Courtesy of Secure Enterprise
Merriam-Webster defines a myth as a popular belief or tradition that has grown up around something or someone but is often unverifiable. When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security.
Why do such beliefs persist? The answer is that we don't challenge new and existing ideas enough. We must test and evaluate the validity of new security concepts, so the good ones can become standards. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.
MYTH #1: Organizations are more secure now than they were a year ago. Although limited resources have forced some organizations to neglect security issues, most companies have initiated the necessary steps to safeguard their company assets. Information security has moved from a business cost to a business enabler—allowing for better business decisions that help organizations grow and see firsthand how strategic decisions may unfold. However, any complacent attitudes should be checked at the door. New threats and technologies are constantly and rapidly changing the network landscape. System administrators must scan the network continually for known security weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Letting this last step slide is a recipe for disaster. Business processes defined a year ago may not match the organization's current needs.
MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data. Governmental regulations, such as HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, contain information security components in their guidelines. But with or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means a loss in consumer confidence, which results in lost revenue and government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking governmental regulations mean data is protected and that companies themselves won't violate a regulation.
Case in point: When BJ's Wholesale Club's network was compromised and thousands of their customers' credit card numbers were stolen from a BJ's database, many believed the retailer had violated MasterCard's and Visa's regulations by storing account and customer information. The same held true for CardSystems, which may have violated MasterCard's regulations by not only retaining credit card information but failing to encrypt the data. Organizations must proactively fashion a philosophy that combines network security with an acceptable level of compliance.
MYTH #3: External consultants know more about information security than in-house personnel do. People believe consultants—whether they work for a consulting firm or independently—have tools and advanced training that's lacking internally. But that's not always true. Before hiring an outside consultant, be sure you haven't overlooked your staff. Network and system administrators often make good full-time security personnel because they handle security problems as part of their daily duties. You might find you already have the required skills in-house—all that's needed is some training classes. Training in-house personnel demonstrates your commitment to providing employees growth and career opportunities.
Consider using an outside consultant on an as-needed basis to provide additional support to existing staff—in other words, to supplement the skills of your staff. If you decide to bring in outside services, thoroughly validate the consultant's qualifications and experience. Be sure to check references. Memberships in professional organizations and certifications are helpful, although some certifications are more useful than others. Outside consultants can provide a good business partnership even beyond the services outlined in a contract. Having an internal contact person well-placed within the organization can help foster a better working partnership and help the staff view the consultant as a valuable team member.
MYTH #4: Information security must be managed as a separate business unit to be effective. At first glance, you may think keeping information security people together in one department is a good idea. After all, infosec professionals all speak the same language and deal with similar concerns. However, a single security group would have to deal with all the business units that have some level of security as part of their charters—most notably physical security, IT security and disaster security preparedness. If you keep your infosec professionals in one group, you risk alienating the business groups they'll need to work with to conduct security awareness and training programs.
Top-level management must realize that information security and infosec policies must fit into all facets of the organization. Information security is not solely the responsibility of IT but rather an enterprise function that must mandate input from all business units so each unit can ensure its needs, concerns and mission statements are met. Smart organizations are starting to realize that security has evolved into an enterprisewide support division, rather than an isolated group dedicated solely to protecting servers. Security professionals can offer cost management, build a stronger focus on customer relations and help identify and communicate growth opportunities throughout the organization.
MYTH #5: Complex, frequently changed passwords will make my enterprise secure. No one would argue that a password of 12 to 16 characters, with mixed upper- and lowercase letters, numbers and special characters, is hard to guess. But it's also hard to remember. If you require users to change passwords every 60 days, they'll be writing down their passwords, which is exactly what you don't want. Instead, create a flexible password policy that lets users create simple yet inconspicuous passwords. Consider having users create easy-to-remember passphrases, such as "HotDogWithMustard," "8YearsOldToday" or "Please,Hold theMayo." Written password security policies should be governed by the organization, not the end user. However, each end user must be held accountable for managing and safeguarding his or her own password. Remember that passwords written on Post-It notes or stored in Excel spreadsheets are far bigger threats to security than password cracking.
MYTH #6: The padlock icon present during an SSL session means my data is safe. This is untrue. That tiny padlock icon found at the bottom of a Web site is a sign that data sent between your device and the site is encrypted. It doesn't mean the Web site itself is safe. Web site certificates are text files of information—such as to whom the certificate belongs, who issued it, a unique identifier and valid dates of use—that the SSL protocol uses to establish secure connections. Five conditions must be met for a browser to accept a certificate. If any condition isn't met, the browser should display a warning to the user, who then decides whether to start a connection. The first condition is that the certificate is issued by a trusted certificate authority, which creates and manages security credentials and public keys for messaging encryption. Certificates and keys are typically stored on the hard drive of the local computer being used. Second, the certificate must be within its validity period. Third, if a user is connecting to www.etrust-bank.com, then the certificate common name must be www.etrust-bank.com. Fourth, the certificate must validate that it hasn't been altered, and finally, it must not be revoked. Unfortunately, most users don't bother to check site certificates when there is a problem. To check the Web site's certificate, double-click the padlock icon in your browser window while you're active on the site. A pop-up window will show the name of the site and its certification information. Smart users will validate that the information matches that of the site and the organization with which they're conducting a transaction.
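The five acceptance conditions above, written out as a checker over a simplified certificate record. This is an added example, not code from the article or from any browser: the `Certificate` dataclass, the `Example Trusted CA` trust store, the revocation set and the HMAC that stands in for the issuer's real public-key signature are all constructed for illustration. The hostname check goes slightly beyond the text by also accepting a single-label wildcard name (`*.example.com`), which real browsers do.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Constructed stand-in for the browser's trust store. A real CA signs with a
# private key and the browser verifies with the CA's public key; here an HMAC
# keyed with a constructed secret plays that role, so altering any signed field
# breaks the check just as a real signature would.
TRUSTED_CA_KEYS = {"Example Trusted CA": b"ca-secret-key-constructed"}
REVOKED_SERIALS = {"0002"}  # constructed stand-in for a CRL / OCSP response


@dataclass(frozen=True)
class Certificate:
    subject_cn: str        # common name, e.g. "www.etrust-bank.com"
    issuer: str            # certificate authority that issued it
    serial: str            # unique identifier
    not_before: datetime   # start of validity period
    not_after: datetime    # end of validity period
    signature: bytes       # issuer's signature over the fields above


def _signed_fields(cert: Certificate) -> bytes:
    """The bytes the issuer signs: every field except the signature itself."""
    return "|".join([cert.subject_cn, cert.issuer, cert.serial,
                     cert.not_before.isoformat(),
                     cert.not_after.isoformat()]).encode()


def issue(ca: str, subject_cn: str, serial: str,
          not_before: datetime, not_after: datetime) -> Certificate:
    """Constructed issuing routine: sign the fields with the CA's (toy) key."""
    unsigned = Certificate(subject_cn, ca, serial, not_before, not_after, b"")
    sig = hmac.new(TRUSTED_CA_KEYS[ca], _signed_fields(unsigned),
                   hashlib.sha256).digest()
    return replace(unsigned, signature=sig)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or '*.example.com' matching exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return (hostname.endswith(suffix)
                and "." not in hostname[:-len(suffix)])
    return False


def check_certificate(cert: Certificate, hostname: str,
                      now: datetime) -> list:
    """Return the names of the failed conditions; an empty list means accept."""
    failures = []
    ca_key = TRUSTED_CA_KEYS.get(cert.issuer)
    if ca_key is None:                                   # 1. trusted issuer
        failures.append("untrusted issuer")
    if not (cert.not_before <= now <= cert.not_after):   # 2. validity period
        failures.append("outside validity period")
    if not hostname_matches(cert.subject_cn, hostname):  # 3. name matches
        failures.append("name mismatch")
    if ca_key is not None:                               # 4. not altered
        expected = hmac.new(ca_key, _signed_fields(cert),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.signature):
            failures.append("altered (signature mismatch)")
    if cert.serial in REVOKED_SERIALS:                   # 5. not revoked
        failures.append("revoked")
    return failures


# Constructed sample certificates and a fixed "current" time.
NOW = datetime(2006, 3, 1, tzinfo=timezone.utc)
_VALID_FROM = datetime(2006, 1, 1, tzinfo=timezone.utc)
_VALID_TO = datetime(2007, 1, 1, tzinfo=timezone.utc)
GOOD = issue("Example Trusted CA", "www.etrust-bank.com", "0001", _VALID_FROM, _VALID_TO)
REVOKED = issue("Example Trusted CA", "www.etrust-bank.com", "0002", _VALID_FROM, _VALID_TO)
EXPIRED = issue("Example Trusted CA", "www.etrust-bank.com", "0003",
                datetime(2005, 1, 1, tzinfo=timezone.utc),
                datetime(2005, 12, 31, tzinfo=timezone.utc))
# A certificate legitimately issued to another site, then edited to carry the
# bank's name: the name now matches, but the issuer's signature no longer does.
TAMPERED = replace(issue("Example Trusted CA", "www.other-site.example", "0004",
                         _VALID_FROM, _VALID_TO), subject_cn="www.etrust-bank.com")
SELF_SIGNED = Certificate("www.etrust-bank.com", "Unknown Self-Signed CA", "0009",
                          _VALID_FROM, _VALID_TO, b"")

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("revoked", REVOKED), ("expired", EXPIRED),
                        ("tampered", TAMPERED), ("self-signed", SELF_SIGNED)]:
        print(f"{label:12s} -> {check_certificate(cert, 'www.etrust-bank.com', NOW) or 'accepted'}")
```

Each sample certificate fails exactly one of the five conditions, which is the situation in which a browser shows the warning the article describes; the user's decision to continue anyway is what the checker cannot protect against.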
In addition, keep in mind that the data you send isn't stored on the Web site but on a server, and you have no way of knowing whether the data you sent is encrypted on that server. How well an organization safeguards its server is a bigger security risk than the transmission itself. Nothing is 100 percent secure, and even sites using 128-bit encryption can be compromised.
MYTH #7: Migrating from Internet Explorer to Firefox will make my enterprise secure. Although Internet Explorer commands the majority of the browser market, Firefox is steadily gaining ground. But if a vulnerability is discovered in your browser, your computers are susceptible to compromise, no matter which browser you're running. The real risk lies in users continuing to click on virus-infected attachments, which are browser-agnostic. The December 2005 Microsoft WMF vulnerability should re-emphasize the fact that users must still be trained not to accept or execute files or links from untrusted or unknown sources. As the download popularity of Firefox increases, so does the number of exposed flaws. Small shops and individual users shouldn't find switching to Mozilla's Firefox a problem—after all, it's targeted at that user base. However, mid- to large-size enterprises may find that Firefox isn't quite ready for the enterprise, despite its better security. First, Firefox lacks a management system, making it difficult for admins to control how the browser is used. Second, if your company has several Web-based applications built around IE, migrating to Firefox will incur development costs in addition to deploying Firefox to your users. In the long term, switching back and forth between browser vendors isn't cost-effective or efficient. Instead, restrict Internet browsing activity to "what access is needed" and "who needs it." It's a time-consuming administrative task, but teaching proper browsing behavior will keep your organization much safer than worrying about which browser you use.
MYTH #8: Increased security spending results in greater security. This is false. Organizations often use some sort of metric (or measurement tool) to justify their security spending within an IT budget. This can result in spending more money for security products but not actually building a more secure enterprise. Every company has a unique risk profile that will determine its required security investment. You can't generalize security needs. Instead, establish a risk management profile, manage those risks within a given budget and purchase wisely to meet the needed security level. But don't spend your entire infosec budget on hardware and software technologies. Security is as much a matter of awareness as technology, so be sure to spend appropriately on training and educating your users and customers in how their actions can result in a major network security breach. It's also vital to make security a visible and important part of your organizational culture.
MYTH #9: Wireless networks aren't secure. Wireless is one of the hottest technologies around, but, like other new technologies, it has suffered from a bad reputation. Wireless networks, in their early incarnation, were considered less secure than wired networks because the WEP (Wired Equivalent Privacy) protocol had numerous security holes. Today, there are security methodologies and technologies that can be used in place of WEP, such as secure forms of key exchanges and encryption, VPNs and authentication servers. Having a good understanding of the 802.11i wireless standard and the 802.1x authentication standard will assist you in properly designing and configuring your wireless network. The IEEE 802.11i wireless security specification has been finalized and products are shipping with this support built in. Although wireless is more susceptible to security problems than wired networking, smart IT professionals can make secure and effective use of wireless technology by building in additional security, properly managing the rich features found in Wi-Fi products and planning to take advantage of future Wi-Fi security enhancements.
MYTH #10: Dumping Windows for Linux will increase security. The media portrays Linux as a secure alternative to Windows, but will Linux make your enterprise that much more secure? Not really. With proper planning, you can securely deploy both Windows and Linux. Although there are more viruses written for the Windows platform, Linux isn't in the clear. Linux tends to have an advantage over Windows in that it's an open-source platform with a worldwide programming and security community supporting it. The CERT database lists the most recent flaws and fixes issued for Linux. But in fact, all operating systems have flaws. An improperly configured Linux server is just as vulnerable as any Windows server.
So, should you dump Windows and migrate to Linux? For the majority of enterprises, the answer is no. While the Linux interface continues to improve, Windows is still better. And while more software is becoming available for the Linux platform, organizations will have a hard time finding Linux versions of everything they need to run their businesses. The work associated with migrating to Unix—testing applications to see if they function properly on the platform and retraining users—makes the switch cost-prohibitive and not a viable long-term solution. The better alternative is to use Linux where it performs best—as the underlying OS on appliances and powering high-end workstations and file servers.
Joanne VanAuken is a technology editor for Secure Enterprise. She has 14 years' experience in computer operations and systems administration. Write to her at firstname.lastname@example.org
Debunking Myths For Consumers
The corporate setting isn't the only place information security myths go unchallenged. Here are five commonly held consumer beliefs:
#1: I need a desktop firewall for protection. This is false. With Windows XP SP2, the built-in desktop firewall is automatically turned on, but most consumers don't know how to configure it or how to answer the pop-up messages saying that an executable is attempting to make a connection. Honestly, even we don't know what every file is supposed to do. So users just click "Yes" to let the action proceed, or even turn off the desktop firewall altogether. Instead, we propose that home consumers use a NAT (Network Address Translation) router, which hides the addresses of the computers on the home network from the Internet while still letting those computers reach the Internet. When a computer in a private home network requests data from the public Internet, the NAT device opens a tunnel between the home and the destination computers. When the public computer returns the requested results, they're passed back through the NAT device to the requesting computer. NAT routers offer good security for home users because they don't forward requests that originate from the Internet to your home network.
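The NAT behavior described above, as an added simulation that is not part of the original article: a `NatRouter` class (constructed here, not any vendor's firmware) that creates a translation-table entry when a home computer sends an outbound packet, translates the matching reply back to that computer, and drops any inbound packet that does not answer an existing entry. Mappings are keyed on the full source/destination pair, which is the most restrictive NAT style; addresses and ports are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-translating NAT: outbound traffic opens a mapping, inbound traffic is
    forwarded only when it answers one, everything else is dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self._inbound_table = {}
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self._outbound_table = {}
        self.dropped = []          # unsolicited inbound packets, for inspection

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the home network to carry the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound_table.get(key)
        if public_port is None:                       # first packet of this flow
            public_port = self._next_port
            self._next_port += 1
            self._outbound_table[key] = public_port
            self._inbound_table[(public_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
        # The remote host only ever sees the router's public address.
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet from the Internet only if it answers an open mapping."""
        inside = self._inbound_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or inside is None:
            self.dropped.append(pkt)                  # unsolicited: not forwarded
            return None
        private_ip, private_port = inside
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> dict:
    """Run one outbound request, its reply, and one unsolicited probe (all constructed)."""
    nat = NatRouter("203.0.113.5")
    request = Packet("192.168.1.20", 51000, "198.51.100.10", 80)   # home PC -> web server
    on_the_wire = nat.outbound(request)
    reply = Packet("198.51.100.10", 80, "203.0.113.5", on_the_wire.src_port)
    probe = Packet("198.51.100.77", 4444, "203.0.113.5", 23)          # unsolicited
    return {
        "seen_by_server": on_the_wire,
        "reply_delivered_to": nat.inbound(reply),
        "probe_delivered_to": nat.inbound(probe),
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `dropped` list is the part worth keeping in a real device's logs: unsolicited inbound traffic that reaches the router's public address is exactly what the article says a NAT router should refuse to forward.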
#2: It's unsafe to make online purchases. Wrong. We trust online purchases and even online banking. It's highly unlikely that many consumers would be targeted individually. Most malicious users target financial institutions such as banks or credit unions so they can get names and passwords to numerous accounts. E-business is just as safe as shopping at brick-and-mortar stores. After all, what's to stop a department store salesperson from skimming off your store credit card?
#3: ISPs can protect you from identity theft. Lately, ISPs such as AOL have sponsored numerous commercials implying that DSL isn't safer than broadband connections. And ISPs are leading consumers to believe that using their services will protect them from malicious activity on the Internet. The truth is that no ISP or vendor can protect you 100 percent from malicious activity or protect your identity from being stolen. Only you can protect yourself. Use common sense and engage in good security practices when surfing and entering personal information on Web sites. Remember this basic rule: You can't see who you're dealing with, so no matter how appealing or legitimate something looks, proceed with caution.
#4: Having antivirus software installed means my computer is secure. Not so. Most people don't bother to update their antivirus signatures, and many let their subscriptions expire. It's only when their computers are infected with a virus that users panic. Use the layered approach to securing your personal computing devices. Antivirus software doesn't typically detect spyware, but there are some good, free products out there, such as Lavasoft's Ad-Aware. In addition, make the best use of e-mail filters to reduce the amount of spam you receive. Depending on your technical skills, you may want to invest in a product that bundles antivirus, antispyware and antispam in one package.
#5: Vendor patches fix security holes. This is false. Aside from the fact that many consumers don't bother to patch their computers, too many of them think that once they've applied a security patch, they'll be safe. Patches address specific vulnerabilities and, therefore, may or may not entirely solve a particular security problem. In fact, security patches often create vulnerabilities elsewhere. There are, and always will be, undocumented vulnerabilities. Consumers, just like companies, must play an offensive, rather than defensive, security game.
Keeping Online Transactions Safe
Remind your employees to follow these rules to help keep enterprise and home-office systems safe.
- Always limit the financial and personal data you enter on Web sites.
- Scroll down to opt out of receiving marketing materials and request the vendor not store your data for later use.
- Search for info on how the merchant uses technology to protect your transaction and whether it promises any guarantee your personal data is protected.
- To ensure your session is encrypted, look for the prefix https in the address line, which means the communications channel is encrypted with the SSL protocol.
- Take print screens after you fill out any online forms and prior to submitting data, so you have a paper trail of your transaction.
- Valid online merchants will provide alternatives to online transactions to get and retain you as a valued customer. If they don't, shop around.