Why You Shouldn’t Believe Everything Security Companies Tell You
Not long ago, in the midst of the controversy involving an American security researcher who claimed that he was able to hack a commercial jet and tilt the plane in flight, I was listening to the radio and a talk show had a discussion about the subject. They had on air (no pun intended) two security experts who described the case, noting that the fear is that a passenger with nefarious intentions could take over a plane using their laptop. “From what I understand, another fear from these claims is that they hijack planes from the ground as well, is it not?” the host asked, to which the expert replied “Yes, certainly.” The expert’s reply is what we call FUD (Fear, Uncertainty and Distrust).
Do you believe everything security companies tell you?
You see, the cybersecurity industry’s main selling point is fear. Without fear from the consequences of a hack or data breach, organizations will not fund security teams, and without well-funded security teams, the security industry would have no one to sell solutions to. Fear is a vital part of the business.
As a result, fear mongering is often pushed by security companies and experts. And while a lot of it is justifiable—security issues are a major threat and there’s nothing wrong with improving awareness—some of it is done with the goal of self-promotion. In the case of the hacked airplane story, the whole incident (regardless of whether it turns out to be true; so far the claims haven’t yet been substantiated in any way) revolved around the lack of separation between the airplane’s passenger entertainment system and the computer systems that run the plane. Theoretically, without such a separation, a passenger could hack into the plane’s control systems through the entertainment system. That’s exactly what the security researcher claimed to have done; nothing was ever said about hacking an airplane from the ground.
If you’re writing this off as an expert too eager to please a talk show audience, note that FUD is evident in the security industry all the time. Several months ago, a security company claimed that it had discovered the largest collection of compromised credentials ever found. This made huge headlines, of course, as the company was hoping. But scrutinizing the matter raised a lot of questions. Just what was included in these credentials? What could actually be done with them, and were the numbers the company claimed truly accurate? Indeed, it took only a day for the Wall Street Journal to publish an article questioning these findings.
Do security companies need FUD?
FUD isn’t done only for general self-promotion, though. Security companies are often competing to get a slice from organizations’ security budgets. And with so many different attack vectors and niches, each company needs to emphasize just how much their niche is the worst threat to any organization or individual.
Tiversa, a company that recently made news for supposedly extorting potential customers, focuses on monitoring file sharing networks—torrents, eMule, KaZaa and other various networks that were popular at one point or another. Tiversa went around various security conferences giving presentations about the threat of peer-to-peer networks to organizations, even though there weren’t any known public incidents that occurred because an employee shared his entire work computer’s drive on such a network (which, according to Tiversa, is the major threat regarding peer-to-peer networks).
Another major security company (which we’ll leave unnamed for now) never discussed the threat of employee laptops getting infected by malware when used in the employee’s home… That is, until they started offering a service to protect such laptops. Then, all of a sudden, the company started claiming that this is the biggest threat in modern organizations and something must be done to mitigate it.
Don’t get me wrong; I’m not suggesting that security is not a major issue that should be taken seriously. It is, even more than how it’s currently perceived, and many solutions are developed to mitigate real threats. Trend Micro, for example, recently launched a service aimed at detecting and mitigating malware aimed at point-of-sale terminals (see just how much of a threat point-of-sale malware is). As we’ve noted before, POS malware is a serious threat, and it’s a good thing the security industry is responding to it. But there are also a lot of inflated claims being made purely for generating business for those who make them, and it’s important to know how to focus on the security concerns that really matter.
Interestingly, here we are… a security company saying you shouldn’t believe everything security companies tell you. Do you believe us? Have you seen any FUD articles in headlines lately?