Debunking The Top 10 Security Myths: 6-10

I was always taught, "security through obscurity is not." After years of experience, I disagree. If something can't be found, it can't be attacked or exploited. I'm not advocating simply hiding everything, but sometimes it's an easy and cost-effective means of keeping something from being under constant attack. Something can't be a target of opportunity if there is no opportunity! With a closer look, we realize that encryption ciphers are at their core a means of obscuring information. So this flies in the face of the idea that obscurity is not security.

Of course, in myths 3, 5, and 9, we'll see that encryption isn't as secure as it seems.

Much like the myths involving VPN and SSL, encryption does not equal security. WEP encryption, for example, can be cracked so quickly that the false sense of security is far more dangerous than the absence of security in an unsecured wireless network! Fortunately there are superior means of securing wireless access available (see How to Secure a Wireless Network).

Long, complex passwords are harder to remember so they are much more likely to be written down. At that point, the complexity is meaningless if the janitor finds that Post-it note on a desk or on the bottom of the traveling salesperson's laptop. If a user doesn't have access to mission critical data, maybe that user doesn't really need a thirteen-character password. The importance of this depends on your business and security policy of course, so don't let me be misunderstood. Passwords should be as complex as they need to be--and this isn't the same for every business case (see Password Security - Choosing Strong Passwords).

Whenever your encrypted data is used, it is decrypted. During use is when it's most likely to be obtained inappropriately. Whether by internal unauthorized access or an external attack, the data is almost always in use and already decrypted at that point. Encrypting every e-mail, whether for privacy or for sender validation, just doesn't make sense, unless perhaps you work for the CIA.

Well, some things don't need to be as secure as others. Spending time and effort equally, everywhere, on all resources isn't the best use of that time and effort. You should establish a security baseline for all your assets and infrastructure, then prioritize the value of various assets and infrastructure, and apply the most effort on those components with the highest value. For example, company HR data and financial records are of much more importance than a salespersons potential customer list (for more discussion about this, see the article Can You Have Too Much Security?).

I hope this examination of the top 10 security myths helps you take another or a closer look at your information and network security, in policy and in practice. Your mileage may differ, my assertions and conclusions may not apply to you, so please, don't kill the messenger.