20 of the most misguided beliefs about InfoSec

02September

20 of the most misguided beliefs about InfoSec

The InfoSec landscape is littered with security theories with questionable validity. Believing these supposed truisms isn’t making us feel any safer. In a recent Citrix Security Survey, 84 percent of Americans think their personal information is more vulnerable than a year ago.

We need to rethink many of security’s mantras. I reached out to dozens of industry experts for their top security fallacy. Here are our 20 favorites. Read and reconsider.

1: Certain platforms are more secure than others

We’ve all been led to believe that Microsoft software is a target for hackers, and that it’s far safer to use a Mac or open source software.

According to studies conducted by the National Vulnerability Database and Shavlik, “85 percent of vulnerabilities are in non-OS non-Microsoft applications,” said Chris Goettl (@ShavlikProtect), Shavlik’s product manager.

“The misconception [of why Mac is more secure than Windows] stems from the fact that hackers who target Apple usually are out for a different goal like exploiting the iOS and iTunes stores,” said Goettl.

The vulnerability isn’t the platform. It’s aging software.

“Software sours like milk. The longer it’s out there the more likely it is to be exploited,” added Goettl.

Mike Pittenger (@black_duck_sw), VP, open source security strategy, Black Duck Software, advises users to “avoid adding 3rd party code with known vulnerabilities to your applications, whether they’re open source or commercial.”

2: Mobile devices are not a security concern

“By nature of being both personal and corporate devices – and that they connect to a range of secure and unsecure networks – mobile devices can encounter a fair amount of threats that put both the data and the organization at risk,” said Aaron Cockerill (@aaron_cockerill), VP of products, Lookout.

A Lookout study of 25 different Fortune 500 companies found 5 percent of Android devices had serious vulnerabilities over the course of one year. iPhones are no safer, as 39 percent of iOS devices are currently running an outdated OS, and therefore have unpatched operating systems (source: MixPanel).

A simple look at the iOS 8.1.4 updates shows a panoply of security issues, noted Adam Ely (@adamely), co-founder, Bluebox Security.

For those who do believe that mobile is a threat, they may mistakenly believe it’s only from mobile malware. The real problem stems from users not understanding how to manage their mobile devices, warned Eamonn Colman (@computenext), director of marketing for ComputeNext, who pointed out that Gartner predicts that by 2017 75% of mobile security breaches will be a result of mobile application misconfiguration.

3: You don’t need to secure non-sensitive data

“Every cloud app – regardless of the data it stores – presents a risk for compromised credentials which can have a negative ripple effect,” warned Sanjay Beri (@sanjberi), CEO and founder of Netskope. “This is especially true when considering smaller ‘ecosystem’ apps that connect to larger, better known collaboration or social apps, which may contain more sensitive business information.”

This belief trends into the dangerous practice of data classification, or prioritizing your investments for systems that manage your most sensitive and critical data.

“The classification and prioritization exercise can blind you to your actual attack surface,” explained Wendy Nather (@RCISCWendy), research director, Retail Cyber Intelligence Sharing Center (R-CISC). “Many breaches today happen through lateral movement: attackers exploit vulnerabilities in less-critical infrastructure, and then find their way to the real target.”

4: Too big to fail

One well-known but false InfoSec belief is that “large businesses will always take every measure possible to safeguard their information, since they’ve got the most to lose,” said Alex Monteiro (@Amanahtech), marketing manager with Amanah Tech.

“There’s no way a company that big doesn’t have a lot of security talent, so I don’t need to worry about security,” echoed Davi Ottenheimer (@daviottenheimer), founder, flyingpenguin.

“The reality is as an organization gets larger, it inevitably starts to grow more complex. And as it starts to grow more complex, the chances that something will go wrong [increase],” explained Monteiro. “Large organizations need to be more careful than small organizations where security’s concerned; not because they’ve got more to lose, but because there’s more that goes wrong.”

5: Just secure the perimeter

“No matter how much work you put into designing your network and firewall, there’s always a vulnerability somewhere. To believe otherwise is to get complacent,” said Daniel Page (@aseohosting), marketing manager of ASEOHosting.

“I still hear people inaccurately describe networks as ‘secure.’ Their misconception of network security primarily stems from the fact that they simply don’t understand just how large the network actually is,” said Serge Baluyot, web designer, Doubledot Media Limited.

“A combination of people, devices, and social media connections creates a fantastically complex attack surface that cyber thieves can exploit,” explained Greg Mancusi-Ungaro (@gmancusiungaro), CMO of BrandProtect.

“[Eventually,] data escapes,” alerted Ian Rowlands (@IanFL), VP of product management for ASG Software Solutions. “Well-intentioned people, trying to get their jobs done, will share supposedly secure information. Others will create and maintain valuable information outside the perimeter.”

“The problem with emphasizing perimeter-only security is that once a hacker gets in, all bets are off,” added Perry Dickau (@DataGravityInc), director of product management for DataGravity.

6: Every attack is sophisticated

While the Toronto police claim the Ashley Madison attack was “very sophisticated,” Impact Team, the perpetrators of the hack, admitted that the company’s security was “Bad. Nobody was watching… You could use ‘Pass1234’ from the Internet to VPN to root on all servers.”

“Time is too often wasted searching for traces of sophisticated avenues of attack from the elite hacker, while ignoring things like weak admin passwords on sensitive data repositories,” said Mark Stevens (@DigitalGuardian), VP of global services for Digital Guardian.

Even when we’re explicitly told about the simplicity of an attack, no company wants to admit to simple vulnerabilities.

“Most of the wildly spectacular and publicized security breaches of late were surprisingly underwhelming from a sophistication perspective,” said John Vecchi (@sudoapp), co-founder, Anonyome. “Today’s threats and attacks are far more targeted than they are advanced.”

“Criminals keep phishing because it works,” concurred Craig Sanderson (@infoblox), senior director of security products, Infoblox.

“Why bother trying to seek out a security hole in a business’ software when you can have some unsuspecting mark simply let you in,” asked Zac Cogswell (@wiredtree), CEO of WiredTree.

7: No matter what you do, you’re vulnerable

“People who read news headlines with ‘hacking’ in the title have come to assume that everything is vulnerable, everything can be hacked, and there’s nothing they can do about it,” said Adrian Sanabria (@sawaba), senior analyst, enterprise security practice, 451 Research.

It’s a belief held by 69 percent of Americans.

“We have gotten away from the basic blocking and tackling that we used to do as a matter of course,” said Rick Howard (@RaceBannon99), CSO of Palo Alto Networks. “The security vendor community has abdicated any kind of threat prevention technology saying to customers that your only hope is to detect and mitigate.”

“If your strategy is ‘detect and respond,’ when the inevitable really bad thing happens to your organization, your CEO and your board are not going to be very tolerant of your strategy,” noted Eric Cowperthwaite (@e_cowperthwaite), VP, advanced security & strategy, Core Security.

8: I’m not a target for hackers

“You do not have to be big to be a target,” said Marc Malizia (@marcM0313), CTO of RKON. Hackers sometimes just “target IP addresses, not companies.”

“It’s not personal. It’s not a guy at a keyboard,” added John Thompson (@ThreatSTOP), director, systems engineering, ThreatSTOP. “The attackers launch methodical scans looking for unprotected endpoints—anything online.”

They may not want to infiltrate your data, but rather use you as a tool.

“Anyone’s computer can be compromised and enlisted as a part of a ‘botnet army’ that can wreak havoc on the Internet,” explained Dwayne Melançon (@ThatDwayne), CTO, Tripwire.

9: Never write down your password

“We can’t expect people to remember every crazy 20-character password,” said Andrew Storms (@st0rmz), VP, security services, New Context. “Password managers are just another form of writing down your passwords.”

“Write down the passwords and move that piece of paper away from the computer in a secure location. That will give you the security of strong passwords,” added Ben Rothke (@benrothke), senior eGRC consultant, Nettitude Group.

10: The cloud isn’t/is as safe as an on-premise network

“There are many people out there who are [skeptical of] the cloud and bring up security as a concern,” noted Max Dufour (@maxdufour), partner, technology & strategy, Harmeda.

This fallacy has been echoed from many security pros.

“Hospitals use the cloud. Banks use the cloud. Government agencies use the cloud. These are organizations with some of the highest security requirements in the world. If they think cloud computing’s safe to use, it’s pretty clear the ‘cloud as less secure’ notion is a myth,” said Stephane Maarek (@outscaleinc), VP, North America, Outscale.

“Paradoxically, another myth is that cloud-hosted systems are automatically more secure than on-prem data centers. Organizations figure that security is now the provider’s responsibility, freeing them from responsibility,” said Don Maclean (@DLTSolutions), chief cybersecurity technologist, DLT Solutions.

“Whether or not moving to the cloud will improve your security or not depends on what shape it’s in today, what service you will use, how well you design the overall solution, and how you manage the migration,” said Scott Feuless (@ISG_News), principal consultant, ISG.

“Attention to secure design, deployment and operation at the application level is critical to the security of the overall solution, regardless of where it’s deployed,” added Ian Hamilton (@signiant), CTO, Signiant.

11: Most hacks come from the outside

“One mistake or error in judgment can undo millions in IT security dollars,” said James L. Bindseil (@globalscape), president and CEO of Globalscape. “Careless insiders are the biggest security threat facing companies these days.”

“Whether it’s poor password management, untrained phishing targets, or a lack of security on mobile devices, lax information governance practices within your organization are a more likely cause of data breaches,” noted Eric Mosca (@InOutsource), director of operations for InOutsource.

In a study by the Ponemon Institute, 78 percent of respondents say negligent or malicious employees or other insiders have been responsible for at least one data breach within their organizations over the past two years.

“The careless insider is quite possibly just a symptom,” explained Bindseil of this unfortunate trend. “The root cause is likely that you have either not given employees the tools to do work in the way that they want to or you have made it so difficult that it is easier to go around and later ‘ask for forgiveness’ rather than ‘ask for permission.’”

12: Tools are the answer to your security problem

“Organizations plagued with security issues and incidents believe that just ‘one more tool’ will close elusive gaps and end their security problems forever,” said Peter H. Gregory (@peterhgregory), director, information security, office of the CISO, Optiv Security.

“Even with the most powerful security technologies,” added Corey Nachreiner (@watchguardtech), CTO of WatchGuard Technologies, “it’s still up to humans to configure, monitor, and maintain them properly for them to work effectively.

“Companies have a saturation point for how many technologies they can support,” said Robb Reck (@robbreck), CISO, Pulte Insurance Services. “When we add another technology without the appropriate personnel resources to support it, we not only won’t get the value out of that product, but we often reduce the value of all of our other products, because we take our eye off the ball.”

13: Cybersecurity is the IT department’s responsibility

“Until organizations adopt a culture of cybersecurity that is promulgated vertically and horizontally across the organization, the adversary will always win,” argued Montana Williams (@thecybercowboy), senior manager of cybersecurity practices, ISACA.

Alex Rice (@senorarroz), co-founder and CTO of HackerOne, goes so far as to say cybersecurity is a communal responsibility: “The most secure organizations have come to the realization that they cannot achieve security in isolation and have adopted an approach of transparency, collaboration, and rapid response.”

14: Antivirus programs will keep you safe

“An antivirus program is just one component in the security mix,” said Pavel Krcma (@stickypassword), CTO, Sticky Password. “Its success rate is about 99.5% which means you have a 1 in 200 chance that you be attacked by some malware. In other words – it’s just matter of time.”

According to Grant Sainsbury (@gsainsbury), VP of advanced solutions, Dimension Data, many companies believe they can supplant poor patch management of known vulnerabilities by running an antivirus program.

Of the hundreds of penetration and vulnerability assessments Dimension Data conducts, “missing security patches are by far the most common cause of our testers being able to compromise systems,” said Sainsbury.

15: Attacks happen at lightning speed

“In many security professionals’ minds and consumers’ minds, there is this concept that the security battle is won or lost in milliseconds; that once the exploit’s payload is delivered, it is all over,” said 451 Research’s Sanabria.

“Serious, strategic intrusions play out as campaigns, over days, weeks, months, and sometimes years,” said Richard Bejtlich (@TAOSecurity), chief security strategist at FireEye, and blogger at TAO Security. “I advocate being able to detect and respond to intrusions within one hour, to prevent those intrusions from becoming breaches, where intruders destroy, alter, or steal data. Alert, resourced, well-led defenders do not need to act ‘at lightning speed’ in order to win.”

16: Better detection will solve security issues

“We now live in a ‘post-prevention’ world,” said Anonyome’s Vecchi. “What used to protect us has stopped working long ago, so ‘preventing’ security breaches and data loss from enemies without and within is no longer realistic.”

Vecchi isn’t advocating you give up using detection systems such as firewalls, antivirus, and intrusion prevention systems (IPS).

“Common, everyday ‘known’ attacks and malware still need to be stopped and these tools are critical at eliminating the low-hanging fruit,” said Vecchi.

But a detection-only security program can’t be the solution to your security ills.

“Detection will fail – with certainty,” argued Simon Crosby (@simoncrosby), CTO of Bromium, who references the 2013 Target hack for which installed detection systems alerted the security team of the intrusion, yet nothing was done.

The problem, said Crosby, is that “state of the art detection systems frequently bury alerts for actual attacks in a haystack of false-alerts. Security teams may easily fail to notice signs of an actual attack as they scurry about remediating non-attacked systems.”

17: You just need good password management

“If you tell your users to change their passwords once a month, they’re going to use ‘PasswordJan,’ ‘PasswordFeb,’ ‘PasswordMar,’” said Graham Cluley (@gcluley), cybercrime researcher and blogger at GrahamCluley.com. “The time to change your passwords is when you believe that your password has been breached, or if you wake up in a cold sweat one night realizing that you chose a dumb, easy-to-crack password, or one that you have reused somewhere else.”

“Another scary yet common fallacy is that passwords are secure,” said Scott Teger (@scottteger), VP of operations, 36 Labs. “I have seen firsthand that passwords are all too often being stored unencrypted. With passwords living in plaintext, they are very easy to become compromised by employees, whether they’re on the engineering team or not.”

“The more important thing is to use unique passwords,” said Sticky Password’s Krcma. “If an attacker hits a service you are using and steals your password, it’s not important if you had a strong password. What’s of the utmost importance is if this password was used only on this service or whether that attacker can use it for all your other accounts and gain easy access.”

18: You can deal with security later

“With most things in IT, if you push it off until later it’s doable.  With security, if you push it off until later, it’s going to be too late,” said Denny Cherry (@mrdenny), owner & principal consultant, Denny Cherry & Associates Consulting.

“If we don’t have time to do it correctly now, will we have time to do it over once it’s broken,” asked Marcus Ranum (@mjranum), CSO, Tenable Network Security. “Sometimes, building a system that is in constant need of repair means you will spend years investing in turd polish because you were unwilling to spend days getting the job done right in the first place.”

“Security has to be addressed up front, and not just once,” advised Cherry. “As systems change they need to be evaluated and modifications made to properly secure those changes.”

19: As long as I don’t click on anything malicious, I’m safe

“Bad guys use legitimate ad networks on reputable sites like cnn.com to spread ads that infect you with malware without you ever clicking on anything,” warned Marcin Kleczynski (@mkleczynski), founder and CEO, Malwarebytes.

“Any website that serves advertising could be a potential infection vector, and even if you go only to legitimate websites from huge, well-known companies, you should still keep anti-virus installed and scan your computer regularly,” suggested Alex Mouravskiy (@AlexMouravskiy), CEO, Digital Remedy Repair.

20: We’re compliant, therefore secure

“Constant compliance promotes a false sense of security and that can lead to complacency,” argued Tim Mullahy (@LibertyCenter1), general manager, Liberty Center One.

“Security is a moving target, and industry standards are constantly playing catch up,” added ISG’s Feuless.

“Security organizations are often depicted (and sometimes depict themselves) as needing to layer on process and control in order to ensure a highly secure environment… While process and control can give the semblance of security, they merely check boxes and give a false perception,” said Ariel Tseitlin (@atseitlin), partner, Scale Venture Partners. “In reality, agility, automation and visibility are much more effective than process and control.”

Conclusion: Educate fallacies today to prepare for tomorrow’s vulnerabilities

“It’s a fixed idea in IT teams that users are stupid, and because of that they cause all kinds of problems. ‘You can’t patch stupid’ is a security fallacy,” argued Stu Sjouwerman (@StuAllard), founder and CEO, KnowBe4. “Users aren’t stupid. They are just highly trained in another area. Getting end-users stepped through effective security awareness training is a tremendous help in keeping networks safe.”

DISCLOSURE: Spark Media Solutions works with Tenable Network Security.

Posted by David Spark  Posted on 02 Sep