13 IT security myths

Security experts hammer on security ideas they say are just myths

Some generally assumed and oft-repeated notions about security may not necessarily be true, so we asked security experts to tell us their favourite "security myths" and what they think of them.

1. More security is always better

Bruce Schneier, security expert and author of 'Liars and Outliers': "More security isn't necessarily better. First, security is always a trade-off, and sometimes security costs more than it's worth. For example, it's not worth spending £100,000 to protect a donut."

2. The DDoS problem is bandwidth-oriented

Carl Herberger, vice president of security solutions at Radware: It's an "urban myth" that distributed denial of service attacks would just "go away with more bandwidth." Over half of DDoS attacks are not characterised by bandwidth at all but are application-oriented. Only a quarter of DDoS attacks are mitigated by adding bandwidth.

3. Regular expiration strengthens passwords

Ari Juels, chief scientist, RSA: "In fact, recent research suggests that regular password expiration may not be useful," and that if an organisation is going to expire passwords, "it should do so on a random schedule, not a fixed one."

4. You can rely on the wisdom of the crowds

Bill Bolt, vice president of information technology for the Phoenix Suns basketball team: "Employees claim lots of people they know are telling them about a new virus or other imminent threat, but upon investigation, these notions don't pan out."

5. Client-side virtualisation will solve BYOD security problems

John Pescatore, Gartner analyst: The idea of the 'work' virtual machine and the 'personal' virtual machine for BYOD is going to be "a big waste of money". The NSA tried this years ago with VMware for intelligence use with VMs for Secret, Top Secret and so on, and it wasn't practical then and it's not practical now.

6. IT should encourage staff to use new and random passwords every 30 days

Kevin Haley, director of Symantec Security Response: This has disadvantages because completely random passwords are usually difficult to remember. A better alternative is often to create strong passwords formulated as an easy-to-remember phrase.

7. Any computer virus will produce a visible symptom on the screen

David Perry, president of G Data Software North America: The typical man in the street believes a virus will be visible in the computer, showing files melting away and the like. And the lack of visible trouble means that a system is obviously malware-free.

8. We are not a target

Alan Brill, senior managing director for the cyber security and information assurance practice at Kroll: "Mostly I hear it from victims and they are usually wrong."

9. Software today isn't any better in terms of security holes

Gary McGraw, chief technology officer at Cigital: We have gotten way better and the density ratio is going down because of safe-coding practices in comparison to decades past. It's just that there is so much more software code being written.

10. Sensitive information transfer via SSL is secure

Rainer Enders, CTO, Americas, NCP engineering: There are a lot of doubts about SSL session security based on both real-world incidents and research. The best assurance would be to never use the same key stream to encrypt two different documents.
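As an added illustration of the point in the quote above (example code, not from the article or from NCP engineering): with any stream cipher, two messages encrypted under the same keystream can be XORed together to cancel the keystream, so a known first message reveals the second; a fresh nonce per message prevents this, and a guard that refuses a repeated (key, nonce) pair catches the mistake before any ciphertext leaves the system. The SHA-256 counter-mode keystream, the key and the invoice strings are constructed for this example.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: SHA-256 in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # A stream cipher XORs plaintext with the keystream; (key, nonce) selects the stream.
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

class NonceGuard:
    """Defensive check: refuse to encrypt twice under the same (key, nonce) pair."""
    def __init__(self):
        self.seen = set()

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        if (key, nonce) in self.seen:
            raise ValueError("keystream reuse: nonce already used with this key")
        self.seen.add((key, nonce))
        return encrypt(key, nonce, plaintext)

# Constructed sample data (same length so the XOR lines up byte for byte).
KEY = b"constructed-sample-key-32-bytes!"
P1 = b"Invoice total: 12,500 GBP"
P2 = b"Invoice total: 99,999 GBP"

def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # c1 XOR c2 cancels a shared keystream, leaving p1 XOR p2; knowing p1 yields p2.
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def demo_reused_keystream() -> bytes:
    nonce = bytes(12)                      # the mistake: same key and nonce used twice
    c1, c2 = encrypt(KEY, nonce, P1), encrypt(KEY, nonce, P2)
    return recover_other_plaintext(c1, c2, P1)   # equals P2: confidentiality is lost

def demo_fresh_keystream() -> bytes:
    c1 = encrypt(KEY, bytes(12), P1)
    c2 = encrypt(KEY, b"\x01" + bytes(11), P2)   # distinct nonce, distinct keystream
    return recover_other_plaintext(c1, c2, P1)   # not P2: the XOR reveals nothing useful
```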

11. Endpoint security software is a commodity product

Jon Oltsik, analyst at Enterprise Strategy Group: The majority of enterprise security professionals apparently agree with this statement about endpoint security products, but it's not true. Products are vastly different in level of protection and feature/functionality, and most organisations aren't even aware of what they have.

12. Of course we are protected because we have a network firewall

Kevin Butler, information technology security analyst at the University of Arkansas for Medical Sciences: The myth that a properly configured firewall will protect you from all threats overlooks the fact that nothing says hello like malicious content encapsulated over an SSL connection infecting your workstations.

13. You should not upload malware samples from a targeted attack to reputable malware vendors and services

Joe Stewart, director of malware analysis for Dell SecureWorks: This is flawed advice that security managers follow thinking attackers are watching for evidence they've been found out, or worrying the malware will reveal their organisation was attacked. Stewart says this isn't frequently the case and there's a great benefit to the community in sharing malware samples.
