Skip Links

13 security myths you'll hear -- but should you believe?

By , Network World
February 14, 2012 04:45 PM ET

Network World - They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in order words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:

Security Myth No. 1: "More security is always better."

IN PICTURES: 13 security myths

Bruce Schneier, security expert and author of several books, including his most recent, "Liars and Outliers," explains why this security concept of "you can't get enough" that's often bandied about is off the mark to him. Schneier explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut." He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime -- say, shoplifting -- by 25% cost some amount of money; but additional measures to reduce it another 25% cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable." Sometimes security may even become a moral choice and being in compliance might be an immoral decision, as it could pertain to a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."

Security Myth No. 2: "The DDoS problem is bandwidth-oriented."

"There are a lot of urban myths you hear over time that aren't backed up by real evidence," says Carl Herberger, vice president of security solutions at Radware, who says there's a widespread belief among IT managers that if only they had enough bandwidth, distributed denial-of-service (DDoS) attacks would go away. The reality, he claims, is that since last year, it's become evident that more than half of DDoS attacks are not characterized by bandwidth at all but are application-oriented, where attackers strike at the application stack, and exploit standards for purposes of service disruption. In these circumstances, having more bandwidth actually helps the attacker. In fact, only about one-quarter of the DDoS attacks seen today are mitigated by adding bandwidth, Herberger contends.

Security Myth No. 3: "Regular expiration (typically every 90 days) strengthens password systems."

"I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says Ari Juels, chief scientist, RSA, the security division of EMC, about his favorite myth, which is that passwords should be expired regularly. No one knows where this came from or if it's good advice at all, he points out. "In fact, recent research suggests that regular password expiration may not be useful," says Juels. Research that RSA Labs has done suggests that if an organization is going to expire passwords, it should do so on a random schedule, not a fixed one.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News