[ISN] Thought for the day: Stop crying virus wolf

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 00:34:04 PDT

    http://www.computerweekly.com/articles/article.asp?liArticleID=123954
    
    by Jan Hruska 
    6 August 2003 
    
    The security industry has a duty to be more realistic, says security
    expert Jan Hruska.
    
    If it is true that "sex sells" in the tabloid press, it is certainly
    fair to say that "security sells" in the IT media. Any IT department
    would prefer to be forewarned about a vulnerability rather than
    finding out about it first-hand.
    
    The critical role that the media plays in circulating information
    about potential vulnerabilities puts the security industry in a
    position of responsibility. It has a duty to provide accurate facts
    that can help businesses make informed decisions about current
    threats.
    
    Unfortunately, there have been several incidents where threats have
    been overblown to make a more interesting story.
    
    Take for example the Anthrax (or Antrax) worm. Coinciding with the
    Anthrax scares in the US, one security supplier released a media
    advisory warning of this piece of malicious code. In reality, this
    virus could be detected by reputable anti-virus software for months
    prior to the release. As a result the virus never spread in the wild.
    
    There are several other examples where the IT security industry has
    predicted Armageddon. A particularly high-profile damp squib involved
    the outbreak of mobile telephone viruses. Since 2000 we have heard
    "experts" predicting that mobile viruses are just around the corner
    and that we should safeguard our phones now before it is too late.
    
    To date, there have been no viruses for mobile phones and the only
    malicious code that exists for handhelds is a couple of Trojan horses
    and a virus for the Palm - none of which has ever circulated in the
    wild.
    
    Of course, one cannot say that the mobile virus threat will never
    happen. As mobile operating systems become more sophisticated, virus
    writers may target them. The problem is that with so many false
    predictions in the recent past, how will people know when the threat
    stops being theoretical and becomes actual?
    
    For the IT security industry as a whole - suppliers, analysts and
    consultants alike - the media represents a critical way of spreading
    news about threats, but it is crucial that they keep security issues
    in perspective and stick to the facts.
    
    This way, the industry can avoid creating a "boy who cried wolf"
    situation where nobody believes that their network is under threat
    until it is too late.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.