Comment Articles

There's no silver bullet for security

Patrick Gray ZDNet Australia

Published: 11 Dec 2003 16:30 GMT

Have you heard the news? The spam problem has been solved by a new type of mail architecture, and hackers are a thing of the past! A vendor has released software that can block attack types that haven't even been invented yet, and can foil spam techniques that won't even be developed until 2015. Really.

This is what us poor old IT journalists are told every day by a dozen press releases from a dozen companies out there that are eager -- too eager -- to get their products out there. They may have good software and "solutions", but there is such a thing as over-selling.

Let's look at some of the pitches out there.

A great example is MessageLabs' marketing material. According to its Web site, MessageLabs' mail filtering service "can assure you of complete peace of mind from complete email security". Aside from being somewhat ambiguous -- it's not "email security" that worries me as much as email-borne threats -- this statement is an exaggeration. Sure, the service is a good one, but would it give me complete peace of mind? Hardly.

ZDNet Australia recently had a visit from a Melbourne-based software distributor, which had put together a suite of software products in the security area -- a couple of which were good products that I would recommend to some people. However, there is no way known that their product could make "all [italics mine] unauthorised software (including viruses) un-executable while still allowing network users to access the software they need". Let's get real, people!

Don't even get me started on security vendors peddling "Intrusion Prevention Systems" (IPS) like they're some kind of silver bullet cure for all security ills. I'd like to see some of those vendors taken to court on a Trade Practices Act violation for misleading and deceptive conduct. Sure, IPS are starting to show some promise in detecting and preventing some types of attacks, and there's some ok-ish heuristics code being bunged into them, but even calling them an Intrusion Prevention System is, in my opinion, misleading.