The Four Most Dangerous Security Myths

Network security is all about nightmares. As organizations have become increasingly dependent on their networks and the Internet to provide that essential link of data, capital and business intelligence, they have also opened themselves up to potential risk – potentially immense risks.

The litany of companies that have been burned by hackers, worms, viruses and simple human error has made organizations wary of the perils of the networked economy. There's so much out there in the digital ether that can jump up and bite you. On the other hand, says Justin Peltier, a senior security consultant with Peltier Associates and leader of Web hacking seminars for the Computer Security Institute, there are also a lot of myths out there.

"Network security has a particularly affinity for myths," he says. "It's hard to change an opinion once it's made, and a lot of IT and security professionals have based their opinions on received wisdom. They've heard about security risks, but they haven't tried it for themselves. Some of these opinions might have been based on reality but are no longer valid, and some is just based on what we've been told."

What they've been told is often only partly true, if at all, he says. It's often based on misconceptions and preconceptions. These myths can lull organizations into a false sense of security or distract them from the real business at hand. Either way, they are legion, though Peltier says that any organization serious about security can address the handful the biggest and most egregious myths through a combination of experience and common sense.

"If you look at most other disciplines, you see facts and statistics to back things up," he says. "That's not always true about security. It's not enough to just hear about something, you have to check it out for yourself."To help you separate truth from fiction, here are four of the most dangerous security myths.

1. Patches always fix the security hole: Peltier is particularly troubled by the complacency he sees surrounding patching. "An awful lot of people think that, once you've applied a security patch, you'll be okay," he says. "That just isn't true. Sometimes it works, sometimes it moves the vulnerability somewhere else, and sometimes it creates a new hole."

Above all, patches only address published exploits and just because the hole hasn't been published doesn’t mean it isn't there. The problem is that networking is based on technologies developed in an earlier, more innocent time, and many of the biggest vulnerabilities are inherent flaws in the architecture of TCP/IP. Network miscreants are probing networks right now, looking for weaknesses, and there is "almost inevitably" a lag between what they know and what vendors and security professionals know.

"You need to find the holes before the bad guys do," he says. "Most people think defensively, but you have to think offensively. It's jujitsu."

The bottom line is that the only thing that will improve the situation is a new architecture -- specifically IPv6. Peltier expects that wholesale migration to the new version of TCP/IP will be motivated by an inevitable wave of distributed denial of service attacks, "and that's a good thing. Organizations have to start to plan for migration now."2. SSL is secure: Secure sockets layer (SSL) encryption has become so ubiquitous that the last thing anyone wants to hear is that it's fundamentally insecure, but Peltier says that our faith is unfounded. "No one is getting burned yet, but they will be," he says. "You see the lock icon, and you assume you're safe -- but you're not."

The problem is that it's a negotiated security standard with two major flaws, both of which can be exploited by man-in-the-middle attacks. "The first thing is that SSL depends on a negotiated certificate, but when there is a problem in the negotiation, the only thing that happens is that an alert window pops up. SSL hijacking is so easy because of the implicit trust we have in the digital certificate."

The other problem is that SSL still supports export-grade 40-bit encryption. The SSL transaction will negotiate down to the lowest common level, Peltier says. "That's a big problem," he says. "Security people don't get into SSL because they think it's a Web thing. But it can open up the network, so it's really a network thing."

3. Theoretical vulnerabilities don't pose a danger: There are, Peltier says, any number of vulnerabilities that are theoretically known, "but can't yet be proven through proof of concept code." The operative term, of course, is "yet," and even though door hasn't been pried open, doesn't mean it won't be.

The problem is that you never know. "Vendors will often ignore theoretical vulnerabilities until they become a really high profile thing." Peltier says. "The best known one recently was the Windows password hashes vulnerability."

Because it's impossible to say when a theoretical flaw will become an exploit, Peltier says that organizations can't wait for vendors to notify them of vulnerabilities. A complete security plan should include keeping tabs on what the hacker and security research community is talking about."These things don't come out of left field," he says. "There's always a warning. There are always people jumping up and down saying 'there's a hole here, there's a hole here,' when someone discovers an exploit. If you don't stay on top of this stuff, you're going to take six times as long to fix the vulnerability because you won't know what part of your anatomy to cover with your hand."

4. Wireless networks are inherently insecure: Wireless networking gets a bad rap. The conventional wisdom holds that Wi-Fi is inherently less secure than wired networks because in its early days, Peltier concedes, the Wired Equivalency Privacy (WEP) protocol had more security holes than Swiss cheese. The point, however, is that wireless security has gone far beyond WEP; users just have to enable these security features.

"Properly configures, wireless is actually much more secure than wired networking," he says. "Proper configuration is everything, of course, and you have to turn on WPA (Wi-Fi Protected Access) shared key security, but it's not exactly difficult. You just have to select the option from a drop-down menu."

With the Institute of Electrical and Electronics Engineers (IEEE) 802.11i wireless security specification finalized and products already shipping, Peltier hopes that Wi-Fi's bad rap will be laid to rest. "So many people have been brainwashed to believe that wireless is insecure, though," he muses.