Schneier: Beware of security products

Summary: Leading security expert Bruce Schneier has warned businesses to beware of buying shoddy security products.

TOPICS: Security

Leading security expert Bruce Schneier has warned businesses to beware of buying shoddy security products.

Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.

"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier. "People selling smart cards [for example] will do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too'."

Schneier said it was difficult for companies to judge the security of varying products, as known attacks are rare and carry a high risk.

"If events are high damage and rare it's difficult to get data. I'm not going to know [the validity of a product] because I don't have the data. After 9/11 there was a huge inquiry into what went wrong, but it's hard to tell what went wrong because it was one event. There's not enough data," said Schneier.

"The [security] market is asymmetrical -- the seller knows a lot more than the buyer," said Schneier. "In the US a lousy used car is called a lemon -- but you don't know until you drive it off the lot that it's a lemon."

If marketed correctly, bad products can drive good products out of the market, Schneier warned.

"Products can have the same claims, the same algorithms, the same buzzwords, and one is very secure while the other is just slapped together. If there's no functional way to test a product, you'll buy the cheaper one," said Schneier.

Schneier said that due to market dynamics, good products tend to rise to the top, but that the market probably couldn't stop the incidence of rare events. He warned businesses not to get "caught up in the feeling of security, driven by fear, rather than the reality".

"Fundamentally we are not rational," said Schneier. "The brain is just barely functioning in the security community. It's still in beta testing. There's weird holes and shortcuts, and all sorts of patches and workarounds."

Businesses should evaluate security products very carefully, said Schneier, and find trusted individuals with expertise who can make security decisions within a company.

Eric Baize, senior director of the product security office of storage company EMC, agreed that there were both good and bad quality security products available.

"The law of statistics is such that in anything there are good and bad quality things," Baize told ZDNet Australia sister site "This applies to wine, food and security products. There has been a lot of discussion about whether security should be added on to the infrastructure, or included as a core feature. Now in the security space companies are selling secure infrastructures," said Baize.

Shannon Kellogg, director of information security policy for security company RSA, said that it was critical to build security into systems from the beginning.

"Building core security functionalities is absolutely critical," Kellogg told "Systems in the past didn't have security functionalities, but it enables your company to do more. If your car has brakes it enables you to go faster."

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

1 comment
  • avoid NORTON, major corporate bloatware

    Avoid NORTON ANTIVIRUS especially, but the big 3 'corporate' products all seem to have high bloatware factors.


    Note that *the* major threat these days, is browser attacks and malware -- malicious code embedded in HTML webpages, exploiting poor security & bugs in the browser.

    "Internet Explorer" is just a collection of holes, sufficient to allow a 6-lane freeway of malicious software to drive thru.
    Mozilla Firefox presents a superior Web Browser, with inherently security-focused design and frequent automatic updates.

    IE is not recommended to be run on corporate networks as it is the 'pre-eminent' weakness & entry point, targeted by modern malware.

    If you run IE instead of Firefox, any employees visiting 'grey area', celebrity, porn or warez sites -- even accidentally -- will likely serve as an entry point for malware & further attacks into your network.

    Combine Firefox with a cheap, lightweight anti-virus like AVG; and use a couple of different malware scanner/removal tools, e.g. Spybot Search & Destroy, Lavasoft Ad-Aware.

    Use CNET or similar to review & obtain software, because -- VERY IMPORTANT -- many advertised "spyware removers" are in fact, malware themselves.