Our guest today is Alexey Lukatsky, a well-known expert in the field of information security and business consultant of Cisco. The main topic for the conversation was an extremely interesting area - the safety of modern cars and other vehicles. If you want to know why drones are hacking even more often than cars and why agricultural equipment manufacturers block unauthorized repairs on their machines at the firmware level, read on!
On the safety of modern cars
There is a dangerous misconception among most people that a car is something unique, different from a normal computer. Actually it is not.
In Israel, Cisco has a separate division that deals with automotive cybersecurity. It appeared after the acquisition of one of the Israeli startups that worked in this area.
The car is no different from a home or corporate network, as evidenced by various studies examining what an intruder can do to a car. It turns out that cars also have computers, only they are small and inconspicuous. They are called ECU (Electronic Control Unit) and there are dozens of them in the car. Every power window, brake system, tire pressure monitor, temperature sensor, door lock, trip computer system, and so on are all computers, each managing a different piece of work. Through such computer modules, you can change the logic of the car. All these modules are combined into a single network, the length of the cables is sometimes measured in kilometers, the number of interfaces is in the thousands, and the amount of code is millions of lines for a normal on-board computer and, in general, for the entire electronic filling (in spaceship there are fewer of them). According to various estimates, up to 40% of a modern car is electronics and software. The amount of software in premium cars is up to a gigabyte.
I do not take into account the production of the Russian car industry, where, fortunately (in terms of security), there is no serious computer stuffing. But if we consider almost all foreign automakers, then all of them are now computerizing even the most budget models of their cars.
Yes, cars have computers. Yes, they have their own data exchange protocols, which are not something secret: you can connect to them, intercept data and modify them. As cases from the practice of manufacturers such as Toyota, Chrysler Jeep, GM, BMW, Chevrolet, Dodge and Mercedes-Benz show, attackers have learned quite well to analyze what is happening inside the car, they have learned to analyze the interaction of the outside world with the car. Experts estimate that 98% of all tested software applications in cars (and they provide up to 90% of all innovations) have serious defects, and some applications have dozens of such defects.
Now, within the framework of various projects in Europe and America, so-called smart roads are being created.(e.g. EVITA, VANET, simTD projects). They allow the car to communicate with the road surface, traffic lights, parking lots, traffic centers dispatch control road traffic. The car will be able to automatically, without human intervention, control traffic, traffic jams, parking lots, slow down, receive information about traffic incidents so that the built-in navigator can independently rebuild the route and direct the car along less busy highways. All this interaction now, unfortunately, takes place in an almost unprotected mode. Both the car itself and this interaction are almost not protected in any way. This is due to the common misconception that systems of this kind are very difficult to study and of little interest to anyone.
There are also business related issues. Business is ruled by whoever enters the market first. Accordingly, if the manufacturer was the first to launch a certain novelty on the market, he took a large share in this market. Therefore, security, which requires a lot of time to implement and, most importantly, to test, always pulls many businesses back. Often, because of this, companies (this applies not only to cars, but to the Internet of things as such) either postpone security until later, or do not deal with it at all, solving a more mundane task - to quickly release a product to the market.
Known hacks that have occurred in the past were related to interference with the operation of the brakes, turning off the engine on the move, intercepting data on the location of the car, remote disabling of door locks. This means that attackers have quite interesting opportunities to perform certain actions. Fortunately, while such actions are not performed in real life, rather, it is the so-called proof-of-concept, that is, some kind of demonstration of the possibilities of stealing a car, stopping it on the go, taking control, and so on.
What can be done today with the car? Hack the transport management system, which will lead to traffic accidents and traffic jams; intercept the PKES signal and steal the car; change routes via RDS; arbitrarily accelerate the car; block the brake system or engine on the go; change POI points in the navigation system; intercept the location or block the transmission of location information; block the transmission of a signal about theft; steal content in the entertainment system; make changes to the ECU and so on. All this can be done both through direct physical access, through connection to the diagnostic port of the car, and through indirect physical access through a CD with modified firmware or through the PassThru mechanism, as well as through wireless access at close (for example, Bluetooth) or long distance (for example, via the Internet or a mobile application).
In the long term, if vendors do not think about what is happening, this can lead to sad consequences. There are quite simple examples that do not yet indicate that hackers have actively taken up cars, but are already applicable in real life. For example, suppression of built-in tachographs that have GPS or GLONASS sensors. I have not heard about such cases with GLONASS in Russian practice, but in America there were precedents with GPS, when attackers jammed the signal of an armored car of collectors and stole it to an unknown place in order to rip it up and pull out all the valuables. Research in this area was carried out in Europe, in the UK. Such cases are the first step to attacks on the car. Because everything else (stopping the engine, turning off the brakes on the go) I, fortunately, have never heard in real practice. Although the very possibility of such attacks suggests that manufacturers and, most importantly, consumers, should think about what they are doing and what they are buying.
It is worth saying that even encryption is not used everywhere. Although encryption may be initially provided by the design, it is by no means always included, because it loads the channel, introduces certain delays and may lead to the deterioration of some consumer characteristics associated with the device.
In a number of countries, encryption is a very specific type of business that requires obtaining permission from government agencies. This also imposes certain restrictions. The export of equipment containing encryption functionality is subject to the so-called Wassenaar Dual-Use Technology Export Agreements, which include encryption. The manufacturer is required to obtain an export permit from their country of manufacture and then obtain an import permit for the country into which the product will be imported. If the situation has already calmed down with the software, although there are difficulties and limitations there, then there are still problems with such newfangled things as encryption on the Internet of things. The thing is, no one knows how to regulate it.
However, there are advantages to this, because the regulators are still almost not looking towards encrypting the Internet of things and cars in particular. For example, in Russia, the FSB controls the import of software and telecommunications equipment that contains encryption functions, but practically does not regulate encryption in drones, cars and other computer stuffing, leaving it outside the scope of regulation. The FSB does not see this as a big problem: terrorists and extremists do not use it. Therefore, while such encryption remains out of control, although it formally falls under the law.
Also, encryption, unfortunately, is very often implemented at a basic level. When, in fact, this is a regular XOR operation, that is, replacing some characters with others according to a certain simple algorithm that is easy to pick up. In addition, encryption is often implemented by non-experts in the field of cryptography, who take ready-made libraries downloaded from the Internet. As a result, in such implementations, vulnerabilities can be found that allow you to bypass the encryption algorithm and at least intercept data, and sometimes intrude into the channel to replace it.
Demand for car safety
Our Israeli division has a solution called Autoguard. This is a small firewall for cars that controls what happens inside and interacts with outside world. In fact, it analyzes the commands exchanged between the elements of the on-board computer and sensors, controls access from the outside, that is, determines who can and who cannot connect to the internal electronics and stuffing.
In January 2018, in Las Vegas, at the largest electronics exhibition CES, Cisco and Hyundai Motor Company announced the creation of a car new generation, which will use the architecture of a software-defined vehicle (Software Defined Vehicle) and be equipped with the latest network technologies, including cybersecurity mechanisms. The first cars should roll off the assembly line in 2019.
Unlike consumer electronics and enterprise IT solutions, automotive security is a very specific market. Consumers this market there are only a few dozen worldwide - by the number of car manufacturers. Alas, the car owner himself is not able to increase the cybersecurity of his "iron horse". As a rule, projects of this kind are not exactly advertised, but they are not in the public domain, because these are not millions of companies that need routers, and not hundreds of millions of users who need secure smartphones. These are just three or four dozen car manufacturers who do not want to draw attention to how the car protection process is built.
Many manufacturers take protection lightly, others are only looking at this area, conducting various tests, because there is its own specificity associated with life cycle car. In Russia, the average life of a car is five to six years (in the central regions and large cities it is three to four years, and in the regions it is seven to eight years). If a manufacturer now thinks about introducing cybersecurity into its car line, then this solution will enter the mass market in ten years, not earlier. In the West, the situation is slightly different. There, cars are changed more often, but even in this case it is too early to say that cars are sufficiently equipped with protection systems. Therefore, no one wants to draw much attention to this topic.
Attackers can now start attacking cars or provoking a recall of cars due to computer security problems. This can be very costly for manufacturers, because there are always vulnerabilities. Of course they will be found. But recalling thousands or hundreds of thousands of vulnerable vehicles every time because of a vulnerability is too expensive. Therefore, this topic is not widely heard, but large manufacturers, of course, are working and thinking about the prospects of this market. According to GSMA estimates, by 2025, 100% of cars will be connected to the Internet (the so-called connected cars). I do not know to what extent Russia is taken into account in these statistics, but the world's auto giants are counted in it.
Safety of other modes of transport
There are vulnerabilities in all types of vehicles. These are air transport, sea transport, cargo transport. Pipelines will not be taken into account, although they are also considered a mode of transport. Any modern vehicle contains a fairly powerful computer stuffing, and it is often developed by ordinary IT specialists and programmers who make classic mistakes when creating their code.
In terms of development, the attitude towards such projects is slightly different from what is done by Microsoft, Oracle, SAP or Cisco. And testing is not done at the same level. Therefore, cases of finding vulnerabilities and demonstrations of the possibility of hacking aircraft or maritime transport are known. That is why no vehicles can be excluded from this list - their cybersecurity is not at a very high level today.
With drones, the situation is exactly the same and even simpler, because this is a more mass market. Almost anyone has the opportunity to buy a drone and take it apart for research. Even if a drone costs several thousand dollars, you can buy it in a bag, analyze it, and find vulnerabilities. Then you can either steal such devices, or land them on the fly, intercepting the control channel. It is also possible to provoke them to fall and cause damage to the owner, or to steal the packages that drones transport if they are used to transport goods and shipments.
Given the number of drones, it is understandable why attackers are actively exploring this particular market: it is more monetized. The situation in this area is even more active than with cars, because there is a direct benefit for the “bad guys”. It is not present when a car is broken into, not counting the possible blackmail of the automaker. In addition, blackmail can go to jail, and the procedure for obtaining a ransom is much more complicated. Of course, you can try to get money from the automaker legally, but there are very few people who earn money by searching for such vulnerabilities legally and for money.
When manufacturers block updates
Recently there was an interesting case - a manufacturer of agricultural machinery. I do not see anything supernatural and contrary to business practice from the point of view of the manufacturer in this situation. He wants to take control of the software update process and lock in his customers. Since warranty support is money, the manufacturer wants to continue earning on it, reducing the risks of customers leaving for other equipment suppliers.
According to this principle, almost all companies operating in IT-related areas "live", as well as companies - manufacturers of cars, agricultural machinery, aviation technology or drones implementing IT at home. It is clear that any unauthorized interference can lead to sad consequences, so manufacturers close the possibility for self-updating software, and I understand them perfectly here.
When a consumer does not want to pay for warranty support for equipment, he starts looking at various warez sites for firmware updates. This may, on the one hand, lead to him updating his software for free, but, on the other hand, this may lead to damage. In particular, there was a case in Cisco practice when companies that did not want to pay for support (in this case, of course, not for automotive or agricultural equipment, but for ordinary network equipment) downloaded firmware somewhere on hacker forums. As it turned out, these firmware contained "bookmarks". As a result, for a number of customers, information that passed through network equipment leaked out to unidentified persons. There were several companies in the world that faced this.
If we continue the analogy and imagine what can be done with agricultural machinery, the picture will turn out to be sad. In theory, it is possible to block the work of agricultural machinery and demand a ransom for restoring access to machines that cost hundreds of thousands of dollars or even millions. Fortunately, as far as I know, there have been no such precedents yet, but I do not rule out that they may appear in the future if this practice continues.
How to improve vehicle safety
The instruction is very simple: you need to understand that the problem exists. The fact is that for many managers there is no such problem, they consider it either far-fetched or not very popular on the part of the market and, accordingly, are not ready to spend money on it.
Three or four years ago, the Connected Car Summit was held in Moscow, where they talked about various newfangled things related to the automation and computerization of cars. For example, about location tracking (car sharing with Internet connection) and so on. I spoke there with a report on car safety. And when I talked about various examples of what can be done with a car, many companies, manufacturers and car sharing companies came up to me after the speech and said: “Oh, we didn’t even think about it. What do we do?"
There are few car manufacturers in Russia. After the speech, a representative of one of them approached me and said that while they do not even think about computer security, because the level of computerization is very low, they first need to understand what can be added to the car in terms of computer stuffing. When I asked this representative if they were going to think about security at all, he replied that it was considered in the very long term. This is the key point: you need to think about the fact that computer security is an integral part, it is not an external “mounted” function, but a property of a modern car. This is half of the success in ensuring the safety of transport.
The second necessary step is to hire specialists, internal or external. We need people who can legally break existing solutions and look for vulnerabilities in them. Now there are individual enthusiasts or firms that are engaged in either pentesting or analyzing the security of cars and their computer stuffing. There are not many of them, because this is a rather narrow market where you can’t turn around and earn a lot of money. In Russia, I do not know anyone who would do this. But there are companies that are engaged in security analysis and do quite specific things - they test automated process control systems and the like. Perhaps they could try their hand at cars.
The third element is the implementation of secure development mechanisms. This has long been familiar to developers of conventional software, especially in Russia the relevant GOSTs for secure software development have recently been adopted. This is a set of recommendations on how to write code correctly to make it harder to crack, how to avoid constructs that would lead to buffer overflows, data interception, data spoofing, denial of service, and so on.
The fourth step is the implementation of technical security solutions, that is, the use of special chips in cars, building a security architecture. The staff of developers should include architects who deal specifically with security issues. They can also deal with the architecture of the car in terms of protection, the architecture of the control system. Because it is always possible to attack not the car itself - it is much more effective to hack the control system and gain control over all cars.
As recently happened with online cash registers, which suddenly stopped working on the day of the centenary of the FSB. After all, an online cash register is, roughly speaking, the same car: it has a computer filling, there is a firmware. The firmware stopped working at once, and a quarter of the entire retail market got up for several hours. It is the same with cars: poorly written code, vulnerabilities found in it, or hacking of the control system can lead to rather sad consequences. But if in the case of online cash registers the losses were measured in billions, then in the case of cars there will be victims.
Although with cars it is not necessary to wait for hacking or taking control of tens of millions of vehicles. It is enough to crack just a few of them, and chaos will already come on the road. And if the fact of hacking becomes public, you can be sure that the media will trumpet it to the whole world, and car owners will be horrified by the “prospects” that have opened up.
In general, there are three levels of protection of modern vehicle. This is the built-in cybersecurity of the car itself (immobilizer, PKES, secure internal communications between ECUs, anomaly and attack detection, access control, trusted security modules); security of communications (protection of external communications with the road infrastructure control center, the manufacturer of the car or its individual parts, protection of downloading applications, content, updates, protection of tachographs); and the safety of road infrastructure.
What and where to study as a specialist
IT professionals who are or want to develop code for cars, vehicles or drones can be recommended to start with the study of secure development (SDLC). That is, you need to study what safe development is in general. It must be admitted that this additional knowledge does not bring additional money. Today, no one is punished for not knowing the basics of secure development, there is no responsibility, so it remains at the discretion of the IT specialist himself. At first, this may be competitive advantage for a specialist, because this is not taught anywhere, which allows you to stand out from the background of others. But in the field of car security, the Internet of things, drones, this is not the most popular requirement for an employee. Unfortunately, it must be admitted that IT specialists do not have much attention to this topic.
Secure development is self-learning in its purest form. Because there are practically no courses of this kind, they are all made only to order, and, as a rule, this corporate training. This topic is also not included in the federal state educational standards, so the only thing left is self-study or going to courses of companies that are engaged in code analysis. There are such companies - among the Russian players, for example, Solar Security or Positive Technologies. There are many more of them in the West, for example, IBM, Coverity, Synopsys, Black Duck. They hold various seminars on this topic (both paid and free), where you can learn some knowledge.
The second direction for IT-specialists is architects. That is, you can become an architect for the security of such projects, for the Internet of things in general, because they are, plus or minus, built according to the same laws. This is a central control system from the cloud and a bunch of sensors: either narrowly focused, such as a drone, or sensors integrated within a car or a larger vehicle that need to be properly configured, implemented, and designed. It is necessary to take into account various threats, that is, the so-called threat modeling is necessary. It is also necessary to take into account the behavior of a potential intruder in order to understand its potential capabilities and motivation, and on this basis, to design mechanisms for repelling future threats.
On the Internet you can find a lot of useful materials. You can also read various presentations from conferences such as DEF CON and Black Hat. You can look at the materials of companies: many publish quite good presentations and whitepapers on their websites, descriptions of typical errors in the code, and so on. You can try to find presentations from specialized car security events (for example, Automotive Cybersecurity Summit, Vehicle Cyber Security Summit, Connected Cars Summit, CyberSecureCar Europe).
In addition, now the Russian regulator FSTEC of Russia ( federal Service on technical and export control) has a number of initiatives, in particular, it is proposed to post on the Internet typical mistakes, which programmers allow in the code, to maintain a certain database of such errors. This has not yet been implemented, but the regulator is working in this direction, although they do not always have enough resources.
After the cyber arsenal of the CIA and NSA was leaked to the Internet, anyone, even a "home hacker", can feel like a special agent. After all, he owns almost the same arsenal. This forces architects to take a completely different approach to how they build their systems. According to various studies, if you think about security at the stage of creating an architecture, then X resources will be spent on its implementation. If you change the architecture already at the stage of commercial operation, it will require thirty times more resources, time, human and money.
An architect is a very fashionable and, most importantly, a very profitable profession. I cannot say that there is a great demand for such specialists in Russia, but in the West a security architect is one of the highest paid specialties, the annual income of such a specialist is about two hundred thousand dollars. In Russia, according to the Ministry of Labor, there is a shortage of about 50,000-60,000 security guards every year. Among them are architects, administrators, managers and threat modelers, a very wide range of security professionals who are regularly in short supply in Russia.
However, architects are also not taught in universities. Basically, this is retraining, that is, appropriate courses, or self-study.
In Russia, corporate training is mainly practiced. Because it is not a mass market and training centers do not include it in their programs as courses. This is only made to order. In theory, it is necessary to initially include this in public education in universities. To lay the foundations for the proper design of various architectures. Unfortunately, federal state educational standards are written by people who are very far from reality and practice. Often this former people in uniform, who do not always know how to properly design systems, or they are familiar with this in a very specific way: their knowledge is related to state secrets or the fight against foreign technical intelligence, and this is a slightly different experience. Such an experience cannot be called bad, but it is different and of little use in the commercial segment and the Internet of Things. Federal State Educational Standards are updated very slowly, about once every three to four years, and mostly cosmetic changes are made to them. It is clear that in such a situation there are not enough specialists and will not be enough.
Working at Cisco
Cisco has a development in Russia. Currently, work is underway to create an open stack platform for service providers and data centers. We also have a number of agreements with Russian companies who are engaged in individual projects for us. One of them is Perspective Monitoring, which writes separate handlers for network traffic to recognize various applications, which are then embedded in our network security tools. In general, we, like most global IT companies, have several development centers in the world, and regional offices perform the functions of marketing, support, and sales.
We have an internship program for university graduates - a year in Europe, in our academy. Before that, they go through a big competition, and then they are sent for a year to one of the European capitals. Upon their return, they are distributed to our offices in Russia and the CIS countries. These are engineers who design systems and support them, as well as people who are involved in sales.
Sometimes we have vacancies when someone goes for a promotion or leaves the company. Basically, these are either engineering positions or positions related to sales. Given the level of Cisco, in this case we are not recruiting students, but people who have worked for more than one year in some position. If this is an engineer, then he must have a sufficient amount of Cisco certification. What is needed is not a basic CCNA, as a rule, a minimum of CCNP is required, but most likely, a specialist must pass CCIE certification at all - this is the maximum level of Cisco certification. There are few such people in Russia, so we often have a problem when we need to find engineers. Although in general the rotation in the company is not very large, it is measured at 1-2% per year. Despite the economic situation, American companies in Russia they pay very well, the social package is good, so usually people don't leave us.
I was born in 1973 in Moscow, where I still live, despite the attempts of foreign powers to get me into the ranks of their citizens. In 1996 he graduated from the Moscow Institute of Radio Engineering, Electronics and Automation (MIREA) with a degree in Applied Mathematics (specialization - Information Security). Twice he tried to get the degree of Candidate of Technical Sciences, but both times, having convicted future scientific leaders of plagiarism, he stopped his postgraduate career. We don't judge. I have no state or departmental awards.I have been working in the field of information security since 1992. Worked as an information security specialist in various government and commercial organizations. He has gone from a programmer of encryption tools and an administrator to an analyst and business development manager in the field of information security. He had a number of certifications in the field of information security, but stopped the race for badges. At the moment, I give my all to Cisco.
Published over 600 printed works in various publications - CIO, Director of Information Service, National Banking Journal, PRIME-TASS, Information Security, Cnews, Banking Technologies, Analytical Banking Journal , "Business Online", "The world of communication. Connect", "Results", "Rational Enterprise Management", "Mergers and Acquisitions", etc. In the mid-2000s, he stopped counting his publications as a hopeless exercise. At the moment I am blogging on the Internet "Business without danger".
In 2005 he was awarded the Association of Documentary Telecommunications "For the Development of Infocommunications in Russia", and in 2006 - the Infoforum award in the nomination "Publication of the Year". In January 2007, he was included in the rating of 100 persons of the Russian IT market (for which I did not understand). In 2010, he won the Lions and Gladiators competition. In 2011, he was awarded the diploma of the Minister of Internal Affairs of the Russian Federation. At the Infosecurity conference, he received the Security Awards three times - in 2013, 2012 and 2011 (for educational activities). For the same activity, or rather for blogging, in 2011 he received the Runet Anti-Prize in the "Safe Roll" nomination. In 2012, he was awarded by the Association of Russian Banks for his great contribution to the development of the security of the Russian banking system, and in 2013, at the Magnitogorsk forum, he received an award "For methodological support and achievements in banking security." Also in 2013 and 2014, the portal DLP-Expert was named the best speaker on information security. During his time at Cisco, he was also awarded a number of internal awards.
In 2001, he published the book Attack Detection (the second edition of this book was published in 2003), and in 2002, in collaboration with I.D. Medvedovsky, P.V. Semyanov and D.G. Leonov - the book "Attack from the Internet". In 2003 he published the book "Protect Your Information With Intrusion Detection" (on English language). During 2008-2009, he published the book "Myths and Fallacies of Information Security" on the bankir.ru portal.
I am the author of many courses, including "Introduction to Intrusion Detection", "Intrusion Detection Systems", "How to Link Security to Business Strategy of an Enterprise", "What is Personal Data Law Hiding", "ISIS and Organizational Theory", "Measuring Performance Information Security”, “IS Architecture and Strategy”. I give lectures on information security in various educational institutions and organizations. He was the moderator of the RU.SECURITY echo conference in the FIDO network, but abandoned this business due to the exodus of most specialists to the Internet.
For the first time in the Russian press, he addressed the topic:
- Business information security
- M&A Security
- Measuring the effectiveness of information security
- SOA Security
- Billing systems security
- deceptive systems
- IP telephony security
- Security of data storage systems (storage)
- Hotspot Security
- Call center security
- Applications of situational centers in information security
- mobile spam
- Mobile network security
- And many others.
I am married and have a son and a daughter. I try to devote my free time to my family, although exhausting work for the good of the Motherland and the employer leaves almost no such time. Hobby turned into work or work turned into a hobby - writing and Information Security. I have been involved in tourism since childhood.
PS. Photos for Internet publications (download above or
O replyseemingly obvious. To blog like Lukatsky, you have to be Lukatsky. But let's take a deeper look at the methods and motivations for running your own blog.Blogging is a drug. Even if you have already written a bunch of posts, tweets and comments in all possible social media today, you want more and more. The more information you are interested in dumps on you, the more you want to consume blogs, pages, sites. The more channels you have to distribute your information, the more ways you need to communicate with the outside world.
The real value of any blog for its owner is an affordable way to communicate information to a wide audience. In addition, a blog allows you to increase your own self-esteem, hide your weaknesses inside, and, on the contrary, expose your virtues to the outside.
Desire to create your own brand
The first reason for blogging is to have something to say to the audience. The world is becoming saturated with information, the demand for useful and timely information is growing, giving new opportunities to people who see this as a way to unlock their potential.
The second reason is quite selfish - the desire to create your own brand, that is, doing what you love to derive personal benefit from it (oops, casually formulated the dream of any hacker).
Let's find out if you have the prerequisites for creating your own brand in social networks.
First of all, when choosing a topic for blogging, you need to focus on something. You have a choice problem.
1. The brand of the reported information (it is assumed that this is some kind of exclusive, a’la Arustamyan from football with its pseudo-news).
2. Expert brand - you have to earn it, and this is a long and thorny path. Colleagues in the workshop should recognize in your person a specialist in the ability to convey high-quality information in an accessible form.
3. Brand of knowledge - in order to broadcast knowledge to the audience, they must first be obtained, and this is work that may not pay off. In any case, you need to increase your potential as a representative of the profession.
4. Well, and, as the most common option, you are just a talented person, you are bursting with a desire to become famous and it doesn’t matter to you what to write / talk about (most beginner bloggers think so).
You need to learn how to present the material in such a way that it is a) understandable, b) relevant and then whatever you like: interesting, exciting, aphoristic, easy, with humor. After all, writing or public speaking are skills that can be learned and come with experience.
Most people (in the context of this article - bloggers) are engaged either in interpreting other people's ideas (exactly what I am doing now), or in aggregating news press releases (events, vacancies, etc.), including broadcasting news of their own brand / product , publishing the necessary content from exhibitions, conferences, presentations, etc. But even in this case, not many people can pack information into high-quality material (we do not consider professional journalists). And why? The news presentation of materials suits most target audience. With the current shortage of time and an abundance of materials for more, the reader does not have enough strength or patience.
Despite the statement in the title, if not like Lukatsky, but you have everything you need to become a famous blogger - a person who knows how to write and is ready to devote all his free time to this occupation.
This requires only five terms.
First, you need luck. (and this is one of the reasons why you will not become Lukatsky). Not everyone is as lucky as Lukatsky. He has knowledge, experience and most importantly - modern technologies security. It is important (and it shows) that he gets support from his company. What was once just a hobby for Lukatsky has become a new approach for the company to transfer necessary information. Due to its popularity in social media, Lukatsky's blog has become a brand within the company as well (I doubt that this was a well-thought-out strategy, at least initially). This has become part of the business that Lukatsky represents ( Cisco ). He sincerely loves the work he does and his interest is transferred to the audience. He is concerned not only with the subject area of activity, but also with the state of the industry as a whole, and this is captivating.
The second is a cocktail of internal energy, personal charisma and experience
Public speaking requires charisma, a bright personality. Lukatsky is invited to various events because he is able to explain complex things in simple terms (a skill that needs to be learned) and has an excellent command of the subject area.
Fourth - see the forest before the trees
You need to see / feel / know the problems of the target audience of the blog. Top bloggers provide invaluable assistance in solving problems for readers of their blogs. Taking material and packaging it into clear and interesting blog posts is something they do regularly and well.
A blog is not only a method of conveying information, but also an opportunity for career development(there is no prophet in his own country). Lukatsky is an example of the creation new position in the company - an interpreter of the subject area to attract a new audience.
And finally, the fifth - blogging requires iron discipline to regularly (the more often the better) publish material on your blog.
Well, as an additional, optional option - it is desirable to regularly conduct training seminars to promote your brand.
To paraphrase a famous saying: people will forget what you wrote, people will forget what you said, people will not forget what they understood thanks to you. Now every iron is broadcasting that Lukatsky is holding a seminar on personal data tomorrow (maybe this is a form of PR, robots have been broadcasting for a long time, using IVR -technologies, or are remote villages in Kamchatka really still left in Russia, whose inhabitants did not attend Lukatsky's seminars on personal data?). But seriously, his articles, presentations, slides are replicated to all audiences and live their own lives, and this is normal, it strengthens the brand.
So, you will not be able to blog like Lukatsky. And who did it, when did it stop ?! As Andrei Knyshev joked: "The one who climbed higher just climbed earlier."
Loading...