Beware of Scare Tactics in Security

By Cameron Sturdevant  |  Posted 2001-04-30 Print this article Print

The computer security industry got its groove back at the RSA Security Conference by invoking FUD—fear, uncertainty and doubt—to wrest the attention and dollars of corporate IT managers.

The computer security industry got its groove back at the RSA Security Conference by invoking FUD—fear, uncertainty and doubt—to wrest the attention and dollars of corporate IT managers. Entrepreneurs and investors, a fine group of foxes, are trying to profit in a down market by selling guard services to the henhouse. IT managers should resist

being scared into purchases. At best, organizations that immediately buy a wide range of security products, ranging from intrusion-detection and virus-scanning software to firewalls and smart cards, are going to be the integration guinea pigs for the vendors. And judging by the security industrys track record thus far, the guinea pigs are in for quite a bit of pain.

Whats more, neither the corporate-paid doctoral students nor the feral hackers-turned-industry experts who spoke at the RSA conference in April have come up with a way to make security products any stronger than a Post-it note. In other words, the need to keep track of passwords still leads users to write down their secret words.

I can already hear the howls from vendors of single-sign-on products. What these vendors forget is that they are dealing with real people. Real people have PINs for their bank accounts and wallets or purses full of credit cards, passwords for personal bill payment systems, passwords to access screen savers and confidential documents, and PINs or passwords for at least 10 other services.

People write these PINs and passwords down. They are especially sure to write them down if IT managers have instituted prudent password-creation rules, for example, requiring that the password not contain common words, that it be a certain length, that it contain letters and numbers and—heres the killer—that it change every two or three months.

Sure, some vendors have come up with smart cards and biometric systems that can eliminate the need for passwords. An interesting session at the RSA conference, "Attacks and countermeasures for USB hardware token devices," discussed the methods used to compromise such systems. And biometric systems come with their own "gotchas," not the least of which are expense and installation.

IT managers should focus on the limited amount of data that must be protected. Be leery of products and services that fall outside the scope of your organizations protection effort. Finally, dont panic when the foxes show up dangling the latest horror story.

Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel