
Security FUD and chronic infection

I’m periodically struck by how much security research and development is sold by scare talk (fear, uncertainty, and death). Unless you go over the top, you don’t get the news articles, the congressional hearings, or the money. There was a recent video going around that showed security researchers messing with a SCADA system and blowing up a power substation (in a lab) using techniques that are generally known in the community. This got congressional hearings going.

A couple years back, I saw a local researcher present simulation results that showed how two or three simultaneous errors (squirrels, trees, or terrorists) could take down the greater Chicago-land power grid. But simulation results don’t make the news. Real explosions do.

I was talking with a former colleague last week about trusted OS results from a couple decades back that were strongly worded and controversial at the time. He cynically said that the researcher in question made his statements as controversial as possible to ensure that he got attention and thus funding.

In both of these cases, raising attention through showmanship brought broader attention to valid security concerns. So I suppose the ends justify the means. It is just how the game is played.

In any case, while pulling together my network security notes for the semester, I was struck by the amount of FUD in my notes. However, I think much of the concern there is valid. Or perhaps better stated, the concern is chronic. With the IP infrastructure, our problems are chronic. We can incrementally try to make our part of the world better, but ultimately there will always be infections and attacks out there. The network is a shared resource, and by sharing it we expose ourselves to the threat. Like getting lice by sharing a hair brush.

Perhaps we could just switch over to a newly designed, better network infrastructure. But it isn’t going to happen. Not anytime soon anyway. Still waiting for IPv6 ten years later. Even in that case, there would be threats. With the shared network, you are at the mercy of the least prepared or least savvy connected entity.

No deep observation here really. Just noting that the biological analogies fit here with respect to chronic infectious diseases.



Comments (2)

A Grego:

Although I agree with the fact that FUD is practically the security market driver, I have come to learn that customers and users tend to react only when they are scared. There is a lack of knowledge in the upper managerial spheres (either public or private sectors) to actually measure and understand risk.

I have been involved in several projects with very high risk assets as targets, being unable to transmit the impact of the exploitation of those risks to the decision makers. Worse is the fact that FUD has caused an abuse of using pen testing as a tool for diagnostics, which in turn triggers eternal patching cycles.

Then again, it is always more appealing for a decision maker to think of security as a product and not a process…

Dr. H:

Right, security is inherently a hard sell in terms of ROI. With other features you can show nice charts about how a new process or product will make your organization run faster, earn more money, and smell nicer. Charts showing “security increases” are pretty meaningless. I guess you can have charts that show reduction in vulnerabilities (assuming you have a good handle on the total number of vulnerabilities), but it is much more difficult to have something meaningful and understandable. Scare mongering is much easier.



This page contains a single entry from the blog posted on November 1, 2007 4:35 PM.
