13 IT security myths debunked


They’re security myths, oft-repeated and generally accepted notions about IT security that simply aren’t true. As we did a year ago, we’ve asked security professionals to share their favorite “security myths” with us. Here are 13 of them.

Security Myth #1: “Anti-virus is protecting us against malware in an effective way.”

Raimund Genes, Trend Micro CTO, says businesses use anti-virus because otherwise, “your auditors would kill you if you didn’t run A/V.” But A/V can’t reliably protect against a targeted attack because, before it’s launched, attackers have checked to make sure it won’t be caught by A/V software.


Security Myth #2: “Governments create the most powerful cyberattacks.”

John Pescatore, director of emerging security trends at SANS, says many government attacks are simply re-using criminal-owned attack resources. And the U.S. Department of Defense likes to hype the threat from nation states to boost its budget. The sad truth is that denial-of-service attacks against banking Web sites such as Citibank could be stopped, but there hasn’t been enough effort to do that. And governments going after other governments for espionage is nothing new, with China, the U.S., France, Russia and others at it for decades.

Pescatore also has two other favorite myths concerning cloud security that, put together, are contradictions in themselves: that “cloud services can never be secure” because they’re shared services that can change whenever they want to, and the second that “the cloud is more secure because the providers do it for a living.” About these two contradictory myths, Pescatore points out, “Many of the providers, like Google, Amazon, etc. did not build their clouds to provide enterprise class services or protect other people’s information. In fact, Google built a really powerful cloud specifically to collect and expose other people’s information through its search services.”

But Pescatore also points out that e-mail-based cloud services from Google and Microsoft, for example, have so far shown that when customer information was exposed, it was very rarely the fault of the provider and could mostly be attributed to phishing attacks on customers. But the enterprise customer is still grappling with how to appropriately change its processes to match the cloud service providers in terms of incident response.

Security Myth #3: “All our accounts are in Active Directory and under control.”

Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this myth is common, but many organizations have set up (and often forgotten) functional accounts used by applications and automated processes, often managed by encryption keys and never audited. “Many large organizations have more keys configured to access their production servers than they have user accounts in Active Directory,” Ylonen points out. “And these keys are never changed, never audited and not controlled. The whole identity and access management field generally manages interactive user accounts, and consistently ignores automated access by machines.” But these keys intended for automated access can be used for attacks and virus spreading if not properly managed.
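A defender-side check for the automated-access keys Ylonen describes, written as an added example that is not part of the original article or of SSH Communications Security’s tooling: it parses authorized_keys entries collected from hosts, computes OpenSSH-style SHA256 fingerprints, and reports keys that carry no from= or command= restriction and keys authorized in more than one place. The host names, paths and key blobs in the sample inventory are constructed, not real.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")
# Optional options field (quoted values may contain spaces), then key type, base64 blob, comment.
ENTRY = re.compile(r'^(?:(?P<options>(?!ssh-|ecdsa-|sk-)(?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+)?'
                   r'(?P<type>\S+)\s+(?P<key>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')
def parse_entry(line):
    """Parse one authorized_keys line; None for blank lines, comments and non-key entries."""
    m = ENTRY.match(line.strip())
    if not m or m["type"] not in KEY_TYPES:
        return None
    return {"options": m["options"] or "", "type": m["type"], "key": m["key"]}
def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
def audit(files):
    """files maps 'host:path' to file text; returns (location, fingerprint, finding) tuples."""
    findings, seen = [], defaultdict(list)
    for location, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            entry = parse_entry(line)
            if entry is None:
                continue
            fp, where = fingerprint(entry["key"]), f"{location}:{n}"
            seen[fp].append(where)  # remember everywhere this key is trusted, across hosts
            if not re.search(r'(^|,)from="', entry["options"]):
                findings.append((where, fp, "no from= source restriction"))
            if not re.search(r'(^|,)command="', entry["options"]):
                findings.append((where, fp, "no command= restriction: key grants a full shell"))
    for fp, places in seen.items():
        if len(places) > 1:  # one key trusted in several places widens the impact of its loss
            findings.append((", ".join(places), fp, "same key authorized in multiple places"))
    return findings

def fake_ed25519_key(seed):
    """Constructed, syntactically valid ssh-ed25519 blob (not a real key) for the sample data."""
    pub = hashlib.sha256(seed.encode()).digest()  # 32 arbitrary bytes standing in for a public key
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", pub))
    return base64.b64encode(blob).decode()

KEY_A, KEY_B = fake_ed25519_key("deploy-bot"), fake_ed25519_key("backup-job")
SAMPLE_FILES = {  # constructed inventory gathered from two hosts
    "web01:/home/deploy/.ssh/authorized_keys": f"ssh-ed25519 {KEY_A} deploy@ci\n",
    "db01:/root/.ssh/authorized_keys": 'from="10.0.0.5",command="/usr/bin/rsync --server",no-pty '
                                       f"ssh-ed25519 {KEY_B} backup@bastion\nssh-ed25519 {KEY_A} deploy@ci\n"}
```

Run `audit(SAMPLE_FILES)` to get the findings; the unrestricted deploy key is reported on both hosts and once more as a shared key, while the rsync-only backup key passes.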

Security Myth #4: “Risk management techniques are necessary for IT security.”

Richard Stiennon, chief research analyst at IT-Harvest, says although risk management “has become an accepted managerial technique,” in reality “it focuses on an impossible task: identifying IT assets and ranking their value.” No matter how this is attempted, it “will not reflect the value that attackers place on intellectual property.” Stiennon argues “the only practice that will actually improve an enterprise’s ability to counter targeted attacks is threat management that entails deep understanding of adversaries and their targets and methodologies.”

Security Myth #5: “There are ‘best practices’ for application security.”

Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for “best practices” thought to be “universally effective” and worthy of investment because they’re “essential for everyone.” These include software training, security testing, threat modeling, web application firewalls, and a “hundred other activities.” But he thinks this typically overlooks the uniqueness of each operational environment.

Security Myth #6: “Zero-day exploits are a fact of life and impossible to predict or effectively respond to.”

Zero-day exploits are those targeting network vulnerabilities not yet generally known. But H.D. Moore, CSO at Rapid7 and creator of the Metasploit penetration-testing tool, thinks to the contrary, that “security professionals can actually do a good job of predicting and avoiding problematic software. If an organization depends on any software that is ‘impossible’ to function without, there should be a plan in place for what to do if that software becomes a security risk. Selective enablement and limiting the privileges that the software receives are both good strategies.” He also says another favorite security myth is that “You can tell how secure a product or service is based on the number of publicly disclosed vulnerabilities.” He says a good example is the notion that “WordPress is terrible, look at how many vulnerabilities have been found so far!” But he says “the deep history of software flaws can be a natural outcome of a piece of software becoming popular.” Moore concludes, “By contrast, there are dozens of products with no published flaws that are often much less secure than a better-known and more widely audited application. In short, the number of security flaws published for a piece of software is a terrible metric for how secure the latest version of that software is.”

Security Myth #7: “The U.S. electric grid is well-protected under the North American Electric Reliability Corp.’s Critical Infrastructure Protection (CIP) requirements.”

Joe Weiss, managing partner at Applied Control Solutions, argues that’s a myth because CIP, drawn up by the industry itself, applies only to bulk distribution of power, not the whole distribution system, and also specifies only a certain size of power generation. “80% of the generation in the U.S. doesn’t have to be looked at under CIP.”

Security Myth #8: “I am compliant, therefore I am secure.”

Bob Russo, general manager at the PCI Security Standards Council, says it’s a common notion among businesses that once they get compliant with the data-security rules for payment cards, they’re “secure once and for all.” But checking the box for compliance only represents a “snapshot in time,” while security is a continual process related to people, technology and processes.

Security Myth #9: “Security is the chief information security officer’s problem.”

Phil Dunkelberger, president and CEO at start-up Nok Nok Labs, says the CISO is going to get the blame for a data breach, especially because their job has them setting the policy or technical direction. But many others in the organization, especially the IT operations people, also “own security” and they need to shoulder more responsibility for it.

Security Myth #10: “You’re safer on your mobile device than on a computer.”

Dr. Hugh Thompson, RSA Conference Program Committee Chair, contends that while this “frequent assumption” has some merit, it underestimates how some traditional safeguards for computers, such as masked passwords and URL previewing, don’t apply to mobile devices today. “So while mobile devices still offer more security safeguards than laptops or desktops, several traditional security practices that are broken can leave you just as vulnerable.”

Security Myth #11: “You can be 100% secure, but you need to give up personal freedoms.”

Stuart McClure, CEO and president of start-up Cylance, says don’t buy the argument that to fight the bad guys online, we have to “submit all our traffic to the government to do it.” Better to get to know the bad guys really well and “predict their moves, their tools,” and “get into their skin.”

Security Myth #12: “Point-in-time security is all we need to stop malware.”

Martin Roesch, founder of Sourcefire and inventor of the Snort intrusion-detection system, says security defense too often is limited to catching or not catching a given form of attack, and if it’s missed, that defense “practically ceases to be a factor in the evolving follow-on activities of an attacker.” A newer model of security operates continuously to update information even if the initial attack on the network is missed, in order to understand the scope of the attack and contain it.

Security Myth #13: “With the right protection, attackers can be kept out.”

Scott Charney, Microsoft corporate vice president, Trustworthy Computing, says, “We often associate security with keeping people out; locks on the doors, firewalls on the computers. But the reality is that even with sophisticated security strategies and excellent operations, a determined and persistent attacker will eventually find a way to break in. Acknowledging that reality, we should think differently about security.” For the whole security community, that means a “protect, contain and recover” approach to fight threats today and in the future.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.


Article source: http://computerworld.co.nz/news.nsf/security/13-it-security-myths-debunked
