Security study: You will be owned

Editor’s note: The following story is from InfoWorld’s 2008 April Fool’s spoof-news feature package. It is not true. Enjoy!

Enterprises seeking a modicum of certainty in the ever-evolving threat landscape finally have it: No matter how much human, technological, and financial resources you commit to securing your enterprise, you’re hosed.

According to a research report published by a syndicate of IT security research labs, enterprises finally have something to plan their security implementations around — namely, that exploits, like death, are a surefire occurrence worth betting on.

In a recent paper published by the Foundation of Underground Developers (FUD), an all-star team of high-ranking experts assembled from a collection of the industry’s leading anti-malware labs contends that despite continued investments made in a wide range of security technologies, nearly all businesses remain utterly helpless in defending themselves from external attacks.

From botnets to spear-phishing, to cross-site scripting and DDoS (distributed denial of service) threats, there are no shortage of attacks that will “summarily exploit companies’ ubiquitous vulnerabilities” and “expose their most sensitive data to any half-baked thieves with Internet access,” said the FUD researchers who authored the paper.

[ April  Fools! Click here for more InfoWorld April Foolery. ]

“It’s actually pretty comical. Every major business in the world is spending millions on IT security, and basically, they’re still just sitting there like wussies waiting to get owned by all sorts of attacks,” said Marcus David, head of the Alert Labs Group at anti-virus vendor McAvoid. “Essentially, the malware authors are making way more money than the good guys, so they’re working much harder; the cops and the courts clearly don’t care about prosecuting the bad guys, so the white hat community is pretty much just going through the motions.”

Based on the group’s inaugural survey of 509 IT security professionals, most of those people paid to defend their companies’ data and IT assets from external assault feel that the “game is already over,” David said.

However, some 87 percent of respondents indicated that they would continue to encourage their employers to spend money on point products, despite characterizing the technologies as “woefully useless” (79 percent), “overpriced and underengineered” (64 percent), or “shameless vaporware” (58 percent).

Companies may be working to adopt top-down IT risk management and data governance strategies to help foster a more holistic approach to security, but those academic concepts were labeled as “consultant-bred mumbo-jumbo” (82 percent), “vendor marketing jargon” (73 percent), and “totally made-up hogwash” (69 percent) by those professionals responding to the FUD survey.

Experts have long evangelized the need for executive support for security projects, but getting business people involved in the process has only made the situation more dire, FUD researchers said.

“C-level executives might finally be committing to making security a real priority, but all this talk of risk management is just a thinly veiled admission that people understand that they’re totally defenseless, despite spending millions,” said Vincent Weeper, chief research scientist at anti-malware specialist Cement-Tech. “Hopefully, we can keep the wool pulled over their eyes in terms of selling them more products, but let’s face it, this ship actually sailed about five years ago.”

Despite the promise of newer security technologies including DLP (data leakage prevention) and NAC (network access control) tools, it would seem that businesses are only fooling themselves into thinking that crafty hackers haven’t already figured out ways to bypass any system aimed at stopping their attacks, according to the report.

Some industry watchers maintain that such products that have previously been tabbed as representing the best hopes for improving corporate security are actually just ideas cooked up by venture capitalists to give them an excuse to brag to their Silicon Valley colleagues how smart and cool they are because they’re remotely involved in a game of “electronic cops and robbers.”

“Basically, if you’re looking for leakage prevention, you’d be better off strapping a carton of Depends diapers to your servers,” said Jake Andrith, an analyst at Opportunist Research. “NAC has been on the market for two years and nobody even understands what it is supposed to do, let alone how to use it — not that it works, anyway.”

Looking into the future, experts predict that companies will continue to buy products, create internal initiatives, and pretend to welcome security-oriented compliance mandates even as hackers from all over the world simultaneously rob them of their most valuable customer data and intellectual property.

The problem is that hackers are simply more intelligent and better motivated than their peers in the security industry, not including the majority of self-proclaimed white hat hackers who also sell vulnerability and exploit data to criminals to pad their incomes, said Cathy Mooseiris, security forensics researcher at MicroSieve.

“It’s pretty much a given that most of the top people in the industry are playing both sides of the fence, because the truth is at the end of the day, they care more about making money than protecting some business concern they don’t work for,” Mooseiris said. “If I was a chief security officer, I’d be looking for a job that wasn’t so completely impossible.”

[ April  Fools! Click here for more InfoWorld April Foolery. ]