13 security myths you'll hear - but should you believe?

Security experts, consultants, vendors and enterprise security managers share their favorite "security myths"

They're "security myths": oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in other words, just myths.

We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:

Security Myth No. 1: "More security is always better."

Bruce Schneier, security expert and author of several books, including his most recent, "Liars and Outliers," explains why the often-repeated notion that "you can't get enough" security misses the mark. Schneier explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut." He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime -- say, shoplifting -- by 25% cost some amount of money; but additional measures to reduce it another 25% cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable." Sometimes security may even become a moral choice, and being in compliance might be an immoral decision -- under a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."

Security Myth No. 2: "The DDoS problem is bandwidth-oriented."

"There are a lot of urban myths you hear over time that aren't backed up by real evidence," says Carl Herberger, vice president of security solutions at Radware, who says there's a widespread belief among IT managers that if only they had enough bandwidth, distributed denial-of-service (DDoS) attacks would go away. The reality, he claims, is that since last year, it's become evident that more than half of DDoS attacks are not characterized by bandwidth at all but are application-oriented, where attackers strike at the application stack, and exploit standards for purposes of service disruption. In these circumstances, having more bandwidth actually helps the attacker. In fact, only about one-quarter of the DDoS attacks seen today are mitigated by adding bandwidth, Herberger contends.

Security Myth No. 3: "Regular expiration (typically every 90 days) strengthens password systems."

"I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says Ari Juels, chief scientist, RSA, the security division of EMC, about his favorite myth, which is that passwords should be expired regularly. No one knows where this came from or if it's good advice at all, he points out. "In fact, recent research suggests that regular password expiration may not be useful," says Juels. Research that RSA Labs has done suggests that if an organization is going to expire passwords, it should do so on a random schedule, not a fixed one.

Security Myth No. 4: "You can rely on the wisdom of the crowds."

"Over and over again, an employee will get an email from someone saying there's a new virus" or some other type of imminent danger on the Internet has cropped up and they'll contact the IT department, says Bill Bolt, vice president of information technology for the Phoenix Suns basketball team. But upon investigation, these commonly shared notions never seem to pan out as being new at all, he says. In fact, most of the time, the panic is about well-known malware threats first spotted a decade ago.

Security Myth No. 5: "Client-side virtualization will solve the security problems of 'bring your own device.'"

"The myth I keep hearing is BYOD security problems will be solved by having a 'work' virtual machine and a 'personal' virtual machine," says Gartner analyst John Pescatore. "That way, all the risk on the personal side will be contained and no data will be leaked from the work side to the play side." But Pescatore says he's skeptical. "The intelligence community tried this years ago -- NSA paid a tiny (at that time) company named VMware to develop a product called NetTop for intelligence analyst use which created separate VMs for Secret, Top Secret, Unclassified, etc. it immediately ran into a problem -- analysts don't work in Secret now, Top Secret later -- they work across all domains at once and need to move things between domains. The same is true today with 'work' and 'play.' The first thing that happens with client-side virtualization is that I get personal email in my work environment and I need to use it in my personal world (or vice versa) -- so I email it to myself or use a USB stick to transfer across -- and all separation is lost. Virtualization is just a big waste of money. NetTop is still around, very limited use in the intelligence community and that was the most likely place it could succeed!"

Security Myth No. 6: "IT should encourage users to use completely random passwords to increase password strength and they should also require passwords to be changed at least every 30 days."

The reality, contends Kevin Haley, director of Symantec security response, is "completely random passwords can be strong but they have disadvantages, too: they are usually difficult to remember and slow to type. In reality, it is pretty easy to create passwords that are just as strong as random ones, but much easier to remember by using a few simple techniques. Passwords that are at least 14 characters long, utilize upper- and lower-case letters, two numbers and two symbols are typically quite strong and can be formulated into a pretty easy to remember phrase." He adds that while 30-day expiration might be good advice for some high-risk environments, it often is not the best policy because such a short period of time tends to induce users to develop predictable patterns or otherwise decrease the effectiveness of their passwords. A length of between 90 to 120 days is "more realistic," he says.
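The composition rule and the expiration window Haley describes, written out as a checkable policy. This is an added example, not code from the article or from Symantec; the thresholds are the ones quoted above, and the symbol definition (printable, non-alphanumeric, non-space) is an assumption.

```python
from typing import List

# Composition rule quoted in Myth No. 6: at least 14 characters, both
# upper- and lower-case letters, at least two digits and two symbols.
MIN_LENGTH = 14
MIN_DIGITS = 2
MIN_SYMBOLS = 2

# Expiration window Haley calls "more realistic": 90 to 120 days.
MIN_EXPIRY_DAYS = 90
MAX_EXPIRY_DAYS = 120


def check_composition(password: str) -> List[str]:
    """Return the Myth No. 6 criteria the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        failures.append(f"fewer than {MIN_DIGITS} digits")
    # Assumed definition of "symbol": printable, not alphanumeric, not whitespace.
    symbols = sum(1 for c in password
                  if c.isprintable() and not c.isalnum() and not c.isspace())
    if symbols < MIN_SYMBOLS:
        failures.append(f"fewer than {MIN_SYMBOLS} symbols")
    return failures


def check_expiry_policy(days: int) -> str:
    """Classify a rotation interval against the 30-day myth and the 90-120 day range."""
    if days <= 30:
        return "too short: invites predictable patterns"
    if MIN_EXPIRY_DAYS <= days <= MAX_EXPIRY_DAYS:
        return "within the 90-120 day range"
    return "outside the suggested range"


if __name__ == "__main__":
    # Constructed samples: a memorable phrase that meets the rule, and one that does not.
    for sample in ("Correct-Horse!42", "Abcdefghijklmn1!", "password"):
        print(sample, check_composition(sample) or "passes")
    for interval in (30, 90, 180):
        print(interval, "days:", check_expiry_policy(interval))
```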

Security Myth No. 7: "Any computer virus will produce a visible symptom on the screen."

"To the man in the street, computer viruses are mostly a myth. That is to say, most of what he believes about malware comes to him from science fiction, from television and the movies," says David Perry, president of G Data Software North America. "My favorite is probably the idea that any computer virus will produce a visible symptom on the screen, showing the files melting away or making the computer itself catch on fire. This extrapolates down until people blame everything that goes wrong with their computer on a virus." He adds: "And that lack of visible trouble means that a system is obviously malware free."

Security Myth No. 8: "We are not a target."

"Mostly I hear it from victims," says Alan Brill, senior managing director for the cybersecurity and information assurance practice at Kroll. "They think they aren't worth hacking. Some say it's not worthwhile because they're a small business -- not on anybody's radar. Others contend they don't collect Social Security numbers, credit card data or other 'valuable' information. They are usually wrong."

Security Myth No. 9: "Software today isn't any better than it used to be in terms of security holes."

"There are a whole bunch of people actively claiming software isn't any better because of the holes in it," says Gary McGraw, chief technology officer at Cigital. But, he argues, "We have gotten way better" and "the defect density ratio is going down." He says safe coding practices are much better understood today than a decade or two ago and the tools for it are available. "We know what to do," says McGraw. The point that's sometimes overlooked, he says, is that in comparison to the era of Windows 95, there is simply so much more software code being written and "the square miles of code we're building is bigger than ever before." The sheer volume of code is why it sounds like software today is as full of vulnerabilities as was experienced in decades past, but the opposite is true. He adds: "Perfection is impossible."

Security Myth No. 10: "Sensitive information transfer via SSL session is secure."

"Companies often use SSL to send sensitive information from customers or partners with the assumption that transferring via SSL session is secure," says Rainer Enders, chief technology officer, Americas, NCP Engineering. "But increasingly, vulnerabilities during this process have surfaced." He notes that Citigroup last year suffered a breach that can be chalked up to a problem in this regard, and it isn't an isolated case. "Swiss researchers recently published a memo describing a way to gather information about the data transmitted over an SSL channel by exploiting a vulnerability in the implementations of block ciphers, such as AES." He says there are doubts about SSL session security, and "perhaps the ideal way to avoid this pitfall is to never use the same key stream to encrypt two different documents." Enders also adds that another favorite security myth has to do with any notion that using trusted certificates from a certificate authority is airtight. He contends last year's trouble with spoofed fraudulent certificates has shown that to be a myth.

Security Myth No. 11: "Endpoint security software is a commodity product."

Jon Oltsik, analyst at Enterprise Strategy Group (ESG), says that when ESG put this statement to enterprise security professionals as a survey question, the majority agreed that endpoint security products are basically all the same and a commodity. But Oltsik says he has to disagree. "I believe this is a complete myth," he says. "Endpoint security products are vastly different in terms of levels of protection and feature/functionality." Oltsik adds that he even thinks most organizations are unaware of the capabilities of the endpoint security products they have acquired and "therefore don't use the products appropriately for maximum protection."

Security Myth No. 12: "Sure, we have a firewall on our network; of course we're protected!"

Kevin Butler, information technology security analyst at the University of Arkansas for Medical Sciences, who says he has spent a decade as a firewall administrator, says there are plenty of myths about firewalls. Acknowledging he might have believed a few of them over the years, Butler says the ones that stand out for him are that "firewalls are always a piece of hardware" and "a properly configured firewall will protect you from all threats." About this second one he notes: "Nothing quite says hello like malicious content encapsulated over an SSL connection infecting your workstations." Other firewall myths he knows of include "with a firewall, there's no need for antivirus software" and one that really gets his ire, "Brand 'X' firewall protects against even zero-day threats." About this, he says, "New exploits against firewall protections are identified faster than they are mitigated. A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!"

Security Myth No. 13: "You should not upload malware samples found as part of a targeted attack to reputable malware vendors or services."

Joe Stewart, director of malware analysis for Dell SecureWorks, says he has heard this recommendation, which he considers to be "flawed advice." He says the idea came about because, "First, the theory goes that the attacker may be watching public sandboxes and virus scanners for signs of their malware, and uploading samples found during an incident response will tip them off that they have been detected."

He notes a secondary reason sometimes suggested is that in a targeted attack, the malware may have clues as to who the target is, leading to unintentional notification of the attack. Stewart says the counter-arguments he makes are, "The first point assumes the attacker has time to check for such things regularly. That is likely not the case, as even in targeted attacks, there are often dozens of victims in a single campaign, with the same attacker launching several campaigns per year.

Attackers with even a small number of targets rarely use a unique strain of malware for each target -- instead they rotate through a set of preselected Trojans over time, tweaking them along the way to avoid antivirus detection. So even if a malware sample shows up on one of the public malware tracking sites, there's no guarantee that the attacker will check for it, and even if they do, no guarantee which target found the sample and uploaded it."

Stewart says there's a great benefit to sharing samples involved in targeted attacks. And as to malware revealing the names of targeted institutions, he acknowledges "it's possible however it is not frequently seen." He adds that state/industrial espionage has become a "fact of life on the modern Internet" and no one should be surprised to hear any company or government was the target of an attack "if they have some information useful to another nation-state."

Stewart says it's his own view that "attempting to keep reports about this activity quiet are harming everyone except the attackers in the long run."

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
