We recently looked at nine security tips that go outside the box of conventional thinking. Along with thinking about security practices creatively, however, we need to be aware of the shortcomings that come with standard defensive and protective measures.

InfoWorld recently published a report, titled “18 Surprising Tips for Security Pros,” that looked at widespread practices and tools that may end up offering a false sense of security. It’s not that these practices are ineffectual; it’s that their effectiveness is limited and they do not fully address the challenges security professionals face.
Nine Security Practices to

There are common cybersecurity practices that could potentially lull IT professionals into complacency. Below are nine roadblocks that may speak to
1. Antivirus Software Is

Once upon a time, antivirus programs could be counted on to recognize most viruses, worms and other malware. Today, many end users still assume that having antivirus software means they are safe, but malware now evolves and proliferates so quickly that antivirus vendors cannot keep up.
2. Firewalls Are Even More

The goal of firewalls is to block unwanted software, specifically malware. But most malware now relies on social engineering schemes to bust through firewalls. As a result, despite multiple
security teams face more penetrating attacks than ever.
3. Even Patching Is Limited

Security professionals have long pointed to updating software with security patches as the most important measure that users can take. Unfortunately, keeping patches updated is tricky, and patch managers usually fall short. Even more unfortunately, the rise of social engineering attacks has made traditional software vulnerabilities a relatively minor factor, so patching now protects against only 10 to 20 percent of attacks, according to the report.
4. Poor User Education

The security community has been warning end users about unsafe practices since the dawn of time, but users keep engaging in them. In the age of social
more egregious than ever. Better application security and well-designed default prompts will do more to protect people than another lecture about bad security practices.
5. Strong Passwords Won’t

Yes, on the whole, users’ password habits are especially execrable. Multiple studies have shown that people will happily reveal their passwords to almost anyone. But even strong passwords won’t help if attackers trick users, gain admin access, harvest the password hashes and stroll cheerfully through the checkpoints, and unfortunately, this is what a growing number of cybercriminals are doing.
6. Intrusion Detection Can’t

The purpose of an intrusion detection system (IDS) is to warn of suspicious activity. But what counts as suspicious? From the activity that the IDS sees, a fraudster using stolen credentials to access financial data looks just like a legitimate user performing a routine action. Uncertainty and false positives can render these warnings ineffectual.
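To make the IDS limitation above concrete, here is an added example (not code from the original article or the InfoWorld report) that runs two detection rules over a handful of constructed sshd-style log lines. A classic signature rule catches the noisy failed-login burst, but the one event that matters, a successful login with valid credentials, passes it silently; a behavioural rule that compares the login source against a per-user baseline does flag it, yet the log alone cannot say whether that login is a fraudster or the real user on a trip. The log lines, user names, addresses and baseline table are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (sshd-style). Not taken from any real system.
# The burst from 203.0.113.9 never succeeds; the accepted login for alice
# from 198.51.100.7 is the ambiguous event the article describes.
SAMPLE_LOG = """\
Mar 10 08:02:11 fin-app sshd[4121]: Accepted password for alice from 10.0.5.20 port 51022 ssh2
Mar 10 08:15:40 fin-app sshd[4133]: Accepted password for bob from 10.0.5.21 port 51100 ssh2
Mar 10 09:01:02 fin-app sshd[4150]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Mar 10 09:01:03 fin-app sshd[4150]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Mar 10 09:01:04 fin-app sshd[4150]: Failed password for bob from 203.0.113.9 port 40003 ssh2
Mar 10 09:01:05 fin-app sshd[4150]: Failed password for bob from 203.0.113.9 port 40004 ssh2
Mar 10 09:01:06 fin-app sshd[4150]: Failed password for bob from 203.0.113.9 port 40005 ssh2
Mar 10 11:30:15 fin-app sshd[4201]: Accepted password for alice from 198.51.100.7 port 52210 ssh2
Mar 10 14:45:59 fin-app sshd[4302]: Accepted password for carol from 10.0.5.30 port 53000 ssh2
"""

# Constructed per-user baseline of source addresses seen in the past.
KNOWN_SOURCES = {
    "alice": {"10.0.5.20"},
    "bob": {"10.0.5.21"},
    "carol": {"10.0.5.30"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_alerts(events, threshold=5):
    """Signature-style rule: N or more failed logins for one user from one source.

    This only sees the attacker who is still guessing; an attacker who already
    holds a valid password never trips it.
    """
    fails = defaultdict(int)
    for e in events:
        if e["outcome"] == "Failed":
            fails[(e["user"], e["src"])] += 1
    return [
        {"rule": "brute_force", "user": u, "src": s, "count": n}
        for (u, s), n in fails.items()
        if n >= threshold
    ]


def baseline_alerts(events, baseline):
    """Behavioural rule: a successful login from a source the user has never used.

    This catches the stolen-credential case, but it fires just as readily for a
    legitimate user on a new network, so every hit still needs a human decision.
    """
    alerts = []
    for e in events:
        if e["outcome"] == "Accepted" and e["src"] not in baseline.get(e["user"], set()):
            alerts.append({"rule": "new_source_login", "user": e["user"], "src": e["src"]})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("signature rule:", signature_alerts(evs))
    print("baseline rule: ", baseline_alerts(evs, KNOWN_SOURCES))
```

Run as a script, the signature rule reports only bob's failed-login burst, while the baseline rule reports alice's accepted login from 198.51.100.7. Neither rule can tell from the log whether that second event is fraud, which is exactly the uncertainty the article points to; in practice the baseline rule is what turns an undetectable event into an investigable one, at the cost of extra false positives to triage.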
7. The Public Key Infrastructure Is Broken

The system of public and private encryption keys has become the foundation of our encryption protection. Mathematically, it is the picture of elegance. But in the real world, numerous certification organizations have been breached, resulting in the proliferation of fraudulent keys. Moreover, how many users even care or change their behavior if a website is flagged as untrusted?
8. Appliances Are Easy to

Appliances, in the IT sense, are supposed to enhance security by limiting the functionality of specialized devices such as routers. Yet, in practice, all too many appliances come with malware. Since appliances and their firmware are harder to update, if they can be updated at all, this malware is almost impossible to get rid of. Appliances have their advantages, but security is not one of them.
9. Sandboxes Don’t Stay

The goal of sandboxing is to let applications that may not be trustworthy run in a controlled environment where their access to system resources is limited. Still, cybercriminals regularly penetrate sandboxes and manage to do real-world harm to the systems the sandbox was supposed to protect.
Curtain Call for Security

The unfortunate fact of life, according to the InfoWorld report, is that too many of our security practices can be chalked up to “security theater.” That is, they give the impression of security by flashing badges and imposing some inconveniences but don’t actually provide much protection.

The security practices listed are not wrong, but they are insufficient to address the real security threats teams face today.