Enterprises rely on some security products too much while counting on others too little. One product category that companies place too much faith in is encryption, which has vulnerabilities of its own. The infamous Heartbleed vulnerability in the OpenSSL web encryption library is one example.

Enterprises should assess their information security stance in light of the vulnerabilities that have actually given attackers a foothold and led to costly breaches, whether at their own organization or at their peers. Where an off-kilter reliance on some security products is the crack in these defenses, look for a more effective combination of tools. Don’t ignore tools that are effective yet limit some usability. Security products that enable a lot of usability while masking danger are among those that we do, and will continue to, count on too much.

Security products that dash hopes and promises

Enterprises have high hopes for security products that will let us down due to native security holes and shortcomings. A number of encryption technologies such as OpenSSL have sprouted gaping security holes, like Heartbleed, enabling attackers to leverage the vulnerability and circumvent the protection. “That’s like having a really good lock on your house and then realizing that they can just jimmy the door off of the hinges,” says Walter O’Brien, cybersecurity expert, founder and CEO at Scorpion Computer Services.
(Note: Walter O’Brien is the genius coder with hacker handle Scorpion, whose firm is the basis for the CBS TV drama “”.)

The MIKEY-SAKKE VoIP call encryption protocol created by the UK intelligence agency GCHQ has a backdoor, immediately making it a penetrable form of encryption.

Both Dutch and Canadian law enforcement claim to have retrieved encrypted email information from special PGP/military-grade-encrypted BlackBerry devices, calling that encryption into question.

VPN encryption protects data in transit between laptops and enterprise networks. But if the laptop is already infected and controlled by an attacker, that connectivity is now a tool for that attacker for the length of the connection time, enabling him to gain control of the network machine on the other end and launch further attacks from there, according to Andrew Ginter, co-chair of the ISA SP-99 Working Group 1, which is revising the SP-99 report on cyber security technologies.

Smart firewalls are another tool that offers less protection than people estimate. “People upgrade to a smart firewall and they think great, now we’re completely safe. Then they find out that application security, database security, and source code security have been completely neglected,” says O’Brien.

Often it’s not the type of tool but the preponderance of state-of-the-art products, such as those for pen testing, network monitoring and anomaly reporting, that leads enterprises to check the proverbial box, marking information security as ‘problem solved’. “People get lulled into a false sense of security because they see that their tools run 22,000 SQL injection tests over a given period and they believe they’re safe. Those tests are often just variants on tests that have been around for 10 to 20 years. They’re not cutting edge methodology,” says O’Brien.
Dated tests won’t tell you whether you’re vulnerable to something that’s based on altogether new code.

Enterprises shouldn’t expect so little of these products and approaches

Enterprises should inventory, update, and clarify the locations, potential locations (cloud), paths (data paths, transmissions), vulnerabilities, and ingress and egress points of their most prized data. They should rally information security technologies that defend all of these against potential, unacceptable losses.

Companies should consider combining AI-enabled (artificially intelligent) security products such as Scorpion Computer Services’ ScenGen (other intelligent security products include examples from Lancope and AlienVault) with products that establish exhaustive baselines such as Scorpion Computer Services’ Normalizer (other baseline security products include Magna from LightCyber). Adding these into the mix with other effective products, perhaps replacing similar products that don’t measure up, should sharpen an organization’s edge against intruders, helping it to better test for vulnerabilities and flag behavioral inconsistencies.

The best weapon against attackers is only as effective as the warrior who wields it. Even the best warrior can do nothing if his hands are tied. “Whoever is reading the alerts has to have the authority to take action immediately, to shut down a department, take away someone’s permissions, or have someone arrested. If all he can do is report it at the end of the quarter, it’s kind of pointless,” says O’Brien.

Some protections work without additional effort from security warriors, much like a brick wall does. Organizations should consider using approaches that are natively secure due to the fundamental way that the technology works.
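To make the “establish a baseline, then flag behavioral inconsistencies” idea concrete, here is an added illustration in Python. It is not code from Scorpion, LightCyber or any vendor named above; it builds a per-user baseline (usual source /24 networks, usual login hours, usual daily login volume) from a constructed training window of log lines, then reports later events that fall outside that baseline. The log format, the user names and the IP addresses are all constructed for the example.

```python
"""Baseline-and-deviation detection over constructed authentication logs.

Added illustration, not any product's code. Training lines define what is
normal for each user; detection reports events that deviate from it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import statistics

# Constructed sample log lines: "<timestamp> user=<name> src=<ip> action=<verb>"
TRAINING = [
    "2024-01-08T08:55 user=alice src=10.1.4.12 action=login",
    "2024-01-08T13:10 user=alice src=10.1.4.12 action=login",
    "2024-01-09T09:02 user=alice src=10.1.4.40 action=login",
    "2024-01-09T14:30 user=alice src=10.1.4.40 action=login",
    "2024-01-10T08:47 user=alice src=10.1.4.12 action=login",
    "2024-01-10T12:05 user=alice src=10.1.4.12 action=login",
    "2024-01-08T09:15 user=bob src=10.1.7.200 action=login",
    "2024-01-09T09:20 user=bob src=10.1.7.200 action=login",
    "2024-01-10T09:05 user=bob src=10.1.7.200 action=login",
]

# Constructed events from the day after the training window.
NEW_EVENTS = [
    "2024-01-11T09:00 user=alice src=10.1.4.12 action=login",   # normal
    "2024-01-11T03:12 user=bob src=203.0.113.9 action=login",   # new network, odd hour
    "2024-01-11T09:30 user=bob src=10.1.7.200 action=login",    # second login; bob never had two in a day
    "2024-01-11T10:00 user=carol src=10.1.4.99 action=login",   # nobody has baselined carol
]


@dataclass
class Baseline:
    networks: set = field(default_factory=set)   # /24 networks the user logged in from
    hours: set = field(default_factory=set)      # hours of day seen for the user
    daily_counts: list = field(default_factory=list)  # logins per observed day


def parse(line: str) -> dict:
    """Split one log line into its timestamp and key=value fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": ts, "day": ts[:10], "hour": int(ts[11:13]),
            "user": fields["user"], "src": fields["src"], "action": fields["action"]}


def net24(ip: str) -> str:
    """Collapse a source address to its /24 so DHCP churn inside an office does not alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baselines(lines) -> dict:
    """Learn per-user networks, hours and daily volumes from the training window."""
    baselines = defaultdict(Baseline)
    per_day = defaultdict(int)
    for ev in map(parse, lines):
        b = baselines[ev["user"]]
        b.networks.add(net24(ev["src"]))
        b.hours.add(ev["hour"])
        per_day[(ev["user"], ev["day"])] += 1
    for (user, _day), n in per_day.items():
        baselines[user].daily_counts.append(n)
    return dict(baselines)


def volume_limit(counts: list) -> float:
    """Daily logins above mean + 3 sigma (never below the largest day seen) count as deviant."""
    spread = statistics.pstdev(counts) if len(counts) > 1 else 0.0
    return max(max(counts), statistics.fmean(counts) + 3 * spread)


def detect(baselines: dict, lines) -> list:
    """Return (timestamp, user, reason) triples for every event that breaks its baseline."""
    findings = []
    per_day = defaultdict(int)
    for ev in map(parse, lines):
        b = baselines.get(ev["user"])
        if b is None:
            findings.append((ev["ts"], ev["user"], "user has no baseline"))
            continue
        reasons = []
        if net24(ev["src"]) not in b.networks:
            reasons.append("new source network " + net24(ev["src"]))
        if ev["hour"] not in b.hours:
            reasons.append(f"unusual hour {ev['hour']:02d}")
        key = (ev["user"], ev["day"])
        per_day[key] += 1
        limit = volume_limit(b.daily_counts)
        if per_day[key] > limit:
            reasons.append(f"daily volume {per_day[key]} exceeds baseline limit {limit:g}")
        findings.extend((ev["ts"], ev["user"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect(build_baselines(TRAINING), NEW_EVENTS):
        print(ts, user, reason)
```

The point this adds to the paragraph above is that a baseline is only as good as its training window: bob’s three identical days give a daily-volume limit of one, so his second login is flagged, while alice’s two-a-day habit makes the same event unremarkable for her. A real deployment would keep learning, but the deviation logic is the same.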
“My favorite is unidirectional communications, using unidirectional gateways that permit information to move only in one direction,” says Ginter.

Power plants on the power grid use these to protect their safety systems from external attack. IT can use unidirectional gateways to remotely monitor the network while preventing data from returning inside the perimeter. “The most sensitive of IT networks use unidirectional gateways,” says Ginter.

This flies in the face of two-way data traffic that allows transmissions into the network from remote workers who want to do all the same things they can do at the office. We’ve established that VPNs and firewalls are far from foolproof. Any business that could die from even once losing control to an attacker cannot afford to hand out remote, two-way communication with sensitive, vulnerable systems.
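The design consequence of a one-way gateway is easy to miss: because nothing can flow back, the monitoring side can never acknowledge a frame or ask for a retransmit, so the protected side has to number, checksum and repeat what it sends, and the receiver has to deduplicate and notice gaps on its own. The following added Python simulation (not any gateway vendor’s code) shows that pattern. The Diode, Sender and Receiver classes, the sensor readings and the loss pattern are all constructed for the example; the receiver object is given only the receive end of the link, so it has no code path by which to send anything toward the protected side.

```python
"""One-way (data-diode style) monitoring feed, simulated in Python.

Added illustration, not a product's code. Frames go from the protected side
to the monitoring side only; there is no ACK and no retransmit request.
"""
import hashlib
import json
from collections import deque

REPEAT = 2          # copies of each frame pushed through the one-way link
DIGEST_LEN = 16     # hex chars of SHA-256 kept as the per-frame integrity check


class Diode:
    """Simulated unidirectional link: bytes go in one end and come out the other."""

    def __init__(self):
        self._queue = deque()

    def tx(self, frame: bytes) -> None:        # handed only to the protected side
        self._queue.append(frame)

    def rx(self):                              # handed only to the monitoring side
        while self._queue:
            yield self._queue.popleft()

    def impair(self, drop=(), corrupt=()):
        """Model link loss: drop frames at the given indexes, flip a byte in others."""
        frames = list(self._queue)
        for i in corrupt:
            frames[i] = frames[i][:-1] + bytes([frames[i][-1] ^ 0x01])
        self._queue = deque(f for i, f in enumerate(frames) if i not in drop)


class Sender:
    """Protected side: numbers, checksums and repeats every reading. It cannot receive."""

    def __init__(self, diode: Diode):
        self._tx = diode.tx        # transmit end only
        self._seq = 0

    def publish(self, reading: dict) -> int:
        self._seq += 1
        body = json.dumps({"seq": self._seq, "data": reading}, sort_keys=True).encode()
        digest = hashlib.sha256(body).hexdigest()[:DIGEST_LEN].encode()
        frame = digest + b"|" + body
        for _ in range(REPEAT):               # repetition stands in for retransmission
            self._tx(frame)
        return self._seq


class Receiver:
    """Monitoring side: verifies, deduplicates and reports gaps. It cannot send."""

    def __init__(self, diode: Diode):
        self._rx = diode.rx        # receive end only
        self.readings = {}         # seq -> reading
        self.corrupt = 0

    def collect(self) -> dict:
        for frame in self._rx():
            digest, _, body = frame.partition(b"|")
            if hashlib.sha256(body).hexdigest()[:DIGEST_LEN].encode() != digest:
                self.corrupt += 1             # damaged copy; the other copy may still arrive
                continue
            msg = json.loads(body)
            self.readings.setdefault(msg["seq"], msg["data"])   # ignore duplicate copies
        return self.readings

    def gaps(self) -> list:
        """Sequence numbers for which every copy was lost; operators must be told, not asked."""
        if not self.readings:
            return []
        return [s for s in range(1, max(self.readings) + 1) if s not in self.readings]


def run_demo() -> dict:
    """Push four constructed readings through an impaired link and summarize what arrived."""
    diode = Diode()
    sender, receiver = Sender(diode), Receiver(diode)
    for temp in (71.2, 71.4, 73.9, 74.1):      # constructed turbine bearing temperatures
        sender.publish({"sensor": "bearing-temp", "value": temp})
    # Frames are queued as seq1,seq1,seq2,seq2,seq3,seq3,seq4,seq4 (indexes 0..7).
    # Lose both copies of seq 2, one copy of seq 3, and damage one copy of seq 4.
    diode.impair(drop=(2, 3, 4), corrupt=(6,))
    readings = receiver.collect()
    return {"delivered": sorted(readings), "gaps": receiver.gaps(),
            "corrupt": receiver.corrupt, "can_send_back": hasattr(receiver, "_tx")}


if __name__ == "__main__":
    print(run_demo())
```

Two copies survive a single loss or a single corrupted frame, but losing every copy of a reading becomes a gap the receiver can only report, which is exactly the trade the article describes: the monitoring network learns what the protected side chose to publish and nothing more.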