Gartner Blog Network

Missing the Point, Over and Over and Over Again

by Ben Tomhave  |  September 24, 2013  |  1 Comment

I saw a quaint marketing message from a security vendor recently that made a call for “back to basics.” This is a somewhat intriguing piece of advice to give, considering that the basics aren’t really getting the job done these days. In fact, for that matter, security in general seems to spend many a day flailing about in the dark for solutions to problems we don’t really seem to understand or define very well. Unfortunately, we’re constantly confronted with a shrillness in sales and marketing pitches that seems to spin us around, pointing us in every direction on the compass, and yet to what end? Context is missing…

Here’s an example of missing context (WARNING: this post/site may not be deemed safe for work due to the use of harsh language). The post rants against the ongoing use of anti-virus software in the enterprise. Does anybody really see AV as a panacea these days? Are we really all living under a delusion of false hope and security? Perhaps “the business” or consumers have such delusions, but we in the security industry have known better for ages.

The point that’s missed, however, is that even if AV only catches, say, 40% of the mundane garbage out there, it’s still better than catching 0%. Moreover, if your organization does not deploy AV and it suffers a breach or productivity loss or data loss as a result of a mundane piece of malware, there will be dire consequences for those who opted not to deploy it. True, we know that 40% does not equal 100% no matter how many ways you look at it, but being reasonable we also have to realize that it’s important to at least filter out the mundane background noise. The same line of thinking applies to firewalls.

Then there’s the story of how the new Apple TouchID interface has been hacked by the Chaos Computer Club. It’s an interesting story, but definitely not one that should result in the mass hand-wringing we’ve heard from some in the security industry. Put into proper context, Apple reportedly is targeting users who don’t apply any security to their devices today (no PIN, password, or pattern). So, in that regard, even if the fingerprint can be faked, the fact that they have /something/ limiting access is better than not having anything at all. And, in fact, for those concerned about the fingerprint being hackable, add a PIN, it’s easy (read about that here).

What I also find interesting about the iPhone TouchID “hack” is this: So you can lift a fingerprint and get it scanned by the device. Great. But… that means you have physical access to both my fingerprints AND the device. Those can be pretty big IFs. I’d be more impressed if they lifted the fingerprint off the case (or cover) of an iPhone and then used it to guess the right fingerprint. So, yes, it can be defeated, but really, so what? Put into a proper risk management context, this is fairly trivial.

Over the past week, I think I’ve had about a half-dozen “public” conversations (such as on Twitter and Facebook) about the missing context. It’s way too easy to freak out about the latest hack/attack and jump off the cliff (so to speak). However, when you put some context around an issue, it is fairly common to realize that what you’re seeing really isn’t a huge crisis, or that there are other compensating controls in place, or that the threat or weakness doesn’t really apply the same way in the given scenario. Take the emotionalism out of these scenarios and level-set with good ol’ context-setting, and then let things progress naturally from there. The worst thing we can do for ourselves, our careers, our employers, our society… is to be shrill Chicken Littles.

What do you think? How’s your context-awareness today?


Category: risk-management  

Tags: context  important  risk  

Ben Tomhave
Research Director
1 year at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.

Thoughts on Missing the Point, Over and Over and Over Again

  1. This is a good reminder of Courtney’s Second Law, RFC 4949, which says that you cannot say anything interesting about the security of a system except in the context of a particular application and environment. The industry keeps forgetting that.

