Hype or hostages to fortune?


23 Mar 2006

Already this year two widely-predicted internet attacks proved to be of little more than nuisance value and fell far short of the doomsday scenario that some had been forecasting. Once again comes the perception that the security industry often hypes an issue simply to scare customers into buying more products.

In these cases, part of the problem is that the industry knew of these attacks in advance. The dilemma for professionals working in IT security is whether to draw attention to attacks such as these or simply to ignore them and hope they’ll go away.

Make too much noise and the accusation is that a potential threat is being hyped. Don’t make enough and risk being blamed for not letting people know there’s a problem.

The more recent of the two cases concerns the much-publicised Kama Sutra worm, also known as Nyxem, Mywife or Blackworm, which was forecast to cause widespread havoc on 3 February last. Travelling under the guise of pornographic content, it was designed to overwrite files on computers that it had infected. In the event, the predicted explosion was little more than a damp squib.

Playing the blame game, the security industry got its retaliation first by pointing the finger at the media for drawing attention to the problem out of proportion to the nature of the threat. Representatives from McAfee, Trend Micro and Symantec — the three leading anti-virus software makers — pointed out that their alert levels never went below low or medium. On the other hand, the Finnish security company F-Secure noted on its blog that media coverage helped draw attention to the problem and in all likelihood prompted many people to update their systems.

Brian Honan of BH Consulting in Dublin observes that high-profile security stories often relate to major computer virus outbreaks or attacks on well-known institutions. “These stories only make the news because they are simply that, news,” he says, drawing an apt analogy with media coverage around another type of virus: bird flu. “As yet this has not mutated to a form that is dangerous to humans, yet there is talk of major pandemics and how economies could collapse if this bug does mutate. Yet the common flu has killed more people this year worldwide than the bird flu.”

Clearly there is a fine line to be walked between performing a service by informing the public and mixing the message. Some articles about Nyxem incorrectly stated that more than five million PCs had been infected but, according to Honan, the actual number was nearer to 300,000 and of these, around 300 were located in Ireland.

“The hype was generated primarily because of the incorrectly reported figure of five million and also because of the virus’s destructive payload,” he contends. “People needed to be aware of the destructive payload to ensure they updated their anti-virus software and also to serve as a reminder that viruses can cause real damage, but overstating the number of infected machines undermined that message,” Honan adds.

Colm Murphy, technical director of the security consultancy Espion, argues that many companies are protected from most of the common threats — and by extension, from a lot of the hype. “There’s a general awareness around: if you have your anti-virus up to date, you’re running Windows updates and you have a firewall, you’re going to be relatively safe.”

Frank Kennedy, country manager for CA in Ireland, agrees that many businesses are now protecting themselves from external threats, but he uses an interesting choice of words to describe how we got to this point. “There’s no need to sell the fear anymore. You don’t need to convince people they need it,” he says.

Some in the security industry believe that a little hype is occasionally appropriate or necessary to raise awareness of newer dangers. “A little bit of the hype around spyware is probably justified at the moment because a lot of anti-virus packages don’t include it and you’ve got to get a separate package [to protect against it],” Murphy says.

Human nature plays a part on both sides, Murphy suggests. “People buy for two reasons: fear and pain — they have a problem and it needs fixing. For the security industry, it’s easy to hype up those things.” He points out that a security product supplier might find themselves speaking to a financial controller or a managing director. “They don’t have visibility of technical issues and might be inclined to believe you.”

As a consequence, some companies spend more than is necessary to buy a product that has too many features. “A lot of Irish companies have fallen into the trap where the IT guy goes for the safe bet,” Murphy suggests. “It’s like buying a Merc for the little old lady who needs to go shopping once a week.”

Kennedy points out that the matter can’t be ignored. “IT security is an important issue because it deserves to be. You can’t own a business without thinking about IT security.”

Honan puts this in terms of risk management, applied to IT in the same way as it would be to any other area. “You identify the threat to your business, be that burglars, theft from staff, fraud or fire. You then decide what you need to put in place to manage that risk. Once you deploy computers and/or connect to the internet, there are very real threats to your business. Computer viruses, hackers and in-house threats exist and need to be managed.”

What’s frustrating, says Honan, is that many people don’t relate their IT security to behaviour in other areas of life. “People understand the security risks we face in the real world. That’s why we deploy burglar alarms on our homes or business premises, shred important documents, have a safe to store valuables and keep our money in banks.”

This lack of understanding hampers efforts to make security better, as the real solution doesn’t simply come in a box. “Everyone is looking for solutions without actually understanding the problem. Vendors and resellers will be only too happy to sell products. If the underlying problem, however, is not properly addressed, then these solutions are not going to work as expected, resulting in the customer having a greater lack of confidence in IT security,” Honan says. “While it is good that more people are becoming aware that IT security needs should be addressed, customers need to ensure their vendor fully understands IT security and is providing solutions based on impartial advice and not simply to sell a product.”

Murphy agrees, suggesting that there is now choice in the market for those seeking security. “Follow Mary Harney’s advice: shop around,” he concludes. “There’s no harm getting second opinions.”

By Gordon Smith