NCSAM: Security myths that you should knowby Steve Ragan - Oct 4 2008, 15:22
A look at some of the larger myths related to security.(IMG:J.Anderson)
Security, as mentioned, is a mental game, as well as one that uses tools and software. Yet, misconceptions regarding security can do more harm than good. Here is a brief list of security related myths, as a part of The Tech Herald’s series supporting the NCSAM initiative.
Myth: I use Brand X Internet Security 2008/2009, so I am protected from online threats.
Fact: No, you are not covered. New threats emerge every hour of every day. This may seem like hype, but ask the experts, and they agree. While security vendors fight for the number one spot in both the consumer and corporate markets, they all agree that new threats come out of nowhere, and strike fast.
Just because you use an all-in-one security product does not mean you are 100 percent covered. No single product will protect you from everything. Sure vendors are attempting to do just that, but none of them can claim 100 percent coverage 100 percent of the time.
This is why you layer security. While using Brand X Internet Security, add in other protections such as SpyBot S&D to help catch more Spyware and Adware.
Myth: My security software automatically updates. I don’t need to worry about updating things on my computer.
Fact: Oh yes you do! If there is software on your computer, you need to check the vendor once a month to see if there are updates. Some will offer automatic updates, but only if you enable the process and allow the software to manage updates on its own.
Do you use Winamp? Have you updated it recently? What about iTunes? Is that updated? When was the last time you installed something from Microsoft or Windows Update? Microsoft releases monthly security patches, and Brand X Internet Security will not monitor them. (One security vendor will monitor Microsoft patches if the option is enabled in their 2009 offering. However, this is not a common feature and should not be assumed.)
Myth: Brand X Internet Security 2008/2009 scans in real time, so there is no need to run manual or automatic scans.
Fact: The real time scanning does not protect the entire system. This is because Malware appears so suddenly that AV signatures, including cloud computing based protection, will still take time to update themselves. Real time monitoring is a great asset to any AV program, but it is not intended to be the only means of detection and removal used.
No AV vendor will tell you to stop scheduled scans or manual ones. If they do, they lie. You need to schedule scans to detect Malware that may have appeared after the last signature or cloud update. The scheduled scans for some of the latest AV products currently in the lab here at The Tech Herald scan constantly in the background, on top of the coverage offered by real time monitoring.
Cloud computing based protection is near instant in some cases, but before the cloud releases an update, there has to have been a detection or a compromise on some level to trigger the protection. Also, cloud based offerings still on some levels use signature based methods of discovery, this is to ensure that scheduled scans are comprehensive and cover all the bases.
Myth: Hackers would not want anything on my computer. There is no sensitive information on my computer. This is just a monitoring station; it’s not critical equipment, so it needs only minor patching.
Fact: This myth deals with issues in business. Moreover, the same mentality will apply to normal computer operators as well. Your computer is a tool. In business it is a tool to get work assignments completed, manage operations, and control a network.
Criminals see your computer as a tool as well. For example, that monitoring station with little to no security measures is connected to the network. Once compromised, the entire network is at risk. How long do you think it would take before someone uses it to launch DNS poisoning attacks, redirecting Internet traffic for the whole company?
How long before that unsecured computer, with no sensitive information or anything of value, is used by a criminal to launch a Denial of Service attack, because they infected it and attached it to a botnet?
Here is something to consider, the external FTP is just for development people to dump files and run. It’s cleaned up weekly. No big deal, if there are missing patches on it, its wiped anyway. (This is a real life example.)
How long before the FTP application is compromised because of known vulnerabilities and the FTP server used to host Phishing sites, Malware or pirated files? Have you noticed the shrinking amount of disk space on that FTP server? Was the FTP server linked to the corporate network? If so, could the network be compromised?
Assuming that criminals have no interest in your computers, information or other assets is like assuming that if you close your eyes, you become invisible.
You have to patch each system on the network or in your house, no matter its use. If it is connected to the Internet or a corporate network, it needs updated often.
See also : NCSAM: The mental blocks of security
Myth: Regulatory compliance covers 100 percent of the security needs for most organizations
Fact: This comes from the recent Gartner IT Summit. Compliance will help a company with security, but it is not to be confused with security. While true, following most compliance laws to the letter will prevent some types of crime and risk, it does not stop them all.
Just because your company passed a PCI audit, does not ensure that it is protected from software vulnerabilities, or other security issues such as insider threats. There is no PCI enforcement, for example, that requires IT training within a company. None of the regulations you frequently read about require a company to train the IT staff for anything, let alone security.
Myth: The URL has HTTPS in the name, so it must be completely safe
Fact: The short answer to this myth is a single word, wrong. Just because a URL has HTTPS (where S means secure) does not mean that site is free from malicious code that was injected.
Any website can have an HTTPS URL. The owner, either criminal or legitimate, simply needs to install a self signed certificate or purchase one for penny’s on the dollar.
Assuming that because you see https:// in a Web site address that means instant security is risky.
Is there a myth you want to correct? Is there a security “fact” you want to check? Leave us a comment and let us know, or email the security address here on the site.