Cut the FUD! An Intelligent Consumer’s Guide to Identifying Real Risks

A quick perusal of any daily news site turns up a healthy dose of articles such as “Cell-phones more dangerous than cigarettes,” “Man-Made Global Warming will Cause all the Oceans to Swallow all Land by 2020,” “Credit Crisis will Cripple All Global Economies Until we Move Back Into Caves.” OK, so the last one is an exaggeration, but it illustrates a point. The news media understands that few things on Earth motivate humans more strongly than fear. Unfortunately, security professionals work in a risk-based environment where the fear mongers seem to thrive as if it were their natural habitat.

If one were to believe the news sites and pundits, the next great worm will happen tomorrow and it will cripple the entire Internet, forcing civilization back to the stone age. Fear indeed does sell, but it’s not a message one can use for long before “Chicken Little” syndrome sets in. There is a dual frustration among security professionals as well: how does one walk the fine line between getting people’s attention and not being lumped into the category of fear mongering? Some amount of fear is needed to capture attention (I have previously called it “Enlightened FUD”), but it is easy to go too far. We are, after all, dealing with an extremely difficult logical challenge, in that we are trying to prove a negative when we tell people “when” and not “if” another event occurs.

I’m reminded of a time when I went to a “fire safety” presentation, where they fed us dinner, then showed us all these horrible pictures of burn victims and made us believe that our house would burn down that night. Their salesmen kept saying things like, “I just couldn’t sleep tonight knowing you aren’t protected!” They were selling the most expensive fire detection equipment I have ever seen for home use… and people pulled out their wallets and hemorrhaged cash their way. Effective, yes, but I left, and so did anyone else who could apply even the simplest of logic. I recognize that fire is a real risk, and take measures to protect against it. It’s not a guarantee, it’s not perfect, but we also don’t live in constant fear.

So how does one cut through the FUD? Here are a few hints. If you are reading an article and it says things like:
  • This bug is sure to be a doozy!
  • NO ONE reported this, It’s an Internet First!
  • I just found 10 0-Day’s!
  • There are 543 vulnerabilities in that product in one scan!
  • Widespread outages possible!
  • Things are different and we can’t resolve the issues!
  • No-one is paying attention!
I could go on all day, as I read them every day…. In fact, if the author uses more than a handful of exclamation points, or ever uses “?!” as part of communicating a message, or frequently types in all caps when not part of an acronym, there’s a good chance it’s a FUD message. Sure, we all use these techniques from time to time to make specific points, but they shouldn’t be the basis of the article. Just because you are loud does not make your argument more valid. If you have ever taken a college-level course in logic or philosophy, you can almost immediately identify the logical fallacies of appeal to emotion and hasty generalization; they are clear warning signs that should be heeded. These are the kinds of people and organizations that want to create a problem just so they have something to fix.

On the other hand, if you are reading an article from a respected security professional and it says something like, “interesting behavior on port XXXX,” or they actually copy and paste code snippets, packet captures, or relevant technical details (such as quoting professional articles), or they write about actual effective techniques and procedures, one might want to take notice. It is these folks I tend to listen to, as they usually back up their answer with something more significant than broad assumptions and loosely formed theory. Identify a problem statement, form an argument, support it with reason. The technique is not difficult. These are the tools required in any college paper, legal document, or other professional thesis, so why are they so often ignored here?

So today the challenge goes out (including to myself). If we want to be taken seriously, write seriously, talk seriously, and get serious. I don’t come in with multi-million-dollar “answers” and “fixes for all security problems,” and neither will anyone on any team or company I work for. What we do offer are strategies, plans, roadmaps, and key technical solutions that are benefit driven and focus on the problems that need to be solved, and ignore those that don’t. There is no question that there ARE CHALLENGES (sorry, I couldn’t resist a little humor), but the message is that there are solutions, and there are things that can be done to not only improve security, but improve business as well.