Beware of Scare Tactics in Security

By Cameron Sturdevant  |  Posted 2001-04-30

The computer security industry got its groove back at the RSA Security Conference by invoking FUD—fear, uncertainty and doubt—to wrest the attention and dollars of corporate IT managers. Entrepreneurs and investors, a fine group of foxes, are trying to profit in a down market by selling guard services to the henhouse. IT managers should resist

being scared into purchases. At best, organizations that immediately buy a wide range of security products, ranging from intrusion-detection and virus-scanning software to firewalls and smart cards, are going to be the integration guinea pigs for the vendors. And judging by the security industrys track record thus far, the guinea pigs are in for quite a bit of pain.

Whats more, neither the corporate-paid doctoral students nor the feral hackers-turned-industry experts who spoke at the RSA conference in April have come up with a way to make security products any stronger than a Post-it note. In other words, the need to keep track of passwords still leads users to write down their secret words.

I can already hear the howls from vendors of single-sign-on products. What these vendors forget is that they are dealing with real people. Real people have PINs for their bank accounts and wallets or purses full of credit cards, passwords for personal bill payment systems, passwords to access screen savers and confidential documents, and PINs or passwords for at least 10 other services.

People write these PINs and passwords down. They are especially sure to write them down if IT managers have instituted prudent password-creation rules, for example, requiring that the password not contain common words, that it be a certain length, that it contain letters and numbers and—heres the killer—that it change every two or three months.

Sure, some vendors have come up with smart cards and biometric systems that can eliminate the need for passwords. An interesting session at the RSA conference, "Attacks and countermeasures for USB hardware token devices," discussed the methods used to compromise such systems. And biometric systems come with their own "gotchas," not the least of which are expense and installation.

IT managers should focus on the limited amount of data that must be protected. Be leery of products and services that fall outside the scope of your organizations protection effort. Finally, dont panic when the foxes show up dangling the latest horror story.

Rocket Fuel