What Security Myths?
In information security and network security some ideas and beliefs are repeated so often they become dogma. I’ve got a list of what I think are the "Top 10" concepts I’ve heard repeatedly that are just beliefs. They’re not true, they’re myths. Like all myths, there may be some truth in any of these. Let’s take a look at the first five of the top 10.
1. One operating system is inherently more secure than another
There is a lot of posturing and dogma among proponents of different operating systems regarding the relative security of their preferred OS platform. Any of them have the capacity to be horribly misconfigured, whether through ignorance or apathy. For years Windows was considered the softest target. If we look at the vulnerability listings today, we find that Linux and Windows have about the same number of listings. When I looked for a particular type of vulnerability, I found 6 in the top 10 that were vulnerabilities in an application server which could run on Windows, Linux, Solaris, or OS X.
2. Our firewall keeps our network safe
No, how you configure your firewall keeps your network safe. This may seem to be an equivalent statement, but it’s not. While the importance of firewalls cannot be overstated, even the most secure firewall available won’t provide security if error, ignorance, carelessness, apathy, or company policy results in an insecure configuration. I’ve seen this so many times it would be humorous if it wasn’t so dangerous and costly. Review your firewall logs frequently, re-examine your firewall rules, and have an impartial 3rd party audit your network security. Compare your network security policy with your implementation.
3. We use VPNs for our remote users so our network and our data are protected
This is yet another example of what I call security having a "Hard Exterior With a Soft Goey Center". If the users aren’t educated and careful in their actions, the best security solution is worth practically nothing. VPN client software configurations often let users surf the web while connected via the VPN to private corporate resources through a separated VPN tunnel. So it’s entirely possible that, for example, a hacker has a remote desktop connection, remote shell to the user’s pc, keystroke capture and transmit, etc. running. Yes, your VPN or client host-based security solution might not allow inbound connections to the user’s PC while the VPN is active, but if the user (or another process) can have outbound connections to the Internet that don’t go through the VPN tunnel, that can accomplish the same thing.
4. The most likely, common, and dangerous attacks are from determined hackers
Statistics show us that the most likely and frequent hacking attacks have been from automated, mindless bots and worms, operating essentially randomly. Yes, perhaps some very brilliant and determined hackers wrote them, but they’re likely completely unaware of you and this particular hacking attempt. The author of the code involved in an attack is probably neither its source nor are they aware of you as a target. Also, there are so many hacking and cracking tools available on the ‘net (with instructions) that it doesn’t take craft or brilliance to be a successful hacker anymore.
5. With SSL our web servers, users, & customers are protected and safe
Wrong! SSL protects that particular channel of communication (that session) but has nothing to do with the security of the server-side applications, data security, access control, and so forth. SSL without a concurrent strong login (authentication & authorization) is pretty meaningless. If the endpoint of an SSL connection is compromised, the encryption of the tunnel provides very limited benefit.
Be sure to read our other "Top" lists including Top Five Free Security Programs, Top Three Free Online Virus Scanners, Top Five Free Firewalls for Windows PCs, Top 10 Free Virus Removal Tools and Top Ten Sidebar Security Gadgets for Windows Vista.