03 Mar 2010, Shaun Nichols, V3
Some of the leading researchers in the security industry have warned administrators about the dangers of over-hyping threats.
A panel of researchers at the RSA conference in San Francisco, including Dan Kaminsky of IOActive and Tom Cross of IBM X-Force, advised administrators to take warnings of impending security crises with a pinch of salt.
The panel discussed a number of recent high-profile cases, such as the 2008 DNS vulnerability and the recent outbreak of the Storm and Conficker botnets. In each case, the panellists outlined the need for a balance between explaining the risks and the probability of an attack.
Kaminsky offered his highly-publicised DNS flaw as a textbook case of the void between public perception and reality.
The researcher explained that, while the flaw was a significant threat, about two thirds of all DNS servers had been patched within one month of his original warning, in all likelihood leaving the vast majority of users protected.
Even when DNS servers are vulnerable to such a threat, Kaminsky said that the system is hardly a prime attack candidate. Malware writers are far more likely to opt for more common targets, such as flaws in Internet Explorer or vulnerabilities in PDF files, he explained.
"The bad guys that are out there are in business," added Cross. "They tend to build a business model around exploiting a certain type of vulnerability."
However, public attention is not always a bad thing. Researchers noted that the high-profile attacks on Google had forced some large companies to reassess and tighten their security practices.
Ultimately, companies need to distinguish between the threats that they can address and those that they cannot. In the meantime, firms should avoid panicking each time a new security issue arises.
"It is OK if bugs don't lead to the end of the world," said Kaminsky. "Sometimes there are big problems that we've dealt with, and that's OK."
Irony of IOActive
I think it's rather funny that somebody from IOActive is on a panel about hype in security. IOActive is the poster child for exaggerating security claims. Heck, you can swing a dead mouse without hitting some press release from them about how the smart grid is going to destroy the whole world.
Posted by Tark Dom, 18 Mar 2010