Security myths that can make you laugh… or cry

These security experts explain some of the best security myths they have heard over the years.

Security myths
Thinkstock (Thinkstock)

Not so true anymore

It is a bit like the commercials where someone insists it must be true because they read it on the internet. There are long-held beliefs that have gone unchallenged and been accepted. Then there are those who put their head in the sand with statements such as “I don’t need to protect my network, there is nothing worth stealing.”

Others think a firewall is all you need to protect your data. Ha! These security experts explain some of the best security myths they have heard over the years.


Myth: I don’t have anything worth stealing or protecting

Every organization has something worth stealing, says Josh Emde, lead security architect at BlueCat. If not the intellectual property or trade secrets, a brand reputation or trust is always at stake. Take breaches within the retail industry as an example – in addition to millions of customer credit cards being compromised, a company’s brand reputation takes a significant hit that often leads to lost sales, regulatory fines, identity theft monitoring payout and a long road to rebuilding customer loyalty.


Myth: We don’t think we can be compromised

It’s not a question of whether we will be compromised, but when. In this day and age, with nation-state hacking organizations and sophisticated, prolonged attacks, it’s impossible to stay ahead of every trend and be 100% safe. It’s important to implement safeguards, but how, and how quickly, we react to and remediate compromises is just as important.


Myth: Compliance is the same as security

Many organizations aspire to a level of compliance as a corporate goal, and they assume that being compliant with a standard brings them into a secure state. Unfortunately, compliance with a standard really just means that you have the minimal controls in place to pass an audit in a certain area; it doesn’t mean that the rest of your infrastructure is actually secure. A mature security program with robust security controls is a necessary foundation for compliance, not the other way around.


Myth: When something goes wrong, everything I need to know is in application log data

Mike Orosz, senior manager of threat and investigative services at Citrix, says a common myth is that applications and hardware are actually logging, and that if they are, the data is useful. Everyone is talking about using application log data in order to better understand security risk. Terms like “machine learning” and “heuristics” are in circulation and sound exciting. However, before anyone can dive into risk-rating user behavior, a few questions need to be answered:

  • Is there an enterprise logging policy? Is it actually implemented?
  • Are the logs aggregated and analyzed? If so, is the aggregation done in a way that allows the data to be easily used?


Myth: Enterprise security policies will automatically fix security problems

The need for security risk mitigation can often be preempted by well-implemented security policies and standards. Successfully implementing great policies relies largely on shared ownership. Since security policies should empower the teams that are held accountable, a blended policy review and approval group, comprised of stakeholders, should be at the epicenter of applying policies and standards. Lastly, as an internal control to ensure compliance and long-term success, an annual review board should review enhancements and exceptions.


Myth: “Improving policy enforcement will solve my insider-threat problem”

Insiders, by definition, know something about their targets. With this knowledge, they can gain access and exfiltrate intellectual property at an astounding rate while flying under the “known” radar, says Matt Rodgers, head of product at E8 Security. Spending time expanding policy just makes the insider’s job a bit more difficult, while tracking the insider’s behavior over long periods of time and identifying changes to that behavior can have a greater impact than policy on identifying insider threats before they walk out the door with your intellectual property.


Myth: “If I collect enough data, I’ll find all of the threats”

Collecting data in a SIEM or log manager does nothing to understand the data itself, nor the threats that the data represents. The amount of data being collected in the modern enterprise requires machines to look for changes in user and device behavior, rather than depending on analyst-created rules and thresholds, which limit themselves to “yesterday’s understanding of the world”. Detection of attacker activities, such as compromised credentials, command-and-control traffic, backdoors, and lateral movement inside the organization, can no longer be lost in the noise of volume.


Myth: Phishing is a thing of the past

Socially engineered attacks are on the rise, accounting for $2.3 billion of loss in the last three years. Often targeting employee emails, these attacks use your full name, appear to come from inside the organization, and may carry links or attachments posing as business documents like invoices, RFPs, or even corporate events. Spam filters won’t prevent targeted attacks, so there is a need to create awareness and encourage colleagues to be cautious of internal emails that contain attachments or requests for personal information, said Simon Puleo, a security expert at Micro Focus.


Myth: Two-factor authentication (2FA) with SMS provides strong security

Indeed, 2FA provides better authentication than a password alone, but not all 2FA practices are equal in the level of security they provide. While it is true that 2FA with SMS adds another layer of security, it is vulnerable to man-in-the-middle (MITM) attacks, since the generated code is transmitted over a channel that can be intercepted. In July 2016 the National Institute of Standards and Technology (NIST) issued guidance stating that organizations “Should carefully consider alternative authenticators.” A better alternative to SMS is a software token as part of a mobile app.


Myth: Attackers have a massive advantage, so we should focus on detection rather than prevention

Ryan Olson, director of the Palo Alto Networks Unit 42 threat intelligence team, mentions this myth. While there are extremely advanced attackers in the world who are skilled at penetrating defenses, the majority of security incidents are preventable with the right technology and process. The most effective security operations begin with a prevention mindset that is prepared to detect and respond to those skilled adversaries.


Myth: We found Russian code, therefore Russians attacked me

Mike Patterson, vice president of strategy at Rook Security, says two things here: First, hackers aren't stupid. They are perfectly capable of spreading false breadcrumbs to throw security teams off their trail and conceal their presence and origin. Hackers know how to get security teams to chase their tails. Second, hackers cooperate: an American can purchase malware written in Russian by a hacker living in Ukraine and work with his friends in Albania to attack a target in Turkey. An investigation that finds Russian code and immediately attributes it to Russians lets all of the parties off the hook. Don't be in a hurry to wrap up an investigation after finding a single clue; it may be part of a bigger puzzle.


Myth: Security budget assumptions will hold true

I love the optimism. While it would be great for security budgets to come in according to expectations, the reality is that organizations almost always face incident investigations and hikes in vendor contracts as networks expand and more information gets created. Budgets need to be evaluated constantly, with incident response treated as an independent line item so a single incident doesn't trigger difficult decisions across the rest of the budget. Is your organization growing, facing more attacks or adding more devices to the network? If so, don't assume costs from vendor contracts will remain flat. While it's true that some economies of scale can be had and vendors can agree to cost concessions or adjustments, failing to plan for growth creates an unnecessary, foreseeable hurdle when new contract tiers are reached and cost increases are incurred.


Myth: Firewalls and antivirus are all the security I need

Firewalls and antivirus are absolutely necessary but not sufficient to protect your data. Forty percent of all breaches were launched via the application layer. A good web app and network security program are essential to your company’s security, says Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security.


Myth: Hacking is like what they show on TV

TV shows have been depicting hacking for quite some time, and almost no show gets it right. Often the dialogue goes something like this: “We need to get into so-and-so.” “I’ll just hack the mainframe.” In reality, hacking involves a lot of trial and error, and it can take quite a while to come up with a working exploit.


Myth: Hackers all wear black and sit in darkened basements

Well, this is only partially true. There are some of these stereotypical hackers out there, but most are normal folks. A lot of hackers began their careers in other fields and just found a knack for finding vulnerabilities.


Myth: Critical vulnerabilities are relatively uncommon

According to WhiteHat’s annual web applications security statistics report, almost every single website has at least one critical vulnerability that could lead to a user or system compromise. If you own a website, you probably are open to a serious attack right now. To combat this you’ll need to implement a robust web application security program.