Feeds

Bad security products thrive on confusion

High-drama obscures real risks, warns Schneier

Providing a secure and efficient Helpdesk

The information security market is riddled with mediocre products because buyers are often sold on a story rather than having enough information to make a rational choice, a security expert has said.

Bruce Schneier, founder and chief technical officer of BT Counterpane, said many security products offered the feeling of being secure rather than actual security. Vendors can't be trusted to give a reliable precis of a product's capabilities, he warned.

The field of information technology security is so complex that purchasing decisions are based on feelings and hunches rather than reality, a process that suppliers play into, in what Schneier described as "security theatre". Products sold through this process often either fail to live up to their promises or address a threat that is overstated.

"For every supplier with a good product or service, there is at least one more out to make a quick buck before customers find out," Schneier told delegates to the RSA security conference during a keynote presentation on Tuesday. "There's a problem when feelings and reality are out of whack."

The presence of bad products diminishes trust in the market as a whole over the long-term, while leaving end-users with a false sense of security.

The same problem can apply to product categories as well as individual items of kit. Firewalls, for example, are ubiquitious but often poorly configured. On the other hand, email security products work well but enjoy little market penetration, Schneier said.

Part of the difficulty is that human beings are inherently irrational, finding it difficult to weigh a balance between risks and costs and behaving irrationally on the basis of perceived fears. "The human brain is still in beta testing. There are all sorts of patches and workarounds in there," Schneier joked. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.