technologies, particularly secure messaging apps.
Would you say we’re gaining or losing the battle against cyber attackers, and why?
I don’t think defenders will ever catch up to those people on the offensive side of security; they’re just in too reactive of a position. Hackers aren’t hamstrung by regulations, laws and oversight. They run freely because the law is woefully behind. International cooperation between law enforcement agencies has improved, but still has a long way to go.
What recent story alarmed you the most and why?
That would have to be the recent distributed denial of service (DDoS) attacks that were carried out using unsecured IoT devices. Who would have thought a DVR or closed-circuit camera connected to the Internet could be used to impact Internet service on the East Coast? But that’s exactly what happened, and I’m not sure how that situation is going to be addressed. Many of these IoT devices are out there with no authentication—or very weak authentication—and it’s child’s play for hackers to use them in this way.
What recent story gave you the most cause for hope?
A year ago, there was a lot of worry about the Wassenaar Arrangement among researchers who look for bugs in products. The rules were about to be implemented in the U.S., and they would severely impact how vulnerability information was shared and whether bugs would get fixed at all. Many “nerdy” researchers stood up and turned into advocates to let people in charge know what a bad idea this was. And it worked. The rules have been up for revisions for months. It’s good to see people stand up and make a positive change.
What makes the computer security field different from other IT disciplines?
It’s such a moving target. Every day there is a new risk – from ransomware to gaping holes in long-standing open source software – and it’s difficult to prioritize investments and manage risk.
From a computer security standpoint, how do organizations most often shoot themselves in the foot?
By failing to keep up with the basics, like keeping operating system and third-party software patches up to date. We write about so many so-called “sophisticated” attacks, but the vast majority of successful hacks are against unpatched software that’s running across platforms.
What’s one big misperception people have about cyber security that you’d like to set straight?
The biggest misconception is that security is a hindrance to business. That attitude is starting to shift, I think, but there are plenty of places where security is a differentiator that actually makes a company more desirable to do business with
Threatpost is a top source of security news, but you must get your tips and ideas from somewhere. What are your best sources?
Security people have gravitated to Twitter, for better or worse. If you follow the right people on Twitter, you get a pretty accurate feel for what’s happening. There are a few good sub-Reddits that also share decent technical information.
What’s one big story or package of stories of which you’re most proud?
We did a lot of solid reporting earlier this year on the controversy about Apple and the FBI over the dead terrorist’s phone. There were a lot of implications to that story beyond the technical issues of accessing the device that we touched on while a lot of other outlets didn’t. Of late, our coverage of the IoT botnet DDoS attacks was pretty solid too.
The three people on your staff produce an enormous amount of news. How do you keep things straight between you?
We each have our strengths and complement each other well. Threatpost has been around since 2009 and it’s always had great internal support. Kaspersky has been smart enough to hire competent, well-regarded security journalists to keep the quality of content high.
Complete this sentence: I know it’s been a good day when…
We can post three or four well-reported stories that aren’t just a rehash of what’s been reported elsewhere. A lot of traffic helps too