There is a new breed of animal appearing in the infosec community, according to Dr. Jimmy Blake, chief security officer for Mimecast, a cloud-services company based in London, and host of the blog Cloud Computing and Bad Behavior. The new breed is what he calls the "attention monger" (he actually used a more colorful word, but we toned it down for this article.) The attention monger is courting headlines with the media that add no real value to information security.
Most infosec pros know the term FUD; it stands for Fear, Uncertainty and Doubt. But increasingly Blake thinks he sees FUD making headlines too often because opportunists are hoping to get their name out there. However, while drumming up concern over vulnerabilities in popular products does often garner media attention, it can be detrimental, too, he warns (See also: Good FUD vs. bad: Is there really a difference?).
"The danger in raising FUD is that users get attrition. They get so used to a constant stream of things that they are told to watch out for and when the really big things actually occur, they aren't ready for it," he said. "If we are constantly bombarding users with this stuff, it gets lost in the noise and they aren't prepared for the real vulnerabilities."
Blake recently outlined three areas where he sees rampant hype spewed in the media with little value.
Anything with a small i in front of it is fodder for headlines lately, said Blake. He points to the recent dust-up about a vulnerability with the iPad that was discovered by Goatse Security. The vulnerability was hardly newsworthy at all, according to Blake, and was actually a coding error on an AT&T website which leaked email addresses.
"The device itself didn't play a part in this," noted Blake. "It was really a sloppily-made web site."
Blake said attention mongers are hot to point out any issue with an Apple product because of their popularity, resulting in a disproportionate amount of attention on a product line that really has a much lower rate of vulnerabilities.
"The initial reaction is 'Oh, its iPad or iPhone related, so that's what we are going to hit the headlines with.'"
A day doesn't go by when we don't hear of a new scam or vulnerability on Facebook. Security pros agree Facebook is a hotbed of opportunity for criminals, but Blake wonders if a lot of the concerns are being blown up inappropriately. (Also see: 4 things Facebook doesn't tell you about your privacy and security)
Last month, a researcher with Skull Security collected information from 100 million Facebook pages that users had classified as publically available. They were all essentially profiles of users who had not bothered to set their privacy settings to, well, private. The resulting data included user account names and a URL for each user's profile page, from which details such as addresses, dates of birth or phone numbers could be accessed. Big deal, said Blake.
"All they did was collect data from public-facing web sites and pitch it as a huge privacy issue," said Blake. "Anyone who puts something up on the web and pays no mind to their privacy settings has to be aware that it is available to the rest of the world."
Blake said he is concerned about the number of infosec researchers who are trying to ride the wave of concern over Facebook privacy issues. Instead of educating users, most of the hype about Facebook has no useful purpose, he said.
"In the case of the Facebook news, there is nothing you can do about it. It's after the fact information."
Cloud security is a growing concern among security departments as more organizations adopt cloud technologies. As a result, it's also a target for FUD. Is it unmerited? A survey conducted at Defcon last month asked 100 hackers in attendance about security in the cloud. The results: 96 percent said they believe the cloud opens up more hacking opportunities and 45 percent said they had already tried to exploit vulnerabilities in the cloud. Additionally 89 percent said cloud vendors aren't doing enough to address cyber security.
But Blake said he believes an artificially high barrier has been set for cloud security. Organizations have irrational fears because they are nervous about moving their data from a tangible data center and develop an unrealistic level of expectation. Headlines regularly call into question the implications for cloud security that scare people with fears of the unknown.
"A lot of FUD is spread by on-premise vendors who are selling on-premise solutions and are seeing their market share erode," said Blake.
Blake recommends customers do their own research, independent of on-premise vendor suggestions and scary headlines, before making decisions. He also points to two governing bodies, the Cloud Security Alliance and Cloud Audit, both of whom are working on a set of recommended controls specific for the cloud and a mechanism for third-party evaluation of conformance.