Digital security snake oil: Vendors capitalizing on media attention regarding data breaches

Until recently, evangelizing for data security was like shouting into the wind. Even regulated industries and companies with a high risk of data theft would often yawn and shrug. Among those entities that understood the consequences of a data breach, many paid only lip service to security.

Two things have changed. First, data breaches are in the news almost daily. An awful lot of the folks who thumbed their noses at security got stung: they got breached, or got audited, or got sued. Maybe they got into the headlines. Suddenly they’re scrambling to prove they’re doing what they need to do.

Second, regulations are actually being enforced. Notably, the FTC has recently handed down some decisions that include mandatory compliance audits.

The data security industry has responded with an avalanche of security boxes, widgets and software. But Habeas Hard Drive has noticed a disturbing trend: these vendors are making extraordinary claims that simply aren’t true.

Some claim their widget would have stopped the latest breach. Others guarantee compliance with federal, state or other mandates. If you believe the sales pitches, every product is a magic bullet.

Digital security practitioners will tell you there’s no single box, piece of software, or widget that can stop these breaches. Prevention can’t be purchased as a download, or by plugging in a fancy box with blinking lights.

Habeas Hard Drive has actually called some of these companies to challenge their product managers. “Yes,” one of them said, “it’s ridiculous. But it’s our marketing staff that comes up with the sales pitch. We can’t control what they say.” Wow.

Here’s the Habeas Hard Drive take on digital security snake oil:

* The majority of security issues can be addressed through network configuration and staff training, neither of which requires a product purchase.
* When it comes to products, exaggerated claims are more common when a reseller is involved. If you purchase equipment from a reseller rather than directly from the product developer, save copies of all communication that goes back and forth prior to the sale.
* Here’s why: suppose you have a contractual obligation to your client to protect data, or to be in regulatory compliance, and you’ve purchased a security product on the reseller’s assurance that it serves that purpose. When you install the product, you will have to “click here” to accept the EULA (the end-user license agreement), and in doing so you acknowledge the actual product specifications. If the capabilities the reseller promised aren’t in those specifications and the product doesn’t perform, you may have breached your contract with the downstream party you promised to protect. The pre-sale correspondence is your record of what the reseller actually represented.
* In evaluating sales claims for security products, get help from experts other than your IT staff. IT is a different field from data security; the focus of the training is different.
* Be skeptical. Caveat emptor.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT, CRISC. Ira Victor is a digital forensics and data security analyst. He is a contributor to HabeasHardDrive.com, The SANS Computer Forensics Blog, and CyberJungle Radio. He holds US patents in email security and authentication. He is President of Sierra-Nevada InfraGard and a member of the High Tech Crime Investigators Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.
