We live in a world where fear plays an increasing role. We become more aware of risks and threats all the time, and learn how to avoid them. Some of this is justified and really saves us from harm; some is hysteria that we could live without. This is equally true in cyberspace and in our normal physical lives.
Can you tell if a security product or service really works? Or if any product is secure in the first place? A lock can be evaluated by how sturdy it is. But how do you evaluate cyber-security solutions? Don’t worry if your answer is NO. This can be really hard even for professionals, so it’s no wonder that most consumers haven’t got a clue. And on top of that we have the snake oil dealers, those who try to use your fear to sell bogus products.
We all need to make some security choices in our cyber life, but how can we do that if we can’t evaluate how secure the offerings are? This is actually an issue in almost all purchases, not only for security products but for any product that deals with your data. Luckily there are a couple of fairly simple hints that can help you. Keep these points in mind and the risk of ending up with insecure products or useless snake oil is significantly lower.
Did you learn about the threat and the solution in the same advertisement? If that’s the case, put your credit card back in the wallet and check the background first. Is the threat real and do you really need protection against it? Do not go ahead with the purchase before you have verified the threat from other sources too.
Some security products are tested by magazines and similar outlets. These tests can provide valuable guidance, but they can also be less rigorous than is desirable. A product that is praised by multiple independent sources is usually a quite safe bet. Products that involve virus detection and cleaning are especially hard to test scientifically. There are some organizations that do this well, AV-Test.org for example. Look for tests relying on data from them.
You can’t verify the effectiveness of a security product yourself, so you must trust the vendor. Check how long the firm has been around and what it has done in the security business previously. Deep security knowledge is almost always coupled with some kind of research activity, which in turn produces results that can be published. Look at how often the company’s personnel appear as experts in the media.
The Internet spying scandal in the US has raised the importance of this question. We have learned that the US three-letter agencies have pretty much free access to any data stored in the US or managed by US-based companies. If this kind of privacy is important to you, you can pretty much scrap all US-based alternatives. But which countries are safe if the US isn’t? That’s a really complex question. I don’t have a comprehensive answer, but there is one country that I know well and trust.
Some products use cryptographic terminology extensively when trying to describe how safe they are. But cryptography is just a tool, and it requires skill to use. A long list of crypto algorithms on its own proves nothing about the product’s security. Don’t get me wrong, crypto is good and can be really important when used right. Look for products that describe how and why things are secured rather than just flashing fancy acronyms. Also look for a holistic approach in the description, as true security requires a solid end-to-end process to avoid weak links in the chain.
A key task of security systems is to prevent something from happening. From this it follows that it’s hard to know whether your system is 100% effective. Be careful with products that boldly claim they are perfect and have achieved that! It either proves that they don’t have a clue about security, or that their marketoids have been given too much rope. True security is built upon distrust in the product and a relentless quest for security faults in it. A product is secure enough if its vendor spends more time breaking it, and fixing what it manages to break, than the bad guys do. You might have a pearl if this attitude shines through when reading a description of a product’s security features.
Want an example? This security description was written by a seasoned expert whom I know well, and who really has the skills and attitude it takes to secure a system. He addresses the most important point last, just as I did in this article.