13 security myths

Security experts hammer on security ideas they say are just “myths”

Some generally assumed and oft-repeated notions about security may not be true, so we asked security experts to name their favorite “security myths” and explain what they think of them.

Security Myth #1: “More security is always better”

Bruce Schneier, security expert and author of “Liars and Outliers”: “More security isn’t necessarily better. First, security is always a trade-off, and sometimes security costs more than it’s worth. For example, it’s not worth spending $100,000 to protect a donut.”

Security Myth #2: “The DDoS problem is bandwidth-oriented”

Carl Herberger, vice president of security solutions at Radware: It’s an “urban myth” that distributed denial of service attacks would just “go away with more bandwidth.” Over half of DDoS attacks are not characterized by bandwidth at all but are application-oriented. Only a quarter of DDoS attacks are mitigated by adding bandwidth.

Security Myth #3: “Regular expiration (typically every 90 days) strengthens password systems”

Ari Juels, chief scientist, RSA: “In fact, recent research suggests that regular password expiration may not be useful,” and that if an organization is going to expire passwords, “it should do so on a random schedule, not a fixed one.”

Security Myth #4: “You can rely on the wisdom of the crowds”

Bill Bolt, vice president of information technology for the Phoenix Suns basketball team: Employees claim lots of people they know are telling them about a new virus or other imminent threat, but upon investigation, these notions don’t pan out.

Security Myth #6: “IT should encourage users to use completely random passwords to increase password strength and they should require passwords to be changed at least every 30 days.”

Kevin Haley, director, Symantec Security Response: This has “disadvantages” because completely random passwords are “usually difficult to remember,” and a better alternative is often to create strong passwords formulated as an easy-to-remember phrase.

Security Myth #7: “Any computer virus will produce a visible symptom on the screen”

David Perry, president of G Data Software North America: The typical “man in the street” believes a virus will be visible in the computer, showing “files melting away” and the like. “And the lack of visible trouble means that a system is obviously malware-free.”

Security Myth #8: “WE ARE NOT A TARGET”

Alan Brill, senior managing director for the cyber security and information assurance practice at Kroll: “Mostly I hear it from victims” and “they are usually wrong.”

Security Myth #10: “Sensitive information transfer via SSL session is secure”

Rainer Enders, CTO, Americas, NCP engineering: There are a lot of doubts about SSL session security based on both real-world incidents and research. The best assurance would be “never use the same key stream to encrypt two different documents.”
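To make the keystream-reuse point concrete, here is an added illustration that is not part of the original article and not NCP engineering’s code. It uses a hypothetical toy stream cipher (a SHA-256 counter-mode keystream, constructed for this example only; production systems should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305) and shows why two documents must never share a keystream: XOR-ing the two ciphertexts cancels the keystream and leaves the XOR of the plaintexts, so anyone who learns one document learns the other. With a fresh nonce per document the keystreams differ and that relation disappears.

```python
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.

    Constructed for illustration only; it is not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; inputs are assumed to have equal length."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream (decryption is the same op)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def ciphertext_xor_reused_keystream(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Both documents encrypted under the same key AND the same (fixed) nonce,
    i.e. the same keystream. The result equals p1 XOR p2: the keystream cancels,
    so whoever knows one plaintext can recover the other without the key."""
    fixed_nonce = b"\x00" * 12          # the mistake: nonce never changes
    return xor(encrypt(key, fixed_nonce, p1), encrypt(key, fixed_nonce, p2))


def ciphertext_xor_fresh_nonces(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Same key, but a fresh random nonce per document gives distinct keystreams,
    so the XOR of the ciphertexts no longer reveals anything about p1 XOR p2."""
    return xor(encrypt(key, secrets.token_bytes(12), p1),
               encrypt(key, secrets.token_bytes(12), p2))


# Constructed sample data (not real keys or documents).
KEY = b"constructed-demo-key-0123456789ab"
DOC1 = b"Invoice total: 4200 EUR"
DOC2 = b"Invoice total: 9999 EUR"

if __name__ == "__main__":
    leak = ciphertext_xor_reused_keystream(KEY, DOC1, DOC2)
    print("reused keystream leaks p1^p2:", leak == xor(DOC1, DOC2))
    print("recovered DOC2 from DOC1 + leak:", xor(leak, DOC1) == DOC2)
```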

Security Myth #11: “Endpoint security software is a commodity product”

Jon Oltsik, analyst at Enterprise Strategy Group: The majority of enterprise security professionals apparently agree with this statement about endpoint security products, but it’s not true because products “are vastly different in terms of level of protection and feature/functionality” and most organizations aren’t even aware of what they have.

Security Myth #12: “Sure, we have a firewall on our network, of course we’re protected!”

Kevin Butler, information technology security analyst at the University of Arkansas for Medical Sciences: The myth that “a properly configured firewall will protect you from all threats” overlooks the fact that “nothing says hello like malicious content encapsulated over an SSL connection infecting your workstations.”