February 19, 2013, 1:47 PM — They're security myths, oft-repeated and generally accepted notions about IT security that...simply aren't true. As we did a year ago, we've asked security professionals to share their favorite "security myths" with us. Here are 13 of them (if you'd prefer to zip through a slideshow version of this, click here).
Security Myth #1: "Anti-virus is protecting you against malware in an efficient way."
Raimund Genes, Trend Micro CTO, says businesses use anti-virus because otherwise, "your auditors would kill you if you didn't run A/V." But A/V can't reliably protect against a targeted attack because before it's launched, attackers have checked to make sure it won't be caught by A/V software.
Security Myth #2: "Governments create the most powerful cyberattacks."
John Pescatore, director of emerging security trends at SANS, says most government attacks are simply re-using criminal-owned attack resources. And the U.S. Department of Defense likes to hype the threat from nation states to boost its budget. The sad truth is that denial-of-service attacks against banking Web sites such as Citibank can be stopped but there hasn't been enough effort to do that. And governments going after other governments for espionage is nothing new, with China, the U.S., France, Russia and others at it for decades.
Pescatore also has two other favorite myths that concern cloud security that put together are contradictions in themselves: that "cloud services can never be secure" because they're shared services that can change whenever they want to, and the second that "the cloud is more secure because the providers do it for a living." About these two contradictory myths, Pescatore points out, "Many of the providers, like Google, Amazon, etc. did not build their clouds to provide enterprise class services or protect other people's information. In fact, Google built a very powerful cloud expressly to collect and expose other people's information via its search services."
But Pescatore also points out that e-mail-based cloud services from Google and Microsoft, for example, have so far shown that when customer data was exposed, it was very rarely the fault of the provider and could mostly be ascribed to phishing attacks on customers. But the enterprise customer is still grappling with how to appropriately change its processes to match the cloud service providers in terms of incident response.
Security Myth #3: "All our accounts are in Active Directory and under control."
Tatu Ylonen, inventor of SSH and CEO of SSH Communications Security, says this misconception is common, but most organizations have set up and largely forgotten functional accounts used by applications and automated processes, often managed by encryption keys and never audited. "Many large organizations have more keys configured to access their production servers than they have user accounts in Active Directory," Ylonen points out. "And these keys are never changed, never audited and not controlled. The whole identity and access managed field generally manages interactive user accounts, and consistently ignores automated access by machines." But these keys intended for automated access can be used for attacks and virus spread if not properly managed.