Here's how it works these days: A security firm finds out about a vulnerability, then sends its PR folks into overdrive to promote it as the biggest of all time.
It started years ago with the big APT campaign discoveries, notably Night Dragon, Project Aurora, and Operation Shady Rat. But now it has reached a fever pitch, with proactive marketing of individual exploits with supercool names -- Shellshock, Heartbleed, Sandworm -- some of which even have logos.
Logos? Really? Check out this one for SandWorm:
I can’t decide. Is it based on the "Dune" movie, "Alien Raiders," or "Tremors"? I can practically see the graphic designer winning approval from management for the logo. It would make a Navy vet with a dragon tattoo jealous.
This logo has sent me over the edge.
Is this the new norm? You find a vulnerability, then get your PR team and graphic designers involved to gin up the most hype that can possibly be created? For Pete's sake, Sandworm (can I use that name without putting a ™ after it?) is a local OLE exploit, originally executed using Microsoft PowerPoint. Sure, it was used by bad guys against good guys in the wild -- NATO members, no less. But dozens of examples have popped up over the years, and on the spectrum of absolute risk, Sandworm is not so bad. Also, it’s not a worm. I guess "SandExploit" didn’t have the right ring to it.
I understand why these firms are doing this. They want to get maximum exposure to sell their products and services, like ambulance-chasing lawyers. But McAfee and Symantec made billions after Code Red, Slammer, and Blaster without creating and pushing logos.
It seems to me that these firms don’t want their discovery to be overlooked among the daily onslaught of zero-day exploits or huge data breaches. Yell louder or get lost, I guess.
However, all it does is excite decision makers, who then learn that the latest cataclysmic attack doesn't affect them much. It's a classic "cry wolf" situation. As a result, people spend too much time on the wrong details and eventually become numb -- until the day they fail to respond to a real threat. Worse, overhyped exploits catch the eye of CEOs and CIOs, who ask questions and kick off feedback loops that waste time and resources.
Can you imagine how a real “big one” will be marketed in the future? Cue the operatic music and overlay graphics. Will it be like the Weather Channel’s “Storm of the Century” full-time news cycle with cyber security pros blown around in heavy winds, showing crying website widows holding wet cat GIFs among digital portal ruins?
If you ask me, I'd rather have flashy logos for patching, multifactor authentication, and end-user education. Maybe we need trademarked catchphrases like, “Are you ready to patch Javaaaaaa!!” or “Configure securely or get Ebola!” Here I am complaining about hyperpromoting every little discovered vulnerability -- perhaps I’ve overlooked the one component missing from our computer security defense plans.
By accepting aggressively pushed marketing strategies around found vulnerabilities, aren't we essentially injecting advertising into our alerting system? It's fake reality television. When does Honey Boo Boo show up to tell me how best to defend against APT?
Still, if PR teams and logos would fix the multidecade slide into terrible computer security, I’d be the first to sign up. But they won’t. They're distracting and counterproductive.