This article is the second in a two-part series examining and debunking the top 10 information and network security myths. This article debunks myths six through ten. I hope that after reading it you take a closer look at your own network and information security, in policy and in practice.
6. "Security Through Obscurity" is always bad
I was always taught, "security through obscurity is not." After years of experience, I disagree. If something can't be found, it can't be attacked or exploited. I'm not advocating simply hiding everything, but sometimes it's an easy and cost-effective means of keeping something from being under constant attack. Something can't be a target of opportunity if there is no opportunity! With a closer look, we realize that encryption ciphers are at their core a means of obscuring information. So this flies in the face of the idea that obscurity is not security.
Of course, in myths 3, 5, and 9, we'll see that encryption isn't as secure as it seems.
7. Our Wi-Fi network is secure because we use encryption
Much like the myths involving VPN and SSL, encryption does not equal security. WEP encryption, for example, can be cracked so quickly that the false sense of security it gives is far more dangerous than the absence of security on an unsecured wireless network! Fortunately, there are superior means of securing wireless access available (see How to Secure a Wireless Network).
8. Lengthy, complex passwords are always better
Long, complex passwords are harder to remember, so they are much more likely to be written down. At that point, the complexity is meaningless if the janitor finds that Post-it note on a desk or on the bottom of the traveling salesperson's laptop. If a user doesn't have access to mission-critical data, maybe that user doesn't really need a thirteen-character password. The importance of this depends on your business and security policy, of course, so don't let me be misunderstood. Passwords should be as complex as they need to be, and this isn't the same for every business case (see Password Security - Choosing Strong Passwords).
9. If we encrypt all our data it will be more secure
Whenever your encrypted data is used, it is decrypted, and it is during use that it is most likely to be obtained inappropriately. Whether by internal unauthorized access or an external attack, the data is almost always in use, and therefore already decrypted, at that point. Encrypting every e-mail, whether for privacy or for sender validation, just doesn't make sense, unless perhaps you work for the CIA.
10. We should secure everything as much as possible
Well, some things don't need to be as secure as others. Spending time and effort equally, everywhere, on all resources isn't the best use of that time and effort. You should establish a security baseline for all your assets and infrastructure, then prioritize those assets and infrastructure by value, and apply the most effort to the components with the highest value. For example, company HR data and financial records are of much more importance than a salesperson's potential customer list (for more discussion about this, see the article Can You Have Too Much Security?).
I hope this examination of the top 10 security myths helps you take another, or a closer, look at your information and network security, in policy and in practice. Your mileage may differ, and my assertions and conclusions may not apply to you, so please don't kill the messenger.
Debunking The Top 10 Security Myths
There are some common beliefs about information and network security that are actually myths. We hear statements about security so often that they become dogma, when a closer look shows that these statements are only belief, not facts. In this series we debunk the top 10 security myths.