They're security myths, oft-repeated and generally accepted notions about IT security that...simply aren't true. As we did a year ago, we've asked security professionals to share their favorite "security myths" with us. Here are 13 of them (if you'd prefer to zip through a slideshow version of this, click here).
Security Myth #1: "Anti-virus is protecting you against malware in an efficient way."
Raimund Genes, Trend Micro CTO, says businesses use anti-virus because otherwise, "your auditors would kill you if you didn't run A/V." But A/V can't reliably protect against a targeted attack because before it's launched, attackers have checked to make sure it won't be caught by A/V software.
Security Myth #2: "Governments create the most powerful cyberattacks."
John Pescatore, director of emerging security trends at SANS, says most government attacks are simply re-using criminal-owned attack resources. And the U.S. Department of Defense likes to hype the threat from nation states to boost its budget. The sad truth is that denial-of-service attacks against banking Web sites such as Citibank can be stopped but there hasn't been enough effort to do that. And governments going after other governments for espionage is nothing new, with China, the U.S., France, Russia and others at it for decades.
Pescatore also has two other favorite myths that concern cloud security that put together are contradictions in themselves: that "cloud services can never be secure" because they're shared services that can change whenever they want to, and the second that "the cloud is more secure because the providers do it for a living." About these two contradictory myths, Pescatore points out, "Many of the providers, like Google, Amazon, etc. did not build their clouds to provide enterprise class services or protect other people's information. In fact, Google built a very powerful cloud expressly to collect and expose other people's information via its search services."
But Pescatore also points out that e-mail-based cloud services from Google and Microsoft, for example, have so far shown that when customer data was exposed, it was very rarely the fault of the provider and could mostly be ascribed to phishing attacks on customers. But the enterprise customer is still grappling with how to appropriately change its processes to match the cloud service providers in terms of incident response.
Security Myth #3: "All our accounts are in Active Directory and under control."
Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this misconception is common, but most organizations have set up — and largely forgotten — functional accounts used by applications and automated processes, often managed by encryption keys and never audited. "Many large organizations have more keys configured to access their production servers than they have user accounts in Active Directory," Ylonen points out. "And these keys are never changed, never audited and not controlled. The whole identity and access managed field generally manages interactive user accounts, and consistently ignores automated access by machines." But these keys intended for automated access can be used for attacks and virus spread if not properly managed.
Security Myth #4: "Risk management techniques are needed for IT security."
Richard Stiennon, chief research analyst at IT-Harvest, says although risk management "has become the accepted managerial technique," in reality "it focuses on an impossible task: identifying IT assets and ranking their value." No matter how this is attempted, it "will not reflect the value that attackers place on intellectual property." Stiennon argues "the only practice that will actually improve an enterprise's ability to counter targeted attacks is threat management which entails deep understanding of adversaries and their targets and methodologies."
Security Myth #5: "There are 'best practices' for application security."
Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for "best practices" thought to be "universally effective" and worthy of investment since they're "essential for everyone." These include software training, security testing, threat modeling, web application firewalls, and a "hundred other activities." But he thinks this typically overlooks the uniqueness of each operational environment.
Security Myth #6: "Zero-day exploits are a factor of life and impossible to predict or effectively respond to."
Zero-day exploits are those targeting network vulnerabilities not yet generally known. But H.D. Moore, CSO at Rapid7 and creator of the Metasploit penetration-testing tool, thinks to the contrary, that "security professionals can actually do a good job of predicting and avoiding problematic software. "If the organization depends on any software that is 'impossible' to function without, there should be a plan in place for what to do if that software becomes a security risk. Selective enablement and limiting the privileges that the software receives are both good strategies." He also says another favorite security myth is that "You can tell how secure a product or service is based on the number of publicly disclosed vulnerabilities." He says a good example is the notion that "WordPress is terrible, look at how many vulnerabilities have been found so far!" But he says "the deep history of software flaws can be the natural result of a piece of software becoming popular." Moore concludes, "By contrast, there are dozens of products with no published flaws that are often much less secure than a better-known and more widely audited application. In short, the number of security flaws published for a piece of software is a terrible metric for how secure the latest version of that software is."
Security Myth #7: "The U.S. electric grid is well-protected under the North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) requirements."
Joe Weiss, managing partner at Applied Control Solutions, argues that's a myth because CIP, drawn up by the industry itself, applies only to bulk distribution of power, not the entire distribution system, and also specifies only a certain size of power generation. "80% of the generation in the U.S. doesn't have to be looked at under CIP."
Security Myth #8: "I am compliant, therefore I am secure."
Bob Russo, general manager at the PCI Security Standards Council, says it's a common notion that businesses think once they get compliant with the data-security rules for payment cards, they're "secure once and for all." But checking the box for compliance only represents a "snapshot in time" while security is a continual process related to people, technology and processes.
Security Myth #9: "Security is the chief information security officer's problem."
Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the CISO is going to get the blame for a data breach, mainly because their job has them setting a policy or technical course. But many others in the organization, especially the IT operations people, also "own security" and they need to shoulder more responsibility for it.
Security Myth #10: "You're safer on your mobile device than on the computer."
Dr. Hugh Thompson, RSA Conference Program Committee Chair, contends that while this "frequent assumption" has some merit, it underestimates how some traditional safeguards for computers, such as masked passwords and URL previewing, don't apply to mobile devices today. "So while mobile devices still offer more security safeguards than laptops or desktops, several traditional security practices that are broken can leave you just as vulnerable."
Security Myth #11: "You can be 100% secure but you need to give up personal freedoms."
Stuart McClure, CEO and president of start-up Cylance, says don't buy the argument that to combat the bad guys online, we have to "submit all our traffic to the government to do it." Better to get to know the bad guys really well and "predict their moves, their tools," and "get into their skin."
Security Myth #12: "Point-in-time security is all you need to stop malware."
Martin Roesch, founder of Sourcefire and inventor of the Snort intrusion-detection system, says security defense too often is limited to catching or not catching any type of attack, and if it's missed, that defense "practically ceases to be a factor in the unfolding follow-on activities of an attacker." A newer model of security operates continuously to update information even if the initial attack on the network is missed in order to understand the scope of the attack and contain it.
Security Myth #13: "With the right protection, attackers can be kept out."
Scott Charney, Microsoft corporate vice president Trustworthy Computing, says, "We often associate security with keeping people out; locks on our doors, firewalls on our computers. But the reality is that even with sophisticated security strategies and excellent operations, a persistent and determined attacker will eventually find a way to break in. Acknowledging that with reality, we should think differently about security." For the entire security community, that means a "protect, contain and recover" approach to combat threats today and in the future.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org.