Security Through Confusion – The FUD Factor

The FUD factor has been employed by sales and marketing teams from multiple industries for decades. It stands for fear, uncertainty, and doubt (FUD) and first appeared in the 70’s as a tactic used in the computer hardware business. FUD is a disinformation strategy used to intentionally push information that is very misleading and designed to confuse and deceive an audience.

FUD is very common in the infosec domain and used to gain advantage over competitors. It is often done by companies when they find themselves hurting financially, desperate for attention, lacking in adoption or the perceived real value of a product does not materialize. The goal is simple. Do whatever possible to divert attention and confuse an audience so that they buy X product.

WordPress – Security Through Confusion

We have been paying attention to the website security space for a while, paying special attention to the WordPress security domain as we find it rampant with FUD strategies. It’s gotten to a point now that it’s important we help provide some context into what we’re seeing and its effects on you as a website owner.

Every day there is a new self-proclaimed expert in the field of WordPress security and a quick search for “security” in the WordPress.org plugin repository shows over 1,000 plugins. As you drill into specific keywords like “malware” you find over 100+ plugins; “firewall” another 180+ plugins, and the list goes on.

Even with our write up on how to look at the WordPress security plugin ecosystem it’s practically impossible for website owners to really differentiate between the various solutions.

In a crowded space like this, where anyone can be an expert, how are these organizations supposed to stand out? Unfortunately, the apparent answer to some seems to be to grow through the employment of disinformation strategies, the FUD factor.

More concerning is that some might not be doing it intentionally. They don’t understand security and are mixing FUD with misinformation and taking advantage of the average low-level aptitude of many WordPress users. That creates this concept of Security Through Confusion.

The concept is simple:

Confuse the user enough, where they really don’t know any better and they will buy my product to solve their security problem; a problem that they may or may not have, and that I may or may not solve.

Red Flags – FUD Triggers

To help you parse through the noise, we prepared a list of triggers designed to help you know if you’re being deceived.  Let’s start with the red flags:

  1. The new product offers 100% success rate. –> No security product is 100% effective with no false positives/negatives.
  2. “This is the only product you need, it solves all your problems.” –> Security is much more complex and can’t be done with products alone.
  3. An organization that has invalid or no research behind their product — > This is evident when an organization fails to present their source or data to support claims.
  4. An organization who claims “We’re the best!” or “We’re the experts!” or “We beat everyone by a wide margin!” –> Everyone is the best in their own eyes.

If you see any of these red flags it’s time to approach them carefully. In some instances, you’ll want to run the other direction quickly. Instead, spend the time to perform some critical thinking when working with an organization. Why are they making these claims, and is there anything that is supporting these claims?

The more challenging triggers are those that are technical because not everyone is able to appreciate the nuances of an argument. You hear what you perceive to be an authority and believe them to be accurate. Classic examples in our own case might be when breaches have occurred in the past, like with Target, Sony and even the Panama Papers. In each of these instances we were asked to comment, but in each case we declined. Not because we didn’t know or feel strongly about how they might have occurred, but because it would have been inappropriate being how far removed we were from the scenario. In the cases where we do comment, we stick strictly to our specific domain, as that is what we’re known for. This same concept applies technically as well.

WordPress specifically is infamous for creating experts overnight on all facets of a subject, including security. Classic examples might be watching security plugins as they evolve. One minute they are application security utilities, the next they are the only security solution you need. The problem with this approach is that it’s extremely disingenuous to the user. CMS extensions (i.e. plugins, modules, etc.) function at a very different level of the technical stack. They can be effective, but they can also be ineffective.

For example, things to consider:

  1. A plugin says they will mitigate a DDoS attack. You know it is false because DDoS can’t be handled at the application layer. Your server will die before the plugin itself can respond. Additionally, in many instances the plugin itself will DDoS your site unintentionally as it starts to consume your local resources. It’s especially rampant on shared environments and why many hosts will disable these types of plugins.
  2. Plugins that misrepresent what they do. Classic examples are CAPTCHA or brute force plugins that say they are Website Application Firewalls (WAF). WAF’s are more complex pieces of software that do a lot more than just brute force / IP blocking.
  3. Plugin creators that misuse terminology. An example of this would be claiming they are the only “defense in depth” solution as it contradicts the very idea of a defense in depth strategy.

Security is a complicated domain that is constantly evolving. Security products require research to go hand in hand with their engineering. It’s why you see some of the biggest brands like CloudFlare, TrustWave, Incapsula and many others with really strong research teams that constantly share their insights. It’s about validation and contribution to the community as a whole. So when you engage with a security “company” be sure to look for their validators. What kind of research are they doing? What are they sharing with the greater community? Be mindful of bold claims with no supporting data, or extremely vague descriptions. Great places to start is on their blog. Look at their comments, ask yourself, are these real comments? Do people really talk like this? A few tips:

  • A malware detection product should have enough anti-malware analysis and research to back up their knowledge.
  • A protection product should have enough threat-detection and analysis research to share.

Some wise words from Yoda: Security company with no research to show, security company it is not.

6 comments
  1. great article Daniel. As always, Sucuri.net give us the big picture related with web security.

  2. Great article. I have a red flag to add: “Decrease penetration / infection rates”. This pretends that a lower rate means better security! But, one infection/penetration is enough! So Long, Palo

Comments are closed.

You May Also Like