Security sturm und drang - selling fear. - flaskdata

Security sturm und drang – selling fear.

admin

November 29, 2011

Sturm und Drang is associated with literature or music aiming to frighten the audience or imbue them with extremes of emotion”.
The Symantec Internet Security Threat Report is a good example of sturm und drung marketing endemic in the information security industry.
Vendors like Symantec sell fear, not security products, when they report on “Rises on Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain”, without suggesting cost-effective security countermeasures.

1. Lumps consumers and enterprises together

“End users, whether consumers or enterprises, need to ensure proper security measures to prevent an attacker from gaining access to their confidential information, causing financial loss, harming valuable customers, or damaging their own reputation.”

Since when do consumers have customers…Consumers are insured for credit card theft and PCI DSS certified merchants are protected from chargeback exposure with the acquiring bank. What financial losses do consumers and enterprises have in common?

2. Incorrectly classifies assets, incorrectly uses legal terms

“Symantec tracked the trade of stolen confidential information and captured data frequently sold on underground economy servers. These servers are often used by hackers and criminal organizations to sell stolen information, including social security numbers, credit cards, and e-mail address lists”.
Social security numbers are classified as PII (personally identifiable information) not confidential information. If Symantec is uncertain how to classify this asset, they should read the US State privacy laws and PCI DSS specification. As a matter of fact, the law does not protect confidential information – it protects a confidence relationship. Once the information is disclosed (and Social security numbers are frequently disclosed), a third party is not prevented from independently duplicating and using the information. See the Wikipedia.

3. Provides misleading data

“Increase in Data Breaches Help Facilitate Identity Theft”
By not quantifying the threat probability, Symantec deliberately misleads the reader into thinking that cyber threats are the main attack on PII.
Au contraire. The FTC says that most identify theft cases are caused by offline methods such as dumpster diving, stealing and pretexting. According to Applied Cybersecurity Research, “Internet-related identity theft accounted for about 9 percent of all ID thefts in the United States in 2005”.

4. Cites vulnerability stats without suggesting countermeasures

“Symantec documented 12 zero-day vulnerabilities during the second half of 2006”
What is the point of a threat model without security countermeasures?
a. What were the vulnerabilities, and do consumer PCs have the same vulnerabilities as corporate servers behind a Checkpoint firewall?
b. What are the most cost-effective security countermeasures?
c. Does Symantec recommend that consumers use the same security countermeasures and risk assessment procedures as business enterprises?
See the full report here:
Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain

More Articles

Risk assessment

CLINICAL TRIAL READINESS ASSESSMENT

December 2, 2022 No Comments

Are you really ready to run a clinical trial? How can you best assess your clinical trial readiness? We work with C-level executives and management

clinical data from patients

Assuring protocol compliance without checklists

November 29, 2022 No Comments

At a site monitoring visit, the CRA works on assuring protocol compliance. Assuring protocol compliance is one of the 3 pillars of GCP: The 3

Decentralized clinical trials

Home alone and in a clinical trial

November 27, 2022 No Comments

1 in 7 American adults live alone COVID and social isolation is part of our lives. During COVID, it became easier to recruit patients for

drug counterfeiting

Preventing drug counterfeiting

October 24, 2022 No Comments

Counterfeiting is old as money itself. Drug counterfeiting is no exception. In this post, we’ll share an analytical approach that you can use to estimate

clinical trial risks

What risks really count for your clinical trials?

October 23, 2022 No Comments

Is there a “black-box” risk management solution for your clinical trial? What clinical trial risks are the most important for you and your company? Risk

growth stage

Dealing with information junkies in decentralized clinical trials

October 18, 2022 No Comments

DecentraIized clinical trials software vendor Medable is doing an outstanding job in understanding and executing an online work-flow between sites and patients at home.. This understanding and

Clinical data made radically simple and affordable.

Contact

Resources

Flask Open API for clinical data

Copyright © 2022 Flask Data Ltd. All Rights Reserved.

Privacy Policy | Terms of Use