The Four Most Dangerous Security Myths - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Infrastructure
News
10/10/2005
10:05 AM
50%
50%

The Four Most Dangerous Security Myths

A lot of "accepted wisdom" is just flat-out wrong. If you've been told that patches always fix a security hole, or that SSL is all you need to be safe, read on.

Network security is all about nightmares. As organizations have become increasingly dependent on their networks and the Internet to provide that essential link of data, capital and business intelligence, they have also opened themselves up to potential risk – potentially immense risks.

The litany of companies that have been burned by hackers, worms, viruses and simple human error has made organizations wary of the perils of the networked economy. There's so much out there in the digital ether that can jump up and bite you. On the other hand, says Justin Peltier, a senior security consultant with Peltier Associates and leader of Web hacking seminars for the Computer Security Institute, there are also a lot of myths out there.

"Network security has a particularly affinity for myths," he says. "It's hard to change an opinion once it's made, and a lot of IT and security professionals have based their opinions on received wisdom. They've heard about security risks, but they haven't tried it for themselves. Some of these opinions might have been based on reality but are no longer valid, and some is just based on what we've been told."

What they've been told is often only partly true, if at all, he says. It's often based on misconceptions and preconceptions. These myths can lull organizations into a false sense of security or distract them from the real business at hand. Either way, they are legion, though Peltier says that any organization serious about security can address the handful the biggest and most egregious myths through a combination of experience and common sense.

"If you look at most other disciplines, you see facts and statistics to back things up," he says. "That's not always true about security. It's not enough to just hear about something, you have to check it out for yourself."

To help you separate truth from fiction, here are four of the most dangerous security myths.

1. Patches always fix the security hole: Peltier is particularly troubled by the complacency he sees surrounding patching. "An awful lot of people think that, once you've applied a security patch, you'll be okay," he says. "That just isn't true. Sometimes it works, sometimes it moves the vulnerability somewhere else, and sometimes it creates a new hole."

Above all, patches only address published exploits and just because the hole hasn't been published doesn’t mean it isn't there. The problem is that networking is based on technologies developed in an earlier, more innocent time, and many of the biggest vulnerabilities are inherent flaws in the architecture of TCP/IP. Network miscreants are probing networks right now, looking for weaknesses, and there is "almost inevitably" a lag between what they know and what vendors and security professionals know.

"You need to find the holes before the bad guys do," he says. "Most people think defensively, but you have to think offensively. It's jujitsu."

The bottom line is that the only thing that will improve the situation is a new architecture -- specifically IPv6. Peltier expects that wholesale migration to the new version of TCP/IP will be motivated by an inevitable wave of distributed denial of service attacks, "and that's a good thing. Organizations have to start to plan for migration now."

2. SSL is secure: Secure sockets layer (SSL) encryption has become so ubiquitous that the last thing anyone wants to hear is that it's fundamentally insecure, but Peltier says that our faith is unfounded. "No one is getting burned yet, but they will be," he says. "You see the lock icon, and you assume you're safe -- but you're not."

The problem is that it's a negotiated security standard with two major flaws, both of which can be exploited by man-in-the-middle attacks. "The first thing is that SSL depends on a negotiated certificate, but when there is a problem in the negotiation, the only thing that happens is that an alert window pops up. SSL hijacking is so easy because of the implicit trust we have in the digital certificate."

The other problem is that SSL still supports export-grade 40-bit encryption. The SSL transaction will negotiate down to the lowest common level, Peltier says. "That's a big problem," he says. "Security people don't get into SSL because they think it's a Web thing. But it can open up the network, so it's really a network thing."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
7 Technologies You Need to Know for Artificial Intelligence
Jessica Davis, Senior Editor, Enterprise Apps,  7/1/2019
Commentary
A Practical Guide to DevOps: It's Not that Scary
Cathleen Gagne, Managing Editor, InformationWeek,  7/5/2019
News
Data Science Salary Survey Reveals Market Shift
Jessica Davis, Senior Editor, Enterprise Apps,  6/27/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
Slideshows
Flash Poll