[LINK] security myths

stephen at melbpc.org.au stephen at melbpc.org.au
Sat Feb 16 18:02:03 AEDT 2013


"Thirteen IT security myths debunked"

By Ellen Messmer (Network World) 15 February, 2013 23:19
<http://www.arnnet.com.au/article/453966/13_it_security_myths_debunked/>


They're security myths ... oft-repeated and generally accepted notions 
about IT security ... that simply aren't true. 

As we did a year ago, we've asked security professionals to share their 
favorite "security myths" with us. Here are thirteen of them.


Security Myth #1: "Anti-virus is protecting you against malware in an 
efficient way."

Raimund Genes, Trend Micro CTO, says businesses use anti-virus because 
otherwise, "your auditors would kill you if you didn't run A/V." But A/V 
can't reliably protect against a targeted attack because before it's 
launched, attackers have checked to make sure it won't be caught by A/V 
software.

Security Myth #2: "Governments create the most powerful cyberattacks."

John Pescatore, director of emerging security trends at SANS, says most 
government attacks are simply re-using criminal-owned attack resources. 
And the U.S. Department of Defense likes to hype the threat from nation 
states to boost its budget. The sad truth is that denial-of-service 
attacks against banking Web sites such as Citibank can be stopped but 
there hasn't been enough effort to do that. And governments going after 
other governments for espionage is nothing new, with China, the U.S., 
France, Russia and others at it for decades. 

Pescatore also has two other favorite myths that concern cloud security 
that put together are contradictions in themselves: that "cloud services 
can never be secure" because they're shared services that can change 
whenever they want to, and the second that "the cloud is more secure 
because the providers do it for a living." About these two contradictory 
myths, Pescatore points out, "Many of the providers, like Google, Amazon, 
etc. did not build their clouds to provide enterprise class services or 
protect other people's information. In fact, Google built a very powerful 
cloud expressly to collect and expose other people's information via its 
search services." 

But Pescatore also points out that e-mail-based cloud services from 
Google and Microsoft, for example, have so far shown that when customer 
data was exposed, it was very rarely the fault of the provider and could 
mostly be ascribed to phishing attacks on customers. But the enterprise 
customer is still grappling with how to appropriately change its 
processes to match the cloud service providers in terms of incident 
response.

Security Myth #3: "All our accounts are in Active Directory and under 
control."

Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says 
this misconception is common, but most organizations have set up and 
largely forgotten functional accounts used by applications and automated 
processes, often managed by encryption keys and never audited. "Many 
large organizations have more keys configured to access their production 
servers than they have user accounts in Active Directory," Ylonen points 
out. "And these keys are never changed, never audited and not controlled. 
The whole identity and access management field generally manages interactive 
user accounts, and consistently ignores automated access by machines." 
But these keys intended for automated access can be used for attacks and 
virus spread if not properly managed.
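Ylonen's point about unaudited automated-access keys, as an added example that is not from the article: a small audit that parses authorized_keys entries (options, key type, key, comment) from a constructed sample for a few hosts, flags keys with no `from=` or `command=` restriction or an obsolete DSA type, and counts how many hosts share the same key. The host names, key blobs and flagging rules are constructed assumptions, not a standard.

```python
import re
from collections import Counter

# Constructed sample: contents of ~/.ssh/authorized_keys on a few production hosts.
CI_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIFAKEci"  # constructed, not a real key
SAMPLE = {
    "db01": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKErsa backup@batch\n"
        f'from="10.0.5.7",command="/usr/local/bin/rsync-only" ssh-ed25519 {CI_BLOB} deploy@ci\n'
        "ssh-dss AAAAB3NzaC1kc3MAAACBFAKEdsa legacy@app\n"
    ),
    "web01": f"ssh-ed25519 {CI_BLOB} deploy@ci\n",
}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def parse_line(line):
    """Split one authorized_keys line into (options, keytype, blob, comment);
    None for blank/comment lines. Options precede the key type and may hold
    quoted strings containing spaces or commas."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = ""
    if not any(line.startswith(t + " ") for t in KEY_TYPES):
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)$', line)
        if not m:
            return None
        opts, line = m.group(1), m.group(2)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None  # not something sshd would accept; skip it
    return opts, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def audit(hosts):
    """Return (findings, key_host_count); findings are (host, comment, reason)."""
    findings, key_hosts = [], Counter()
    for host, text in hosts.items():
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            opts, keytype, blob, comment = rec
            key_hosts[blob] += 1  # same key on many hosts = wide blast radius
            if keytype == "ssh-dss":
                findings.append((host, comment, "obsolete DSA key"))
            if "from=" not in opts:
                findings.append((host, comment, "no source restriction"))
            if "command=" not in opts:
                findings.append((host, comment, "unrestricted shell"))
    return findings, key_hosts
```

Run `audit(SAMPLE)` to see that the same CI key is restricted on db01 but unrestricted on web01, which is the kind of inconsistency an Active Directory audit never sees.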

Security Myth #4: "Risk management techniques are needed for IT security."

Richard Stiennon, chief research analyst at IT-Harvest, says although 
risk management "has become the accepted managerial technique," in 
reality "it focuses on an impossible task: identifying IT assets and 
ranking their value." No matter how this is attempted, it "will not 
reflect the value that attackers place on intellectual property." 
Stiennon argues "the only practice that will actually improve an 
enterprise's ability to counter targeted attacks is threat management 
which entails deep understanding of adversaries and their targets and 
methodologies."

Security Myth #5: "There are 'best practices' for application security."

Jeremiah Grossman, CTO at WhiteHat Security, says security professionals 
commonly advocate for "best practices" thought to be "universally 
effective" and worthy of investment since they're "essential for 
everyone." These include software training, security testing, threat 
modeling, web application firewalls, and a "hundred other activities." 
But he thinks this typically overlooks the uniqueness of each operational 
environment.

Security Myth #6: "Zero-day exploits are a factor of life and impossible 
to predict or effectively respond to."

Zero-day exploits are those targeting network vulnerabilities not yet 
generally known. But H.D. Moore, CSO at Rapid7 and creator of the 
Metasploit penetration-testing tool, thinks to the contrary, 
that "security professionals can actually do a good job of predicting and 
avoiding problematic software." "If the organization depends on any 
software that is 'impossible' to function without, there should be a plan 
in place for what to do if that software becomes a security risk. 
Selective enablement and limiting the privileges that the software 
receives are both good strategies." He also says another favorite 
security myth is that "You can tell how secure a product or service is 
based on the number of publicly disclosed vulnerabilities." He says a 
good example is the notion that "WordPress is terrible, look at how many 
vulnerabilities have been found so far!" But he says "the deep history of 
software flaws can be the natural result of a piece of software becoming 
popular." Moore concludes, "By contrast, there are dozens of products 
with no published flaws that are often much less secure than a better-
known and more widely audited application. In short, the number of 
security flaws published for a piece of software is a terrible metric for 
how secure the latest version of that software is."

Security Myth #7: "The U.S. electric grid is well-protected under the 
North American Electric Reliability Corp.'s "Critical Infrastructure 
Protection" (CIP) requirements."

Joe Weiss, managing partner at Applied Control Solutions, argues that's a 
myth because CIP, drawn up by the industry itself, applies only to bulk 
distribution of power, not the entire distribution system, and also 
specifies only a certain size of power generation. "80% of the generation 
in the U.S. doesn't have to be looked at under CIP."

Security Myth #8: "I am compliant, therefore I am secure."

Bob Russo, general manager at the PCI Security Standards Council, says 
it's a common notion that businesses think once they get compliant with 
the data-security rules for payment cards, they're "secure once and for 
all." But checking the box for compliance only represents a "snapshot in 
time" while security is a continual process related to people, technology 
and processes.

Security Myth #9: "Security is the chief information security officer's 
problem."

Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the 
CISO is going to get the blame for a data breach, mainly because their 
job has them setting a policy or technical course. But many others in the 
organization, especially the IT operations people, also "own security" 
and they need to shoulder more responsibility for it.

Security Myth #10: "You're safer on your mobile device than on the 
computer."

Dr. Hugh Thompson, RSA Conference Program Committee Chair, contends that 
while this "frequent assumption" has some merit, it underestimates how 
some traditional safeguards for computers, such as masked passwords and 
URL previewing, don't apply to mobile devices today. "So while mobile 
devices still offer more security safeguards than laptops or desktops, 
several traditional security practices that are broken can leave you just 
as vulnerable."

Security Myth #11: "You can be 100% secure but you need to give up 
personal freedoms."

Stuart McClure, CEO and president of start-up Cylance, says don't buy the 
argument that to combat the bad guys online, we have to "submit all our 
traffic to the government to do it." Better to get to know the bad guys 
really well and "predict their moves, their tools," and "get into their 
skin."

Security Myth #12: "Point-in-time security is all you need to stop 
malware."

Martin Roesch, founder of Sourcefire and inventor of the Snort intrusion-
detection system, says security defense too often is limited to catching 
or not catching any type of attack, and if it's missed, that 
defense "practically ceases to be a factor in the unfolding follow-on 
activities of an attacker." A newer model of security operates 
continuously to update information even if the initial attack on the 
network is missed in order to understand the scope of the attack and 
contain it.

Security Myth #13: "With the right protection, attackers can be kept out."

Scott Charney, Microsoft corporate vice president Trustworthy Computing, 
says, "We often associate security with keeping people out; locks on our 
doors, firewalls on our computers. But the reality is that even with 
sophisticated security strategies and excellent operations, a persistent 
and determined attacker will eventually find a way to break in. 
Acknowledging that with reality, we should think differently about 
security." For the entire security community, that means a "protect, 
contain and recover" approach to combat threats today and in the future.


Ellen Messmer is senior editor at Network World, an IDG publication and 
website, where she covers news and technology trends related to 
information security. Twitter: MessmerE. E-mail: emessmer at nww.com.
--

Cheers,
Stephen
