13 myths about information-technology security: you'll hear them, but should you believe them?
Some widely held and oft-repeated notions about security are just that: assumptions, and not necessarily true. We asked security experts what they consider security "myths," and here's what they said.
Raimund Genes, CTO at Trend Micro, says businesses run anti-virus because otherwise "your auditors would kill you if you didn't run A/V," but A/V can't reliably protect against a targeted attack: before launching it, attackers have already tested the attack to make sure it won't be caught by any A/V software.
John Pescatore, director of emerging security trends at SANS, says most government attacks are simply re-using criminal-owned attack resources, and the U.S. Department of Defense likes to hype the threat from nation states to boost its budget.
Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this misconception is common, but most organizations have set up — and largely forgotten — functional accounts used by applications and automated processes, often managed by keys and never audited.
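The audit Ylonen describes as missing is straightforward to start: enumerate every account on a host, read its authorized_keys files, and single out keys that grant an unrestricted login, particularly on accounts whose shell is nologin or false, where a key is the only way anything uses the account. The script below is an added example, not code from the article or from SSH Communications Security. The account names, home directories and public-key blobs it builds under a temp directory are a constructed fixture, not real keys; the `audit_ssh_keys`, `make_fixture` and `count_*` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): inventory every SSH authorized_keys
# entry on a host, account by account, and flag keys that grant unrestricted
# logins, especially on "functional" accounts that have no interactive shell.
# Takes a passwd-format file so it can also run against a constructed fixture.

# Print one tab-separated line per key:  account  shell  verdict  keytype  comment
# verdict is "restricted" when the key carries a command= or from= option,
# "UNRESTRICTED" otherwise, with "(service-account)" appended when the account's
# shell is nologin/false.
audit_ssh_keys() {
    passwd_file=$1
    while IFS=: read -r name passwd_hash uid gid gecos home shell; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            [ -r "$f" ] || continue
            # drop comment and blank lines, then parse each remaining key line
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" |
            while IFS= read -r line; do
                # key type is the token immediately followed by the base64 blob
                ktype=$(printf '%s\n' "$line" |
                    grep -oE '(ssh-[a-z0-9-]+|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+) [A-Za-z0-9+/=]+' |
                    head -n 1 | cut -d' ' -f1)
                if [ -z "$ktype" ]; then
                    printf '%s\t%s\tUNPARSED\t-\t%s\n' "$name" "$shell" "$line"
                    continue
                fi
                opts=${line%%"$ktype" *}    # option list before the key type, if any
                rest=${line#*"$ktype" }      # base64 blob followed by optional comment
                blob=${rest%% *}
                comment=""
                [ "$rest" != "$blob" ] && comment=${rest#* }
                verdict=UNRESTRICTED
                case "$opts" in *command=*|*from=*) verdict=restricted ;; esac
                case "$shell" in
                    */nologin|*/false)
                        [ "$verdict" = UNRESTRICTED ] && verdict="UNRESTRICTED(service-account)" ;;
                esac
                printf '%s\t%s\t%s\t%s\t%s\n' "$name" "$shell" "$verdict" "$ktype" "$comment"
            done
        done
    done < "$passwd_file"
}

count_unrestricted_keys() {
    audit_ssh_keys "$1" | awk -F'\t' '$3 ~ /^UNRESTRICTED/' | wc -l | tr -d ' '
}

count_service_account_unrestricted() {
    audit_ssh_keys "$1" | awk -F'\t' '$3 == "UNRESTRICTED(service-account)"' | wc -l | tr -d ' '
}

# Constructed fixture: a fake passwd file and home directories under a temp dir.
# The key blobs are placeholders, not real public keys.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/deploy/.ssh" "$d/home/nobody"
    printf 'alice:x:1000:1000::%s/home/alice:/bin/bash\n' "$d" > "$d/passwd"
    printf 'deploy:x:1001:1001:App deploy:%s/home/deploy:/usr/sbin/nologin\n' "$d" >> "$d/passwd"
    printf 'nobody:x:65534:65534::%s/home/nobody:/usr/sbin/nologin\n' "$d" >> "$d/passwd"
    cat > "$d/home/alice/.ssh/authorized_keys" <<'EOF'
# alice's laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAliceKey alice@laptop
EOF
    cat > "$d/home/deploy/.ssh/authorized_keys" <<'EOF'
command="/usr/local/bin/run-backup.sh",from="10.0.0.5",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBackupKey backup@jobhost

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleLegacyKey former-admin@oldlaptop
EOF
    echo "$d"
}

# Stand-alone usage: `sh audit_ssh_keys.sh /etc/passwd` audits the real host
# (run as root so every ~/.ssh is readable); with no argument it runs on the fixture.
if [ "$#" -eq 0 ]; then
    fixture=$(make_fixture)
    audit_ssh_keys "$fixture/passwd"
    rm -rf "$fixture"
else
    audit_ssh_keys "$1"
fi
```

On the fixture the legacy `ssh-rsa` key on the `deploy` account is the finding: a former administrator's key, with no forced command or source restriction, on an account nobody logs into interactively. Two caveats for a real host: sshd may read keys from a non-default `AuthorizedKeysFile` or from an `AuthorizedKeysCommand`, which this script does not consult, and a key that is restricted by options can still be a forgotten key; the inventory is the starting point, and the follow-up is matching each key to an owner and a reason to exist.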
Richard Stiennon, chief research analyst at IT-Harvest, says although risk management "has become the accepted managerial technique, in reality it focuses on an impossible task: identifying IT assets and ranking their value." No matter how this is attempted, it "will not reflect the value that attackers place on intellectual property."
Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for 'best practices' thought to be "universally effective" and worthy of investment since they’re "essential for everyone." These include software security training, security testing, threat modeling, web application firewalls, and "a hundred other activities." But this typically overlooks the uniqueness in each operational environment.
H.D. Moore, chief security officer at Rapid7, thinks, to the contrary, that security professionals can actually do a good job of predicting and avoiding problematic software. "If the organization depends on any software that is 'impossible' to function without, there should be a plan in place for what to do if that software becomes a security risk. Selective enablement and limiting the privileges that the software receives are both good strategies."
Joe Weiss, managing partner at Applied Control Solutions, argues that's a myth because CIP, drawn up by the industry itself, applies only to the bulk power system, not the entire distribution system, and also covers only generation above a certain size. "80% of the generation in the U.S. doesn't have to be looked at under CIP."
Bob Russo, general manager at the PCI Security Standards Council, says it’s a common notion that businesses think once they get compliant with the data-security rules for payment cards, they’re "secure once and for all." But checking the box for compliance only represents a "snapshot in time" while security is a continual process related to people, technology and processes.
Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the CISO is going to get the blame for a data breach, mainly because their job has them setting a policy or technical course. But many others in the organization, especially the IT operations people, also "own security" and they need to shoulder more responsibility for it.
Dr. Hugh Thompson, RSA Conference Program Committee Chair, contends that while this "frequent assumption" has some merit, it underestimates how some traditional safeguards for computers, such as masked passwords and URL previewing, don’t apply to mobile devices today. "So while mobile devices still offer more security safeguards than laptops or desktops, several traditional security practices that are broken can leave you just as vulnerable."
Stuart McClure, CEO and president of start-up Cylance, says don’t buy the argument that to combat the bad guys online, we have to "submit all our traffic to the government to do it." Better to get to know the bad guys really well and "predict their moves, their tools" and "get into their skin."
Martin Roesch, founder of Sourcefire, says security defense too often is limited to catching or not catching any type of attack, and if it's missed, that defense "practically ceases to be a factor in the unfolding follow-on activities of an attacker." A newer model of security operates continuously to update information even if the initial attack on the network is missed in order to understand the scope of the attack and contain it.
Scott Charney, Microsoft corporate vice president Trustworthy Computing, says, "We often associate security with keeping people out; locks on our doors, firewalls on our computers. But the reality is that even with sophisticated security strategies and excellent operations, a persistent and determined attacker will eventually find a way to break in. Acknowledging that reality, we should think differently about security." For the entire security community, that means a "protect, contain and recover" approach to combat threats today and in the future.