How to prevent 1% of cybercrime?

An interesting picture appears on the PBS Shop Web site:

HACKER SAFE certified sites prevent over 99.9% of hacker crime.

Because of what it says I felt an urge to click on it. The first attempt (a right-click) resulted in the following message box:

Prohibited by Law

I think the law that prohibits copying the picture doesn’t exist. Otherwise my Web browser would be breaking the law by caching the picture, for example. And the trademark law, at least in Australia, USA and other Western countries, actually allows nominative fair use (as well as parody).

But I don’t need to do any copying anyway. The “HACKER SAFE” picture above is provided to you directly from its source, (and “certifies” sites other than this weblog). Clicking on it will show a page that says, among other things:

Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime. 

I would be really interested in the methodology of that research. Why 99% and not 99.9%? But mentioning research is just weasel words here.

The company that brings you the “HACKER SAFE” picture provides many services related to Web security and privacy protection. Every single one comes with its own picture (they are called “trust seals”):

Internet Security By ControlScan

That, as I wrote, gives a false sense of security. Looking at the service offerings reveals more interesting facts:

  • The company provides vulnerability scanning for those who need to be compliant with flawed and largely useless Payment Cards Industry Data Security Standard;

  • The company offers vulnerability scanning bundled together with EV SSL certificates – overpriced ones, supposedly more secure and with questionable benefits;

  • EV SSL certificates are positioned to secure E-Mail applications among other things. Internet email standards generally don’t require a browser, and current EV certificates’ main distinction is the green address bar in IE7. You can encrypt SMTP using SSL but the fact that the the SSL certificate is Externed Validation will make exactly zero difference compared to any other SSL certificate. I won’t be surprised though if EV flavour of mail signing certificates will emerge;

  • And the certificates are positioned as those giving the Highest Level of Digital Encryption available in industry – even though the level of encryption doesn’t really have much to do with the type, or issuer, of the certificate.

Vulnerability scanning has its value. It’s a very basic security control mechanism that allows to identify trivial system administrators’ mistakes independently of their process. But it doesn’t prevent 99% of security exposures. If it does, what about the remaining 1%? Is one attack out of a hundred successful? One attacker out of a hundred? That doesn’t make sense.

In the example above we see how aggressive marketing can be misleading, even deceptive, and therefore diminish the value of otherwise useful service.


One thought on “How to prevent 1% of cybercrime?”

  1. I acualy used the service of an online scan for my site provide by GamaSec

    i can say that I am please of the service, the clear report with practical recommendation to solve the vulnerabilities and the easy and freindly control panel that provid on demand scan scheduler.

    I my opinion the use of 3th partty security scan and security seal is important for website and for customer but the it must be done by proffessional companies and not onlt seals marketing comapnies.

    I can from our experience recommend the used of for vulnerabilities scan

Leave a Reply

Your email address will not be published. Required fields are marked *