Cyber Security Snake Oil

A friend of mine uses the phrase “Pixie Dust” a lot when he looks at security products; that and a phrase along the lines of “My granny could break into that…” but essentially it is a vendor making a classic “snake oil” sales pitch, upgraded for the cyber-security age.

I have really only recently begun to encounter this in volume. I used to encounter small pockets of it here and there with specific customer engagements over the years, but it does seem to be growing.

Some top tips for spotting the “Cyber Snake Oil” Salesman:

-My product is unique … well OK, this one might be true, but chances are it isn’t.

-My product is invulnerable … no it isn’t, it is software built by humans, ergo it is vulnerable, and not knowing where it is vulnerable is not the same as being invulnerable.

-My product cures all known and unknown malware/vulnerabilities … err… OK, let’s just think about that for a couple of picoseconds… no, still sounds like nonsense to me.

-My product is secure even if the client is compromised, or it is impossible to compromise the client … this is very popular and at best usually comes from a failure to understand how a secure channel can work … “but I have a secure tunnel” “yes, and the end of it is already pwn3d so it can see all the way into the tunnel” … “but, it uses ‘military grade’ encryption” … sighs and breaks out the clue stick…

-My product is completely non-invasive … if it is prompting me to do anything then it’s not really non-invasive. Perhaps you meant it has zero client footprint? You did? And you still want to claim it’s secure even if the client is pwn3d… I see… actually with a good 2FA this is possible (or at least limits the compromise to the current ‘session’); something I have and something I know is good, but if the thing you have is the thing that’s pwn3d then not so much…

In many cases this is done by people who are well meaning; they actually believe the “snake oil” works; which just goes to show that social engineering is alive and well …

The reality is that some of these products might actually add some value to make the attacker’s job more difficult, but only if you have done basic hygiene first:

-use strong passwords; we may not like passwords as a security token but they are here to stay for the time being so you might as well use a strong one…

-apply security updates regularly, for all the software on your computer; it’s not sexy, it doesn’t feel like “cyber”, but it does make it much more difficult for the bad guy when he doesn’t get a free pass …

-use a good AV product and firewall … if you are using Windows you can get them for free…

-invest in new products… well you would say that wouldn’t you … look, at best the security model of any given bit of software is as robust as the day the product ships, or more realistically the day it was built or designed. But the attacks that it receives evolve over time, unlike the architecture of a given bit of software. Newer versions of software typically have more and more defences built into them, so the newer a bit of software is, the more difficult it is likely to be for an attacker to overcome its defences.

It’s not that “cyber security products” won’t make you more secure; many of them will, but if you haven’t done the basics then it really will not make any difference.

So… do the basics, then have a look and see if a specific technology can add value to your specific scenario; who knows, it might just work … or it could still be snake oil, but one thing’s for certain: if you don’t do the basics it makes the bad guy’s job trivial … and no snake oil on the planet will save you then.
