FUD in Markets for Silver Bullets

This week's invited guest blog post is from Chris Swan, who surgically deFUDs a classic infosec metaphor - the silver bullet.  Insightful as always, thanks Chris!

Chris Swan

CTO at Capital SCF.

Why do we have FUD? Ian Grigg characterises security products and services as a ‘Market for Silver Bullets’ – a market where neither the buyer nor the seller has sufficient information to determine whether something is effective or provides value for money. That is why we have so much Fear, Uncertainty and Doubt (FUD).


The Market for Goods, as described by Information and by Party (after Ian Grigg):

                      Buyer Knows            Buyer Lacks
    Seller Knows      Efficient Goods        Lemons (used cars)
    Seller Lacks      Limes (Insurance)      Silver Bullets (Security)


Ian’s 3rd hypothesis is ‘In the market for silver bullets, neither buyers nor sellers of the good are informed sufficiently to make rational decisions’. From which we might infer that it’s in the interest of sellers to push buyers towards making irrational decisions – decisions based on emotion rather than logic and data. Fear is an emotional response to threats and danger, related to the specific behaviours of escape and avoidance, whereas anxiety is the result of threats which are perceived to be uncontrollable or unavoidable. Fear sells – the product/service that provides the means of escape and avoidance. Anxiety is not profitable – there’s no money in things that are uncontrollable or unavoidable. The point of FUD is to make us fearful rather than anxious.

So where does the uncertainty and doubt come in? That’s in the lack of information in the hands (or heads) of the buyer and seller. The seller doesn’t want to reveal that he can’t be sure that his product or service is effective, so instead he must concentrate his efforts on the fact that the buyer also lacks information about what’s going on.

How do we get past FUD? This can only be done by having better information in the hands of both buyers and sellers, which is tricky as we’re dealing with a 3rd party – the attacker – who doesn’t want to join the party. The information that both the buyer and the seller of security are most lacking is in the head of the attacker.

All is not lost however – as speakers at security conferences keep boring on about – eCrime is now a business rather than a hobby, and businesses need transaction venues. eCrime transaction venues are by their very nature underground, or on ‘dark nets’, but they are imperfect in keeping law enforcement and security researchers out. We can therefore see what the attackers are up to, and determine a measured and economically viable response. This is what Ross Anderson was driving at with his original paper on the Economics of Information Security, and this is also why I think the Workshop on the Economics of Information Security (WEIS) is probably the best security conference going. Get along, get deFUDed, and dodge some silver bullets.

Introducing the FUDSEC Voting Machine

"I love the smell of FUD in the morning" -- Anonymous Infosec Dude #1

After much research we are proud to unveil the fudsec voting machine!

This is a place where you can submit blog posts, articles, marketing materials and other URI-based receptacles of infosec Fear, Uncertainty and Doubt.  There's even a handy bookmarklet on the site so you can submit while you surf.

Technology wise, we decided against using "the leading vendor" after stumbling across an unfortunate screenshot on the Intertweets.

Instead, we went through a 70 step RFP dream sequence and outsourced it to a free web 2.0 service ;-). 

Go hither, submit FUD and vote at the fudsec voting machine.

Threat-Centric Thinking on the Rise

This week's invited guest post is from Richard Bejtlich - a true thought leader in the incident response space.  Here he shares his insights on threat-centric thinking, FUD & how we can all make a difference.  Thanks Richard - appreciate it!

Director of Incident Response at General Electric and TaoSecurity blogger.

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month.  It struck me that the focus of the discussion, really to the exclusion of anything else, has been one question: "who did it?"

Think about that for a second.  If this attack had happened in 1996, we would have asked "how did that happen?"  In other words, network DoS was new enough to warrant a technical examination of the event.  Attribution would be a concern, but most people would want to know how it happened.

The same thinking held true for many years.  Numerous technical variations of DoS ensued, moving from the elegance of the original SYN flood (allowing very few packets per minute to completely disable a service on a Windows NT computer) to the brutality of bandwidth consumption attacks.  Distributed DoS became popular as the last decade ended, but really only law enforcement cared about who was responsible for attacks on several high profile sites in early 2000.

For much of this decade we have continued to focus on the how, not the who.  This focus slowly changed over the last few years, to the point where "who did it" dominates all other discussion.  I had to spend a decent amount of time trying to find any site that explained the nature of these DoS attacks, while trying to sift out the FUD over "who."

Is this focus on "who" good?  Shouldn't we care about addressing vulnerabilities that make targets susceptible to attack, zombies prone to compromise, and the like?  On the contrary, I think focusing on "who" is the best approach we could take.  Trying to assign attribution is what real professionals do.  They think in terms of threats, not vulnerabilities.

People who can make a real difference, a lasting difference, frame almost all productive security work using threat-centric thinking.

These people are called governments, and they control military, police, intelligence, diplomatic, and economic levers of power.

Vulnerabilities are for people who don't have the power to make a difference.  People who think in terms of vulnerabilities aren't allowed to arrest or shoot anyone; they work for companies, non-profits, universities, and so on.  They have no choice but to patch and hope for the best while the marauding hordes surround their circled wagons.

Those who defend assets should work with threat-centric groups to deter and eliminate threats.  In fact, we should *demand* that we get help from these government forces.  We can also educate these parties, since their technical acumen is uneven at best and counterproductive at worst.

Asking "who" is the right question, finally. Now we can all try making a difference.

Cloud Security is not Cloud Security!

Queen of the Application Delivery Space, tech geek and accomplished blogger, Lori Mac Vittie wrote this week's invited guest post.  The subject she chose, Cloud Computing Security, is close to my heart, and given some of the ass-backwards reasoning going on right now this is a prime topic to de-FUD!  Thanks Lori!


Lori Mac Vittie

Technical Marketing Manager for F5 Networks.


Immediately after Twittergate broke pundits began (predictably) to use the resulting “breach” of Google Apps as reinforcement of the notion that “cloud security” is a widespread issue surpassed only in impact and reach by world hunger. One of the problems with this (because there are quite a few but we don’t have the time to get into all of them) is the use of the moniker “cloud” as an umbrella term and the application of the security issues of one model to all models.

Google, Salesforce, Facebook. These are “cloud” only in the very loosest sense of the term. They are hosted services that have taken up the cloud banner because, well, it’s effective marketing these days. But when it comes down to it there is as much similarity between SaaS and IaaS and PaaS as there is between a car and a boat. Sure, they’re essentially made of the same material, but their uses, architecture, and implementation are so vastly different that equating them under a single moniker of “vehicle” makes absolutely no sense.


WHO IS RESPONSIBLE FOR WHAT and WHERE


There are certainly security issues with all kinds of “cloud”, but the security issues that need to be addressed by Amazon AWS or BlueLock or GoGrid are vastly different from those that need to be addressed by Facebook and Google and Salesforce.

In the case of SaaS, all security – from layer 1 to layer 7 – is the responsibility of the service provider. Google and Facebook and Salesforce provide the network, the infrastructure, and the application. They are responsible for all aspects of security. The provider owns the entire stack including the software, and is therefore responsible for ensuring isolation (multi-tenancy), application security, and security of the overall network.

In the case of an IaaS provider like Amazon or BlueLock or GoGrid the situation is vastly different. The provider is responsible for the network security, for the security of its infrastructure and management systems, but the rest is up to the customer. The security of the applications the customer deploys in an IaaS cloud is solely the responsibility of the customer, and it is the customer that is beholden to its customers if something goes wrong, i.e. a breach in application security. The provider is responsible for any breaches that are successfully perpetrated through the exploitation of its underlying architecture and infrastructure, but if it happens through a customer’s deployed application then it’s solely the responsibility of the customer.

In the case of a PaaS provider like Microsoft and its Azure cloud, the distinction is a bit fuzzier. Microsoft is certainly responsible for the network and application network security of its infrastructure, and of the platform, but again the applications developed and deployed are the responsibility of the customer. Isolation (multi-tenancy) needs to be assured by PaaS providers to ensure against cross-contamination between customer applications, to be sure, but in the end it is the customer of the PaaS provider who is ultimately responsible to its customers to ensure the security of its applications. The provider could – and should – be held responsible for successful breaches via the network infrastructure or via the exploitation of vulnerabilities in the platform, but not the applications its customers build and deploy.


THE RED HERRING THAT IS “CLOUD” SECURITY


“Cloud security” means different things in different environments. Using a breach in Google Apps to question the security of “the cloud” is like using a bad seam in a boat to question the construction of a car engine. It’s utter #fail and the fallacy inherent in the logic should be obvious to anyone with even a smattering of technical understanding of cloud computing models. Just as there are different types of clouds in the sky, there are different types of clouds in the ether. Each cloud has its very own risks and while the dark ominous cloud may be in danger of bursting open the white fluffy one is not. Such is also true of clouds in the ether; each comes with its own unique security risks and they should each be treated as individual models, not as an undifferentiated group.

Pointing to vulnerability in Google Apps or any other SaaS provider as proof positive that there are security problems “in the cloud” is nothing more than a red herring; it’s FUD, plain and simple, and if cloud is ever going to be what pundits hope it will be such blatant misconceptions must be put to rest sooner rather than later.  

What do you think?

 

When Security Vendors Cry Wolf!

This is the perfect guest post to start our fudsec journey.  Thanks for the inspiration Amrit!

By Amrit Williams [re-posted with permission]

Chief Technology Officer, BigFix, Inc. 

As a former IT industry analyst and current Chief Technology Officer of a security and systems management software company, I spend a considerable amount of time reading press releases, marketing collateral, and news about and generated by our industry.

I have always been fascinated by the sheer volume of fear-based marketing propagated by security vendors. This in and of itself isn’t terribly interesting, but it provides some insight when trying to understand end-user purchasing and investment decisions.

We all know that fear is a great motivator, and few things evoke more uncertainty and doubt than fear. Marketing departments expect that this fear, uncertainty, and doubt—FUD--will help their companies grow, prosper and expand their market share.

Here are some examples of fear marketing from across the security industry…

“Michael Jackson’s death sparks off spam…hackers are relatively fast to grab on breaking news to spread their malware and spam. They and other cyber-criminals show no reverence to decency or taste. All that they want is to reap financial benefits and turn the lives of other end-users into misery”

There is no connection between a dead celebrity and malware, except that malware authors are opportunistic and will use any media sensation to trick users into clicking on malicious content. Curiously, security vendors play the same game by leveraging fads and media sensations to direct readers to self-serving marketing materials. Don’t believe me? Perform the following Google search: name of your favorite anti-virus vendor + Michael Jackson.

“The damage caused by new mobile threats likely will be more extensive than those caused by today's PC threats because of the large volume of smartphones shipping and the small percentage that are protected by mobile-security measures”

The above statement was written in 2005 by one of the leading anti-virus vendors that happened to be releasing a new mobile AV solution. Mobile malware is like the flying car. Whatever year it happens to be, it is always some years away.

“As we said before the ability to have viruses and all sorts of other malware is inherently available in all modern operating systems, Mac, Linux, BSD…” 
“…It is a warning to get antivirus protection for those Macs, even if the shopkeeper told you do not need it, even if there are no viruses in the wild today.”

MacOS X, like all operating systems, can be infected, no doubt about it. The costs of managing third party endpoint security solutions at enterprise scale and their negative impact on user productivity, however, can outweigh the risks and costs of an actual infection. Show of hands—how many of you would like your Mac to run as slowly and inefficiently as a Windows box?

“Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves.” And: “Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs”

We have certainly come a long way since the Dark Avenger first crafted his polymorphic virus in the late 80’s, but $1 trillion a year? I wonder where this figure comes from because it can’t be based in reality. To give some perspective of size the total US GDP is about $14 trillion and that includes the value of every good and service produced and consumed in the world’s largest economy. Cybercrime is bad, but it isn’t larger than the entire worldwide drug trade, nor is it a $1 trillion industry—at least not yet.

 “2008 was the year when cyber warfare began…it showed that you can bring a country down within minutes.” And: “From a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities the threat to our infrastructure, the threat to our intelligence, the threat to our computer network is the most critical threat we face."

Cyber warfare, however one defines it, is far from the greatest threat we face. To name five threats more relevant and impactful than cyber warfare, just review the world news for the past 1-2 months: pandemics, global economic collapse, political instability in countries with weapons of mass destruction, severe global climate changes, and depleting supplies of natural resources. Any one of these has more impact on our lives, both personal and professional, than 99.8 percent of all digital badness that one can think of.

There is no question that information security is a problem. The increased reliance on technology for communications, culture, government, and commerce all create an environment that breeds crime. I believe that while awareness is important, people should have a realistic grasp of the dynamics and risks inherent in this new digital environment. FUD, however, doesn’t solve the problem. It stokes hysteria that must be constantly amplified lest customers lapse into ambivalence and apathy. FUD is the drug of the security industry and many are addicted. 

Welcome To fudsec.com

Found FUD? Send links/scans to fudalert@fudsec.com


What?  fudsec was created to showcase bad examples of Information Security marketing.  Anytime the marketing message from an Information Security vendor or provider makes you feel Fear, Uncertainty, Doubt (FUD!)...or just plain dirty, let us know and we'll feature it here.

Why fudsec? Wow, you haven't been in the industry long.  FUD = Fear, Uncertainty and Doubt.  Oh and it seems to happen a lot with the "security" industry.

Why now? Because it's time to give recognition where due...plus we think it's fun!

How can I help?  See our carefully crafted "call to action" immediately below this sentence.

Found FUD? Send links/scans to fudalert@fudsec.com

FAQ

Do you offer any free bonuses?  YES!  You can follow us for free on twitter to get updates: http://twitter.com/fudsec

There is so much FUD, what will be featured?  We can't possibly feature all the FUD, therefore we will give preference to mainstream security vendors (that should know better).

I'm a security vendor, can I advertise on your site?  Indirectly yes.  If your ads meet our strict publishing criteria (see above), they may be featured on this website.  We reserve the right to add a commentary to facilitate the positioning of your product/service.  The primary audience of this website is information security professionals, therefore by appearing on fudsec.com you can rest assured you are reaching decision makers.

I'm a marketeer and I resent you featuring my ad on fudsec.com - I spent ages coming up with that!  Although we don't offer official marketeer counseling services, we can suggest an approach that has worked for many in the past - change your company name and branding - it turns out people have really short term memories!

Do you hate marketeers? Not at all.  We hate bad marketing.  If a marketeer constantly pushes out FUD and/or hyperbolic marketing messages then it's possible *they* could get featured on a possible future project: fudsecmarketeers.com.

How long will you run this site for?  Til the FUD problem is solved.  

How long is that?  You need to ask? ;-)

Why do you use cheesy highlighting for your "call to action"?  Why not?  We hear it works really well for ebook sellers!