Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/5/2006
04:15 PM
Commentary
Commentary
Commentary
50%
50%

Airing Dirty Security Laundry

We all need to be smart, stay informed, and understand our systems well enough to figure out what needs fixing first, or risk being out of business. No vendor, well-intentioned or not, can make these decisions for us; we need to take this responsibility for ourselves.

Everyone in IT needs to read this article about security alerts and how they're sometimes created in the self-serving interests of the vendors involved.

It's not a new problem, of course, but I'm glad to see this issue being held up to the light. Kudos to reporter Kevin McLaughlin and our sister publication CRN for doing so.

Given how much we've all come to rely on security alerts, and how often IT organizations prioritize their daily workloads around them, it's a problem that's both broad and deep. And it's about time the industry as a whole started talking about this particular elephant in the living room.The essence of the problem, as I see it: Some suggest that vendors that make their living by selling security software or hardware should not also be in the business of telling customers how serious a particular issue is. After all, the thinking goes, it's only natural that these vendors stand to make money out of scaring the tar out of customers, so they're apt to make everything into a huge issue, even if the problem doesn't deserve to be.

The security vendors, in turn--okay, let's name names: primarily McAfee and Symantec--respond that since they're in the business of fixing software that "breaks" due to bugs and viruses, they're in a particularly good place to know how critical an issue is, especially when compared to other issues of a similar ilk. They both also employ analysts whose job it is to be unbiased researchers, answering questions including whether MS Blast is worse than Sober.k, Love Bug, or Sasser, and if dealing with the Microsoft MS06-040 vulnerability should take precedence.

I can see this point, but I believe it essentially boils down to an old IT issue. Companies that consult shouldn't also be in the business of selling hardware and software. This is the primary reason why Gartner, Forrester, IDC, and other research and consulting firms have been successful for a long time. Their business models are all about having no ostensible stake in the outcome--in other words, it shouldn't matter to the consultant if a customer winds up adopting X software or Y hardware to solve any given problem.

Now most of us old warhorses know this isn't necessarily always the case and that even supposedly unbiased advisers can have an agenda, whether it's to keep selling more services or just to have fun watching the sparks fly. It also doesn't help when those of us in the media jump all over every security warning, bulletin, and "survey." (News bulletin: "Security vendor says security problems are getting worse." Um, hello? What else would we expect them to say? Even if it's true, there's an appearance of a conflict of interest here, and all of us would be much better off by foreswearing 95% of these types of stories.)

As all this is happening, new security problems keep appearing, from AT&T's recent Web site hack to organizations' concerns about Web applications in general and service-oriented architectures in particular.

Okay, so we know what's wrong. How to fix it? Well, for starters we do have organizations including Secundia, the SANS Institute, and, despite its flaws, the CERT. These groups aren't being paid by any particular vendroid to say anything and are, as far as I can determine, as free of product hype as possible. Conspiracy theorists--and you know who you are--point out that all security-watch organizations, like all companies, have at their essence a need to keep on keepin' on--that is, to ensure their own survival by touting all security problems as Big Deals. After all, if people aren't scared, there would be no need for their services.

There's a grain of truth to that charge, but on the whole I think these kinds of groups are mostly providing a public service with the copious amounts of free information they make available. All of them--except of course for the CERT, which is funded by the U.S. government--have to survive by doing private consulting for both vendors and end-user organizations. They certainly can't live by means of the public listservs and other info they give away.

In other words, if all three of these groups start screaming "Danger, Will Robinson," I'd submit it's time to pay attention to the issue at hand. If they disagree, which the CRN story says they're doing more frequently these days, there's another way to think about it.

Ultimately, it's up to each of us to know our own environment and to keep the perpetual index finger in the air to know what's going on. If there's one lone researcher shrieking about something, well, there are only two choices--either s/he's correct and is far ahead of the rest of the security pack, or s/he's out on limb that's about to snap off the tree.

We all need to be smart, stay informed, and understand our systems well enough to figure out what needs fixing first, or risk being out of business. No vendor, well-intentioned or not, can make these decisions for us; we need to take this responsibility for ourselves. No one else knows what an acceptable level of risk may be for each of us. That's something IT and the business units need to work on and agree upon together.

So what do you think? Is this controversy about security alerts something to pay attention to, and if so how do you do that? Or is this a nonproblem of the industry's own making that a little or a lot of common sense will go a long way in resolving? Respond below.We all need to be smart, stay informed, and understand our systems well enough to figure out what needs fixing first, or risk being out of business. No vendor, well-intentioned or not, can make these decisions for us; we need to take this responsibility for ourselves.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge
Kelly Sheridan, Staff Editor, Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...