• United States



Introducing FUD Watch

May 21, 20083 mins
Application SecurityCSO and CISOIT Leadership

Senior Editor Bill Brenner scours the Internet in search of FUD. The goal: separate hot air from genuine action items.

Senior Editor Bill Brenner will scour the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items.

Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – turn out to be threats that have little or no impact on the average enterprise.

The big challenge for security writers is to separate the hot air from the legitimate threats. This column aims to do just that.

But for this to work, audience participation is a must.

The goal is to make this an interactive exercise, with readers offering their two cents on the latest threat reports and whether they truly demand action. If you see a threat that’s been overplayed or underplayed, let me know and I’ll include it in the next column.

For the sake of getting the conversation started, I’ll give you an example of something I ultimately deemed to be FUD.

Three years ago when I was writing for another security publication I got an e-mail quickly followed by a phone call from a PR person eager to flag a “new and serious” threat discovered by the security vendor she represented at the time.

The security vendor wanted the world to know about a new technique in which the bad guys could, from different locations, saturate wireless access points with log-in requests using multiple password combinations, clogging a company’s central authentication server. The vendor described this as “phlooding,” embracing the then-popular trend of coining words starting with the letters “ph” [phishing, pharming etc.]

The PR rep described phlooding the way others might describe the collapse of the Internet. Since then, nobody I know of has claimed to have suffered a catastrophic case of phlooding.

I wrote about the threat, but did so from the perspective of IT security pros who were getting annoyed with all the “ph” words flying (phlying) their way.

I’m fairly certain everyone has an example of FUD to talk about. Those who do should e-mail them to me at

Let’s have some fun (phun) and, in the process, make it a little easier for our peers to separate the hair-raising from the hyperbole.