10 Security Myths That Need To Be Put To Rest

One of the nice things about security is that there’s a lot of information out there. In fact, just about everyone has a favorite theory, a pet practice, or even a set of guidelines that will tell you what to do to be safe.

Problem is, not all of those practices will really improve security in your enterprise, and some may even make things worse.

Still, the beliefs about security perpetuate themselves through companies and agencies. They’re viewed as gospel, and in many cases repeated from one expert to another. Most of the time those beliefs – good and bad – are never really put to the test. We just believe them because we’ve heard it all so often. In the process, these security beliefs have become myths.

So when Judy asked me to write about the top 10 security myths, the first thing I had to do is ask around to see what people believed.

There were some doozies out there, but the myths I’m listing here seem to be fairly common. No doubt you’ll have some of your own. You’re welcome to send them to me, email: [email protected], and maybe we can have another list in a future column.1. You don’t need personal firewalls if you have a firewall between your enterprise and the Internet.
This belief is quite common in corporate IT departments, but it’s not true. While you should have a firewall between your network and the outside world, it only protects against external threats. You also need a personal firewall to protect against internal threats, including disgruntled employees, people who bring in worms and viruses from home, and people who get caught in phishing attempts.

2. OK, but I still only need one big hardware firewall on my enterprise network, right?
Actually, no. You probably need several. For example, it’s unlikely that your VoIP traffic goes out through the main corporate connection to the Internet, but you need one there. In addition, you need a firewall between your enterprise users and portions of the network containing sensitive data, or that carries sensitive traffic. For example, your HR department and your finance department should have a firewall between their portions of the network and the rest of the enterprise to protect against curious employees or people who may gain access to your network from outside.

3. To be really secure, I need complex passwords that are changed very frequently.
There’s no doubt that a password that consists of sixteen random characters (for example: cX-1rT&d+n7S6tU!) will be hard to guess. But it will also be impossible to remember. This means that such a password will certainly be written down, either on a PostIt Note stuck to the computer, or perhaps in a text file so it can be cut and pasted into the password window. As you can imagine, it's not a very secure strategy to take. A better approach is using something that’s easier to remember, but not obvious. This means that your mother’s middle name should be fine, but using “password” isn’t. For most companies, password guessing is less of a threat than people leaving their passwords lying around in the open.

4. Anti-virus software on each computer is enough, so I don’t also need spyware detection or AV protection on my e-mail server.
Anti-virus software on every client, provided it’s kept up to date religiously and provided that you make sure it stays installed, is a good start. But unless you’re certain that your AV protection will always catch every virus, even on its first day, it pays to have multiple layers of protection, and checking your incoming e-mail with a product such as GFI’s Mail Security is a good way to start. Likewise, AV software doesn’t always detect spyware. And of course, there’s all that spam, and AV software doesn’t protect against that at all.

5. Spam may be annoying, but it’s not a security threat.
This depends on the spam, and on what you consider a security threat. Some spam contains a payload of worms, viruses or other malware or phishing content. In addition, some comes with content that can get you sued if you don’t attempt to stop it, such as graphical ads for porn sites. And even if none of that happens it can bog down your network, fill up your servers and suck up your bandwidth.6. My wireless network is secure as long as encryption is turned on.
Encryption, even the outmoded WEP encryption that comes with 802.11b, is certainly better than nothing. But unless you’ve changed to the much more secure WPA encryption, turned off SSID broadcasts from your access points, and required an authenticated logon for wireless users, you’re still vulnerable.

7. Moving to biometrics will make my network more secure.
Perhaps. Biometric readers are a popular new feature for corporate and high-end consumer users. The idea is that you can use your fingerprint instead of a password. After all, everyone’s fingerprints are unique, right? That part is true – the unique nature of individual fingerprints is well proven. Unfortunately, affordable biometric devices are not overly reliable, fingerprint readers on laptops and keyboards are rife with false negatives, and there’s always the problem if having a Band-Aid on your finger. This means that you’ll have to set up an alternate means of getting access to a device using biometrics, and that means you’re back to passwords. Of course, there are biometric readers that are quite good, but almost no company can afford those for use on every desktop and laptop computer.

8. Full-disk encryption on workstations and laptops will protect my data against unauthorized access.
Probably not. Most full-disk encryption software only protects computers that happen to be turned off at the time. When they’re turned on, everything is automatically decrypted when read, and delivered to anyone with access to the computer. If you’re afraid of your laptop being stolen, full disk encryption will keep the data from being read as long as it’s stolen while turned off. But it probably won’t protect at all against someone logging in to your computer remotely while it’s attached to the network.

9. I can change to Linux for everything and be more secure.
It’s true that there are fewer viruses and worms aimed at Linux, but if you take a look at the SANS Institute / FBI top 20 vulnerability list, you’ll see that the problems of Linux and Windows are about equal. And the prime cause for security problems – complacency – is the same for both operating systems. There’s no security edge there.

10. My best security investment is in training.
This one happens to be true. Unless your users and administrators are properly trained, and that training kept up to date, your other efforts are diminished if not simply wasted. After all, you’re a lot better off if people remember not to open attachments than you are if you have to launch an AV program because someone did open something bad that came in the mail. But for your users to know this, they must be trained.0