Last week, as much of the U.S. was inconvenienced by the widespread DDoS attack on many popular websites, Joomla! casually released a notice warning of a critical patch to its software. The update, which was published on Tuesday, October 25, 2016, according to the company’s website, only said that the new version “is a very important security fix,” bold letters and all. It further warned that “until the release is out,” the company was not able to provide any further information.
As an open source content management system, Joomla! serves as the backbone for many reputable websites, and while kudos should be given to the provider for releasing both a security patch and an announcement, the veil of secrecy shrouding the details and criticality of the vulnerability is precisely the type of fear, uncertainty, and doubt (FUD) spreading from which security practitioners must steer clear.
Searching out fear in the gathering gloom
In most organizations, security teams are still not considered a trusted resource to the business. This results from a number of issues, not the least of which is the reliance on FUD as a communication tactic. Yes, security’s world revolves around the potential for negative occurrences: data breaches, insiders losing or accidentally exposing information, external attackers targeting a specific person or company, threat actors on a mission to make a political or social statement. It’s hard, therefore, to not think and then communicate: “Here are the bad things we’re up against.” But the type of announcement published by Joomla! goes well beyond, “Potential for a negative situation exists.” The Joomla! announcement is counter to every piece of expert advice around effective communication and trust building that I’ve ever heard or read. As one very successful communications expert put it yesterday, the Joomla! notice is basically saying, “it’s SUUUPER critical…but we can’t reveal why…and you should trust us. Just do it. Don’t ask questions. We’re the experts.”
Imagine this: a policeman comes to your home and says you need to leave your house from 8:00 PM to 10:00 PM for your own safety, but he or she won’t tell you why. “Just trust us,” this person says. Your first reaction is to question why. He/she won’t tell you why, but you decide you should go anyway, so you prepare to leave. Your fear, uncertainty, and doubt about what is going to/could potentially happen is much higher than if the policeman had simply said, “We’re closing the street so the utility company can fix a broken pipeline.” That is unnecessary, uncalled-for FUD, which is exactly what the Joomla! announcement demonstrated.
And there is nothing I can do
After all of that, what were the problems? According to the company’s website, the security issues and bug fixed by the patch were:
- High Priority - Core - Account Creation (affecting Joomla! 3.4.4 through 3.6.3)
- High Priority - Core - Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3)
- Two-Factor Authentication encryption fix
Though most security practitioners would surely appreciate the urgency with which Joomla! addressed these vulnerabilities, the way in which the message about the release of the patch was delivered only helps perpetuate the myth that the only way to improve security is through scare tactics. Would you like to work for a CEO who constantly delivered company addresses in which she/he said, “We must generate more revenue! If we don’t, you are all going to lose your jobs and end up homeless”? There are probably some CEOs out there who say these kinds of things, but I’d bet none of them run terribly successful companies.
When I realize with fright, that the spider man is having me for dinner tonight
We’ve been saying it for years in the security community but it’s obviously worth writing again: Spreading FUD is not a successful or useful way of getting one’s message across. In this case, withholding information just makes users wonder what else was going on at Joomla!. Were users’ account credentials compromised? Have other incidents already happened, and is Joomla! also not releasing that information? It’s hard to tell since the company is sending cagey messages. Again, security practitioners can probably agree that finding critical vulnerabilities in one’s software, developing a patch, then informing users of the patch and releasing it quickly were the right steps from a security standpoint. It’s the way in which the messaging around all of this was delivered that is the problem. Because this is open source, we might not ever know how many users applied the patch based on the company’s announcement. At least three companies I’ve spoken to in the last two days have not applied the patch as of this publishing (which is not recommended, but goes to show that sending threatening messages doesn’t resonate with end users).
If security wants to truly be taken seriously and be trusted and respected by the business, it’s time to, once and for all, stop sending security messages in the form of FUD. Communicating in this way isn’t terribly respectful to users and implies that security doesn’t trust “outsiders” to understand. While users are not security experts and may not be familiar with security’s particular complexities, security isn’t the only complex component of business operations, and humans have the ability to grasp complex concepts when explained well. Communicating in a positive, educational way—even to those who aren’t technical—will have a much greater effect than attempting to scare people. Please, let’s steer clear of the FUD and start communicating with facts and clarity. And most importantly, with respect towards our end users.