Is anyone still influenced by paid studies?

August 29th, 2006 Posted by D Webber

Let’s say you’re a company that produces “end point authentication” products… hardware and software-based products that allow access devices to determine whether a PC or laptop connecting remotely is really one of your own.

Now let’s say not enough people understand why they would need such products. What can you do?

If you’re Phoenix Technologies, you can pay a marketing/research company to find a statistical base that illustrates a need for multi-factor authentication, then publish a study promoting the specific form of authentication the sponsor sells. That’s what it appears we have with Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006 (PDF link).

This alarming study shows that “most crimes, 84%, could have been prevented if the identity of the computers connecting were checked in addition to user IDs and passwords.”

The numbers presented are interesting and reinforce what we already know about the weakness of single-factor username and password authentication. That’s why many organizations deploy additional factors, such as RSA SecurID tokens or client certificates for SSH and VPN access. Even limiting remote access to specific IP addresses can help. This study is the first I’ve seen in which the only additional authentication factor presented is authentication of the hardware platform itself.

Vendor-sponsored studies like this are nothing new. However, each time a new one comes out I’m amazed once again that companies think they have any credibility with decision makers. Paid studies and astroturf campaigns become a target of derision once the sponsors behind them are revealed, and trust in the sponsor is harmed due to the perceived deception.

It is technically possible for a sponsored study to be impartial. For example, it could be arranged as a double-blind study in which neither the sponsor nor the researchers know who the other is. To be fair, perhaps this particular study was conducted through a double-blind… the paper doesn’t say. Given that the conclusions mention only a form of authentication that is provided by the sponsor, that possibility seems unlikely.

By the way, small organizations that don’t have the sizable funds required to commission a study can at least pick up very cost-effective reviews and quotes from The Quote Whore.

Posted in Computer industry