The Marketing of Security Threats

How Major Threats Get 'Sold' for Maximum Effect

By Mathew J. Schwartz, August 7, 2014.
The Marketing of Security Threats
 

Major information security warnings these days - from the newest banking Trojan or ransomware variant to the latest group of Chinese hackers or Russian cybercriminals - are often slickly marketed, with the announcements carefully timed.

See Also: CEO Bob Carr on EMV & Payments Security

Take the news this spring of the Heartbleed flaw, which arrived with its own logo. In 2013, the release on the allegedly state-sponsored Chinese hacking group APT1 from Mandiant was timed to coincide with the annual RSA security conference. Earlier this year, Crowdstrike released a report on China's "Putter Panda" group, in the wake of the U.S. indicting five Chinese army officers on hacking charges. And this week, when the Black Hat and final Def Con conferences are running in Las Vegas, Hold Security drops the bombshell that one team of Russian hackers, which it dubbed CyberVor, has amassed 1.2 billion stolen credentials.

Beyond the fear, uncertainty and doubt these warnings provoke, so many vendors are looking for new customers to sign on the dotted line. Among other products and services, Mandiant and Crowdstrike sell intelligence services designed to attribute attacks to attackers. Hold Security, meanwhile, plans to run a paid, subscription-based service for websites and consumers to see if hackers have stolen their personal credentials.

The timing of so many of these announcements, which may reveal ongoing attacks or unresolved vulnerabilities in products and websites, hasn't gone unnoticed by members of the information security community. "It does seem to be raising [questions] in terms of where people are going with vulnerabilities - whether it's [for] selling them, using them for marketing advances, publicity or other reasons that aren't necessarily for the greater good," says Bruce Murphy, a partner in the enterprise risk services group at Deloitte & Touche.

Warnings Foster Competition

Still, many security experts say that just because dire security warnings are timed for maximum effect - never mind the slick infographics and PDFs - doesn't invalidate what's being said. "I agree the info on breaches is packaged and self-serving, but it's not a bad thing in this day and age - it fosters competition among security researchers and companies as they try to find a big enough scoop to grab media attention," says Avivah Litan, an analyst at Gartner Research, who, by the way, sees the Russian hacking operation detailed by Hold Security as being worse than the Target breach.

"I personally prefer less packaging, but in the end it serves its purpose," she says.

Finnish anti-virus firm F-Secure's chief research officer, Mikko Hypponen, likewise says just because Hold Security timed the release of its findings for maximum effect doesn't invalidate the quality of the data. "I find that these announcements always happen on the Black Hat or RSA week, just like it happened again," he says. "So, of course, it's marketing as well, but this company behind it has done good work before, and I have no doubt that this database wouldn't exist at all. I'm sure it exists."

When dire warnings do arrive, beware shooting the messenger, warns Craig Carpenter, chief cybersecurity strategist for digital forensics and e-discovery firm AccessData. "I used to work for one of the integrated firewall companies years ago, and people used to accuse us of writing viruses, because it was good for business," he says. "And the sad truth is, we don't need to, right? There's plenty of stuff going on out there."

Behind the Marketing

Follow Mathew J. Schwartz on Twitter: @euroinfosec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Anti-Hacker Executive Order: 5 Concerns

Declaring a national emergency over hack attacks, President Obama signed an executive order...

Latest Tweets and Mentions

ARTICLE Anti-Hacker Executive Order: 5 Concerns

Declaring a national emergency over hack attacks, President Obama signed an executive order...

The ISMG Network