The Twitter hashtag #cisotips has been greeted with derision from the hacker community after a spoof tweet mocking bad infosec advice went viral.
It came after @LiveOverflow, aka security researcher Fabian Faessler, who is known in the community for his educational hacking tutorial videos, posted a tweet that quickly gained traction online.
Faessler told The Daily Swig that he wanted to share some “terrible” security advice, spoofing that of a non-technical CISO – chief information security officer – as a joke.
“As you probably know, there is the hashtag #bugbountytips and #pwntips to share technical tips,” Faessler said.
“And sometimes people would share very funny – and wrong – tips as a joke. Then I just had an idea for some funny, terrible security advice that I wanted to tweet. But it was not bug bounty related, so I thought of something else.”
The tweet that sparked the meme
He added: “Because sometimes we more technical people have this stereotype of non-technical executives with a position like CISO, I thought it would be funny to tweet some more general bad security advice and use #cisotips.”
Bad advice
The original tweet, which has had more than 330 likes and 23 retweets, drew inspiration from a whole host of questionable infosec advice that Faessler has seen over the years.
It later inspired a flurry of other parody posts using the #cisotips hashtag from members of the infosec community.
Muddying the waters
Faessler told The Daily Swig that he had to clarify that some of his tweets were a joke, since many of them “blurred the lines” between a spoof and a genuine post.
“Some of the tweets were intentionally on a blurry line and are probably worth discussing,” he said.
“For example, the tweet about ‘95% of vulnerabilities can be found by scanning’. The number is made up, but I think it’s a very interesting debate about the ‘best effort’ and ‘cost-benefit’ ratio.”
He concluded: “I can totally see this being an actual discussion a company might have.”