They're security myths: oft-repeated and generally accepted notions about IT security that arguably are simply not true.
We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:
More security is always better
Bruce Schneier, security expert and author of several books, including his most recent, "Liars and Outliers," explains why the often-repeated notion that 'you can't get enough' security is off the mark.
Schneier explains: "More security isn't necessarily better. First, security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut."
He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime, say shoplifting, by 25% cost some amount of money; but additional measures to reduce it another 25% cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable."
Sometimes security may even become a moral choice, and being in compliance might be the immoral decision, under a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."
The DDoS problem is bandwidth-oriented
"There are a lot of urban myths you hear over time that aren't backed up by real evidence," says Carl Herberger, vice president of security solutions at Radware, who says there's a widespread belief among IT managers that if only they had enough bandwidth, distributed denial-of-service (DDoS) attacks would go away.
The reality, he claims, is that since last year it has become evident that more than half of DDoS attacks are not characterised by bandwidth at all but are application-oriented: attackers strike at the application stack and exploit protocol standards to disrupt service. In these circumstances, having more bandwidth actually helps the attacker.
In fact, only about one quarter of the DDoS attacks seen today are mitigated by adding bandwidth, Herberger contends.
Regular expiration (typically every 90 days) strengthens password systems
"I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says Ari Juels, chief scientist, RSA, the security division of EMC, about his favourite myth, which is that passwords should be expired regularly. No one knows where this came from or if it's good advice at all, he points out.
"In fact, recent research suggests that regular password expiration may not be useful," says Juels. Research that RSA Labs has done suggests that if an organisation is going to expire passwords, it should do so on a random schedule, not a fixed one.
You can rely on the wisdom of the crowds
Over and over again, an employee will get an email from someone saying that a new virus or some other imminent danger has cropped up on the Internet, and they'll contact the IT department, says Bill Bolt, vice president of information technology for the Phoenix Suns basketball team.
But upon investigation, these commonly shared notions never seem to pan out as being new at all, he says. In fact, most of the time, the panic is about well-known malware threats first spotted a decade ago.
Client-side virtualisation will solve the security problems of 'bring your own device'
"The myth I keep hearing is BYOD security problems will be solved by having a 'work' virtual machine and a 'personal' virtual machine," says Gartner analyst John Pescatore. "That way, all the risk on the personal side will be contained and no data will be leaked from the work side to the play side."
But Pescatore says he's skeptical. "The intelligence community tried this years ago. NSA paid a tiny (at that time) company named VMware to develop a product called NetTop for intelligence analyst use, which created separate VMs for Secret, Top Secret, Unclassified, etc. It immediately ran into a problem. Analysts don't work in Secret now and Top Secret later; they work across all domains at once and need to move things between domains. The same is true today with work and play."
"The first thing that happens with client-side virtualisation is that I get personal email in my work environment and I need to use it in my personal world (or vice versa), so I email it to myself or use a USB stick to transfer it across, and all separation is lost. Virtualisation is just a big waste of money. NetTop is still around, with very limited use in the intelligence community, and that was the most likely place it could succeed!"
IT should encourage users to use completely random passwords to increase password strength and they should also require passwords to be changed at least every 30 days
The reality, contends Kevin Haley, director of Symantec security response, is that completely random passwords can be strong, but they have disadvantages, too: they are usually difficult to remember and slow to type.
In practice, it is fairly easy to create passwords that are just as strong as random ones but much easier to remember, using a few simple techniques. Passwords that are at least 14 characters long and use upper- and lower-case letters, two numbers and two symbols are typically quite strong, and they can be built from a phrase that is easy to remember.
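The composition rule above is easy to turn into a checker. The following is an added example, not code from the article or from Symantec: it encodes the stated rule (at least 14 characters, upper- and lower-case letters, two digits, two symbols), estimates the brute-force keyspace for any password that passes, and generates a compliant random password for comparison. The sample passwords and the keyspace formula are my own constructions; the formula is an upper bound, since a phrase-derived password is more guessable than its character classes alone suggest.

```python
import math
import secrets
import string
from typing import List

# The symbol class is taken to be ASCII punctuation (32 characters); this is
# an assumption, since the article does not define "symbol".
SYMBOLS = set(string.punctuation)
FULL_POOL = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def check_composition(password: str) -> List[str]:
    """Return the list of violations of the article's rule; empty means it passes."""
    problems = []
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if sum(c.isdigit() for c in password) < 2:
        problems.append("fewer than two digits")
    if sum(c in SYMBOLS for c in password) < 2:
        problems.append("fewer than two symbols")
    return problems


def naive_keyspace_bits(password: str) -> float:
    """log2 of the keyspace an attacker must search if they know only the
    length and which character classes are present. For a truly random
    password this is its real strength; for a phrase-based password it is an
    upper bound, because words and common substitutions are predictable."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def generate_random_password(length: int = 14) -> str:
    """Draw from the full 94-character pool with a CSPRNG until the result
    satisfies the composition rule (a few retries at most for length >= 14)."""
    if length < 14:
        raise ValueError("rule requires at least 14 characters")
    while True:
        candidate = "".join(secrets.choice(FULL_POOL) for _ in range(length))
        if not check_composition(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: a phrase-derived password that meets the rule and
    # a weak one that does not. Neither is a real credential.
    phrase_based = "Coffee@7am!Beats2Tea"
    weak = "password"
    random_pw = generate_random_password()
    for label, pw in (("phrase", phrase_based), ("weak", weak), ("random", random_pw)):
        problems = check_composition(pw)
        verdict = "passes" if not problems else "fails: " + ", ".join(problems)
        print(f"{label:>6}: {verdict}; naive keyspace {naive_keyspace_bits(pw):.1f} bits")
```

The random 14-character password and the 20-character phrase-based one both pass the rule; the phrase-based one scores higher on the naive estimate only because it is longer, which is exactly why that estimate should be read as a ceiling and not as guess-resistance against a dictionary-aware attacker.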
He adds that while 30-day expiration might be good advice for some high-risk environments, it often is not the best policy, because such a short period tends to induce users to develop predictable patterns or otherwise weaken their passwords. A period of 90 to 120 days is "more realistic," he says.