Earlier, Williams delivered a speech in which he said, "It's better to take preventative measures than to wait for disaster to unfold."The Fedread more
The country's Revolutionary Guards say they will soon releasePoliticsread more
Regional stability, oil prices and potential for war will all depend on what Iran does with its nuclear program in the event of the deal's termination.World Politicsread more
Boeing will take a nearly $5 billion charge in the second quarter to compensate 737 Max customers as the planes remain grounded.Airlinesread more
Market researcher James Bianco believes it's crucial to get a half point cut at the next Federal Reserve meeting.Trading Nationread more
The base version of the sports car will punch out 495 horsepower, 40 more than the seventh-generation car and enough to launch it from 0 to 60 in "less than three seconds"...Autosread more
President Trump said he's looking at the JEDI contract that will be awarded to Microsoft or Amazon.Technologyread more
Taiwanese President Tsai Ing-wen is expected to stop over in the U.S. on Friday on her way back from visiting diplomatic allies in the Caribbean, a move that's sure to make...China Politicsread more
Animation fans and Kyoto residents gathered at the site of Japan's worst mass killing in 18 years on Friday, offering flowers and prayers for the 33 people who died in an...Asia Newsread more
Libra and bitcoin are different in a lot of ways, from the technology behind them to the way they're used.Technologyread more
Microsoft beat on top and bottom lines, and guidance was just ahead of expectations, but the company's Azure growth is slowing down.Technologyread more
The cybersecurity vendor marketplace is growing so crowded that some companies have been resorting to extreme tactics to get security executives on the phone to pitch their products, including lying about security emergencies and threatening to expose insignificant breaches to the media.
The aggressive tactics come as the cybersecurity market expands dramatically, with a "long tail" of thousands of vendors with niche specialties. These sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats. It can also result in overhyped publicity about breaches and hacks that are actually minor, which confuses customers and consumers.
CNBC spoke with four top cybersecurity executives at Fortune 500 finance, health care and payments firms about unsavory practices from vendors. These executives all said they have been pressured by vendors and researchers who claimed — rightly or not — to have found a cybersecurity problem at their company. Some hinted at the possibility of negative news coverage if the executive did not listen to the vendor's full pitch.
Complicating the picture, many ethical hackers use their contacts with the company to report legitimate problems. One executive complained the noise makes it difficult to pinpoint the legitimate reports of infrastructure flaws that need to be fixed.
It's hard for cybersecurity companies to get noticed. Smaller vendors particularly struggle because top corporations already have contracts or strong customer relationships with the biggest companies.
This is where the threat of negative media coverage comes in. Exposing a security flaw, no matter how small, can garner big headlines if it's at a big company. Enough press coverage can spark weeks of outrage and land top leaders in front of Congress.
However, breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don't expose important company or customer information.
For instance, all four executives said vendors tried to draw their attention to potentially exposed data on Amazon and Microsoft Azure cloud servers. None of this data included any current material information.
In one case, a database housed business plans for a 10-year-old project that had already been reported on and was now irrelevant. In another case, the data included information about customers — but only their names and the fact that they had attended a technology conference several years earlier. There were no further personally identifying details, Social Security numbers or other data that would have raised the ire of regulators or even senior company executives.
But the representatives pressured the execs on the phone, saying they had repeatedly tried to warn them about these minor issues and were ready to go to media outlets.
Fearing negative publicity, these execs typically agreed to spend around an hour allowing the vendor to offer "free services" to fix the problem, followed by a bigger pitch for paid services.
Two of the executives also said vendors used questionable tactics just to get through to their phone. Vendors have called in to report "emergency" incidents, then once they got past the company's gatekeepers, turned the "alert" into a sales pitch. They have also lied to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they'd worked their way up to the right executive.
All told, this results in a great deal of wasted time. Worse, as one executive said, "I distrust most of them, so it's possible I miss the people who may be trying to raise actual issues."
Cybersecurity vendors also often try to scare executives based on the type of perpetrator launching a given attack.
These pitches often work on board members or less technically inclined executives, who are scared of the prospect of defending their networks from Iran, China, North Korea or Russia and impressed at the vendor's purported investigative skills, the executives said.
But for the vast majority of companies, attribution doesn't matter at all, they said. That's because no matter who did it, the vast majority of private-sector data breaches can be attributed to the same basic security weaknesses that all hackers exploit.
"If you're vulnerable to SQL injection," said one bank chief information security officer, referring to a basic type of hack that often is used to steal consumer data, "then you're going to fall prey to SQL injection. It doesn't matter if some kid in the basement does it or the PLA [China's People's Liberation Army]."
Regulators don't particularly care, either, the bank official said. If you have a weakness that you should've fixed, regulators will focus on that weakness.
"Unless you're the NSA, attribution doesn't matter," the security head said.