Security Myth #4: "Risk management techniques are needed for IT security."
Richard Stiennon, chief research analyst at IT-Harvest, says although risk management "has become the accepted managerial technique," in reality "it focuses on an impossible task: identifying IT assets and ranking their value." No matter how this is attempted, it "will not reflect the value that attackers place on intellectual property." Stiennon argues "the only practice that will actually improve an enterprise's ability to counter targeted attacks is threat management which entails deep understanding of adversaries and their targets and methodologies."
Security Myth #5: "There are 'best practices' for application security."
Jeremiah Grossman, CTO at WhiteHat Security, says security professionals commonly advocate for "best practices" thought to be "universally effective" and worthy of investment since they're "essential for everyone." These include software training, security testing, threat modeling, web application firewalls, and a "hundred other activities." But he thinks this typically overlooks the uniqueness of each operational environment.
Security Myth #6: "Zero-day exploits are a fact of life and impossible to predict or effectively respond to."
Zero-day exploits are those targeting vulnerabilities that are not yet known to the vendor or the public, so no patch is available when the attack occurs. But H.D. Moore, CSO at Rapid7 and creator of the Metasploit penetration-testing tool, thinks otherwise: "security professionals can actually do a good job of predicting and avoiding problematic software. If the organization depends on any software that is 'impossible' to function without, there should be a plan in place for what to do if that software becomes a security risk. Selective enablement and limiting the privileges that the software receives are both good strategies." He also says another favorite security myth is that "You can tell how secure a product or service is based on the number of publicly disclosed vulnerabilities." He says a good example is the notion that "WordPress is terrible, look at how many vulnerabilities have been found so far!" But he says "the deep history of software flaws can be the natural result of a piece of software becoming popular." Moore concludes, "By contrast, there are dozens of products with no published flaws that are often much less secure than a better-known and more widely audited application. In short, the number of security flaws published for a piece of software is a terrible metric for how secure the latest version of that software is."
Security Myth #7: "The U.S. electric grid is well-protected under the North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) requirements."
Joe Weiss, managing partner at Applied Control Solutions, argues that's a myth because CIP, drawn up by the industry itself, applies only to bulk distribution of power, not the entire distribution system, and also specifies only a certain size of power generation. "80% of the generation in the U.S. doesn't have to be looked at under CIP."