ControlScan and the FTC: We Don’t Need Your Stinkin’ Badges

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

One of the reasons security is so hard is that it is next to impossible to make guarantees. People incorrectly treat security as a binary property: Linux is secure, Windows isn’t, and so on. You can show a system is not secure by finding a single vulnerability, but a claim that a system is “secure”, without further qualification (secure against what, for whom, under which assumptions), is meaningless. Unless you have an unlimited budget, 100 percent security is neither attainable nor even desirable.

Imagine you’re a busy executive. You have a budget, a timeline, and a job to keep. Your boss, shareholders, or board are concerned about the security of your systems. Someone is trying to sell you a magical piece of technology that promises “guaranteed” security. You may be tempted to buy, and you would be wasting your money.

It’s extremely common: walk through the RSA or Black Hat exhibition halls and you’ll find hundreds of companies marketing comprehensive security “solutions” that rest on deceptive claims and glossy packaging.

It’s why so many people in the security community rail against “security badge” services for web sites. These companies sell you the right to display an image that tells your customers your site is “secure”; McAfee Secure, TrustGuard, and Shopper Safe are just a few of the competitors. Most of them rely on automation and simple vulnerability scanning, which can only detect the classes of issues the scanner was written to look for. Many security researchers have found these services to be inadequate, and there are even reports of attackers specifically targeting sites that relied on them.

ControlScan, one of these web site scanning services, recently reached a settlement with the FTC over allegations that it misled customers about the frequency and effectiveness of its scans. ControlScan issued many of its badges with “little or no verification” of the site’s actual security practices, and while the badge displayed the current date, implying a scan that day, the underlying scans were often weekly or less frequent.

It will be interesting to follow the ramifications of this agreement and see how it affects other security vendors. Many security companies rely on vague claims about the effectiveness of their products because incremental risk reduction is hard to sell; most buyers want immediate and complete solutions. When do bold claims become deception? Whose responsibility is it to verify the efficacy of a security technology? The FTC has taken a stand against an obvious shyster, but will the “snake oil salesmen” of the security industry be shut down?