As columnist Wayne Rash points out, conventional wisdom about security can be a useful guide, or a trap.
5. Spam may be annoying, but it’s not a security threat. This depends on the spam, and on what you consider a security threat. Some spam carries a payload of worms, viruses or other malware, or phishing content. In addition, some comes with content that can get you sued if you don’t attempt to stop it, such as graphical ads for porn sites. And even if none of that happens, it can bog down your network, fill up your servers and suck up your bandwidth.
6. My wireless network is secure as long as encryption is turned on. Encryption, even the outmoded WEP encryption that comes with 802.11b, is certainly better than nothing. But unless you’ve changed to the much more secure WPA encryption, turned off SSID broadcasts from your access points, and required an authenticated logon for wireless users, you’re still vulnerable.
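To make the difference between "encryption is turned on" and the three conditions above concrete, here is an added illustration (not from the column) using a Linux access point running hostapd. The first fragment is the bare-WEP setup the column calls "better than nothing"; the second applies the column's three fixes: WPA-family encryption (shown here as WPA2, the successor to the WPA the column names), SSID broadcast suppressed, and an authenticated logon via 802.1X against a RADIUS server. The interface name, SSID, RADIUS address and shared secret are placeholders chosen for the example. One practitioner caveat: suppressing the SSID broadcast only hides the name from casual scanning; the real protection comes from the encryption and the per-user authentication.

```ini
# --- Weak: WEP only, SSID broadcast, no per-user authentication ---
interface=wlan0            # placeholder interface name
ssid=example-corp          # placeholder SSID
hw_mode=g
channel=6
auth_algs=1
wep_default_key=0
wep_key0=0123456789        # 40-bit WEP key (placeholder); trivially recoverable

# --- Corrected: WPA2 with AES, hidden SSID, 802.1X (RADIUS) logon ---
interface=wlan0            # placeholder interface name
ssid=example-corp          # placeholder SSID
hw_mode=g
channel=6
ignore_broadcast_ssid=1    # stop advertising the SSID in beacons
wpa=2                      # WPA2 (RSN) only; no WEP, no WPA1 fallback
wpa_key_mgmt=WPA-EAP       # each user authenticates individually, no shared PSK
rsn_pairwise=CCMP          # AES-CCMP; do not allow TKIP
ieee8021x=1
auth_server_addr=192.0.2.10        # RADIUS server (documentation-range placeholder)
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder-secret
```

The second fragment is the one to keep; a quick check after deploying it is that a client with the right SSID but no valid account is refused an association, which is exactly the "authenticated logon" the column asks for.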
7. Moving to biometrics will make my network more secure. Perhaps. Biometric readers are a popular new feature for corporate and high-end consumer users. The idea is that you can use your fingerprint instead of a password. After all, everyone’s fingerprints are unique, right? That part is true: the unique nature of individual fingerprints is well proven. Unfortunately, affordable biometric devices are not overly reliable, fingerprint readers on laptops and keyboards are rife with false negatives, and there’s always the problem of having a Band-Aid on your finger. This means that you’ll have to set up an alternate means of getting access to a device that uses biometrics, and that means you’re back to passwords. Of course, there are biometric readers that are quite good, but almost no company can afford those for use on every desktop and laptop computer.
8. Full-disk encryption on workstations and laptops will protect my data against unauthorized access. Probably not. Most full-disk encryption software only protects computers that happen to be turned off at the time. When they’re turned on, everything is automatically decrypted as it is read, and delivered to anyone with access to the computer. If you’re afraid of your laptop being stolen, full-disk encryption will keep the data from being read as long as it’s stolen while turned off. But it probably won’t protect at all against someone logging in to your computer remotely while it’s attached to the network.
9. I can change to Linux for everything and be more secure. It’s true that there are fewer viruses and worms aimed at Linux, but if you take a look at the SANS Institute / FBI Top 20 vulnerability list, you’ll see that the problems of Linux and Windows are about equal. And the prime cause of security problems, complacency, is the same for both operating systems. There’s no security edge there.
10. My best security investment is in training. This one happens to be true. Unless your users and administrators are properly trained, and that training is kept up to date, your other efforts are diminished if not simply wasted. After all, you’re a lot better off if people remember not to open attachments than if you have to launch an AV program because someone did open something bad that came in the mail. But for your users to know this, they must be trained.