Truth in Advertising

Oct. 27, 2008
Don’t fall for security's version of the vacuum cleaner sale

The NCAA basketball championships are now over, but I still miss the football season. My wife and I always enjoy National Football League playoff weekends, and we try to reserve them each year. We make a big pot of spicy chili and serve a variety of snacks during the games. Of course, another football tradition is the predictable wealth of advertising for beer, trucks, and financial services.

The beer advertisements are usually the funniest. In fact, I've noticed the worse the beer tastes (to me), the funnier and more engaging the commercials. But the advertisements that cause me to erupt in incredulity are the ones featuring new cars and trucks. The formula is usually the same:

  • Show slow-motion video of a truck clawing its way through mud and deep snow, or depict a car sliding around tight corners at top speed.

  • Tout the large, powerful engine, luxurious appointments, and numerous features.

  • Blast a bottom-basement price or low monthly lease payment across the screen.

  • Flash a tiny paragraph of disclaimers at the bottom.

What truly galls me is that fine print. If you look closely, you will see that the car they just spent 57 seconds promoting is not the vehicle you get if you want to pay the amount highlighted in the last three seconds. In fact, the “as shown” price can be 80% higher. The most egregious example I saw during this season's playoffs was a stylish sedan advertised for around $25,000 with an “as shown” price of more than $43,000. That is a big difference.

Apparently, the requirement for truth in advertising is satisfied by the fine print at the end of the commercial. The automobile manufacturers who do this like to refer to the price difference as customer “options,” as if the V-8 engine, four-wheel drive system, and leather seats are items you can buy a la carte from the dealer after selecting the basic body style. The “options” shown on the television vehicle are not just tacked-on extras like a towing hitch or some chrome doodads. They are often critical to the specific features and benefits hyped by the manufacturer. What Adirondack woodcutter would be satisfied with a pickup truck as good in deep snow as your basic front-wheel-drive family sedan?

Marketing people call this the bait-and-switch tactic. Their goal is to entice you into a local dealership. You see the low price and think, “Hey, we could afford one of those!” Once at the dealer, you are confronted with the hard facts: namely, the vehicle you really want may be beyond your means. However, the helpful on-site salesperson and in-house financing expert will work very hard to convince you that you really do need it, and you really can afford it. They are happy to craft a monthly payment that masks the true lifecycle cost of the vehicle.

I believe the commercials would be fair if they simply depicted the vehicle to which the advertised price applies. Of course, they would not be able to show the truck blasting effortlessly through knee-deep snow, nor the car smoking the tires at a stoplight. They would have to show the cloth seats and the basic trim level, and eliminate the fog lights, roof rack, towing package, and stylish chrome wheels. The other sensible sales pitch would be to actually show the price of the vehicle represented in the commercial.

Another ubiquitous, and frustrating, marketing strategy is to hype a perceived problem that a potential customer would pay a high price to avoid. This type of marketing ploy is very prevalent in the IT security industry. I call it the vacuum cleaner sale.

The vacuum cleaner sale approach was firmly impressed upon me as a grade-school boy growing up in simpler times. I was home from school with measles one day when the doorbell rang. I was wrapped securely in layers of blankets on the living room sofa, from whence I could ogle the 1957 RCA console television—our one concession to modernity. My mother answered the door, and I heard the assertive greeting of a man hawking vacuum cleaners. He was garrulous and insistent as he convinced my mother she absolutely needed to see the demonstration.

After a breezy display of his hulking stainless steel behemoth, he produced a small jar from his bag. Before my mother could protest, he removed the lid and sprinkled the contents across the only rug we possessed. As my mother and I looked at each other with incredulity, he deftly plugged in the unit and turned on the switch. With a grand belly laugh, he swung it around to inhale the scattered detritus he had willfully placed on the rug. To no one's surprise (least of all his), the debris was sucked up in one quick pass.

Ironically, my mom ended up buying that fancy vacuum. She said she had planned to get some more rugs, and the salesman closed the deal when he demonstrated the unit's ability to suck up another bottle of his prepackaged particulate from the wood floor surfaces. He was a good salesman.

Not long ago, I witnessed the same sales approach in the office of a prominent government agency chief information officer. The salesman for the security company began his pitch by carefully inquiring after the types of systems and protocols used within the organization. He listened carefully to the concerns of the CIO. I was impressed. He was listening—something a good salesperson learns to do. But when the CIO had finished his overview, the salesman whipped out his laptop for the obligatory demonstration.

The salesman asked the CIO if he had been experiencing problems with certain ActiveX controls. The CIO looked over at his security expert, and both shook their heads. The salesman recovered by pulling up some slides showing that it was possible for them to become a problem for the organization. He then executed a malicious software attack that exploited an ActiveX control on his laptop and showed how the system locked up. Of course, when he employed his company's software solution, the problem was magically eradicated and the system was back up and running.

After the demonstration, the CIO reiterated that his agency had not been affected by the exploits the salesman had portrayed. The salesman then offered to load the ActiveX exploit on one of the agency's internal systems for a more close-to-home demonstration. The security expert's eyes shot wide open, and he looked furtively at the CIO. However, the CIO needed no prompting. He said he appreciated the offer, but he was not interested in introducing new vulnerabilities into his systems simply to prove the salesman's point—even as the salesman assured him he could remove them completely with his software. The salesman was thanked and swiftly shown to the lobby.

If someone tries to create a sense of vulnerability for your organization simply to sell a one-off solution, look for the fine print before shelling out your limited security funds. The entire range of products, procedures, and human-factor safeguards should be evaluated for their ability to provide appropriate and cost-efficient policy enforcement. Just because someone can demonstrate a potential vulnerability doesn't mean you need their specific safeguard. But admitting that would require more candid truth in advertising than you will likely receive from a salesman.

There are often ways to configure and manage your existing environment to provide the same (or even better) risk mitigation. It is up to the security professionals to outline the risks and the costs associated with their mediation or elimination. This must be done in consideration of all the existing and potential exposures. Then the business leaders can use this information to make the best decision for the organization. Had my mother not let the vacuum cleaner salesman scatter his bottle of dirt around our carpet, perhaps my parents could have afforded to get me that new bicycle I wanted.

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].