The Real Problem With Naming Vulnerabilities

Many in information security have complained about, and made fun of, named vulnerabilities such as ShellShock, HeartBleed, and now BadLock. So a bug is found, a site is launched, there is a logo, and enterprises everywhere scurry to fix the issue as the highest priority.

Basically, because it has marketing it gets the attention of management and becomes a priority.

This has irked security professionals for a long time, but I’ve not seen the reason properly articulated. So here’s my my attempt:

It’s troubling when you need marketing in order to convince people to do the obvious and necessary.

That’s it.

Imagine if we named every pothole on the freeway, with a website describing how to drive around it.

Or what if we named various heart attacks, and then put up websites talking about diet and exercise as the solution.

The problem in all these cases is that we already know the general problems, and (more importantly) we already know the solution.

Stay. Patched.

It’s that simple. There will be hundreds of them per month; don’t wait for a themed website to take action.

If you run IT systems, stay patched. If you drive on the freeway, go around giant holes in the road. If you want to live a long life, don’t sit on a couch and eat pork skins.

TL;DR: Any person or organization that needs a named campaign in order to be convinced to perform basic hygiene, is doomed.

Related posts:

1. The Real Internet of Things: Details and Examples

2. 10 Behaviors That Will Reduce Your Risk Online

3. Stop Trying to Violently Separate Privacy and Security