The other night, I was watching the Showtime network program “Penn & Teller: Bullshit!” The program, hosted by Penn and Teller, spends its time debunking popular beliefs.
The latest episode talked about how we are manipulated by questionable companies and organizations that seem to sell safety but actually market fear.
Companies profess to want to protect us, the show said, while using fear to manipulate us into doing what they want us to do and buying what they want us to buy. I saw a direct parallel between what they were saying and what we in the IT world have been seeing as of late.
I really don't like being manipulated, and I'm getting really tired of security alerts that seem designed primarily to get me to buy a vendor's product. I think it's time we explore this and do something about it, as the desktop remains one of the most vulnerable both to security exposures and to being exploited in this way.
Security firms, which are exploding right now, make money by increasing your perception of risk. They do this by pointing out potential exposures, so that you feel their services are critical to your survival. If it were up to them, every employee would have personal protection, and an eight-hour day probably wouldn't be long enough to get through their security to do your job.
We get incredibly interested in comparisons between Windows and Linux, but our own Larry Seltzer has concluded that it really doesn't matter what the platform is, and that whether you're secure depends "on the dedication of administrators and a given organization to security."
We simply cannot rely on security firms to accurately assess what the real risks are and what we need to combat them. It is in their best interest that things look worse than they are because they use this to move their products.
An example of this came up on National Public Radio the other day. They were interviewing 22-year-old hacker Adrian Lamo, and I was fortunate enough to run into a transcript of the interview while working on a related project. Lamo is famous for illegally hacking into The New York Times computer network, among other things. One of the things he said really drove this point home.
When NPR asked him why he didn't use his skills legally, he replied that he finds the security industry inherently dishonest and that it preys on the fears of IT managers by pointing out unrealistic exposures and then profiting from the fear created by these largely bogus exposures. He said he thinks the security firms are simply too dishonest to work for.
Reports as Instructions
I read the NPR transcript shortly after going through the mother of all security checkpoints in Denver. I was thinking that while all of the money being spent to scan my tennis shoes was simply to make me feel safer, there is no doubt in my mind that the best protection is still likely the air marshals, the locked, armored door protecting the pilots and the armed pilots themselves.
Much of the rest of the stuff is simply a dream come true for the firms that make the related equipment and provide the services to run it. The airlines may be going broke, but the airport security industry is doing extremely well.
It doesn't matter which platform you are on, you are probably being killed by patches, and each new security system or practice you put in place slows down your company's performance and, much like in the airline industry, makes it harder and harder to compete.
You live under the hope that it's the same for everyone else. But as certainly as new airlines such as Jet Blue take out near monopolies such as American Airlines, you, too, may learn that the escalating security technology benefits younger, smaller companies that can more easily adapt to the changing, and largely artificial, environment.
It is particularly galling when you realize that a virus generally results from a security firm's report that an exploit exists. Some of these reports contain enough detail to, in effect, provide instructions for the virus writer. Some of these companies may be actively increasing our risk so that we become addicted to their offerings.
There is a widely held belief, which I certainly hope isn't true, that some of the firms may actually be writing some of these viruses. Once you start to believe that parts of the industry may be corrupt, it isn't very hard at all to take that last step.
Even if you think this is a huge pain for your IT department, think of the poor software vendor. A security company, after substantial work, finds an exploit, and it may tell the vendor candidly or tell the world publicly.
Even if it is candid, it will argue, "If I can find it, so could someone else." Were I the vendor, I'd suspect that the security company would leak its discovery either accidentally or to prove the point.
If the vendor patches too often, it will lose its customers; if it guesses wrong and doesn't patch in time, the security firm will point out that the vendor "knew" of the exploit and didn't act quickly, and the vendor will lose customers. Even if vendors patch in a timely manner, some customers (on the desktop, often "some" is a really big number) won't apply the patch quickly, and they'll lose some customers.
Invest in a Strong CSO
And if that weren't enough, the security firm will track the time between when it told the vendor of the exploit and when the vendor patched it, so that even if no one is ever actually damaged, the perception is created that the vendor isn't responding fast enough.
In short, it doesn't matter whether the vendor is in an open-source or closed-source world; it has a target on its back. No matter how vendors dodge or what they do, they are going to get shot. That just doesn't seem right to me.
There are places you can go, such as the Organization for Internet Safety, that can help put things in perspective. But the best route is to have a chief security officer (CSO) with the resources to fully assess the risks, implement appropriate protection for those risks and translate the massive amount of security information into actionable, internal bulletins.
In the current environment, where the tendencies both to spend ineffectively and to overspend are extremely high, this role has never been more critical. You need someone whose loyalties are clear to protect your and your company's interests.
Allowing security firms to benefit by increasing our exposure is a fool's game. It is only by positioning well-trained and capable security professionals who are loyal to us that we have a reasonable chance of not being taken advantage of.
In the end, we should collectively reward the security firms that don't add to the problem and not do business with companies that appear to be working to increase our exposures and costs just so they can sell products. Whether or not you have a CSO, this policy should be a high priority for any CIOs wanting to help return their companies' environments to ones that are both safer and easier to manage.
Rob Enderle is the principal analyst for the Enderle Group, a company specializing in emerging personal technology.