IT security throws up constant new challenges, so you can’t afford to waste time dealing with non-issues. Here are five security myths that you need to ignore.
This list is drawn from a longer presentation given by Gartner analyst Jay Heiser at the Gartner Security & Risk Management Summit in Sydney earlier this week. None should be surprising, but all pop up with disturbing regularity in workplace environments large and small.
Myth#1: It won’t happen to me
This mindset is surprisingly common, both with individuals who delude themselves they know their systems so well that no security risk could ever eventuate, and with businesses that believe they aren’t a worthy target. “It really comes down to wanting to avoid any responsibility or cost,” Heiser commented.
With that said, an equally big problem is overestimating the likelihood of issues. “Our risk perspective is often not rational,” Heiser said. “It’s our job to do the best possible we can for our employers, and in the infosec realm, that requires us to be brutally honest about the degree of risk confronting our organisations.”
Myth#2: Security accounts for 10 per cent of IT budgets
This figure is sometimes thrown around by managers annoyed with the overall cost of IT, but it’s not based in fact. “That’s very, very rare,” Heiser said. “Maybe at a bank undergoing a drastic upgrade.” In a large organisation, 5 per cent is more typical, and it can be as low as 1 per cent.
Myth#3: You can assign a monetary value to security policy
Spreadsheets are the prime tool through which many organisations run, and the request to quantify the business value associated with a security program is a common one. Unfortunately, that makes about as much sense as asking for an ROI on an insurance policy. The value only becomes apparent when you need it.
“We live in a culture of quantification and it becomes a buck-passing mechanism,” Heiser said of this tendency. “It’s a face-saving way to send you off on a task where you can’t succeed.”
Myth#4: Longer passwords and frequent changes help security
An obvious four-letter dictionary password is a ripe target for cracking, but Heiser suggests that constantly forcing users to memorise new and unique passwords is a complete waste of time. “Most passwords are cracked because they’re slurped through malware,” he said. “We put way too much emphasis on complexity.”
A better strategy is to encourage employees not to use passwords that blur between professional life and personal life. “One of the best policies we could pursue is to encourage employees not to use their Facebook passwords at work,” Heiser said.
Myth#5: Physical security means we’re safe
Physical security matters, but with huge amounts of data stored online, its importance can be overestimated. “In the overwhelming number of cases, your data is not going to be snuck out the front door,” Heiser said. “One hard drive really doesn’t have much data on it.”
Comments
11 responses to “Five Security Myths Everyone Should Dismiss”
“One hard drive really doesn’t have much data on it.”
Really? Many of our high value customers could have all of their important corporate data handed to a competitor on a single USB hard drive.
Heck, most of the really critical data could probably fit on a floppy. Customer names, addresses, phone numbers, bank details, and possibly credit card details.
Forget about that though. Hard drives these days cap out at 4TB. 4TB only qualifies as “not a lot of data” if you’re an Enterprise, and even then it’s a pretty fair slab. It’s a megabyte for each of a million people.
Network security is worthless without physical security, because a physical security violation can almost always be bootstrapped into a network security violation. Examples of possible intrusions:
– Copy the company data onto a USB key or hard drive – This is the least likely because it’s time consuming and needs to be precisely targeted.
– Install a sniffer box that nabs key data and forwards it via a HTTP/HTTPS tunnel or email.
– Similarly, install a VPN basepoint to leverage permanent network access. This box does not have to be big – it could just be a Raspberry Pi or something even smaller.
– Most likely is a regular burglar looking for stuff to sell for cash. Keep your laptops locked up.
– If all they want to do is ruin you, walk in with a sledgehammer and pound on key hardware. Enterprises with good fallback setups will survive this, but there’s a lot of untested redundancy plans out there.
– Ditto, if they can get access to your database, introduce subtle corruption. Possibly introduce encryption on the sly – used to be a common malware tactic.
– Database access -> modify the bank details used for outgoing transfers -> suddenly your suppliers are asking why they haven’t been paid.
Very true. I’ve dealt with systems that have significant information that run on DOS6.22 (I’m not joking). The real trick would be finding a floppy drive. 😛
Myth 4 hits home for me. Having to change my password every 2 weeks at work drives me nuts. Having to change it to something that is not the same as the last 15 passwords is arbitrary and stupid. Most of us just pick a strong enough password we can remember, put a number on the end and start incrementing…
Yep. Half the time enforced password security measures result in me using weaker passwords. Plus when you start putting up those sorts of walls employees start doing stupid things like leaving their passwords written in their e-mail contacts or on a note in their draw.
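The two comments above describe how forced rotation gets gamed (keep the stem, bump the trailing number) and how it pushes people toward weaker passwords. One defensive control that blunts the first problem is a similarity test at password-change time, when the user has just supplied the current password in the clear anyway. The following is an added example written for this page, not code from the article or from any commenter; the function names and the two-edit threshold are my own assumptions.

```python
import re
from typing import Optional

# A trailing run of digits, e.g. the "7" in "Welcome7" (constructed for this example).
TRAILING_DIGITS = re.compile(r"\d+$")


def strip_trailing_digits(pw: str) -> str:
    """Return the password with any trailing run of digits removed."""
    return TRAILING_DIGITS.sub("", pw)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), used for the 'too similar' test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(current: str, candidate: str, max_edits: int = 2) -> bool:
    """True when the candidate is the current password with only the trailing
    number changed, or within `max_edits` single-character edits of it.
    Comparison is case-insensitive so 'Password1' -> 'password1' is also caught."""
    cur, cand = current.lower(), candidate.lower()
    if cur == cand:
        return True
    stem = strip_trailing_digits(cur)
    # Guard against an all-digit current password, whose stem would be empty.
    if stem and stem == strip_trailing_digits(cand):
        return True
    return levenshtein(cur, cand) <= max_edits


def check_password_change(current: str, candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes the similarity test.
    `current` is the password the user types to authorise the change (assumed
    available in plaintext at that moment only); `candidate` is the proposed new one."""
    if current.lower() == candidate.lower():
        return "new password is identical to the current one"
    stem = strip_trailing_digits(current.lower())
    if stem and stem == strip_trailing_digits(candidate.lower()):
        return "only the trailing number changed"
    edits = levenshtein(current.lower(), candidate.lower())
    if edits <= 2:
        return f"too similar to the current password ({edits} edit(s))"
    return None


if __name__ == "__main__":
    # Constructed sample changes illustrating the incrementing pattern from the comments.
    for old, new in [("hunter2", "hunter3"), ("Summer2013!", "Summer2014!"),
                     ("hunter2", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```

The check deliberately runs only against the current password, which the user has just typed; it does not require storing any plaintext history. Exact reuse of older passwords is still best handled by comparing against stored hashes, which this example leaves out.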
Reminds me of the old XKCD password strength strip. http://xkcd.com/936/
I, ahh, can not tell you how much I hate that one xkcd comic. White hat hackers have pointed out the fact that it has made their job easier, by combining brute force with word lists and substituting letters/symbols for typos. Really, anything to do with password security should have a link to the Ars Technica series on it.
That aside, whilst I personally do manage my passwords quite strongly, it’s important to change your passwords at least once a year, more for secure services, and never to share passwords across web services. More so if you have access to enterprise data.
What about the other XKCD comic – the one where a password is extracted by use of a wrench (American for spanner)? It summarises the fundamental flaw of passwords quite elegantly.
http://xkcd.com/538/
Might as well just get an authenticator…
This is what gets me; why isn’t dual factor authentication far more widespread, especially in enterprises?
Trying to quantify the value of fraud risks is difficult.. you can say there is a potential for this much.. the trends are this or that.. you can say this is how much we lost last financial year and so on.. but really, at the end of the day the money you save is a constant unknown when it is saved through the implementation of pro-active systems and processes.
Reactive systems and processes can be measured, obviously.. because you can see that such and such fraud event occurred and you saved n percent of that.. but you can’t measure the fraud that didn’t happen because your systems and processes were secure against those potential attacks.
Security comes in waves.. generally after a big loss event.. and then things get lax as it seems that nothing is happening and all this money is being thrown into security without any reactive saves.
It’s a tricky one, that’s for sure.. but you have to continue to pump the money into it… a bit like insurance really.. you could pay your premiums for years and never make a claim.. but if you didn’t have insurance and needed to make a claim, you’d be up the creek without a paddle.
One word: Stuxnet. It wasn’t getting something out that was the security problem though, it was someone bringing in a simple USB flash drive and then taking down an entire nuclear power facility. Then you have the Pwn Plug, a physical device designed to look like a common office object that is actually a powerful set of hacking and sniffing tools for networks and devices. All it takes is for someone to walk in pretending to be a professional of some sort and you open the doors to being hacked, or spied upon. It’s also not the only item of its kind. If that wasn’t enough, someone can easily pull the same stunt of pretending to be a professional and tricking your staff into installing a remote administration tool that allows them to control the machine.
So while it’s not really the data walking out the door that’s the big problem, it’s what’s walking in that is the bigger problem. Given that the biggest security risk of any company is the staff, physical security is very important to ensure that no one is trying to do anything untoward.