Like most wars, the war between attackers and IT security managers is full of misinformation. Attackers fill open message boards with boasts about their latest exploits, yet the smart ones keep the most effective hacks to themselves. Enterprises issue press releases about their latest upgrades and purchases, yet many never report penetration of their most sensitive systems. And like combatants in their foxholes, security professionals are left to sort through a mix of rumor, propaganda, news, and real intelligence in order to find the true lay of the land.
Here at Dark Reading, we're overloaded with the same information and disinformation. Like you, we're trying to separate fact from fiction. To help further that cause, we recently asked the Dark Reading editorial advisory board -- some of the industry's top IT consultants, security managers, and market experts -- to help us identify 10 of the most prevalent myths in the IT security space. The following article is a result of that discussion (along with a little research from our dutiful editorial staff).
You may not agree with our decision to label some of these ideas as "mythical," and you wouldn't be alone. Heck, even our experts disagree on some of these. If you don't agree (or even if you do), please click on the link to "Discuss this story" and post a message to our message board. One of the reasons Dark Reading was founded was to dive into controversy and get people to think outside the usual trade pub circuit. So let us hear from you!
(Editor's note: Please don't use email. The message boards are completely anonymous, and we want everyone to see your opinions -- even if they involve our mama.)
- 'Epidemic' Data Losses
- Anything But Microsoft
- Vendors Have Your Best Interests In Mind
- Separate Physical, Electronic Security
- Employees Always Trustworthy
- Bad Guys Are Winning
- Hackers Are a Necessary Evil
- Antivirus Software is 100% Effective
- Clean Bill of Health Attainable?
- More Spending = Better Security
The Staff, Dark Reading
Next Page: 'Epidemic' Data Losses
Many more companies are losing more data than ever before.
Pity the Veterans Administration, or any other organization that's experienced some headline-making loss in recent months. (See Thief Steals 26.5 Million Veterans Identities and Data Losses Hit Four More.) The cycle's a familiar one: First the publicity, then a ranting politician or regulator, followed by PR or marketing machinery with promises of how you can avoid a similar fate with their product.
In that conversation, terms like "epidemic" and "relentless trend" get tossed around pretty freely. From there, we go to terabytes of personal data flooding out your front doors, credit bureaus besieged by frightened callers, and hackers coming for your children.
Let's all take a breath together: There is no data loss epidemic. In fact, the actual incidence of security violations has decreased, according to the latest figures from the Computer Security Institute and the FBI. (See CSI/FBI: Violations, Losses Down.) Companies reporting unauthorized use of their systems in the last 12 months dropped to 52 percent this year from 56 percent last year.
But security experts point to twinned dynamics that help explain this perceived byte flight: compliance regulations, coupled with data's greater mobility.
State and federal regulations require companies to inform customers of even potential data loss or theft -- any sort of exposure that might compromise a customer. So while data losses have not increased, our awareness of them has.
"A CSO from a financial services company told me over dinner recently, 'We've been losing backup tapes for years, but now it's become unacceptable to our board and shareholders,'" says Andrew Jaquith, senior analyst with the Yankee Group.
Personal data has also acquired a certain "toxicity," Jaquith theorizes, pointing to Social Security and credit card numbers, PINs, and passwords. "We don't seem to mind people gathering that kind of data, but we sure as hell mind when they lose it."
And laptops seem to be the main offender here. As hard drive space increases, all those precious gigabytes start to take on monetary value. "There's a real profit motive now to gaining access to that data, whether it's personal information or a company's trade secrets," notes Eric Maiwald, senior analyst with the Burton Group. "So while it seems like the attacks and threats are increasing, it's actually the value of the data, along with the skill level of attackers."
Next Page: Anything But Microsoft
Microsoft is a security nightmare, Macs and Linux are a godsend.
Just because you're a Linux or Mac person sipping coffee in your server room on Patch Tuesdays doesn't mean you're immune from exploits. Nothing is bulletproof these days.
Let's state the obvious here: Microsoft is a big, fat target for hackers, so of course it has a bigger volume of security troubles. But that doesn't mean Linux and Mac don't have their fair share of "issues" -- notice Red Hat's patches this week (See Red Hat Patches Linux Apps.) and the recent Mac OS X vulnerabilities that allow remote attackers to insert and run malware on Mac boxes. (See Cyber Security Alert.) See also the Safari browser bugs being reported by the Month of Browser Bugs project. (See Getting Buggy with the MOBB.) Oh, and don't forget that Macs can run Windows now, too.
And you can bet attackers are always prowling around for more victims. Linux is a tempting one these days as it becomes a popular Web server OS and contender for mobile handsets such as Motorola's. Linux's small kernel size and open source nature will spur its adoption as a mobile OS, according to IMS Research.
Security-wise, the trouble with Linux is many shops don't bother patching it. "These boxes typically sit there for years," says Joe Hernick, IT director for the Loomis Chaffee School. Organizations don't always pay for service contracts for the OS, he says, even though commercial Linux providers like Red Hat offer automated patches through those contracts. They're either afraid to touch the Linux boxes or assume they are inherently secure, he says.
And Linux servers typically run some key apps, so if a hacker gets one, he's struck gold. "The thing about a Linux box is it's usually a very important one," like an email server, says David Aitel, CTO for ImmunitySec.
Macs face fewer threats because they aren't a popular choice for servers, but that doesn't mean a Mac desktop couldn't be recruited as a drone in a botnet. Apple does release monthly patches but keeps the details under wraps. "If you're not paying attention to a Mac server, it probably won't get auto-updated," Hernick says.
"Windows machines are attacked and patched more frequently and obviously get the attention of systems admins," Hernick says. "And not every shop has a Linux or Mac guy" to police those boxes.
So wake up and smell the coffee. "Nothing is 100 percent safe," says Allen Wilson, director of research for SecureWorks. "All platforms are vulnerable to poor maintenance practices."
Next Page: Vendors Have Your Best Interests In Mind
The primary goal of a security vendor/service provider is to make your enterprise more secure.
The primary goal of a security company -- like most other companies -- is to make money. When security problems are rampant, their revenues go up. Now, we're not suggesting some sort of conspiracy in which vendors create vulnerabilities only to fix them. But it does make sense to question vendors that attempt to overcomplicate security problems or issue homegrown "studies" that say the industry is being overrun by the very problem they claim to solve.
This "myth" was the most polarizing of all the myths discussed by our experts. While some feel that vendors, service providers, and consultants have created a cottage industry by relying heavily on FUD and complexity, others feel it is wrong to suggest that vendors consciously mislead their customers in order to turn a higher profit.
"Vendors don't want you to be more secure -- they want you to buy more stuff from them," says one expert. "They are at cross purposes with reaching an adequate security level because they are financially motivated to maximize your spend. That's why you need to make damn sure you set your own security needs and not have them do it for you."
Another expert disagrees. "Most exposures are caused by uninformed users, uneducated or lazy administrators and developers, and/or poor-quality products." Vendors are not the ones causing these problems, he observes.
"A successful vendor simplifies security issues down to common, understandable issues and lays out a risk management plan to deal with them," says a third expert. "Raising too much FUD creates the impression that the bad guys are unstoppable."
Although they disagree on vendor motivation, the experts generally agree that security administrators should be wary of product makers or service providers that trade too heavily on fear, or try to take over the enterprise security function. "You want to manage your vendors, and not let them manage you," says one expert. "In my experience, most enterprises have that one nailed."
Next Page: Separate Physical, Electronic Security
Physical and electronic security are separate.
For years, enterprises kept one security strategy for the building and a separate strategy for the network. Today, it's becoming critical to pull those two strategies together.
But the vendors that sell you physical security systems and those that sell IT security have little to no overlap. Organizationally, physical security is often handled by the facilities department, while computer security is IT's domain.
"You can't assume anything about your computer security if you don't have physical security," says Eric Maiwald, senior analyst with the Burton Group. "There's always been an assumption that the data center was physically secure, but if I can physically get my hands on the computer at the end of the line, encryption and all that other security technology isn't going to help you much."
The fact that physical and IT security are separate disciplines is more of a historical anomaly, Maiwald adds. "Physical security depends on what risks you're willing to tolerate, which is just the same as computer security."
Any attacker worth his hacks is going to try multiple methods to penetrate a company. And often, physical intrusion is easier than any electronic breaking and entering. (See Social Engineering, the Shoppers' Way.) Ideally, there's a fair amount of interleaving, such that when a physical or electronic attack occurs, the enterprise can take coordinated countermeasures that encompass both physical and virtual realms.
Video surveillance over IP is forcing the issue of physical and electronic integration. And as some organizations turn to biometrics for individual access and authentication (thumbprints, retinal scans, facial and gait recognition), the line blurs even further.
And some firms are taking it even farther than that. "There's a combination card being sold now that's part proximity card, part smart card," says Andrew Jaquith, senior analyst at the Yankee Group. "It gets you into the building and lets you shop at the company cafeteria, for example."
Imagine additional credit getting added to the card at the end of each pay period, transparent to the employee, and you've gone beyond the physical and technical into the financial and personal. We'll save the problems and nightmares inherent in that brave forecast for our next mythical followup.
Next Page: Employees Always Trustworthy
Employees are always trustworthy and can be relied upon to make the right security decision.
Our experts agree that any security strategy which doesn't include the end user is doomed to failure. "Employees are the first line of any defense, whether it is simply to notice if a visitor in the building is acting strangely, or to recognize a phishing email that doesn't come from the real IT department," says Rob Enderle, president of Enderle Group, an IT consultancy. "The best security system, when it surrounds employees who aren't part of the defense, will be easily breached. The worst security system, if it surrounds informed employees, is vastly more difficult to bypass."
Experts agree that security systems and policies work best with an informed user base, but they also warn against relying too heavily on end user proficiency, or honesty.
"Most employees don't know security, and they don't know the right thing to do," says Todd Fitzgerald, director of information systems security at United Government Services LLC. "Your security policy should take that into account."
This means that end user training is not enough. The IT organization must employ safeguards that assume the employee will click the wrong button or make the wrong decision.
A recent report supports Fitzgerald's assertion. In a study of 22 users' activity, researchers at Harvard University and UC Berkeley found that good phishing sites fooled 90 percent of participants. Anti-phishing browser cues and popup warnings were largely ineffective and frequently ignored, the study said.
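If browser cues are ignored 90 percent of the time, the safeguard has to sit in front of the user rather than rely on the user. The following is an added example, not code from the article or from any of the people quoted in it: a mail-gateway-style check that flags links whose visible text points at one domain while the href points at another, hostnames that are lookalikes of the company's own domain, and foreign hosts that embed the company domain as a subdomain. The company domain (`example-corp.com`), the confusable-character table, and the three sample messages are all constructed assumptions; a production gateway would use the public suffix list rather than the "last two labels" approximation used here.

```python
"""Phishing-link checks that do not depend on the recipient noticing anything.

Added example, not from the original article.  CORP_DOMAIN, the confusable
table and the sample messages are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CORP_DOMAIN = "example-corp.com"   # assumed: the real IT department's domain

# Character swaps attackers use to build lookalike hostnames (a small
# illustrative table, not a complete confusables list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

_DOMAINISH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Approximate registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def text_host(text):
    """Hostname the visible anchor text claims to point at, or None."""
    if not _DOMAINISH.match(text):
        return None
    if not text.lower().startswith("http"):
        text = "http://" + text
    return host_of(text)


def normalize(domain):
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain, target=CORP_DOMAIN):
    """True if domain is a confusable or near-miss of target (but not target)."""
    if domain == target:
        return False
    n = normalize(domain)
    if n == target:
        return True
    return levenshtein(n.split(".")[0], target.split(".")[0]) <= 2


def check_message(html):
    """Return a list of (reason, href) findings; empty means nothing suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        h = host_of(href)
        claimed = text_host(text)
        if claimed and registrable(claimed) != registrable(h):
            findings.append(("display/href mismatch", href))
        if looks_like(registrable(h)):
            findings.append(("lookalike domain", href))
        if h != CORP_DOMAIN and not h.endswith("." + CORP_DOMAIN) and CORP_DOMAIN in h:
            findings.append(("corp domain embedded in foreign host", href))
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": '<p>Reset here: <a href="https://it.example-corp.com/reset">'
             'https://it.example-corp.com/reset</a></p>',
    "lookalike": '<p>Reset here: <a href="http://login.exarnple-corp.com/reset">'
                 'https://it.example-corp.com/reset</a></p>',
    "embedded": '<p><a href="http://example-corp.com.account-verify.net/login">'
                'Click here to verify your password</a></p>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", check_message(body) or "clean")
```

The point of the design is that none of the three rules asks the recipient to read a URL: the gateway compares what the link says against where it goes, and compares the destination against the one domain the company actually owns. Anything flagged is quarantined or rewritten before it reaches the inbox.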
Some analysts recommend a policy that not only assumes the incompetence of some users, but also the potential for dishonesty. "In any given population of people, there are bound to be a few bad apples," says Brooke Paul, an analyst at Neohapsis, an IT security consultancy. "We need to be diligent in hiring practices and put appropriate controls in place to protect against insiders with bad intent."
Even if you could trust all of your employees, you couldn't trust their families, Enderle observes. "I recall an instance where an employee came in and complained his cousin was blackmailing him into stealing from the company," he says. "There was another case where a CEO's kid got into the system and renamed all of the critical financial files just prior to a stockholders meeting. People are people, and just because they are related to people we do trust doesn't mean that we should automatically trust them."
Recently-published statistics from the Computer Security Institute and the FBI suggest that it pays to be paranoid: About 30 percent of large enterprises surveyed said that insider threats accounted for at least half of their security losses last year.
Next Page: Bad Guys Are Winning
We are losing a computer arms race with the criminals. We need new technologies to fight computer attackers.
Most hacker attacks are preventable. Behind every successful exploit is usually an improperly configured, maintained, or patched computer, or a clueless user (think lame passwords or clicking on suspicious links or emails). There's plenty of security technology out there, but if you don't deploy it properly, you're asking for it.
"Everyone says we need more information security. We want Computer Security 899, but we're flunking Computer Security 101," says Ira Winkler, author of "The Spies Among Us." "We could get rid of these attacks by using what we already have out there."
There's no excuse for not properly maintaining and updating your systems and software. You wouldn't blow off putting gas in your car, or changing the oil, so you shouldn't ignore patching and maintaining your servers, Winkler says.
The situation is improving. According to the 2006 Computer Security Institute/FBI Computer Crime and Security Survey, fewer organizations experienced computer breaches in the past 12 months, 52 percent versus 56 percent last year, and they suffered lower financial losses as well. (See CSI/FBI: Violations, Losses Down.)
"We're not losing, but evolving," says Allen Wilson, director of research for SecureWave. Before forking out a lot of cash on cutting-edge technologies, first make sure you're implementing best practices with your IPS/IDS, host intrusion prevention, AV, and anti-spyware tools, for instance, he says.
And don't blame your troubles on insecure software. Sure, it helps to have security built into an app or OS, but new viruses and worms and other exploits get plenty of press and publicity these days. You have to take the time to update your virus definitions or run a new virus scan. "Despite massive news coverage, people still get hit by it. All they have to do is update their antivirus software," Winkler says.
Microsoft is leading the movement with its secure software development process initiative, but there are still reports of bugs and holes in its upcoming Vista OS. "No matter how good it [the development process] is, there will still be bugs in software," Winkler says. "You can't write perfect software."
Next Page: Hackers Are a Necessary Evil
We need hackers to help protect our systems.
Hacking doesn't equal security know-how. Just because an attacker can break through security doesn't mean he or she can actually secure it. "Knowing how to destroy something doesn't mean you can create it, too," says Winkler.
Researcher HD Moore says the industry needs people who can break security controls: They provide the meat for AV, IDS, security assessment tools. "I would classify as hackers all of the people who are at least moderately good at network security," he says. "Trying to secure something without having any idea how people break in isn't feasible."
But those who hack into a system "often only know a small amount of the entire attack surface," Moore says. "So asking them to secure your network is like asking a Windows administrator to lock down your firewalls."
Malware writers may know where some security holes lie, agrees Winkler, but if we "enable" them by courting their services and knowledge, we're enabling damage to systems, apps, and data.
"Knowing how to do social engineering is not the antithesis of implementing an organization-wide security program," he says.
Next Page: Antivirus Software is 100% Effective
Using desktop antivirus software will prevent your organization from contracting viruses.
The security industry passed a milestone earlier this month with the 20th anniversary of the Brain virus, widely viewed as the first computer virus infection. Since that time, although AV technology has grown significantly, the incidence of virus and worm outbreaks has continued to increase. A study published earlier this month by the Computer Security Institute and the FBI shows that although 98 percent of enterprises are now using AV software, virus contamination was by far the largest cause of security-related financial losses in 2005.
AV tools are effective as a means of stopping known bugs, but attackers now routinely design new exploits to bypass them, experts observe. The phrase "zero-day attack" was coined in part to separate exploits that might be stopped by AV tools from new threats the software does not yet address. And while security vendors are generally quick to deploy patches and signatures that stop the spread of zero-day attacks, there is virtually always a period in a zero-day exploit during which the attacker has the upper hand, and security managers are helpless to do anything but warn their users not to click on any attachments.
"As long as we are dependent on end users to administer their security, even a perfect AV scanner is bound to fail," says Geoff Bennett, product marketing director at StreamShield Networks.
Users, or analysts, for that matter, shouldn't expect AV tools to be a panacea, says Ira Winkler, founder and president of Internet Security Advisors Group. "If you take the analogy out to real viruses, being inoculated for Hepatitis A doesn't give you immunity for Hepatitis B," he observes. "Any viral inoculation only gives you immunity to the specific virus you are being inoculated against. It doesn't give you immunity to all viruses in all forms. It's the same with antivirus software: It doesn't give you immunity to all future viruses."
Despite their shortcomings, AV tools are still necessary, experts say. "It'd be crazy to abandon desktop AV software," says Bennett, "but it's not going to be completely effective on its own. Business users enjoy two, three, maybe four layers of AV protection. Residential users are stuck with just desktop software. Does the phrase 'second class citizen' spring to mind?"
Next Page: Clean Bill of Health Attainable?
It's possible to pass a security audit on the first try.
As they seek regulatory compliance or just to test their infrastructures, security managers are facing off with security auditors more frequently than ever. And they are losing every time.
"We have never had a company pass an audit on the first try," says Nigel Tranter, a partner at Payment Software Co., a leading PCI auditing firm.
The fact is that auditors are paid to look for problems, and they usually find them, experts say. Even after the key risk items have been identified, there are usually smaller items to fix, or the auditor may turn to an entirely new area and turn up another can of worms.
"It's nearly impossible to pass an audit," says Fitzgerald.
Part of the problem is the stringency of the compliance standards themselves, auditors say. PCI, for example, requires 100 percent compliance with every single specification, and it can be achieved only on a pass/fail basis.
"I've failed companies that passed 99 percent of the requirements but didn't do their training or documentation correctly. I think the requirements ought to be split so that the security of the data is protected, but you could slide a bit on some of the administrative requirements. As it is now, if you don't have 100 percent compliance on everything, you don't pass."
Next Page: More Spending = Better Security
You must spend exorbitantly on outside security experts in order to secure your enterprise.
There's no real way to measure your return on investment from hiring white-hats to run penetration tests and stage social engineering exploits. It's much more cost-efficient to train your own instead. Think of it as investing in your internal IT expertise.
For one thing, outside security help isn't cheap. A full social engineering assault on an organization with 100 IP addresses costs around $20,000, and a remote penetration test for that size firm would be anywhere from $5,000 to $10,000, according to numbers from a Texas-based security firm. A pen test for a Fortune 100 firm, including a social engineering test, ranges from $20,000 to $250,000. Compare that to the price of sending one of your IT guys or gals to a high-end penetration certification test: $2,000 to $4,000, says Joe Hernick, director of IT for the Loomis Chaffee School and former Fortune 100 IT executive.
Most outside white-hatters are straight shooters and extremely professional in how they handle the delicate task of hacking the heck out of you. But you have to wonder if some may be having a little too much fun with their exploits. "They are in the business of making people nervous or scared," Hernick says. "How much are they inflating the threat levels?"
Hiring out a smaller-scale, annual or semiannual outside audit makes more sense than spending thousands of dollars on these services. Put your money into certifying your IT folks and you can build on that expertise. And the occasional outside white-hat audit keeps the auditors happy and everyone honest, plus it provides you some perspective.
And this is a bigger picture thing, anyway, says Allen Wilson, vice president of research for SecureWorks. "This isn't a security-specific issue," Wilson says. "Most corporations have evolved from the IT audit point remediation game and pure information security into more formalized risk management disciplines."