Myth or Fact? Debunking the Biggest Information Security Myths

Wednesday, June 27, 2012

Tripwire Inc


Note: Tripwire would like to thank the author of this post, Mr. Javvad Malik, for sharing his information security expertise and for capturing the thoughts of other security professionals. Thanks @J4vv4D!

Myth [mith] - noun: An unproved or false collective belief that is used to justify a social institution.

Myths have existed throughout history in different cultures and times. Sometimes these are created by dynasties in order to pad out their history a bit to make them seem far more awesome than they actually were. In other cases, it’s just a bit of Chinese whispers and misunderstandings that lead to myths being created.

The information security industry isn’t excluded from having its own share of myths. So, I got in touch with some European security professionals to share their views on some of the biggest security myths that need busting.

1.    Product x will solve all our security problems

Steve Lord (@SteveLord) is a Principal at Mandalorian, one of the founders of 44Con, a regular speaker at many security conferences and someone who genuinely scares me with the level of technical knowledge he possesses. When I approached Steve to give his views on what he considers to be a big security myth, he responded, “The biggest security myth in my opinion is the incredibly pervasive idea that products solve problems.”

I found this rather strange coming from a person whose day job mainly involves breaking into networks and analyzing malicious code. Sensing my doubt he elaborated, “Almost all of the customers I work with will spend much more on technology than they do on people.

More often than not the spend on technology is on complex expert systems that require specialist knowledge to deploy and maintain. While it’s possible to send people on a product specific course there’s often very little knowledge sharing after the event and I’ve yet to see anywhere that pays more than lip service to retaining people a while after that investment.”

I prodded him further, asking what could be done to dispel this myth. “The only way we can improve things is to collaborate more with our peers, share stories of what worked and more importantly what didn’t. When you’re looking at buying a piece of security technology, no matter what, ask yourself whether or not you’re able to factor in the cost of gaining and maintaining the necessary know-how to get the most from it.

If you’re spending thousands of pounds rolling out software and hardware, you need to put funds and resources aside to make sure that your team and the end users can make the most with the tools available. It can save you way more than you spend if you get it right and when you do, make sure others know.”

2.    But we’re so young

Wim Remes (@WimRemes) is an ISC2 Director, an organizer of BruCon, host of Eurotrash Security and a contributor to PTES; it’s no understatement to say he is deeply involved in the security industry.

So what better person to ask about infosec myths? He started off by saying that there aren’t just myths within security, but there are myths built on myths, supported by myths.

The one myth he would particularly like to see dispelled is the notion that we are a young industry: “We are getting pretty good at fooling ourselves that we are a young industry and most of our faults and mistakes should be forgiven on that premise alone. I don’t agree with that view because, and here comes the surprise, almost everything we do, or very similar stuff, has been done before in other fields.

There is a wealth of knowledge to be soaked up and applied inside our little bubble from disciplines like law, medicine, psychology, linguistics and so many more! What I would recommend to anybody in information security is to study those disciplines and apply the awesome stuff in our own little realm. Let’s not reinvent the wheel but perfect one that already exists and make it fit our broken vehicle.”

3.    We can control our users

Quentyn Taylor (@QuentynBlog) is the CISO of Canon Europe. I thought if I included him, he’d be able to get me a nice deal on a new Canon camera. That didn’t materialize, but he did share his thoughts on what he regards as a myth: the misguided belief that one can control one’s users.

“Bring Your own Device (BYoD) really has shown that in the majority of cases one cannot control and it is far better that instead of trying to control the tide to use it for your own purpose. I.e. in BYoD losing control of the device but gaining better control of the data is a win / win scenario, the user gets what they want and infosec loses control of something that they didn’t want, the hardware asset, all the while gaining control of what is really important, the data.”

4.    Security is for techies

Neira Jones (@NeiraJones) is the Head of Barclaycard Security. She possesses a vibrant energy and enthusiasm which is infectious. I did make the assumption that, due to her current role, she would pick up on a myth surrounding compliance.

Instead she wrong-footed me by saying, “One of the common myths or misconceptions about information security is that it’s something that lives purely within the technical domain.

As a result you have security tarnished with well-worn brushes of it being too expensive, too complicated, prevents business innovation or doesn’t bring any value.”

However, according to Jones, a portion of the blame lies within the information security community itself: “the information security community has also been, in the main, guilty of perpetrating a certain mystique by relishing in the kind of techno-speak that our business colleagues will never be interested in…”

What can we do about this? Jones flashes her trademark smile before responding; well, I’m assuming she would have smiled had we not been communicating over email. “So, let’s start talking security in plain English to dispel this myth. Security should be an inherent and recognised part of any business at all levels. At the risk of being trite, it’s about People, Processes and Technology.”

5.    Code-breaking is a man’s world

Dr. Sue Black (@Dr_Black) is one of my heroes. I don’t say that lightly either: she is a one-person machine who has worked tirelessly to save Bletchley Park, and whose contributions to information security are undeniable. Anyone with their own Wikipedia page must be legit.

For this reason I was slightly apprehensive about approaching the good Doctor. What if she ignored me, what if she was rude? Thankfully, though, she’s as pleasant as she is awesome, which put me at ease but also made me envious of her, because I don’t like people who appear too perfect.

Dr. Black often encounters the myth that the code breakers at Bletchley Park were men. It is a view that even she herself may have held until she got closer to Bletchley Park through her work to save its heritage: “Through my involvement with Bletchley Park over the last few years I’ve got very excited about the fact that several of the code breakers were women.”

But she doesn’t mean a small minority of women relegated to meaningless tasks, as she continued to elaborate, “In fact, more than half of the ten thousand or more people who worked there were women. In 1941 Mavis Batey, nee Lever, cracked the Italian naval codes which led to a crucial victory for the British fleet in the Mediterranean at the Battle of Cape Matapan. She was just 19. Wow!”

6.    Mobile security is all new

David Rook, better known by his online handle @SecurityNinja, is the Application Security Lead at Realex Payments and the creator of Agnitio, an open source code security tool.

Like most people, David knows that it’s difficult to pick out one particular myth in infosec. But I kept badgering him to nail it down to one specific hot topic until he finally caved in: “I’d have to go with mobile application security right now.

There are a lot of people making this out to be a whole new, big problem whereas in reality there is nothing new. In fact I’d go as far as advising people to ask anyone who tells them mobile application security introduces lots of new problems what service or product they are trying to sell them.

When you look at the mobile app security issues that we have all tweeted, blogged and no doubt laughed about I don’t think any of them were down to something mobile specific or something we didn’t already know how to prevent or find in code.

My own research shows that all of the big mobile application security issues so far fell into one of three categories (Data Security, Authentication & Authorization and Data Access/Privacy) which we should all already be aware of and know how to prevent.”

When asked how people could become better informed on the topic he said, “I’d encourage people to use the mobile application security resources available from OWASP as these were put together by people with real world mobile application security experience. The OWASP Top 10 Mobile Risks is a good starting point whilst the ‘OWASP Top 10 mobile controls and design principles’ is a brilliant resource to help you design and develop secure mobile apps.

I said mobile application security doesn’t really introduce any new security problems so your existing application security approach and training materials can be reused with a few tweaks to include some platform specific guidance around how you implement certain security principles such as secure storage.”

7.    Email is a modern way of communication

Leon Van Der Eijk (@Lvdeijk) is a security researcher at the Dutch CERT team. His response was very Dutch, in that he got straight to the point: “The good old SMTP protocol was not prepared for 2012.”

I was a bit perplexed by his response, because as far as I could tell it was 2012, and email, which uses the SMTP protocol, is very much alive and kicking. I asked him if he was in an Amsterdam coffee shop, but only in my head. I didn’t want him to think I was stereotyping the Dutch. So I asked him, diplomatically, to elaborate, to which he said,

“It’s not that email doesn’t work, but users tend to have misguided expectations as to what can and cannot be achieved. At my day job people can get frustrated when they receive a spam email. Computers are very good with numbers; they are lousy at reading. So every once in a while a spam email gets through our defenses.”

He advises against people panicking or getting worked up about it. But people swear blind that they’ve never signed up to a mailing list, so they are perplexed by how they still end up receiving spam. Leon breaks it down like this: “The first time you send an email from a freshly generated email address, be it Gmail, Yahoo or whatever, you’ve lost track of your email address. Period! You can’t keep track of every email you send out. Machines get owned all the time and your address is exposed.”

8.    We can make it 100% secure

Renowned security researcher Robin Wood (@Digininja) has spent many hours neck deep in code, but what baffles him is that he still encounters a good number of security professionals, especially those new to the industry, who believe that all businesses can be made 100% secure, and who then get annoyed and surprised when they aren’t.

“A colleague recently commented ‘if they just put a firewall in here, here and here, it would protect everything’. I tried to explain that to put in a bunch of new firewalls isn’t that simple: it takes time to spec and then source them, an initial cost outlay to buy them, time to do the initial configuration, then ongoing maintenance.”

Aside from the technology, there are other real-world challenges they fail to take into consideration: “They also have to fend off all the business units that have their processes disrupted and cope with the change requests as those processes change. That is just one example where what seems to us, as security people, that there is a simple answer to securing a business but when you think beyond the idea of ‘just do ….’ you soon realize that it isn’t that easy.”

9.    The illusion of security

Arron Finnon (@F1nux) is a sought-after security researcher and host of the Finux Tech Weekly (FTW) security podcast. Finnon believes the real illusion of security lies in the over-reliance on technical controls to the detriment of user education.

He spoke of an incident he witnessed: “After dropping my young child off at nursery I was on the bus on my way to work, when I noticed a person outside their house lift a stone and remove a key from underneath, and then proceed to unlock the front door.

This all happened on a main road that was busy with traffic and in full sight of everyone on the bus. The very nature of the locked front door had been totally defeated; in short, this person had shown to everyone that noticed how insecure their home actually was.

Two things hit me straight away. Firstly, it seemed that I had been the only one that had noticed, and I was totally in shock. No second thought, no attempt to even hide what they were doing. Secondly, how do we begin to talk about security and its risks if the very premise of a lock and its key is ignored?

It’s a myth to think that we will ever be secure when the very people using security have no care for it functioning correctly. My only thoughts on fixing this issue in particular are that it’s a long path indeed. That in the end, security must be taught from the front doors of homes, to the telephone conversations on trains, to the very real threat of breaches that everyone works so hard to defend.”

10.    Product x is secure

Jitender Arora (@jee2uu) is a high-end security expert specializing in interim security leadership positions and leading global transformation projects. As he is a regular speaker at conferences, I knew the best chance I had to grab a few minutes of his time was to ambush him paparazzi-style after a talk.

After a long Q&A session he came down the corridor and I seized my opportunity to put the question to him, and in his typical style he didn’t miss a beat before answering: “Myths change every day. People don’t learn from previous mistakes. The biggest myth I’m facing these days is where users are coming to me believing that IOS is secure. A few years ago there were people claiming open source is secure and before that having a firewall would make you secure. It doesn’t work like that, nothing is simply secure.”

11.    We’re not worth attacking

Brian Honan (@BrianHonan) is a globally respected security professional, CEO of BH Consulting and founder of the Irish Reporting and Information Security Service (IRISSCERT), which is Ireland’s first Computer Security Incident Response Team (CSIRT).

Having worked with many organizations of different sizes, Brian pointed out that one of the most common myths he hears from companies is a variation on, “We are too small/have no interesting data/don’t store credit cards for criminals to be interested in attacking us.”

“But surely logic would dictate that smaller companies are generally less targeted,” I said, checking to see if his story would hold up to a bit of scrutiny. “I mean, if I were to attack a company, I’d make it worth my while and attack someone big rather than Granny’s sweet shop.”

With his usual charm, Brian shrugged off my feeble heckle and gave more details: “Companies need to realize that all data has value and as such criminals are interested in that data. Also they need to use computer resources like everybody else but rather than pay for their own computers and bandwidth they would rather use yours for their own nefarious means. So criminals are interested in you no matter how small or how little data you have. They are interested in your bandwidth which they can use to attack other systems or to send spam, they are interested in your computers which they can also use to infect other systems, attack other systems and to send out spam, they are interested in your storage so they can store their own material be that child abuse material, stolen sensitive data or other criminal material and they are interested in your webserver which they can use to host phishing sites, share their illegal material or to spread malware by infecting unsuspecting users to your site.”

12.    Information security equals IT security (information security is something new)

Kai Roer (@KaiRoer) of the Roer Group, security expert, author and truck driver, is one of the most positive people you’ll ever meet. He is the type of guy who has an answer for almost any question you pose to him, so it was natural he’d be on my hit list of security professionals to contact about myths. He was quick to respond that a common myth held by many is that information security equals IT security.

He says, “Information Security is the holistic view of how you value, use, store and protect information in general, within any organization, large or small. Whereas IT-security is a part within Information Security (you would use IT-security to secure information stored, transported or treated by information technology/ICT), there is more to Information Security. Information Security also includes information, systems and knowledge that does not use ICT. Some examples include physical security, safety, compliance and business decisions like mergers & acquisitions, to name some.”

Although this is a very valid observation, I asked Roer for another myth with more “teeth”. I’m not sure how that question translated across email, but he kindly responded with his thoughts on another myth: that people think information security is something new. “Somehow, it seems like many people I talk to believe information security is new, like the new kid on the block.

They seem to think it came with the Internet and the first firewall. They are wrong of course (see previous myth) since they mistake infosec for IT-sec. Some are smarter, and consider the Enigma crypto machine to be an early example of information security. Again, they are wrong. Not only decades off, we are talking millennia off target.

Consider people like Da Vinci, who constructed the mechanical, encoded papyrus transporter, a device that would destroy the message if the container were forced open. That was 500 years ago. Go back to Julius Caesar, who as far as I know was one of the very first to encrypt his messages to his legions. These are only two examples of information security – long before IT, computers and high-tech.”

13.    Your company is secure because you haven’t been hacked yet.

Chris John Riley (@chrisjohnriley) is a security researcher and co-host of the Eurotrash Security Podcast.

When talking to companies, this is something you unfortunately get used to hearing at one point or another.

The mistaken belief that a company is secure simply because it has yet to be hacked is predicated on the assumption that the company’s security monitoring and alerting are sufficient to raise the red flag when an attack does occur.

If the statistics are anything to go by, then this is definitely not the case. According to the 2012 DBIR report, 92% of companies were informed of intrusions by a third party. Even if your company’s logging and correlation are state of the art, without somebody trained to monitor, tune and react to alerts, they’re only useful in the forensic analysis of why your company failed to detect your secret formula walking out the door.

14.    People are your greatest weakness

I approached Thom Langford (@TandTSEC), who is the Director of Global Security at Sapient, for his view on security myths. Thom always has some great opinions and he started to list myths quicker than I could type. Eventually, after much back and forth, Thom stated, “people are your greatest weakness.”

To which I responded, “I know that Thom, I think most people know that. What’s the myth?” Clearly I had missed the point, so Thom explained, “This is always touted as the big weakness in an organization and one that should always be plugged through training and awareness. I rarely if ever see the opposite, namely that people are your greatest strength and advocates.

The problem I think is that the “people” are too often seen as the problem, i.e. they don’t do x, y or z to ensure the security of an organization. This needs to be turned on its head, as most people really do “get” security when it is both put in terms they understand and meets their goals… and THAT is the part most infosec professionals don’t get.

Security controls can’t be forced onto people, as they will be rejected when they don’t help people meet their organizational goals; collaborate, involve and discuss the goals of security with your people, and while you may not come up with the perfect control (if there is such a thing), it will be more adopted, more understood and widely praised as being in the interests of all in meeting the goals of the organization.

With this approach you turn your people from your greatest weakness to your greatest assets and advocates for information security.”

15.    Security decreases usability


Cross-posted from Tripwire's State of Security

Ian Tibble: Good points here.

On some points, like 4 for example. True, security is not entirely for techies. But then it’s also not entirely for MBAs and economists - as in Shostack and Stewart’s book there is a chapter titled “amateurs study cryptology, professionals study economics”, which is nonsense.

It suits the agenda of many in the field to claim that security is actually not even slightly an IT-related field...but I don’t believe many of those who make this claim really believe their own assertions. This premise about security being 100% about management and processes - it’s running out of legs as of 2012.

Primarily security at analyst level is pure tech. Then managers should graduate from analyst positions, and be able to speak the same language as those who understand how the business works in terms of the mapping of apps and information assets to and stuff. This doesn't need an economist. It needs someone who can talk to economists and possess a thimble full of common sense.

Point 2.."we're so young". I had a chuckle when I read this. I occasionally use this premise myself to take the edge off some of my critiques and snarks, usually something to do with CASEs (checklist and standards evangelists).

I would add to the list:
- We need a global, big incidents orifice/database in order to prove the existence of a threat and justify safeguards spending. Arrrggghhh. No we [censored] do not. We need management to trust us. That's what we need. Digging up incidents data has the opposite effect of enabling trust.

- C-levels are to blame for all our problems. Negative, no, etc. Security professionals are to blame.

- Vulnerability assessment can be automated. Did you hear that sound? that's the sound of your crown jewels being sucked up your uplink.

- Security analysis can be Teflon’ed off to ops.

- Cloud is new

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
