November 2002

5 Myths of Infosecurity

5 reasons not to put your money where your myth is.

BY Peter Tippett

Debunking infosecurity myths is not simply an intellectual exercise. Any company that buys into the following myths is expending unnecessary time and money without significantly improving its security. In tough times--or any time, for that matter--can your organization afford to spend dollars and man-hours on ineffective tools or practices?

Myth 1: Stronger end-user passwords significantly improve real-world security.

The world is flat--at least from the perspective of someone who is limited to travel on foot or horse. Similarly, for companies with only a few users, complex passwords do reduce risk. But for everyone else--those with hundreds or thousands or tens of thousands of users--the risk is staggering. If someone gets a copy of the password file and runs a cracking tool against it, the cracking tool will win, and the bad guy will gain access with the rights and privileges of a large percentage of users--no matter what your password policy is.

Significantly stronger passwords are very expensive to support, making their maintenance the single largest cost of security in organizations that go that route. Given the choice of paying for stronger passwords (or paying for most password substitutes), I can think of at least a dozen things I'd rather spend money on. Bottom line--make sure the password "file" doesn't get stolen, and be comfortable that six characters drawn from two character classes, changed two to three times per year, is enough.

Myth 2: Encrypting Internet traffic significantly reduces risk.

The facts are pretty straightforward. Millions of credit cards were defrauded, stolen or misappropriated in the past five years--but none of them by sniffed Internet traffic. None of the big five credit card companies, the FBI or other large law enforcement agencies, financial regulators or security product vendors can point to a single event in the history of the Internet where sniffing was the mechanism for credit card fraud. Collectively, these organizations do report thousands of credit card theft or fraud cases in which the mechanism was electronic: information attacks, such as hacking. And lest you think that encryption like SSL itself is the reason for this wonderful state of affairs, think again, because as of 2001, only about half of all credit card transmissions were encrypted.

Myth 3: Frequent patching of most systems is now a requirement.

From 1999 to 2001, the number of newly published electronic vulnerabilities increased from about 400 to more than 2,400. The number of patches and hot fixes grew at roughly the same rate. With the proliferation of attacks against desktops and Web servers, we've become convinced that the only viable solution is to patch everything, every time, in a hurry. However, the top 10 vulnerabilities responsible for Code Red, RDS, Nimda, most viruses and most hacking were much more easily prevented by simple configuration, registry or filter settings than by patching. And of the 50 or so "critical" patches released by Microsoft over the past year, fewer than half addressed vulnerabilities that were likely to result in an attack against anyone.

An example is the Microsoft SSL man-in-the-middle vulnerability, for which a patch was released this past August. A complex set of circumstances would have to be in place for the attacker to succeed:

1. The attacker would have to be on the same Layer 2 network;
2. an SSL session would have to be under way;
3. the attacker would have to be running a sniffer; and
4. either the PDC or the DNS server would have to be compromised.

But any attacker who has done all of this doesn't need to break SSL. He already owns your network! The patch? Oh, just update IE for all users--that's it.

Myth 4: Good protection against new worms and viruses requires daily antivirus updates.

Put good filtering rules on your e-mail gateway, set up Outlook correctly, configure a few other tweaks on desktops and browser gateways, and you'll stop 99 percent of all new desktop-bound viruses and worms. Updating frequently wouldn't work nearly as well. So, if it's costly, don't bother to update desktops more than weekly (in most cases, monthly updating is just as effective).

Myth 5: Most expensive security breaches involve theft of sensitive information.

Boo! Most security breaches cause loss of productivity, a radical increase in meetings and significant downtime.
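As an added illustration of the "good filtering rules on your e-mail gateway" point in Myth 4 (example code written for this page, not the author's), the Python below flags attachments by their final executable suffix, the kind of rule that stops a new mass-mailing worm before any signature for it exists. The extension list and the sample message are constructed assumptions, not values from the article.

```python
import email
import os
from email import policy

# Suffixes a Windows desktop of the period would execute on double-click.
# Illustrative list (an assumption), not a rule set taken from the article.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}


def is_dangerous_filename(name: str) -> bool:
    """Judge by the LAST suffix, after dropping trailing dots and spaces that
    mail clients hide, so 'report.txt.exe' and 'photo.jpg .scr' are caught."""
    _, ext = os.path.splitext(name.strip().rstrip(". ").lower())
    return ext in EXECUTABLE_EXTENSIONS


def dangerous_attachments(raw_message: bytes) -> list:
    """Return attachment names a gateway should quarantine. walk() also
    descends into nested message/rfc822 parts, so forwarded mail is covered."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()
            and is_dangerous_filename(part.get_filename())]


# Constructed sample message: one executable disguised with a double
# extension, one benign document that must pass through untouched.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
Subject: Your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="report.txt.exe"
Content-Disposition: attachment; filename="report.txt.exe"

(constructed placeholder, not a real program)
--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"

(constructed placeholder document)
--b1--
"""

if __name__ == "__main__":
    print(dangerous_attachments(SAMPLE_MESSAGE))  # ['report.txt.exe']
```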
November 2002. Copyright 2002 TechTarget.